
Patch blobfuse2 for CVE-2025-30204 [High] (Do Not Merge) #13794

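--- /dev/null
+++ b/SPECS/blobfuse2/CVE-2025-30204.patch
@@ -0,0 +1,168 @@
+From 855549d5c9dd981d8a93ddbc3d03bbc6e4b9330c Mon Sep 17 00:00:00 2001
+From: Shiwani Jain <t-shijain@microsoft.com>
+Date: Wed, 14 May 2025 10:47:34 +0000
+Subject: [PATCH] CVE-2025-30204
+
+Upstream Patch Reference : v4: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84
+---
+vendor/github.com/golang-jwt/jwt/v4/jwt_test.go | 89 ++++++++++++++++++++++++
+vendor/github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++-
+2 files changed, 122 insertions(+), 3 deletions(-)
+create mode 100644 vendor/github.com/golang-jwt/jwt/v4/jwt_test.go
+
+diff --git a/vendor/github.com/golang-jwt/jwt/v4/jwt_test.go b/vendor/github.com/golang-jwt/jwt/v4/jwt_test.go
+new file mode 100644
+index 0000000..b01e899
+--- /dev/null
++++ b/vendor/github.com/golang-jwt/jwt/v4/jwt_test.go
+@@ -0,0 +1,89 @@
++package jwt
++
++import (
++ "testing"
++)
++
++func TestSplitToken(t *testing.T) {
++ t.Parallel()
++
++ tests := []struct {
++ name string
++ input string
++ expected []string
++ isValid bool
++ }{
++ {
++ name: "valid token with three parts",
++ input: "header.claims.signature",
++ expected: []string{"header", "claims", "signature"},
++ isValid: true,
++ },
++ {
++ name: "invalid token with two parts only",
++ input: "header.claims",
++ expected: nil,
++ isValid: false,
++ },
++ {
++ name: "invalid token with one part only",
++ input: "header",
++ expected: nil,
++ isValid: false,
++ },
++ {
++ name: "invalid token with extra delimiter",
++ input: "header.claims.signature.extra",
++ expected: nil,
++ isValid: false,
++ },
++ {
++ name: "invalid empty token",
++ input: "",
++ expected: nil,
++ isValid: false,
++ },
++ {
++ name: "valid token with empty parts",
++ input: "..signature",
++ expected: []string{"", "", "signature"},
++ isValid: true,
++ },
++ {
++ // We are just splitting the token into parts, so we don't care about the actual values.
++ // It is up to the caller to validate the parts.
++ name: "valid token with all parts empty",
++ input: "..",
++ expected: []string{"", "", ""},
++ isValid: true,
++ },
++ {
++ name: "invalid token with just delimiters and extra part",
++ input: "...",
++ expected: nil,
++ isValid: false,
++ },
++ {
++ name: "invalid token with many delimiters",
++ input: "header.claims.signature..................",
++ expected: nil,
++ isValid: false,
++ },
++ }
++
++ for _, tt := range tests {
++ t.Run(tt.name, func(t *testing.T) {
++ parts, ok := splitToken(tt.input)
++ if ok != tt.isValid {
++ t.Errorf("expected %t, got %t", tt.isValid, ok)
++ }
++ if ok {
++ for i, part := range tt.expected {
++ if parts[i] != part {
++ t.Errorf("expected %s, got %s", part, parts[i])
++ }
++ }
++ }
++ })
++ }
++}
+diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+index c0a6f69..8e7e67c 100644
+--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+@@ -7,6 +7,8 @@ import (
+"strings"
+)
+
++const tokenDelimiter = "."
++
+type Parser struct {
+// If populated, only these methods will be considered valid.
+//
+@@ -123,9 +125,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+// It's only ever useful in cases where you know the signature is valid (because it has
+// been checked previously in the stack) and you want to extract values from it.
+func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+- parts = strings.Split(tokenString, ".")
+- if len(parts) != 3 {
+- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
++ var ok bool
++ parts, ok = splitToken(tokenString)
++ if !ok {
++ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+}
+
+token = &Token{Raw: tokenString}
+@@ -175,3 +178,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+
+return token, parts, nil
+}
++
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++ parts := make([]string, 3)
++ header, remain, ok := strings.Cut(token, tokenDelimiter)
++ if !ok {
++ return nil, false
++ }
++ parts[0] = header
++ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++ if !ok {
++ return nil, false
++ }
++ parts[1] = claims
++ // One more cut to ensure the signature is the last part of the token and there are no more
++ // delimiters. This avoids an issue where malicious input could contain additional delimiters
++ // causing unecessary overhead parsing tokens.
++ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++ if unexpected {
++ return nil, false
++ }
++ parts[2] = signature
++
++ return parts, true
++}
+--
+2.45.3
+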
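Review bot: ParseUnverified's error path now returns `nil` for `parts` (the `@@ -123,9 +125,10 @@` hunk) where it previously returned whatever `strings.Split` produced, so any blobfuse2 caller that inspected `parts` on a malformed token now sees nil; this matches upstream 2f0e9add and is intentional, but the doc comment above that hunk does not say so, and a line such as `// On a malformed token, parts is nil and err reports ValidationErrorMalformed.` would make the new contract explicit. ParseUnverified's body continues outside the hunk. In jwt_test.go the invalid cases never check the "nil parts" promise made in splitToken's doc comment, because the comparison loop only runs when `ok` is true; `if !ok && parts != nil { t.Errorf("expected nil parts, got %v", parts) }` before the loop would pin that, though deviating from the upstream test in a vendored patch is a judgement call. Since `_test.go` files are not compiled into the binary, the added test file changes the source package only, and the actual fix shipped to users is the bounded three-way split in parser.go.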
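--- a/SPECS/blobfuse2/blobfuse2.spec
+++ b/SPECS/blobfuse2/blobfuse2.spec
@@ -7,7 +7,7 @@
 Summary: FUSE adapter - Azure Storage
 Name: blobfuse2
 Version: %{blobfuse2_version}
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -38,6 +38,7 @@ Source1: %{name}-%{version}-vendor.tar.gz
 Patch0: CVE-2023-45288.patch
 Patch1: CVE-2024-24786.patch
 Patch2: CVE-2025-22868.patch
+Patch3: CVE-2025-30204.patch
 BuildRequires: cmake
 BuildRequires: fuse3-devel
 BuildRequires: gcc
@@ -82,6 +83,9 @@ install -D -m 0644 ./setup/blobfuse2-logrotate %{buildroot}%{_sysconfdir}/logrot
 %{_sysconfdir}/logrotate.d/blobfuse2
 
 %changelog
+* Wed May 14 2025 Shiwani Jain <t-shijain@microsoft.com> - 2.1.2-9
+- Fix CVE-2025-30204 with an upstream patch
+
 * Sun Mar 02 2025 Kanishk Bansal <kanbansal@microsoft.com> - 2.1.2-8
 - Fix CVE-2025-22868 with an upstream patch
 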
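Review bot: `Patch3: CVE-2025-30204.patch` is declared in the `@@ -38,6 +38,7 @@` hunk, but whether it is applied depends on the `%prep` section, which lies outside this diff; if the spec applies patches with explicit `%patch` directives rather than `%autosetup -p1`, a matching directive for Patch3 is also required, and because the patch touches paths under `vendor/` the Source1 vendor tarball has to be unpacked before the patch step runs. Patch0 through Patch2 presumably go through the same mechanism, so this is a verification item rather than a defect in the hunk.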