From 9d7daaacbd78b6d42cdf9c66659ba30d0b1721d4 Mon Sep 17 00:00:00 2001
From: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Date: Mon, 31 Mar 2025 22:08:51 +0530
Subject: [PATCH] Patch `packer` for CVE-2025-30204 [High] (#13186)

Co-authored-by: jslobodzian
(cherry picked from commit 2d396f10014f47ae0c05e8ce563476d809217c60)
---
 SPECS/packer/CVE-2025-30204.patch | 72 +++++++++++++++++++++++++++++++
 SPECS/packer/packer.spec | 9 +++-
 2 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 SPECS/packer/CVE-2025-30204.patch

diff --git a/SPECS/packer/CVE-2025-30204.patch b/SPECS/packer/CVE-2025-30204.patch
new file mode 100644
index 00000000000..b72c6e6ae26
--- /dev/null
+++ b/SPECS/packer/CVE-2025-30204.patch
@@ -0,0 +1,72 @@
+From 3b49efd441bf131dd895fd75dcf669a493b95638 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal
+Date: Sat, 29 Mar 2025 17:54:57 +0000
+Subject: [PATCH] CVE-2025-30204
+
+Upstream Patch Reference : v4: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84
+
+---
+ vendor/github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++++++++---
+ 1 file changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+index 2f61a69..9484f28 100644
+--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+@@ -7,6 +7,8 @@ import (
+ "strings"
+ )
+
++const tokenDelimiter = "."
++
+ type Parser struct {
+ // If populated, only these methods will be considered valid.
+ //
+@@ -116,9 +118,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ // It's only ever useful in cases where you know the signature is valid (because it has
+ // been checked previously in the stack) and you want to extract values from it.
+ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+- parts = strings.Split(tokenString, ".")
+- if len(parts) != 3 {
+- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
++ var ok bool
++ parts, ok = splitToken(tokenString)
++ if !ok {
++ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ }
+
+ token = &Token{Raw: tokenString}
+@@ -168,3 +171,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+
+ return token, parts, nil
+ }
++
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++ parts := make([]string, 3)
++ header, remain, ok := strings.Cut(token, tokenDelimiter)
++ if !ok {
++ return nil, false
++ }
++ parts[0] = header
++ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++ if !ok {
++ return nil, false
++ }
++ parts[1] = claims
++ // One more cut to ensure the signature is the last part of the token and there are no more
++ // delimiters. This avoids an issue where malicious input could contain additional delimiters
++ // causing unecessary overhead parsing tokens.
++ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++ if unexpected {
++ return nil, false
++ }
++ parts[2] = signature
++
++ return parts, true
++}
+--
+2.45.2
+
diff --git a/SPECS/packer/packer.spec b/SPECS/packer/packer.spec
index a25c480f98e..29003e89cf9 100644
--- a/SPECS/packer/packer.spec
+++ b/SPECS/packer/packer.spec
@@ -5,7 +5,7 @@ Summary: Tool for creating identical machine images for multiple platform
 Name: packer
 Epoch: 1
 Version: 1.9.5
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: MPLv2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -42,6 +42,7 @@ Patch6: CVE-2025-22868.patch
 Patch7: CVE-2025-22869.patch
 Patch8: CVE-2025-22870.patch
 Patch9: CVE-2024-51744.patch
+Patch10: CVE-2025-30204.patch
 BuildRequires: golang
 BuildRequires: kernel-headers
 BuildRequires: glibc-devel
@@ -75,7 +76,11 @@ go test -mod=vendor
 %{_bindir}/packer
 
 %changelog
-* Fri Mar 14 2025 Sreeniavsulu Malavathula - 2.4.0-28
+* Sat Mar 29 2025 Kanishk Bansal - 1.9.5-12
+- Patch CVE-2025-30204
+- Fix previous changelog
+
+* Fri Mar 14 2025 Sreeniavsulu Malavathula - 1.9.5-11
 - Patch to fix CVE-2025-22870, CVE-2024-51744 with an upstream patch
 
 * Sun Mar 02 2025 Kanishk Bansal - 1.9.5-10
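Review bot: The embedded fix touches only `vendor/github.com/golang-jwt/jwt/v4/parser.go`, and its header labels the upstream reference as `v4:`, so nothing in this hunk shows whether the vendor tree carries another copy of the library (a different major version or a fork) whose `ParseUnverified` still splits with `strings.Split(tokenString, ".")`. Checking `vendor/modules.txt` and recording the result in the patch description would close that gap, for example `Vendored copies checked: github.com/golang-jwt/jwt/v4 only`. On the malformed-token path the new code returns `nil, nil, ...` where the old code returned the split `parts`; this presumably follows the referenced upstream commit, but a caller that inspected `parts` after that error would now see nil. The embedded hunks cut through `ParseUnverified`, so the rest of its body is not visible here.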
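Review bot: Nothing next to the added `Patch10: CVE-2025-30204.patch` line records that this is a source-level backport into the vendored golang-jwt v4 tree rather than a module bump; the commit changes no module metadata, so version-based scanners will presumably keep reporting CVE-2025-30204 against this package. A comment above the line would make that triage quicker: `# CVE-2025-30204: backport of golang-jwt/jwt commit 2f0e9add62078527821828c76865661aa7718a84 into vendor/ (module version unchanged)`. The %prep section is outside the hunk, so it is also worth confirming that it applies every declared patch (for example via `%autosetup`) with a strip level that matches the `a/vendor/...` paths in the patch.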