Add patch for CVE-2025-47914 (bsc#1254054), CVE-2025-47913 (bsc#1253598)

Signed-off-by: Danish Prakash <contact@danishpraka.sh>
Add patch for CVE-2025-52881 (bsc#1253096)
2025-12-23 13:27:20 +05:30 · 2025-11-14 20:37:24 +05:30 · 2025-08-20 09:05:12 +02:00
10 changed files with 927 additions and 507 deletions
--- a/0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+++ b/0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
@@ -0,0 +1,145 @@
+From 71adcd0546fa3becd9a95ebbfc21bb15610ed44e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
+Date: Mon, 17 Mar 2025 10:37:21 +0100
+Subject: [PATCH 1/4] CVE-2025-22869: vendor/ssh: limit the size of the
+ internal packet queue while waiting for KEX (#7)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In the SSH protocol, clients and servers execute the key exchange to
+generate one-time session keys used for encryption and authentication.
+The key exchange is performed initially after the connection is
+established and then periodically after a configurable amount of data.
+While a key exchange is in progress, we add the received packets to an
+internal queue until we receive SSH_MSG_KEXINIT from the other side.
+This can result in high memory usage if the other party is slow to
+respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a
+malicious client never responds to an SSH_MSG_KEXINIT packet during a
+large file transfer.
+We now limit the internal queue to 64 packets: this means 2MB with the
+typical 32KB packet size.
+When the internal queue is full we block further writes until the
+pending key exchange is completed or there is a read or write error.
+
+Thanks to Yuichi Watanabe for reporting this issue.
+
+Fixes: CVE-2025-22869
+Bugs: bsc#1239339
+
+Change-Id: I1ce2214cc16e08b838d4bc346c74c72addafaeec
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/652135
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+
+Signed-off-by: Dan Čermák <dcermak@suse.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++-----
+ 1 file changed, 37 insertions(+), 10 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
+index 56cdc7c21c3b..a68d20f7f396 100644
+--- a/vendor/golang.org/x/crypto/ssh/handshake.go
+++ b/vendor/golang.org/x/crypto/ssh/handshake.go
+@@ -25,6 +25,11 @@ const debugHandshake = false
+ // quickly.
+ const chanSize = 16
+ 
+// maxPendingPackets sets the maximum number of packets to queue while waiting
+// for KEX to complete. This limits the total pending data to maxPendingPackets
+// * maxPacket bytes, which is ~16.8MB.
+const maxPendingPackets = 64
+
+ // keyingTransport is a packet based transport that supports key
+ // changes. It need not be thread-safe. It should pass through
+ // msgNewKeys in both directions.
+@@ -73,11 +78,19 @@ type handshakeTransport struct {
+ 	incoming  chan []byte
+ 	readError error
+ 
+-	mu               sync.Mutex
+-	writeError       error
+-	sentInitPacket   []byte
+-	sentInitMsg      *kexInitMsg
+-	pendingPackets   [][]byte // Used when a key exchange is in progress.
+	mu sync.Mutex
+	// Condition for the above mutex. It is used to notify a completed key
+	// exchange or a write failure. Writes can wait for this condition while a
+	// key exchange is in progress.
+	writeCond      *sync.Cond
+	writeError     error
+	sentInitPacket []byte
+	sentInitMsg    *kexInitMsg
+	// Used to queue writes when a key exchange is in progress. The length is
+	// limited by pendingPacketsSize. Once full, writes will block until the key
+	// exchange is completed or an error occurs. If not empty, it is emptied
+	// all at once when the key exchange is completed in kexLoop.
+	pendingPackets   [][]byte
+ 	writePacketsLeft uint32
+ 	writeBytesLeft   int64
+ 
+@@ -133,6 +146,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion,
+ 
+ 		config: config,
+ 	}
+	t.writeCond = sync.NewCond(&t.mu)
+ 	t.resetReadThresholds()
+ 	t.resetWriteThresholds()
+ 
+@@ -259,6 +273,7 @@ func (t *handshakeTransport) recordWriteError(err error) {
+ 	defer t.mu.Unlock()
+ 	if t.writeError == nil && err != nil {
+ 		t.writeError = err
+		t.writeCond.Broadcast()
+ 	}
+ }
+ 
+@@ -362,6 +377,8 @@ write:
+ 			}
+ 		}
+ 		t.pendingPackets = t.pendingPackets[:0]
+		// Unblock writePacket if waiting for KEX.
+		t.writeCond.Broadcast()
+ 		t.mu.Unlock()
+ 	}
+ 
+@@ -567,11 +584,20 @@ func (t *handshakeTransport) writePacket(p []byte) error {
+ 	}
+ 
+ 	if t.sentInitMsg != nil {
+-		// Copy the packet so the writer can reuse the buffer.
+-		cp := make([]byte, len(p))
+-		copy(cp, p)
+-		t.pendingPackets = append(t.pendingPackets, cp)
+-		return nil
+		if len(t.pendingPackets) < maxPendingPackets {
+			// Copy the packet so the writer can reuse the buffer.
+			cp := make([]byte, len(p))
+			copy(cp, p)
+			t.pendingPackets = append(t.pendingPackets, cp)
+			return nil
+		}
+		for t.sentInitMsg != nil {
+			// Block and wait for KEX to complete or an error.
+			t.writeCond.Wait()
+			if t.writeError != nil {
+				return t.writeError
+			}
+		}
+ 	}
+ 
+ 	if t.writeBytesLeft > 0 {
+@@ -588,6 +614,7 @@ func (t *handshakeTransport) writePacket(p []byte) error {
+ 
+ 	if err := t.pushPacket(p); err != nil {
+ 		t.writeError = err
+		t.writeCond.Broadcast()
+ 	}
+ 
+ 	return nil
+-- 
+2.51.1
+
--- a/0002-run-handle-relabeling-bind-mounts-ourselves.patch
+++ b/0002-run-handle-relabeling-bind-mounts-ourselves.patch
@@ -0,0 +1,77 @@
+From 60431f798b04472409feb826d311ecd41ee22d85 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Wed, 11 Jun 2025 20:42:30 +0530
+Subject: [PATCH 2/4] run: handle relabeling bind mounts ourselves
+
+Handle requested relabeling of bind mounts (i.e., the "z" and "Z" flags)
+directly, instead of letting the runtime handle the relabeling.
+
+Bugs: bsc#1242445
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ run_linux.go | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/run_linux.go b/run_linux.go
+index 5d040cbb9997..e3e65102bc35 100644
+--- a/run_linux.go
+++ b/run_linux.go
+@@ -542,6 +542,33 @@ rootless=%d
+ 
+ 	defer b.cleanupTempVolumes()
+ 
+	// Handle mount flags that request that the source locations for "bind" mountpoints be
+	// relabeled, and filter those flags out of the list of mount options we pass to the
+	// runtime.
+	for i := range spec.Mounts {
+		switch spec.Mounts[i].Type {
+		default:
+			continue
+		case "bind", "rbind":
+			// all good, keep going
+		}
+		zflag := ""
+		for _, opt := range spec.Mounts[i].Options {
+			if opt == "z" || opt == "Z" {
+				zflag = opt
+			}
+		}
+		if zflag == "" {
+			continue
+		}
+		spec.Mounts[i].Options = slices.DeleteFunc(spec.Mounts[i].Options, func(opt string) bool {
+			return opt == "z" || opt == "Z"
+		})
+		if err := relabel(spec.Mounts[i].Source, b.MountLabel, zflag == "z"); err != nil {
+			return fmt.Errorf("setting file label %q on %q: %w", b.MountLabel, spec.Mounts[i].Source, err)
+		}
+	}
+
+ 	switch isolation {
+ 	case define.IsolationOCI:
+ 		var moreCreateArgs []string
+@@ -1130,16 +1157,19 @@ func (b *Builder) runSetupVolumeMounts(mountLabel string, volumeMounts []string,
+ 			if err := relabel(host, mountLabel, true); err != nil {
+ 				return specs.Mount{}, err
+ 			}
+			options = slices.DeleteFunc(options, func(o string) bool { return o == "z" })
+ 		}
+ 		if foundZ {
+ 			if err := relabel(host, mountLabel, false); err != nil {
+ 				return specs.Mount{}, err
+ 			}
+			options = slices.DeleteFunc(options, func(o string) bool { return o == "Z" })
+ 		}
+ 		if foundU {
+ 			if err := chown.ChangeHostPathOwnership(host, true, idMaps.processUID, idMaps.processGID); err != nil {
+ 				return specs.Mount{}, err
+ 			}
+			options = slices.DeleteFunc(options, func(o string) bool { return o == "U" })
+ 		}
+ 		if foundO {
+ 			if (upperDir != "" && workDir == "") || (workDir != "" && upperDir == "") {
+-- 
+2.51.1
+
--- a/0003-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
+++ b/0003-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
@@ -0,0 +1,64 @@
+From 0277a37699cc0930e40f8ab24ec5caa68bbe2de9 Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Fri, 14 Nov 2025 13:08:55 +0530
+Subject: [PATCH 3/4] CVE-2025-52881: backport subset of patch from runc
+
+buildah imports libcontainer/apparmor for the chroot isolation engine,
+so we need to patch it directly. None of the other vulnerable codepaths
+from CVE-2025-52881 are relevant.
+
+Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1253096
+
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ .../libcontainer/apparmor/apparmor_linux.go     | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+index a3a8e93258e7..3453a5a16712 100644
+--- a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+@@ -6,9 +6,10 @@ import (
+ 	"os"
+ 	"sync"
+ 
+	"github.com/cyphar/filepath-securejoin/pathrs-lite"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
+ 	"golang.org/x/sys/unix"
+ 
+-	"github.com/opencontainers/runc/internal/pathrs"
+ 	"github.com/opencontainers/runc/libcontainer/utils"
+ )
+ 
+@@ -36,14 +37,26 @@ func setProcAttr(attr, value string) error {
+ 		attrSubPath = "attr/" + attr
+ 	}
+ 
+	proc, err := procfs.OpenProcRoot()
+	if err != nil {
+		return err
+	}
+	defer proc.Close()
+
+ 	// Under AppArmor you can only change your own attr, so there's no reason
+ 	// to not use /proc/thread-self/ (instead of /proc/<tid>/, like libapparmor
+ 	// does).
+-	f, closer, err := pathrs.ProcThreadSelfOpen(attrSubPath, unix.O_WRONLY|unix.O_CLOEXEC)
+	handle, closer, err := proc.OpenThreadSelf(attrSubPath)
+ 	if err != nil {
+ 		return err
+ 	}
+ 	defer closer()
+	defer handle.Close()
+
+	f, err := pathrs.Reopen(handle, unix.O_WRONLY|unix.O_CLOEXEC)
+	if err != nil {
+		return err
+	}
+ 	defer f.Close()
+ 
+ 	_, err = f.WriteString(value)
+-- 
+2.51.1
+
--- a/0004-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch
+++ b/0004-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch
@@ -0,0 +1,86 @@
+From 254d7a74914ece920f48d36d0fcab084fa2e6663 Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Mon, 17 Nov 2025 14:57:51 +0530
+Subject: [PATCH 4/4] CVE-2025-47913, CVE-2025-47914: ssh/agent fixes
+
+--
+
+CVE-2025-47913: ssh/agent: return an error for unexpected message types
+
+Previously, receiving an unexpected message type in response to a key
+listing or a signing request could cause a panic due to a failed type
+assertion.
+
+This change adds a default case to the type switch in order to detect
+and explicitly handle unknown or invalid message types, returning a
+descriptive error instead of crashing.
+
+Fixes CVE-2025-47913
+Fixes golang/go#75178
+Fixes bsc#1253598
+
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+
+--
+
+CVE-2025-47914: ssh/agent: prevent panic on malformed constraint
+
+An attacker could supply a malformed Constraint that
+would trigger a panic in a serving agent, effectively
+causing denial of service.
+
+Thank you to Jakub Ciolek for reporting this issue.
+
+Fixes CVE-2025-47914
+Fixes golang/go#76364
+Fixes bsc#1254054
+
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ vendor/golang.org/x/crypto/ssh/agent/client.go | 6 ++++--
+ vendor/golang.org/x/crypto/ssh/agent/server.go | 3 +++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
+index 106708d289eb..410e21b065ce 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/client.go
+++ b/vendor/golang.org/x/crypto/ssh/agent/client.go
+@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
+ 		return keys, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to list keys")
+	default:
+		return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+ 
+ // Sign has the agent sign the data using a protocol 2 key as defined
+@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
+ 		return &sig, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to sign challenge")
+	default:
+		return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+ 
+ // unmarshal parses an agent message in packet, returning the parsed
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/server.go b/vendor/golang.org/x/crypto/ssh/agent/server.go
+index e35ca7ce3182..6c05994928ba 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/server.go
+++ b/vendor/golang.org/x/crypto/ssh/agent/server.go
+@@ -203,6 +203,9 @@ func parseConstraints(constraints []byte) (lifetimeSecs uint32, confirmBeforeUse
+ 	for len(constraints) != 0 {
+ 		switch constraints[0] {
+ 		case agentConstrainLifetime:
+			if len(constraints) < 5 {
+				return 0, false, nil, io.ErrUnexpectedEOF
+			}
+ 			lifetimeSecs = binary.BigEndian.Uint32(constraints[1:5])
+ 			constraints = constraints[5:]
+ 		case agentConstrainConfirm:
+-- 
+2.51.1
+
--- a/2
+++ b/2
@@ -5,7 +5,7 @@
    <param name="filename">buildah</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="versionrewrite-pattern">v(.*)</param>
-    <param name="revision">v1.42.2</param>
+    <param name="revision">v1.39.5</param>
    <param name="changesgenerate">enable</param>
 </service>
 <service name="recompress" mode="manual">
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/containers/buildah.git</param>
-              <param name="changesrevision">c0cc97255c76f7a3d87bfdf5e7b97f013f0bfe85</param></service></servicedata>
+              <param name="changesrevision">61d416a95863c2bde9e49efdd9a65562c039e106</param></service></servicedata>
--- a/buildah-1.39.5.tar.xz
+++ b/buildah-1.39.5.tar.xz
--- a/buildah-1.42.2.tar.xz
+++ b/buildah-1.42.2.tar.xz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b36dee367227514aa7a8c0f7d56ab315139351b1048202c4c358d1c0b9b0a206
-size 7425428
--- a/buildah.changes
+++ b/buildah.changes
--- a/buildah.spec
+++ b/buildah.spec
@@ -19,7 +19,7 @@

 %define project github.com/containers/buildah
 Name:           buildah
-Version:        1.42.2
+Version:        1.39.5
 Release:        0
 Summary:        Tool for building OCI containers
 License:        Apache-2.0
@@ -27,6 +27,10 @@ Group:          System/Management
 URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.xz
 Source1:        %{name}-rpmlintrc
+Patch0:         0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+Patch1:         0002-run-handle-relabeling-bind-mounts-ourselves.patch
+Patch2:         0003-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
+Patch3:         0004-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes
Author	SHA256	Message	Date
Danish Prakash	f345bbb2b2	Add patch for CVE-2025-47914 (bsc#1254054), CVE-2025-47913 (bsc#1253598) Signed-off-by: Danish Prakash <contact@danishpraka.sh>	2025-12-23 13:27:20 +05:30
Danish Prakash	683962bb89	Add patch for CVE-2025-52881 (bsc#1253096) Signed-off-by: Danish Prakash <contact@danishpraka.sh>	2025-11-14 20:37:24 +05:30
Adrian Schröter	251765ad93	Sync changes to SLFO-1.2 branch	2025-08-20 09:05:12 +02:00