
Patch docker-buildx for CVE-2025-22872 #13859


Draft: wants to merge 5 commits into base 3.0-dev

Conversation

Copilot (Contributor)

@Copilot Copilot AI commented May 22, 2025

Summary

This PR addresses CVE-2025-22872 in the docker-buildx package by applying the upstream patch from the Go library.

Changes

  • Added upstream patch from Golang's net package that fixes improper handling of trailing solidus in unquoted attribute values in foreign content
  • Incremented the Release tag from 5 to 6
  • Added appropriate changelog entry

Technical Details

The vulnerability occurs in the HTML tokenizer when parsing tags with trailing solidus in unquoted attribute values. The parser correctly handles tags like <p a=/> as <p a="/">, but the tokenizer was emitting the SelfClosingTagToken token incorrectly. When used to parse foreign content, this resulted in an incorrect DOM.

The upstream fix improves the logic for detecting self-closing tags by checking that the last character of the tag isn't also the last character of an unquoted attribute value.

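To make the summary's self-closing check concrete, here is an added Go example, constructed for this page and not code from golang.org/x/net or from this PR's patch: a toy start-tag scanner whose `SelfClosing` flag stands in for the SelfClosingTagToken decision. `ScanStartTag`, `StartTag` and the `fixed` switch are assumptions of this example, and it handles only unquoted attribute values and space separators.

```go
package main

import (
	"fmt"
	"strings"
)

// StartTag is what scanning the text between '<' and '>' of one start tag yields.
type StartTag struct {
	Name        string
	Attrs       map[string]string
	SelfClosing bool
}

// ScanStartTag scans raw, e.g. `p a=/` (toy scanner: unquoted values and space
// separators only). fixed=false applies the flawed rule, a trailing '/' always means
// self-closing; fixed=true counts it only if it is not the last byte of an unquoted value.
func ScanStartTag(raw string, fixed bool) StartTag {
	t := StartTag{Attrs: map[string]string{}}
	i := strings.IndexAny(raw+" ", " /") // tag name ends at a space, '/' or the tag end
	t.Name = strings.ToLower(raw[:i])
	unquotedEnd := -1 // index just past the most recent unquoted attribute value
	for i < len(raw) {
		if raw[i] == ' ' || raw[i] == '/' { // separator, a stray '/', or the closing '/'
			i++
			continue
		}
		start := i
		for i < len(raw) && strings.IndexByte(" /=", raw[i]) < 0 {
			i++
		}
		key, val := strings.ToLower(raw[start:i]), ""
		if i < len(raw) && raw[i] == '=' { // unquoted value runs to a space or tag end, '/' included
			start = i + 1
			for i = start; i < len(raw) && raw[i] != ' '; i++ {
			}
			val, unquotedEnd = raw[start:i], i
		}
		t.Attrs[key] = val
	}
	// Flawed rule: last byte is '/'. Fix: that byte must not belong to an unquoted value.
	t.SelfClosing = strings.HasSuffix(raw, "/") && (!fixed || unquotedEnd != len(raw))
	return t
}
func main() {
	for _, raw := range []string{"p a=/", "p a=b/", "br/", "input disabled/", "p a=/ b=c"} {
		old, fixed := ScanStartTag(raw, false), ScanStartTag(raw, true)
		fmt.Printf("<%s> attrs=%v selfClosing: flawed=%v fixed=%v\n", raw, fixed.Attrs, old.SelfClosing, fixed.SelfClosing)
	}
}
```

Both rules agree on `<br/>` and `<input disabled/>`; they differ exactly when the trailing solidus was consumed as the end of an unquoted value, as in `<p a=/>`.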

Co-authored-by: kgodara912 <193572699+kgodara912@users.noreply.github.com>
@Copilot Copilot AI changed the title from "[WIP] Patch docker-buildx for CVE-2025-22872" to "[High] Patch docker-buildx for CVE-2025-22872" on May 22, 2025
@Copilot Copilot AI requested a review from kgodara912 May 22, 2025 05:55
Copilot finished work on behalf of kgodara912 May 22, 2025 05:55
@kgodara912 (Contributor)

update patch file paths in SPECS/docker-buildx/CVE-2025-22872.patch from html/token.go to vendor/golang.org/x/net/html/token.go

Co-authored-by: kgodara912 <193572699+kgodara912@users.noreply.github.com>
Contributor Author

Copilot AI commented May 22, 2025

update patch file paths in SPECS/docker-buildx/CVE-2025-22872.patch from html/token.go to vendor/golang.org/x/net/html/token.go

I've updated the patch file paths in SPECS/docker-buildx/CVE-2025-22872.patch from html/token.go to vendor/golang.org/x/net/html/token.go as requested. The changes are included in commit 60c87c3.

Copilot finished work on behalf of kgodara912 May 22, 2025 06:05
@kgodara912 (Contributor)

Please remove vendor/golang.org/x/net/html/token_test.go from SPECS/docker-buildx/CVE-2025-22872.patch

Co-authored-by: kgodara912 <193572699+kgodara912@users.noreply.github.com>
Contributor Author

Copilot AI commented May 22, 2025

Please remove vendor/golang.org/x/net/html/token_test.go from SPECS/docker-buildx/CVE-2025-22872.patch

I've removed the vendor/golang.org/x/net/html/token_test.go file from the CVE-2025-22872.patch as requested. The patch now only includes changes to the token.go file. The changes are in commit 9c3863b.

Copilot finished work on behalf of kgodara912 May 22, 2025 06:16
Labels
3.0-dev PRs Destined for AzureLinux 3.0 Packaging security