dirkmueller/trivy
SHA256
1
0
Fork 0
forked from pool/trivy
Code Pull Requests Activity

Add patch for CVE-2025-27144

Browse Source
This commit is contained in:
Dirk Müller 2025-02-26 10:02:35 +01:00
parent 242c86594f
commit f0646f271b
No known key found for this signature in database
3 changed files with 60 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
jwe-avoid-unbounded-splits.patch Normal file
View File

@ -0,0 +1,49 @@
From 99b346cec4e86d102284642c5dcbe9bb0cacfc22 Mon Sep 17 00:00:00 2001
From: Matthew McPherrin <mattm@letsencrypt.org>
Date: Mon, 24 Feb 2025 15:06:34 -0500
Subject: [PATCH] Don't allow unbounded amounts of splits (#167)
In compact JWS/JWE, don't allow unbounded number of splits.
Count to make sure there's the right number, then use SplitN.
---
jwe.go | 5 +++--
jws.go | 5 +++--
jws_test.go | 3 +++
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/jwe.go b/jwe.go
index 89f03ee..9f1322d 100644
--- a/jwe.go
+++ b/jwe.go
@@ -288,10 +288,11 @@ func ParseEncryptedCompact(
keyAlgorithms []KeyAlgorithm,
contentEncryption []ContentEncryption,
) (*JSONWebEncryption, error) {
- parts := strings.Split(input, ".")
- if len(parts) != 5 {
+ // Five parts is four separators
+ if strings.Count(input, ".") != 4 {
return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
}
+ parts := strings.SplitN(input, ".", 5)
rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
if err != nil {
diff --git a/jws.go b/jws.go
index 3a91230..d09d8ba 100644
--- a/jws.go
+++ b/jws.go
@@ -327,10 +327,11 @@ func parseSignedCompact(
payload []byte,
signatureAlgorithms []SignatureAlgorithm,
) (*JSONWebSignature, error) {
- parts := strings.Split(input, ".")
- if len(parts) != 3 {
+ // Three parts is two separators
+ if strings.Count(input, ".") != 2 {
return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
}
+ parts := strings.SplitN(input, ".", 3)
if parts[1] != "" && payload != nil {
return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")

6
trivy.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Wed Feb 26 09:01:28 UTC 2025 - Dirk Müller <dmueller@suse.com>
- add jwe-avoid-unbounded-splits.patch (bsc#1237618,
CVE-2025-27144)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 25 14:46:22 UTC 2025 - dmueller@suse.com Tue Feb 25 14:46:22 UTC 2025 - dmueller@suse.com

5
trivy.spec
View File

@ -25,6 +25,7 @@ Group: System/Management
URL: https://github.com/aquasecurity/trivy URL: https://github.com/aquasecurity/trivy
Source: %{name}-%{version}.tar.zst Source: %{name}-%{version}.tar.zst
Source1: vendor.tar.zst Source1: vendor.tar.zst
Patch1: jwe-avoid-unbounded-splits.patch
BuildRequires: golang-packaging BuildRequires: golang-packaging
BuildRequires: zstd BuildRequires: zstd
BuildRequires: golang(API) = 1.23 BuildRequires: golang(API) = 1.23
@ -44,6 +45,10 @@ name of the container.
%prep %prep
%setup -a1 %setup -a1
(
cd vendor/github.com/go-jose/go-jose/v4
%patch -P 1 -p1
)
%build %build
export CGO_ENABLED=1 export CGO_ENABLED=1