Skip to content

[AUTO-CHERRYPICK] Patch azcopy for CVE-2025-30204 [High] - branch main #13213

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jslobodzian merged 1 commit into from
Mar 31, 2025
Merged

[AUTO-CHERRYPICK] Patch azcopy for CVE-2025-30204 [High] - branch main #13213

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
134 changes: 134 additions & 0 deletions SPECS/azcopy/CVE-2025-30204.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,134 @@
From 84c7f3d0b9dccb4a20d0ad4de10896d40344ba26 Mon Sep 17 00:00:00 2001
From: Kanishk-Bansal <kbkanishk975@gmail.com>
Date: Fri, 28 Mar 2025 20:43:26 +0000
Subject: [PATCH] CVE-2025-30204
Upstream Patch Reference :
v4 : https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84
v5 : https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
---
github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++++++++---
github.com/golang-jwt/jwt/v5/parser.go | 36 +++++++++++++++++++++++---
2 files changed, 66 insertions(+), 6 deletions(-)

diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
index c0a6f69..8e7e67c 100644
--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
+++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
@@ -7,6 +7,8 @@ import (
"strings"
)

+const tokenDelimiter = "."
+
type Parser struct {
// If populated, only these methods will be considered valid.
//
@@ -123,9 +125,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
// It's only ever useful in cases where you know the signature is valid (because it has
// been checked previously in the stack) and you want to extract values from it.
func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
- parts = strings.Split(tokenString, ".")
- if len(parts) != 3 {
- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ var ok bool
+ parts, ok = splitToken(tokenString)
+ if !ok {
+ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
}

token = &Token{Raw: tokenString}
@@ -175,3 +178,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke

return token, parts, nil
}
+
+// splitToken splits a token string into three parts: header, claims, and signature. It will only
+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
+// will return nil parts and false.
+func splitToken(token string) ([]string, bool) {
+ parts := make([]string, 3)
+ header, remain, ok := strings.Cut(token, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[0] = header
+ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[1] = claims
+ // One more cut to ensure the signature is the last part of the token and there are no more
+ // delimiters. This avoids an issue where malicious input could contain additional delimiters
+ // causing unecessary overhead parsing tokens.
+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
+ if unexpected {
+ return nil, false
+ }
+ parts[2] = signature
+
+ return parts, true
+}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/parser.go b/vendor/github.com/golang-jwt/jwt/v5/parser.go
index ecf99af..054c7eb 100644
--- a/vendor/github.com/golang-jwt/jwt/v5/parser.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/parser.go
@@ -8,6 +8,8 @@ import (
"strings"
)

+const tokenDelimiter = "."
+
type Parser struct {
// If populated, only these methods will be considered valid.
validMethods []string
@@ -136,9 +138,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
// It's only ever useful in cases where you know the signature is valid (since it has already
// been or will be checked elsewhere in the stack) and you want to extract values from it.
func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
- parts = strings.Split(tokenString, ".")
- if len(parts) != 3 {
- return nil, parts, newError("token contains an invalid number of segments", ErrTokenMalformed)
+ var ok bool
+ parts, ok = splitToken(tokenString)
+ if !ok {
+ return nil, nil, newError("token contains an invalid number of segments", ErrTokenMalformed)
}

token = &Token{Raw: tokenString}
@@ -196,6 +199,33 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
return token, parts, nil
}

+// splitToken splits a token string into three parts: header, claims, and signature. It will only
+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
+// will return nil parts and false.
+func splitToken(token string) ([]string, bool) {
+ parts := make([]string, 3)
+ header, remain, ok := strings.Cut(token, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[0] = header
+ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[1] = claims
+ // One more cut to ensure the signature is the last part of the token and there are no more
+ // delimiters. This avoids an issue where malicious input could contain additional delimiters
+ // causing unecessary overhead parsing tokens.
+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
+ if unexpected {
+ return nil, false
+ }
+ parts[2] = signature
+
+ return parts, true
+}
+
// DecodeSegment decodes a JWT specific base64url encoding. This function will
// take into account whether the [Parser] is configured with additional options,
// such as [WithStrictDecoding] or [WithPaddingAllowed].
--
2.45.2

6 changes: 5 additions & 1 deletion SPECS/azcopy/azcopy.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Summary: The new Azure Storage data transfer utility - AzCopy v10
Name: azcopy
Version: 10.25.1
Release: 4%{?dist}
Release: 5%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Expand Down Expand Up @@ -30,6 +30,7 @@ Source1: azure-storage-%{name}-%{version}-vendor.tar.gz
Patch0: CVE-2025-22868.patch
Patch1: CVE-2025-22870.patch
Patch2: CVE-2024-51744.patch
Patch3: CVE-2025-30204.patch

BuildRequires: golang
BuildRequires: git
Expand Down Expand Up @@ -66,6 +67,9 @@ go test -mod=vendor
%{_bindir}/azcopy

%changelog
* Fri Mar 28 2025 Kanishk Bansal <kanbansal@microsoft.com> - 10.25.1-5
- Patch CVE-2025-30204

* Mon Mar 17 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 10.25.1-4
- Fix CVE-2025-22870, CVE-2024-51744 with an upstream patch

Expand Down
Loading