+ 0015-bsc1247362-release-container-layer-on-export.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker-stable?expand=0&rev=33
From 4b86dca1e44964483c4587dbca1aa1fac42571d9 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Tue, 25 Mar 2025 12:02:42 +1100
Subject: [PATCH 12/14] CVE-2025-22868: vendor: jws: split token into fixed
number of parts
Thanks to 'jub0bs' for reporting this issue.
Fixes: CVE-2025-22868
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
(Cherry-picked from golang.org/x/oauth2@681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3.)
SUSE-Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1239185
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
vendor/golang.org/x/oauth2/jws/jws.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
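diff --git a/vendor/golang.org/x/oauth2/jws/jws.go b/vendor/golang.org/x/oauth2/jws/jws.go
index 95015648b43f..6f03a49d3120 100644
--- a/vendor/golang.org/x/oauth2/jws/jws.go
+++ b/vendor/golang.org/x/oauth2/jws/jws.go
@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
 // Verify tests whether the provided JWT token's signature was produced by the private key
 // associated with the supplied public key.
 func Verify(token string, key *rsa.PublicKey) error {
- parts := strings.Split(token, ".")
- if len(parts) != 3 {
+ if strings.Count(token, ".") != 2 {
 return errors.New("jws: invalid token received, token must have 3 parts")
 }
 
+ parts := strings.SplitN(token, ".", 3)
 signedContent := parts[0] + "." + parts[1]
 signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
 if err != nil {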
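Review bot: Nothing in Verify says why the separator count is checked with `strings.Count` before `strings.SplitN` is called, and that ordering is the whole fix: the old `strings.Split` built one slice entry per dot before the length was checked, so a token made mostly of dots cost memory well beyond its own size. A comment above the check such as `// Count separators first: splitting an untrusted token allocates per part.` would keep a later cleanup from folding the two lines back into a single Split. Because this is a cherry-pick into vendor/ and the diffstat lists only jws.go, the module version recorded for golang.org/x/oauth2 presumably stays at the pre-fix release, so version-matching scanners may still report CVE-2025-22868; the package changelog should carry the CVE id so the backport is auditable. Verify's body continues past the end of the hunk.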
--
2.49.0