File 0005-CVE-2025-27144-vendor-don-t-allow-unbounde... of Package podman

Overview Repositories Revisions Requests Users Attributes Meta

File 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch of Package podman

From dda641be16015a75016a67e122615f92c3363d09 Mon Sep 17 00:00:00 2001
From: Danish Prakash <contact@danishpraka.sh>
Date: Fri, 28 Feb 2025 12:54:44 +0530
Subject: [PATCH 5/6] CVE-2025-27144: vendor: don't allow unbounded amounts of
 splits (#10)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In compact JWS/JWE, don't allow unbounded number of splits.
Count to make sure there's the right number, then use SplitN.

This fixes CVE-2025-27144
This fixes bsc#1237641

Cherry-picked from
https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22

Signed-off-by: Dan Čermák <dcermak@suse.com>
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
Co-authored-by: Matthew McPherrin <mattm@letsencrypt.org>
---
 vendor/github.com/go-jose/go-jose/v3/jwe.go | 5 +++--
 vendor/github.com/go-jose/go-jose/v3/jws.go | 5 +++--
 vendor/gopkg.in/go-jose/go-jose.v2/jwe.go   | 5 +++--
 vendor/gopkg.in/go-jose/go-jose.v2/jws.go   | 5 +++--
 4 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/vendor/github.com/go-jose/go-jose/v3/jwe.go b/vendor/github.com/go-jose/go-jose/v3/jwe.go
index 4267ac75025a..1ba4ae0c0031 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jwe.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jwe.go
@@ -202,10 +202,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
 
 // parseEncryptedCompact parses a message in compact format.
 func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
-	parts := strings.Split(input, ".")
-	if len(parts) != 5 {
+	// Five parts is four separators
+	if strings.Count(input, ".") != 4 {
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
 	}
+	parts := strings.SplitN(input, ".", 5)
 
 	rawProtected, err := base64URLDecode(parts[0])
 	if err != nil {
diff --git a/vendor/github.com/go-jose/go-jose/v3/jws.go b/vendor/github.com/go-jose/go-jose/v3/jws.go
index e37007dbb855..401fc18ac4df 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jws.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jws.go
@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
 
 // parseSignedCompact parses a message in compact format.
 func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
-	parts := strings.Split(input, ".")
-	if len(parts) != 3 {
+	// Three parts is two separators
+	if strings.Count(input, ".") != 2 {
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
 	}
+	parts := strings.SplitN(input, ".", 3)
 
 	if parts[1] != "" && payload != nil {
 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
index a8966ab8e9d3..faebb8dd4ca4 100644
--- a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
 
 // parseEncryptedCompact parses a message in compact format.
 func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
-	parts := strings.Split(input, ".")
-	if len(parts) != 5 {
+	// Five parts is four separators
+	if strings.Count(input, ".") != 4 {
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
 	}
+	parts := strings.SplitN(input, ".", 5)
 
 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
 	if err != nil {
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
index 1a24fa468a31..717f04ace0ce 100644
--- a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
 
 // parseSignedCompact parses a message in compact format.
 func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
-	parts := strings.Split(input, ".")
-	if len(parts) != 3 {
+	// Three parts is two separators
+	if strings.Count(input, ".") != 2 {
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
 	}
+	parts := strings.SplitN(input, ".", 3)
 
 	if parts[1] != "" && payload != nil {
 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
-- 
2.46.0

xxxxxxxxxx
 
From dda641be16015a75016a67e122615f92c3363d09 Mon Sep 17 00:00:00 2001
From: Danish Prakash <contact@danishpraka.sh>
Date: Fri, 28 Feb 2025 12:54:44 +0530
Subject: [PATCH 5/6] CVE-2025-27144: vendor: don't allow unbounded amounts of
 splits (#10)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
​
In compact JWS/JWE, don't allow unbounded number of splits.
Count to make sure there's the right number, then use SplitN.
​
This fixes CVE-2025-27144
This fixes bsc#1237641
​
Cherry-picked from
https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22
​
Signed-off-by: Dan Čermák <dcermak@suse.com>
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
Co-authored-by: Matthew McPherrin <mattm@letsencrypt.org>
---
 vendor/github.com/go-jose/go-jose/v3/jwe.go | 5 +++--
 vendor/github.com/go-jose/go-jose/v3/jws.go | 5 +++--
 vendor/gopkg.in/go-jose/go-jose.v2/jwe.go   | 5 +++--
 vendor/gopkg.in/go-jose/go-jose.v2/jws.go   | 5 +++--
 4 files changed, 12 insertions(+), 8 deletions(-)
​
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwe.go b/vendor/github.com/go-jose/go-jose/v3/jwe.go
index 4267ac75025a..1ba4ae0c0031 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jwe.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jwe.go
@@ -202,10 +202,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
 
 // parseEncryptedCompact parses a message in compact format.
 func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
-   parts := strings.Split(input, ".")
-   if len(parts) != 5 {
+   // Five parts is four separators
+   if strings.Count(input, ".") != 4 {
        return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
    }
+   parts := strings.SplitN(input, ".", 5)
 
    rawProtected, err := base64URLDecode(parts[0])
    if err != nil {
diff --git a/vendor/github.com/go-jose/go-jose/v3/jws.go b/vendor/github.com/go-jose/go-jose/v3/jws.go
index e37007dbb855..401fc18ac4df 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jws.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jws.go
@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
 
 // parseSignedCompact parses a message in compact format.
 func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
-   parts := strings.Split(input, ".")
-   if len(parts) != 3 {
+   // Three parts is two separators
+   if strings.Count(input, ".") != 2 {
        return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
    }
+   parts := strings.SplitN(input, ".", 3)
 
    if parts[1] != "" && payload != nil {
        return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
index a8966ab8e9d3..faebb8dd4ca4 100644
--- a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
 
 // parseEncryptedCompact parses a message in compact format.
 func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
-   parts := strings.Split(input, ".")
-   if len(parts) != 5 {
+   // Five parts is four separators
+   if strings.Count(input, ".") != 4 {
        return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
    }
+   parts := strings.SplitN(input, ".", 5)
 
    rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
    if err != nil {
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
index 1a24fa468a31..717f04ace0ce 100644
--- a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
 
 // parseSignedCompact parses a message in compact format.
 func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
-   parts := strings.Split(input, ".")
-   if len(parts) != 3 {
+   // Three parts is two separators
+   if strings.Count(input, ".") != 2 {
        return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
    }
+   parts := strings.SplitN(input, ".", 3)
 
    if parts[1] != "" && payload != nil {
        return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
-- 
2.46.0
​
​

Places

File 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch of Package podman

Places