From 6ffc01d04e8cc44dd87ba541f52615758ffcad76 Mon Sep 17 00:00:00 2001
From: "Sreenivasulu Malavathula (HCL Technologies Ltd)"
Date: Thu, 27 Mar 2025 17:40:15 -0500
Subject: [PATCH] [Medium] Patch influxdb for CVE-2025-22870 and CVE-2024-51744 (#13010)
Signed-off-by: Sreenivasulu Malavathula
Co-authored-by: jslobodzian
(cherry picked from commit 69cffc256e64c08852d76f7098e5329b8c499596)
---
SPECS/influxdb/CVE-2024-51744.patch | 161 ++++++++++++++++++++++++++++
SPECS/influxdb/CVE-2025-22870.patch | 47 ++++++++
SPECS/influxdb/influxdb.spec | 7 +-
3 files changed, 214 insertions(+), 1 deletion(-)
create mode 100644 SPECS/influxdb/CVE-2024-51744.patch
create mode 100644 SPECS/influxdb/CVE-2025-22870.patch
diff --git a/SPECS/influxdb/CVE-2024-51744.patch b/SPECS/influxdb/CVE-2024-51744.patch
new file mode 100644
index 00000000000..694870c0ec4
--- /dev/null
+++ b/SPECS/influxdb/CVE-2024-51744.patch
@@ -0,0 +1,161 @@ +From 78ef06fbde145deea5303f193b795f173db4c4a3 Mon Sep 17 00:00:00 2001 +From: Sreenivasulu Malavathula +Date: Tue, 18 Mar 2025 14:56:14 -0500 +Subject: [PATCH] Address CVE-2024-51744 + +--- + .../github.com/form3tech-oss/jwt-go/parser.go | 36 +++++++++++-------- + vendor/github.com/golang-jwt/jwt/parser.go | 36 +++++++++++-------- + 2 files changed, 42 insertions(+), 30 deletions(-) + +diff --git a/vendor/github.com/form3tech-oss/jwt-go/parser.go b/vendor/github.com/form3tech-oss/jwt-go/parser.go +index d6901d9..bfb480c 100644 +--- a/vendor/github.com/form3tech-oss/jwt-go/parser.go ++++ b/vendor/github.com/form3tech-oss/jwt-go/parser.go +@@ -14,12 +14,21 @@ type Parser struct { + } + + // Parse, validate, and return a token. +-// keyFunc will receive the parsed token and should return the key for validating. +-// If everything is kosher, err will be nil ++// Parse parses, validates, verifies the signature and returns the parsed token. keyFunc will ++// receive the parsed token and should return the key for validating. + func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) { + return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc) + } + ++// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object ++// implementing the Claims interface. This provides default values which can be overridden and ++// allows a caller to use their own type, rather than the default MapClaims implementation of ++// Claims. ++// ++// Note: If you provide a custom claim implementation that embeds one of the standard claims (such ++// as RegisteredClaims), make sure that a) you either embed a non-pointer version of the claims or ++// b) if you are using a pointer, allocate the proper memory for it before passing in the overall ++// claims, otherwise you might run into a panic. 
+ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) { + token, parts, err := p.ParseUnverified(tokenString, claims) + if err != nil { +@@ -56,12 +65,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf + return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable} + } + ++ // Perform validation ++ token.Signature = parts[2] ++ if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil { ++ return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid} ++ } ++ + vErr := &ValidationError{} + + // Validate Claims + if !p.SkipClaimsValidation { + if err := token.Claims.Valid(); err != nil { +- + // If the Claims Valid returned an error, check if it is a validation error, + // If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set + if e, ok := err.(*ValidationError); !ok { +@@ -69,22 +83,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf + } else { + vErr = e + } ++ return token, vErr + } + } + +- // Perform validation +- token.Signature = parts[2] +- if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil { +- vErr.Inner = err +- vErr.Errors |= ValidationErrorSignatureInvalid +- } +- +- if vErr.valid() { +- token.Valid = true +- return token, nil +- } ++ // No errors so far, token is valid. ++ token.Valid = true + +- return token, vErr ++ return token, nil + } + + // WARNING: Don't use this method unless you know what you're doing +diff --git a/vendor/github.com/golang-jwt/jwt/parser.go b/vendor/github.com/golang-jwt/jwt/parser.go +index d6901d9..bfb480c 100644 +--- a/vendor/github.com/golang-jwt/jwt/parser.go ++++ b/vendor/github.com/golang-jwt/jwt/parser.go +@@ -14,12 +14,21 @@ type Parser struct { + } + + // Parse, validate, and return a token. 
+-// keyFunc will receive the parsed token and should return the key for validating. +-// If everything is kosher, err will be nil ++// Parse parses, validates, verifies the signature and returns the parsed token. keyFunc will ++// receive the parsed token and should return the key for validating. + func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) { + return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc) + } + ++// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object ++// implementing the Claims interface. This provides default values which can be overridden and ++// allows a caller to use their own type, rather than the default MapClaims implementation of ++// Claims. ++// ++// Note: If you provide a custom claim implementation that embeds one of the standard claims (such ++// as RegisteredClaims), make sure that a) you either embed a non-pointer version of the claims or ++// b) if you are using a pointer, allocate the proper memory for it before passing in the overall ++// claims, otherwise you might run into a panic. 
+ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) { + token, parts, err := p.ParseUnverified(tokenString, claims) + if err != nil { +@@ -56,12 +65,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf + return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable} + } + ++ // Perform validation ++ token.Signature = parts[2] ++ if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil { ++ return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid} ++ } ++ + vErr := &ValidationError{} + + // Validate Claims + if !p.SkipClaimsValidation { + if err := token.Claims.Valid(); err != nil { +- + // If the Claims Valid returned an error, check if it is a validation error, + // If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set + if e, ok := err.(*ValidationError); !ok { +@@ -69,22 +83,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf + } else { + vErr = e + } ++ return token, vErr + } + } + +- // Perform validation +- token.Signature = parts[2] +- if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil { +- vErr.Inner = err +- vErr.Errors |= ValidationErrorSignatureInvalid +- } +- +- if vErr.valid() { +- token.Valid = true +- return token, nil +- } ++ // No errors so far, token is valid. ++ token.Valid = true + +- return token, vErr ++ return token, nil + } + + // WARNING: Don't use this method unless you know what you're doing +-- +2.45.2 + diff --git a/SPECS/influxdb/CVE-2025-22870.patch b/SPECS/influxdb/CVE-2025-22870.patch new file mode 100644 index 00000000000..3d4692bb239 --- /dev/null +++ b/SPECS/influxdb/CVE-2025-22870.patch 
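Review bot: The ParseWithClaims doc comment added to both vendored copies refers to `RegisteredClaims`, a type that exists in golang-jwt/jwt v4, while these vendor paths (`vendor/github.com/golang-jwt/jwt/parser.go` with no `/v4` suffix, and the form3tech-oss jwt-go fork) appear to be v3.x, where the standard claims type is `StandardClaims`; the note should name that type or be dropped so it does not point readers at a type this version lacks. The reordering itself follows the upstream 4.5.1 shape: the signature is verified first and a failure now returns `ValidationErrorSignatureInvalid` on its own, so a caller checking only for a claims error can no longer accept a token whose signature failed. Two small cleanups in the new code: `vErr := &ValidationError{}` is now only assigned inside the claims branch and could be replaced by returning the error directly, and the retained `// Perform validation` line now sits above signature verification, so `// Perform signature verification` would describe it accurately. The patch header carries no reference to the upstream commit the backport was derived from; a line such as `[upstream: <commit or URL>]` in the description would let a later rebase check the backport against its source. The key-lookup part of `ParseWithClaims` between the two nested hunks is outside this diff and unchanged.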
@@ -0,0 +1,47 @@ +From 828e979c77d6a1702ad07e4c2d2afd4e887b69fd Mon Sep 17 00:00:00 2001 +From: Sreenivasulu Malavathula +Date: Tue, 18 Mar 2025 14:36:41 -0500 +Subject: [PATCH] Address CVE-2025-22870 + +--- + vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http/httpproxy/proxy.go b/vendor/golang.org/x/net/http/httpproxy/proxy.go +index 16994ac..0ce4f6b 100644 +--- a/vendor/golang.org/x/net/http/httpproxy/proxy.go ++++ b/vendor/golang.org/x/net/http/httpproxy/proxy.go +@@ -14,6 +14,7 @@ import ( + "errors" + "fmt" + "net" ++ "net/netip" + "net/url" + "os" + "strings" +@@ -181,8 +182,10 @@ func (cfg *config) useProxy(addr string) bool { + if host == "localhost" { + return false + } +- ip := net.ParseIP(host) +- if ip != nil { ++ nip, err := netip.ParseAddr(host) ++ var ip net.IP ++ if err == nil { ++ ip = net.IP(nip.AsSlice()) + if ip.IsLoopback() { + return false + } +@@ -364,6 +367,9 @@ type domainMatch struct { + } + + func (m domainMatch) match(host, port string, ip net.IP) bool { ++ if ip != nil { ++ return false ++ } + if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) { + return m.port == "" || m.port == port + } +-- +2.45.2 + diff --git a/SPECS/influxdb/influxdb.spec b/SPECS/influxdb/influxdb.spec index d3fe1bf1657..f6103dc1c73 100644 --- a/SPECS/influxdb/influxdb.spec +++ b/SPECS/influxdb/influxdb.spec @@ -18,7 +18,7 @@ Summary: Scalable datastore for metrics, events, and real-time analytics Name: influxdb Version: 2.6.1 -Release: 21%{?dist} +Release: 22%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -61,6 +61,8 @@ Patch2: CVE-2024-24786.patch Patch3: CVE-2024-45338.patch Patch4: CVE-2024-28180.patch Patch5: CVE-2025-27144.patch +Patch6: CVE-2025-22870.patch +Patch7: CVE-2024-51744.patch BuildRequires: clang BuildRequires: golang <= 1.18.8 BuildRequires: kernel-headers 
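Review bot: The new `"net/netip"` import in the vendored `proxy.go` needs Go 1.18 or newer, while the spec only pins `golang <= 1.18.8` with no lower bound visible here, so the build should be confirmed to use a 1.18 toolchain (an older one would fail on that import). The backport itself follows the upstream shape: `netip.ParseAddr` accepts a zone-scoped IPv6 literal that `net.ParseIP` rejected, the address is reduced to a `net.IP` via `nip.AsSlice()`, and `domainMatch.match` now refuses to suffix-match any literal IP, which closes the case where such a literal was treated as a domain name for bypass matching. Because the vendored module version is unchanged, version-based vulnerability scanners will likely keep reporting CVE-2025-22870 against this package; that is expected for a vendored backport, but the patch header should say so and cite the upstream commit it mirrors. The remainder of `useProxy` (the matcher loop that consumes `ip`) is outside the hunk.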
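Review bot: Patch6 and Patch7 are declared here, but the `%prep` section is outside this diff, so if the spec applies patches with explicit `%patch` lines rather than `%autosetup`, matching `%patch6 -p1` and `%patch7 -p1` entries are needed or the two CVE fixes will silently not be built in. Both patch files use `a/`/`b/` prefixes and touch paths under `vendor/`, so `-p1` against the unpacked source tree is the expected form.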
@@ -150,6 +152,9 @@ go test ./... %{_tmpfilesdir}/influxdb.conf %changelog +* Tue Mar 18 2025 Sreeniavsulu Malavathula - 2.6.1-22 +- Fix CVE-2025-22870, CVE-2024-51744 with an upstream patch + * Fri Feb 28 2025 Kanishk Bansal - 2.6.1-21 - Fix CVE-2025-27144 with an upstream patch