Sync from SUSE:SLFO:Main skopeo revision 61766f726da06488bfbcdea0f51bf600

2025-03-12 17:20:39 +01:00
parent 35b5eaa0b8
commit a06eae1283
5 changed files with 116 additions and 2 deletions


@@ -1,7 +1,7 @@
From 24daef011d67659fced01c3576ddf2ef17d7190c Mon Sep 17 00:00:00 2001 From 24daef011d67659fced01c3576ddf2ef17d7190c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com> From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
Date: Wed, 5 Feb 2025 15:38:33 +0100 Date: Wed, 5 Feb 2025 15:38:33 +0100
Subject: [PATCH 1/2] http2: close connections when receiving too many headers Subject: [PATCH 1/3] http2: close connections when receiving too many headers
Maintaining HPACK state requires that we parse and process Maintaining HPACK state requires that we parse and process
all HEADERS and CONTINUATION frames on a connection. all HEADERS and CONTINUATION frames on a connection.


@@ -1,7 +1,7 @@
From 31243434c9214391e60b78aeea714dffa7cbb07f Mon Sep 17 00:00:00 2001 From 31243434c9214391e60b78aeea714dffa7cbb07f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com> From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
Date: Wed, 5 Feb 2025 17:55:27 +0100 Date: Wed, 5 Feb 2025 17:55:27 +0100
Subject: [PATCH 2/2] Switch hashicorp/go-retryablehttp to the SUSE fork Subject: [PATCH 2/3] Switch hashicorp/go-retryablehttp to the SUSE fork
The SUSE fork has the fix for CVE-2024-6104 backported to v0.7.5 and is a proper The SUSE fork has the fix for CVE-2024-6104 backported to v0.7.5 and is a proper
go module. Thereby this fix can no longer get overwritten by an accidental go module. Thereby this fix can no longer get overwritten by an accidental


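--- /dev/null
+++ b/0003-Don-t-allow-unbounded-amounts-of-splits-https-github.patch
@@ -0,0 +1,101 @@
+From 3a37cde87e3c111d547bdcf12bae7522585e4fc1 Mon Sep 17 00:00:00 2001
+From: Matthew McPherrin <mattm@letsencrypt.org>
+Date: Tue, 25 Feb 2025 15:46:09 +0100
+Subject: [PATCH 3/3] Don't allow unbounded amounts of splits
+(https://github.com/go-jose/go-jose/pull/167)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+In compact JWS/JWE, don't allow unbounded number of splits.
+Count to make sure there's the right number, then use SplitN.
+This fixes CVE-2025-27144
+This fixes bsc#1237613
+Cherry-picked from
+https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22
+Signed-off-by: Dan Čermák <dcermak@suse.com>
+---
+vendor/github.com/go-jose/go-jose/v3/jwe.go | 5 +++--
+vendor/github.com/go-jose/go-jose/v3/jws.go | 5 +++--
+vendor/gopkg.in/go-jose/go-jose.v2/jwe.go | 5 +++--
+vendor/gopkg.in/go-jose/go-jose.v2/jws.go | 5 +++--
+4 files changed, 12 insertions(+), 8 deletions(-)
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jwe.go b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+index 4267ac75..1ba4ae0c 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jwe.go
++++ b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+@@ -202,10 +202,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+// parseEncryptedCompact parses a message in compact format.
+func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 5 {
++ // Five parts is four separators
++ if strings.Count(input, ".") != 4 {
+return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+}
++ parts := strings.SplitN(input, ".", 5)
+rawProtected, err := base64URLDecode(parts[0])
+if err != nil {
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jws.go b/vendor/github.com/go-jose/go-jose/v3/jws.go
+index e37007db..401fc18a 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jws.go
++++ b/vendor/github.com/go-jose/go-jose/v3/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+// parseSignedCompact parses a message in compact format.
+func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 3 {
++ // Three parts is two separators
++ if strings.Count(input, ".") != 2 {
+return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+}
++ parts := strings.SplitN(input, ".", 3)
+if parts[1] != "" && payload != nil {
+return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
+index a8966ab8..faebb8dd 100644
+--- a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
++++ b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
+@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+// parseEncryptedCompact parses a message in compact format.
+func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 5 {
++ // Five parts is four separators
++ if strings.Count(input, ".") != 4 {
+return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+}
++ parts := strings.SplitN(input, ".", 5)
+rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+if err != nil {
+diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
+index 1a24fa46..717f04ac 100644
+--- a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
++++ b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+// parseSignedCompact parses a message in compact format.
+func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 3 {
++ // Three parts is two separators
++ if strings.Count(input, ".") != 2 {
+return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+}
++ parts := strings.SplitN(input, ".", 3)
+if parts[1] != "" && payload != nil {
+return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+--
+2.48.1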
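Review bot: The fix lands only in the vendored copies (`vendor/github.com/go-jose/go-jose/v3/jwe.go`, `jws.go` and the `gopkg.in/go-jose/go-jose.v2` pair) while `go.mod` and `vendor/modules.txt` are left as they were, so a later `go mod vendor` would silently restore the unbounded `strings.Split` — the same concern the PATCH 2/3 description raises for go-retryablehttp. Consider recording the fix in `go.mod` as well (a `replace` directive to a fork carrying upstream commit 99b346cec4e86d102284642c5dcbe9bb0cacfc22, or a bump to an upstream release that contains it) so the CVE-2025-27144 fix cannot be lost on re-vendoring. The new-side code itself matches the upstream change: `strings.Count(input, ".")` bounds the separator count before `strings.SplitN` allocates anything, so `parts` always has exactly five (JWE) or three (JWS) elements and the later `parts[...]` indexing stays in range. Each of the four parse functions continues past the end of its hunk.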


@@ -1,3 +1,15 @@
-------------------------------------------------------------------
Fri Feb 28 07:49:33 UTC 2025 - Dan Čermák <dcermak@suse.com>
- Add patch for CVE-2025-27144 (bsc#1237613)
Add patch:
* 0003-Don-t-allow-unbounded-amounts-of-splits-https-github.patch
Rebase patches:
* 0001-http2-close-connections-when-receiving-too-many-head.patch
* 0002-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Feb 6 08:51:23 UTC 2025 - Dan Čermák <dcermak@suse.com> Thu Feb 6 08:51:23 UTC 2025 - Dan Čermák <dcermak@suse.com>


@@ -31,6 +31,7 @@ Source1: skopeo.rpmlintrc
Requires: libcontainers-common Requires: libcontainers-common
Patch0: 0001-http2-close-connections-when-receiving-too-many-head.patch Patch0: 0001-http2-close-connections-when-receiving-too-many-head.patch
Patch1: 0002-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch Patch1: 0002-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
Patch2: 0003-Don-t-allow-unbounded-amounts-of-splits-https-github.patch
BuildRequires: bash BuildRequires: bash
BuildRequires: device-mapper-devel >= 1.2.68 BuildRequires: device-mapper-devel >= 1.2.68
BuildRequires: glib2-devel BuildRequires: glib2-devel
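Review bot: The new `Patch2:` declaration is the only change visible in this hunk, and whether the patch is actually applied depends on the `%prep` section, which is outside the hunk. If the spec uses `%autosetup -p1` or `%autopatch` the new patch is picked up automatically; if it applies patches individually, a matching `%patch -P 2 -p1` line is needed, otherwise the CVE-2025-27144 fix is declared but never reaches the build. Worth confirming against the rest of the spec before merging.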