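--- a/SPECS/coredns/CVE-2025-30204.patch
+++ b/SPECS/coredns/CVE-2025-30204.patch
@@ -0,0 +1,73 @@
+From 52215bbe38134b0f05ba3bbc56288ef68813747d Mon Sep 17 00:00:00 2001
+From: Kshitiz Godara <kgodara@microsoft.com>
+Date: Sun, 30 Mar 2025 17:35:55 +0000
+Subject: [PATCH] Fix for CVE-2025-30204
+
+Upstream source:
+https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
+---
+vendor/github.com/golang-jwt/jwt/v4/parser.go | 37 +++++++++++++++++--
+1 file changed, 34 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+index c0a6f69..7b5ddfe 100644
+--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+@@ -7,6 +7,8 @@ import (
+"strings"
+)
+
++const tokenDelimiter = "."
++
+type Parser struct {
+// If populated, only these methods will be considered valid.
+//
+@@ -123,9 +125,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+// It's only ever useful in cases where you know the signature is valid (because it has
+// been checked previously in the stack) and you want to extract values from it.
+func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+- parts = strings.Split(tokenString, ".")
+- if len(parts) != 3 {
+- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
++ var ok bool
++ parts, ok = splitToken(tokenString)
++ if !ok {
++ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+}
+
+token = &Token{Raw: tokenString}
+@@ -175,3 +178,31 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+
+return token, parts, nil
+}
++
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++ parts := make([]string, 3)
++ header, remain, ok := strings.Cut(token, tokenDelimiter)
++ if !ok {
++ return nil, false
++ }
++ parts[0] = header
++ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++ if !ok {
++ return nil, false
++ }
++ parts[1] = claims
++ // One more cut to ensure the signature is the last part of the token and there are no more
++ // delimiters. This avoids an issue where malicious input could contain additional delimiters
++ // causing unecessary overhead parsing tokens.
++ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++ if unexpected {
++ return nil, false
++ }
++ parts[2] = signature
++
++ return parts, true
++}
++
+--
+2.45.3
+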
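Review bot: The backport carries upstream's change to ParseUnverified's malformed-token path, `return nil, nil, NewValidationError(...)` in place of `return nil, parts, NewValidationError(...)`, so a caller that inspected the returned `parts` alongside the error now receives nil, and the patch header cites the upstream commit without calling out this observable change. A line under "Upstream source:" such as `Note: on malformed input ParseUnverified now returns nil parts together with the error.` would help whoever checks coredns's callers of this vendored API, which are not visible here. The fix itself reads correctly: three strings.Cut calls examine at most the first three segments however many delimiters the input holds, whereas strings.Split allocated one entry per delimiter, which is the overhead the new comment in splitToken describes. The comment typo `unecessary` in splitToken is upstream's and is best left alone so the patch keeps matching the referenced commit.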
10 changes: 7 additions & 3 deletions SPECS/coredns/coredns.spec
Expand Up @@ -3,7 +3,7 @@
Summary: Fast and flexible DNS server
Name: coredns
Version: 1.11.1
Release: 15%{?dist}
Release: 16%{?dist}
License: Apache License 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Expand Down Expand Up @@ -42,6 +42,7 @@ Patch7: CVE-2025-22868.patch
# https://github.com/coredns/coredns/commit/d8ecde1080e7cbbeb98257ba4e03a271f16b4cd9
Patch8: coredns-example-net-test.patch
Patch9: CVE-2024-53259.patch
Patch10: CVE-2025-30204.patch

BuildRequires: msft-golang

Expand Down Expand Up @@ -80,6 +81,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name}
%{_bindir}/%{name}

%changelog
* Mon Mar 31 2025 Kshitiz Godara <kgodara@microsoft.com> - 1.11.1-16
- Fix CVE-2025-30204 with an upstream patch

* Wed Mar 19 2025 Mayank Singh <mayansingh@microsoft.com> - 1.11.1-15
- Fix CVE-2024-53259 with an upstream patch

Expand Down Expand Up @@ -110,7 +114,7 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name}
* Wed Apr 17 2024 Bala <balakumaran.kannan@microsoft.com> - 1.11.1-6
- Patched vendored quic-go package to address CVE-2024-22189

* Fri Feb 10 2024 Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com> - 1.11.1-5
* Sat Feb 10 2024 Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com> - 1.11.1-5
- patched vendored quic-go package to address CVE-2023-49295

* Thu Feb 08 2024 Muhammad Falak <mwani@microsoft.com> - 1.11.1-4
Expand All @@ -123,7 +127,7 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name}
* Mon Jan 29 2024 Daniel McIlvaney <damcilva@microsoft.com> - 1.11.1-2
- Address CVE-2023-44487 by patching vendored golang.org/x/net

* Tue Oct 18 2023 Nicolas Guibourge <nicolasg@microsoft.com> - 1.11.1-1
* Wed Oct 18 2023 Nicolas Guibourge <nicolasg@microsoft.com> - 1.11.1-1
- Upgrade to 1.11.1 to match version required by kubernetes

* Mon Oct 16 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.9.3-10