From f0646f271b638d4cf53f86e463a222a46366598e326af4f4e15e6c9baf11061b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dirk=20M=C3=BCller?=
Date: Wed, 26 Feb 2025 10:02:35 +0100
Subject: [PATCH] Add patch for CVE-2025-27144
---
 jwe-avoid-unbounded-splits.patch | 49 ++++++++++++++++++++++++++++++++
 trivy.changes | 6 ++++
 trivy.spec | 5 ++++
 3 files changed, 60 insertions(+)
 create mode 100644 jwe-avoid-unbounded-splits.patch
diff --git a/jwe-avoid-unbounded-splits.patch b/jwe-avoid-unbounded-splits.patch
new file mode 100644
index 0000000..78b6896
--- /dev/null
+++ b/jwe-avoid-unbounded-splits.patch
@@ -0,0 +1,49 @@
+From 99b346cec4e86d102284642c5dcbe9bb0cacfc22 Mon Sep 17 00:00:00 2001
+From: Matthew McPherrin
+Date: Mon, 24 Feb 2025 15:06:34 -0500
+Subject: [PATCH] Don't allow unbounded amounts of splits (#167)
+
+In compact JWS/JWE, don't allow unbounded number of splits.
+Count to make sure there's the right number, then use SplitN.
+---
+ jwe.go | 5 +++--
+ jws.go | 5 +++--
+ jws_test.go | 3 +++
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/jwe.go b/jwe.go
+index 89f03ee..9f1322d 100644
+--- a/jwe.go
++++ b/jwe.go
+@@ -288,10 +288,11 @@ func ParseEncryptedCompact(
+ keyAlgorithms []KeyAlgorithm,
+ contentEncryption []ContentEncryption,
+ ) (*JSONWebEncryption, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 5 {
++ // Five parts is four separators
++ if strings.Count(input, ".") != 4 {
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ }
++ parts := strings.SplitN(input, ".", 5)
+
+ rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ if err != nil {
+diff --git a/jws.go b/jws.go
+index 3a91230..d09d8ba 100644
+--- a/jws.go
++++ b/jws.go
+@@ -327,10 +327,11 @@ func parseSignedCompact(
+ payload []byte,
+ signatureAlgorithms []SignatureAlgorithm,
+ ) (*JSONWebSignature, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 3 {
++ // Three parts is two separators
++ if strings.Count(input, ".") != 2 {
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ }
++ parts := strings.SplitN(input, ".", 3)
+
+ if parts[1] != "" && payload != nil {
+ return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
diff --git a/trivy.changes b/trivy.changes
index 8fa655b..1038e66 100644
--- a/trivy.changes
+++ b/trivy.changes
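Review bot: The preamble of the added patch file still lists `jws_test.go | 3 +++` and `3 files changed, 9 insertions(+), 4 deletions(-)`, but the body carries only the jwe.go and jws.go hunks, so the diffstat no longer describes what the file applies. patch(1) ignores the preamble, so the build is unaffected, but the next person auditing this backport will look for a test hunk that is not there; if the test was dropped on purpose (vendored module trees normally ship no _test.go files, so it would not apply), trim those two diffstat lines or say so in the changes entry. The code change itself is sound as carried: `strings.Count` rejects inputs with the wrong number of separators before any allocation, and `SplitN` then caps the result at five (JWE) or three (JWS) parts however many dots the input contains.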
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Feb 26 09:01:28 UTC 2025 - Dirk Müller
+
+- add jwe-avoid-unbounded-splits.patch (bsc#1237618,
+ CVE-2025-27144)
+
 -------------------------------------------------------------------
 Tue Feb 25 14:46:22 UTC 2025 - dmueller@suse.com
diff --git a/trivy.spec b/trivy.spec
index fe7d17e..6984ce8 100644
--- a/trivy.spec
+++ b/trivy.spec
@@ -25,6 +25,7 @@ Group: System/Management
 URL: https://github.com/aquasecurity/trivy
 Source: %{name}-%{version}.tar.zst
 Source1: vendor.tar.zst
+Patch1: jwe-avoid-unbounded-splits.patch
 BuildRequires: golang-packaging
 BuildRequires: zstd
 BuildRequires: golang(API) = 1.23
@@ -44,6 +45,10 @@ name of the container.
 %prep
 %setup -a1
+(
+ cd vendor/github.com/go-jose/go-jose/v4
+%patch -P 1 -p1
+)
 %build
 export CGO_ENABLED=1
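Review bot: The `%prep` hunk applies `%patch -P 1 -p1` only under `vendor/github.com/go-jose/go-jose/v4`; the upstream fix for CVE-2025-27144 was released for both the 3.x and 4.x module lines, so if the vendor tarball unpacked by `%setup -a1` also carries a go-jose v3 copy it stays unpatched while the build succeeds — worth confirming against `vendor/modules.txt` and noting the result in the changes entry. Because only the vendored sources change, `vendor/modules.txt` and the binary's embedded build info keep reporting the pre-fix go-jose version, so module-based scanners (trivy's own included) will presumably still flag this package for CVE-2025-27144 unless the distro's vulnerability data records the backport; that is the usual follow-up for a source-patched vendored dependency. A one-line comment above the subshell, e.g. `# go-jose lives in the vendored module tree, so the patch is applied relative to it`, would spare the next maintainer from guessing why the patch is not applied at the top level like the rest of the spec.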