Sync from SUSE:SLFO:Main skopeo revision 61766f726da06488bfbcdea0f51bf600

2025-03-12 17:20:39 +01:00 · 2025-03-12 17:20:39 +01:00 · a06eae1283
commit a06eae1283
parent 35b5eaa0b8
5 changed files with 116 additions and 2 deletions
--- a/0001-http2-close-connections-when-receiving-too-many-head.patch
+++ b/0001-http2-close-connections-when-receiving-too-many-head.patch
@ -1,7 +1,7 @@
 From 24daef011d67659fced01c3576ddf2ef17d7190c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
 Date: Wed, 5 Feb 2025 15:38:33 +0100
-Subject: [PATCH 1/2] http2: close connections when receiving too many headers
+Subject: [PATCH 1/3] http2: close connections when receiving too many headers

 Maintaining HPACK state requires that we parse and process
 all HEADERS and CONTINUATION frames on a connection.
--- a/0002-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
+++ b/0002-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
@ -1,7 +1,7 @@
 From 31243434c9214391e60b78aeea714dffa7cbb07f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
 Date: Wed, 5 Feb 2025 17:55:27 +0100
-Subject: [PATCH 2/2] Switch hashicorp/go-retryablehttp to the SUSE fork
+Subject: [PATCH 2/3] Switch hashicorp/go-retryablehttp to the SUSE fork

 The SUSE fork has the fix for CVE-2024-6104 backported to v0.7.5 and is a proper
 go module. Thereby this fix can no longer get overwritten by an accidental
--- a/0003-Don-t-allow-unbounded-amounts-of-splits-https-github.patch
+++ b/0003-Don-t-allow-unbounded-amounts-of-splits-https-github.patch
@ -0,0 +1,101 @@
+From 3a37cde87e3c111d547bdcf12bae7522585e4fc1 Mon Sep 17 00:00:00 2001
+From: Matthew McPherrin <mattm@letsencrypt.org>
+Date: Tue, 25 Feb 2025 15:46:09 +0100
+Subject: [PATCH 3/3] Don't allow unbounded amounts of splits
+ (https://github.com/go-jose/go-jose/pull/167)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In compact JWS/JWE, don't allow unbounded number of splits.
+Count to make sure there's the right number, then use SplitN.
+
+This fixes CVE-2025-27144
+This fixes bsc#1237613
+
+Cherry-picked from
+https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22
+
+Signed-off-by: Dan Čermák <dcermak@suse.com>
+---
+ vendor/github.com/go-jose/go-jose/v3/jwe.go | 5 +++--
+ vendor/github.com/go-jose/go-jose/v3/jws.go | 5 +++--
+ vendor/gopkg.in/go-jose/go-jose.v2/jwe.go   | 5 +++--
+ vendor/gopkg.in/go-jose/go-jose.v2/jws.go   | 5 +++--
+ 4 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jwe.go b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+index 4267ac75..1ba4ae0c 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jwe.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+@@ -202,10 +202,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+ 
+ // parseEncryptedCompact parses a message in compact format.
+ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 5 {
+	// Five parts is four separators
+	if strings.Count(input, ".") != 4 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ 	}
+	parts := strings.SplitN(input, ".", 5)
+ 
+ 	rawProtected, err := base64URLDecode(parts[0])
+ 	if err != nil {
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jws.go b/vendor/github.com/go-jose/go-jose/v3/jws.go
+index e37007db..401fc18a 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jws.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+ 
+ // parseSignedCompact parses a message in compact format.
+ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 3 {
+	// Three parts is two separators
+	if strings.Count(input, ".") != 2 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ 	}
+	parts := strings.SplitN(input, ".", 3)
+ 
+ 	if parts[1] != "" && payload != nil {
+ 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
+index a8966ab8..faebb8dd 100644
+--- a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
+@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+ 
+ // parseEncryptedCompact parses a message in compact format.
+ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 5 {
+	// Five parts is four separators
+	if strings.Count(input, ".") != 4 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ 	}
+	parts := strings.SplitN(input, ".", 5)
+ 
+ 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ 	if err != nil {
+diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
+index 1a24fa46..717f04ac 100644
+--- a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+ 
+ // parseSignedCompact parses a message in compact format.
+ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 3 {
+	// Three parts is two separators
+	if strings.Count(input, ".") != 2 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ 	}
+	parts := strings.SplitN(input, ".", 3)
+ 
+ 	if parts[1] != "" && payload != nil {
+ 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+-- 
+2.48.1
+
--- a/skopeo.changes
+++ b/skopeo.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Fri Feb 28 07:49:33 UTC 2025 - Dan Čermák <dcermak@suse.com>
+
+- Add patch for CVE-2025-27144 (bsc#1237613)
+
+  Add patch:
+  * 0003-Don-t-allow-unbounded-amounts-of-splits-https-github.patch
+
+  Rebase patches:
+  * 0001-http2-close-connections-when-receiving-too-many-head.patch
+  * 0002-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
+
 -------------------------------------------------------------------
 Thu Feb  6 08:51:23 UTC 2025 - Dan Čermák <dcermak@suse.com>

--- a/skopeo.spec
+++ b/skopeo.spec
@ -31,6 +31,7 @@ Source1:        skopeo.rpmlintrc
 Requires:       libcontainers-common
 Patch0:         0001-http2-close-connections-when-receiving-too-many-head.patch
 Patch1:         0002-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
+Patch2:         0003-Don-t-allow-unbounded-amounts-of-splits-https-github.patch
 BuildRequires:  bash
 BuildRequires:  device-mapper-devel >= 1.2.68
 BuildRequires:  glib2-devel