Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patch cri-o for CVE-2025-27144 [medium] #13067

Merged
merged 1 commit into from
Mar 24, 2025
Merged

Patch cri-o for CVE-2025-27144 [medium] #13067

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions SPECS/cri-o/CVE-2025-27144.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
From fa324fa38481f9d2da9109cb5983326f62ff7507 Mon Sep 17 00:00:00 2001
From: Kanishk-Bansal <[email protected]>
Date: Fri, 28 Feb 2025 07:45:53 +0000
Subject: [PATCH] CVE-2025-27144
Upstream Ref: https://github.com/go-jose/go-jose/commit/c9ed84d8f0cfadcfad817150158caca6fcbc518b

---
vendor/gopkg.in/square/go-jose.v2/jwe.go | 5 +++--
vendor/gopkg.in/square/go-jose.v2/jws.go | 5 +++--
2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/vendor/gopkg.in/square/go-jose.v2/jwe.go b/vendor/gopkg.in/square/go-jose.v2/jwe.go
index b5a6dcd..cd1de9e 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwe.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jwe.go
@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {

// parseEncryptedCompact parses a message in compact format.
func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
- parts := strings.Split(input, ".")
- if len(parts) != 5 {
+ // Five parts is four separators
+ if strings.Count(input, ".") != 4 {
return nil, fmt.Errorf("square/go-jose: compact JWE format must have five parts")
}
+ parts := strings.SplitN(input, ".", 5)

rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
if err != nil {
diff --git a/vendor/gopkg.in/square/go-jose.v2/jws.go b/vendor/gopkg.in/square/go-jose.v2/jws.go
index 7e261f9..a8d55fb 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jws.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jws.go
@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {

// parseSignedCompact parses a message in compact format.
func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
- parts := strings.Split(input, ".")
- if len(parts) != 3 {
+ // Three parts is two separators
+ if strings.Count(input, ".") != 2 {
return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts")
}
+ parts := strings.SplitN(input, ".", 3)

if parts[1] != "" && payload != nil {
return nil, fmt.Errorf("square/go-jose: payload is not detached")
--
2.45.2

6 changes: 5 additions & 1 deletion SPECS/cri-o/cri-o.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ Summary: OCI-based implementation of Kubernetes Container Runtime Interfa
# Define macros for further referenced sources
Name: cri-o
Version: 1.22.3
Release: 10%{?dist}
Release: 11%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Expand Down Expand Up @@ -73,6 +73,7 @@ Patch17: CVE-2024-9341.patch
Patch18: CVE-2024-45338.patch
Patch19: CVE-2023-0778.patch
Patch20: CVE-2023-6476.patch
Patch21: CVE-2025-27144.patch
BuildRequires: btrfs-progs-devel
BuildRequires: device-mapper-devel
BuildRequires: fdupes
Expand Down Expand Up @@ -225,6 +226,9 @@ mkdir -p /opt/cni/bin
%{_fillupdir}/sysconfig.kubelet

%changelog
* Fri Mar 21 2025 Dallas Delaney <[email protected]> - 1.22.3-11
- Add patch for CVE-2025-27144

* Thu Jan 23 2025 Sumedh Sharma <[email protected]> - 1.22.3-10
- Add patch for CVE-2023-0778 & CVE-2023-6476.

Expand Down
Loading