From 5febb002b3f74223e6392074bf0ebebc2f3cde97 Mon Sep 17 00:00:00 2001
From: "Sreenivasulu Malavathula (HCL Technologies Ltd)"
Date: Mon, 31 Mar 2025 11:49:32 -0500
Subject: [PATCH] [Medium] Patch keda for CVE-2025-22870 and CVE-2024-51744 (#12970)

Signed-off-by: Sreenivasulu Malavathula
Co-authored-by: jslobodzian
(cherry picked from commit 27781c3fd75e218ace0e72ae117948fd0e12817c)
---
 SPECS/keda/CVE-2024-51744.patch | 86 +++++++++++++++++++++++++++++++++
 SPECS/keda/CVE-2025-22870.patch | 47 ++++++++++++++++++
 SPECS/keda/keda.spec | 7 ++-
 3 files changed, 139 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/keda/CVE-2024-51744.patch
 create mode 100644 SPECS/keda/CVE-2025-22870.patch

diff --git a/SPECS/keda/CVE-2024-51744.patch b/SPECS/keda/CVE-2024-51744.patch
new file mode 100644
index 00000000000..11c9872fbf9
--- /dev/null
+++ b/SPECS/keda/CVE-2024-51744.patch
@@ -0,0 +1,86 @@
+From da9cc2fcfc075958f3bd728992dce97ba53e5c71 Mon Sep 17 00:00:00 2001
+From: Sreenivasulu Malavathula
+Date: Thu, 13 Mar 2025 22:49:38 -0500
+Subject: [PATCH] Addressing CVE-2024-51744
+
+---
+ .../github.com/form3tech-oss/jwt-go/parser.go | 36 +++++++++++--------
+ 1 file changed, 21 insertions(+), 15 deletions(-)
+
+diff --git a/vendor/github.com/form3tech-oss/jwt-go/parser.go b/vendor/github.com/form3tech-oss/jwt-go/parser.go
+index d6901d9..bfb480c 100644
+--- a/vendor/github.com/form3tech-oss/jwt-go/parser.go
++++ b/vendor/github.com/form3tech-oss/jwt-go/parser.go
+@@ -14,12 +14,21 @@ type Parser struct {
+ }
+ 
+ // Parse, validate, and return a token.
+-// keyFunc will receive the parsed token and should return the key for validating.
+-// If everything is kosher, err will be nil
++// Parse parses, validates, verifies the signature and returns the parsed token. keyFunc will
++// receive the parsed token and should return the key for validating.
+ func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
+ return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
+ }
+ 
++// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object
++// implementing the Claims interface. This provides default values which can be overridden and
++// allows a caller to use their own type, rather than the default MapClaims implementation of
++// Claims.
++//
++// Note: If you provide a custom claim implementation that embeds one of the standard claims (such
++// as RegisteredClaims), make sure that a) you either embed a non-pointer version of the claims or
++// b) if you are using a pointer, allocate the proper memory for it before passing in the overall
++// claims, otherwise you might run into a panic.
+ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
+ token, parts, err := p.ParseUnverified(tokenString, claims)
+ if err != nil {
+@@ -56,12 +65,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
+ }
+ 
++ // Perform validation
++ token.Signature = parts[2]
++ if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
++ return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid}
++ }
++
+ vErr := &ValidationError{}
+ 
+ // Validate Claims
+ if !p.SkipClaimsValidation {
+ if err := token.Claims.Valid(); err != nil {
+-
+ // If the Claims Valid returned an error, check if it is a validation error,
+ // If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
+ if e, ok := err.(*ValidationError); !ok {
+@@ -69,22 +83,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ } else {
+ vErr = e
+ }
++ return token, vErr
+ }
+ }
+ 
+- // Perform validation
+- token.Signature = parts[2]
+- if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
+- vErr.Inner = err
+- vErr.Errors |= ValidationErrorSignatureInvalid
+- }
+-
+- if vErr.valid() {
+- token.Valid = true
+- return token, nil
+- }
++ // No errors so far, token is valid.
++ token.Valid = true
+ 
+- return token, vErr
++ return token, nil
+ }
+ 
+ // WARNING: Don't use this method unless you know what you're doing
+--
+2.45.2
+
diff --git a/SPECS/keda/CVE-2025-22870.patch b/SPECS/keda/CVE-2025-22870.patch
new file mode 100644
index 00000000000..b8e8e54fe7e
--- /dev/null
+++ b/SPECS/keda/CVE-2025-22870.patch
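Review bot: The rewritten Parse doc comment keeps the old first line `// Parse, validate, and return a token.` directly above the new `// Parse parses, validates, verifies the signature and returns the parsed token.`, so the godoc now opens with a stale sentence that does not start with the function name and then repeats itself; the old line should be dropped. The new ParseWithClaims note refers to `RegisteredClaims`, which is the golang-jwt v4 type, whereas this form3tech-oss fork's standard claims type appears to be `StandardClaims`, so the reference should be adjusted or readers will be pointed at a type the vendored package does not define. The reordering itself, verifying the signature and returning on the first failure before the claims are validated and returning on a claims error instead of accumulating flags, is the substance of the fix, and the retained `vErr := &ValidationError{}` is now only populated on the claims path, which is consistent. ParseWithClaims opens and closes inside this hunk, but the `!ok` branch that fills vErr with the generic ClaimsInvalid error sits in the context gap between the two inner hunks and is not visible here.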
@@ -0,0 +1,47 @@
+From 52c84a42ef05c1de656c2aa9f92ca1b3b4df4918 Mon Sep 17 00:00:00 2001
+From: Sreenivasulu Malavathula
+Date: Thu, 13 Mar 2025 22:16:59 -0500
+Subject: [PATCH] Patching CVE-2025-22870
+
+---
+ vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http/httpproxy/proxy.go b/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index 1415b07..0d23a10 100644
+--- a/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -14,6 +14,7 @@ import (
+ "errors"
+ "fmt"
+ "net"
++ "net/netip"
+ "net/url"
+ "os"
+ "strings"
+@@ -181,8 +182,10 @@ func (cfg *config) useProxy(addr string) bool {
+ if host == "localhost" {
+ return false
+ }
+- ip := net.ParseIP(host)
+- if ip != nil {
++ nip, err := netip.ParseAddr(host)
++ var ip net.IP
++ if err == nil {
++ ip = net.IP(nip.AsSlice())
+ if ip.IsLoopback() {
+ return false
+ }
+@@ -361,6 +364,9 @@ type domainMatch struct {
+ }
+ 
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++ if ip != nil {
++ return false
++ }
+ if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+ return m.port == "" || m.port == port
+ }
+--
+2.45.2
+
diff --git a/SPECS/keda/keda.spec b/SPECS/keda/keda.spec
index 358ef6be6b2..767541f44d4 100644
--- a/SPECS/keda/keda.spec
+++ b/SPECS/keda/keda.spec
@@ -1,7 +1,7 @@
 Summary: Kubernetes-based Event Driven Autoscaling
 Name: keda
 Version: 2.4.0
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -37,6 +37,8 @@ Patch5: CVE-2024-45338.patch
 Patch6: CVE-2024-28180.patch
 Patch7: CVE-2025-27144.patch
 Patch8: CVE-2022-3162.patch
+Patch9: CVE-2025-22870.patch
+Patch10: CVE-2024-51744.patch
 BuildRequires: golang
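Review bot: The switch from `net.ParseIP` to `netip.ParseAddr` in useProxy carries the whole point of this fix, yet nothing in the hunk says why, and the new `if ip != nil { return false }` guard at the top of domainMatch.match is equally silent, so a later rebase could easily mistake both for cosmetic modernisation. Above `nip, err := netip.ParseAddr(host)` I would add `// netip.ParseAddr, unlike net.ParseIP, accepts an IPv6 zone suffix, so a zoned literal is still classified as an IP here rather than falling through to the domain matchers.`, and above the new guard in match `// An IP literal never satisfies a domain pattern, whatever its textual suffix looks like.` Note that `net.IP(nip.AsSlice())` drops the zone, so the loopback check and whatever matchers follow see the bare address; that appears to be the intent, but is worth stating. Both useProxy and match continue past the inner hunks, so their remaining bodies are not visible here.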
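Review bot: Patch9 and Patch10 are declared here, but whether they are actually applied depends on the %prep section, which lies outside this hunk; if that section applies patches with explicit `%patch` directives rather than `%autosetup`, matching `%patch9 -p1` and `%patch10 -p1` lines are needed, otherwise the build will quietly ship the unpatched vendored code while the changelog claims the CVEs are fixed. Both patches modify files under `vendor/`, so they only take effect if the %build step compiles against the vendored tree, which is also worth confirming from the parts of the spec not shown.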
@@ -72,6 +74,9 @@ cp ./bin/keda-adapter %{buildroot}%{_bindir}
 %{_bindir}/%{name}-adapter
 %changelog
+* Fri Mar 14 2025 Sreeniavsulu Malavathula - 2.4.0-29
+- Patch to fix CVE-2025-22870, CVE-2024-51744 with an upstream patch
+
 * Thu Mar 06 2025 Sandeep Karambelkar - 2.4.0-28
 - Fix CVE-2022-3162 with upstream patch