Sync from SUSE:SLFO:Main podman revision b6aaf2340aecd09a7e184fbdbca318f4

2025-03-12 17:19:39 +01:00 · 2025-03-12 17:19:39 +01:00 · 3dba964b97
commit 3dba964b97
parent e253b7c873
4 changed files with 109 additions and 1 deletions
--- a/0001-vendor-bump-buildah-to-1.37.6-CVE-2024-11218.patch
+++ b/0001-vendor-bump-buildah-to-1.37.6-CVE-2024-11218.patch
@ -1,7 +1,7 @@
 From bf768e9a1fd103bb84503bcec4187b9e7cff10bd Mon Sep 17 00:00:00 2001
 From: Danish Prakash <contact@danishpraka.sh>
 Date: Mon, 17 Feb 2025 14:21:30 +0530
-Subject: [PATCH] vendor: bump buildah to 1.37.6; CVE-2024-11218
+Subject: [PATCH 1/2] vendor: bump buildah to 1.37.6; CVE-2024-11218

 Fix a time-of-check/time-of-use error when mounting type=bind and
 type=cache directories that use a "src" flag.  A hostile writer could
--- a/0002-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
+++ b/0002-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
@ -0,0 +1,99 @@
+From aae4b1bdc593b2b454469992977f776bd35435f3 Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Fri, 28 Feb 2025 12:54:41 +0530
+Subject: [PATCH 2/2] CVE-2025-27144: vendor: don't allow unbounded amounts of
+ splits (#11)
+
+In compact JWS/JWE, don't allow unbounded number of splits.
+Count to make sure there's the right number, then use SplitN.
+
+This fixes CVE-2025-27144
+This fixes bsc#1237641
+
+Cherry-picked from
+go-jose/go-jose@99b346c
+
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+Co-authored-by: Matthew McPherrin <git@mcpherrin.ca>
+---
+ vendor/github.com/go-jose/go-jose/v3/jwe.go | 5 +++--
+ vendor/github.com/go-jose/go-jose/v3/jws.go | 5 +++--
+ vendor/github.com/go-jose/go-jose/v4/jwe.go | 5 +++--
+ vendor/github.com/go-jose/go-jose/v4/jws.go | 5 +++--
+ 4 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jwe.go b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+index 4267ac75025a..1ba4ae0c0031 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jwe.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+@@ -202,10 +202,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+ 
+ // parseEncryptedCompact parses a message in compact format.
+ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 5 {
+	// Five parts is four separators
+	if strings.Count(input, ".") != 4 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ 	}
+	parts := strings.SplitN(input, ".", 5)
+ 
+ 	rawProtected, err := base64URLDecode(parts[0])
+ 	if err != nil {
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jws.go b/vendor/github.com/go-jose/go-jose/v3/jws.go
+index e37007dbb855..401fc18ac4df 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jws.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+ 
+ // parseSignedCompact parses a message in compact format.
+ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 3 {
+	// Three parts is two separators
+	if strings.Count(input, ".") != 2 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ 	}
+	parts := strings.SplitN(input, ".", 3)
+ 
+ 	if parts[1] != "" && payload != nil {
+ 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+diff --git a/vendor/github.com/go-jose/go-jose/v4/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go
+index 89f03ee3e1e6..9f1322dccc9c 100644
+--- a/vendor/github.com/go-jose/go-jose/v4/jwe.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go
+@@ -288,10 +288,11 @@ func ParseEncryptedCompact(
+ 	keyAlgorithms []KeyAlgorithm,
+ 	contentEncryption []ContentEncryption,
+ ) (*JSONWebEncryption, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 5 {
+	// Five parts is four separators
+	if strings.Count(input, ".") != 4 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ 	}
+	parts := strings.SplitN(input, ".", 5)
+ 
+ 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ 	if err != nil {
+diff --git a/vendor/github.com/go-jose/go-jose/v4/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go
+index 3a912301afc2..d09d8ba5078c 100644
+--- a/vendor/github.com/go-jose/go-jose/v4/jws.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jws.go
+@@ -327,10 +327,11 @@ func parseSignedCompact(
+ 	payload []byte,
+ 	signatureAlgorithms []SignatureAlgorithm,
+ ) (*JSONWebSignature, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 3 {
+	// Three parts is two separators
+	if strings.Count(input, ".") != 2 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ 	}
+	parts := strings.SplitN(input, ".", 3)
+ 
+ 	if parts[1] != "" && payload != nil {
+ 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+-- 
+2.46.0
+
--- a/podman.changes
+++ b/podman.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Mar  3 07:21:00 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2025-27144 (bsc#1237641):
+  * 0002-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
+- Rebase patches:
+  * 0001-vendor-bump-buildah-to-1.37.6-CVE-2024-11218.patch
+
 -------------------------------------------------------------------
 Mon Feb 17 09:03:19 UTC 2025 - danish.prakash@suse.com

--- a/podman.spec
+++ b/podman.spec
@ -31,6 +31,7 @@ URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.gz
 Source1:        podman.conf
 Patch0:         0001-vendor-bump-buildah-to-1.37.6-CVE-2024-11218.patch
+Patch1:         0002-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes