Sync changes to SLFO-1.2 branch

2025-08-20 09:21:00 +02:00
8 changed files with 61 additions and 102 deletions
--- a/CVE-2025-22868.patch
+++ b/CVE-2025-22868.patch
@@ -0,0 +1,41 @@
+From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001
+From: Neal Patel <nealpatel@google.com>
+Date: Thu, 30 Jan 2025 14:10:09 -0500
+Subject: [PATCH] jws: split token into fixed number of parts
+
+Thanks to 'jub0bs' for reporting this issue.
+
+Fixes #71490
+Fixes CVE-2025-22868
+
+Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
+Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+---
+ jws/jws.go | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/jws/jws.go b/jws/jws.go
+index 9501564..6f03a49 100644
+--- a/jws/jws.go
+++ b/jws/jws.go
+@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
+ // Verify tests whether the provided JWT token's signature was produced by the private key
+ // associated with the supplied public key.
+ func Verify(token string, key *rsa.PublicKey) error {
+-	parts := strings.Split(token, ".")
+-	if len(parts) != 3 {
+	if strings.Count(token, ".") != 2 {
+ 		return errors.New("jws: invalid token received, token must have 3 parts")
+ 	}
+ 
+	parts := strings.SplitN(token, ".", 3)
+ 	signedContent := parts[0] + "." + parts[1]
+ 	signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
+ 	if err != nil {
+-- 
+2.48.1
+
--- a/6
+++ b/6
@@ -3,8 +3,8 @@
    <param name="url">https://github.com/GoogleCloudPlatform/osconfig</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">20250729.00</param>
-    <param name="revision">20250729.00</param>
+    <param name="versionformat">20250416.02</param>
+    <param name="revision">20250416.02</param>
    <param name="changesgenerate">enable</param>
  </service>
  <service name="recompress" mode="disabled">
@@ -15,6 +15,6 @@
    <param name="basename">osconfig</param>
  </service>
  <service name="go_modules" mode="disabled">
-    <param name="archive">osconfig-20250729.00.tar.gz</param>
+    <param name="archive">osconfig-20250416.02.tar.gz</param>
  </service>
 </services>
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/GoogleCloudPlatform/osconfig</param>
-              <param name="changesrevision">6d3741d26882e1585233a875d67f466904b2ba0c</param></service></servicedata>
+              <param name="changesrevision">af84137069fbb2170051e7d370a55f59f856a7a9</param></service></servicedata>
--- a/google-osconfig-agent.changes
+++ b/google-osconfig-agent.changes
@@ -1,94 +1,7 @@
 -------------------------------------------------------------------
-Mon Aug 11 13:30:16 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+Thu Jun 12 13:35:19 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 20250806.00
-  * Fixed JSON identifier for the universe domain (#855)
- from version 20250729.00
-  * Bump github.com/google/s2a-go from 0.1.8 to 0.1.9 (#828)
- from version 20250725.02
-  * Update utils.go (#854)
-  * Upgrade golang.org/x/oauth2 package to the latest. (#853)
-  * Bump golang.org/x/time from 0.9.0 to 0.12.0 (#839)
- from version 20250725.01
-  * Bump golang.org/x/oauth2 (#848)
-  * Port fix for debian 11 to goo package manager. (#852)
- from version 20250725.00
-  * Update Golang version in common.sh and skip backports
-    repo for debian 11 (#850)
- from version 20250723.01
-  * Add workflows to build package for el10 (#849)
- from version 20250721.00
-  * Make OS Config agent TPC aware (#846)
- from version 20250718.00
-  * Create workflows for new Debian 13. (#847)
- Drop CVE-2025-22868.patch, merged upstream
-
-------------------------------------------------------------------
-Fri Jul 11 11:51:22 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to version 20250703.00
-  * Fix sles images (#844)
- from version 20250702.00
-  * Remove rhel-sap 8-4 add rhel-sap 8-10 (#843)
- from version 20250701.00
-  * Bump the go_modules group across 1 directory with 2 updates (#840)
-
-------------------------------------------------------------------
-Wed Jun 25 11:23:00 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to version 20250606.00
-  * Change base docker images Google's official base images. (#838)
-
-------------------------------------------------------------------
-Wed May 28 09:01:24 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to version 20250523.01
-  * Add a simple no-op OS policy for user testing (#837)
- from version 20250523.00
-  * Introduce scalibr inventory extractor for dpkg/rpm/cos
-    os/filesystem extractors (linux) (#834)
-  * Trace GetInstalledPackages memory levels (#835)
- from version 20250520.00
-  * Trace GetInstalledPackages memory levels (#835)
-
-------------------------------------------------------------------
-Wed May 14 08:37:59 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to version 20250513.00
-  * Fix rpm extractor, handle (none) value correctly. (#833)
- from version 20250512.01
-  * Bump github.com/envoyproxy/go-control-plane from 0.13.1 to 0.13.4 (#816)
- from version 20250512.00
-  * Bump golang.org/x/net from 0.39.0 to 0.40.0 (#819)
- from version 20250508.01
-  * cosmetic refactoring to osinfo package (#826)
- from version 20250508.00
-  * Refactor /inventory with dependency injection (#825)
-  * Add debian, ubuntu (InstalledDebPackages) snapshots (#821)
-  * cover packages_linux.go file with tests (#824)
-  * Add debian (10,11,12) GetPackageUpdates output snapshots (#822)
- from version 20250507.00
-  * Add InstalledRPMPackages snapshot tests (#823)
- from version 20250506.02
-  * Yum tests: simplify initialization of exit errors (#820)
- from version 20250506.01
-  * Improve test coverage for gem package manager (#818)
- from version 20250506.00
-  *  after go/x/crypto update 0.32.0 -> 0.37.0 (#817)
- from version 20250505.01
-  * Improve packages package coverage (#814)
-  * Bump golang.org/x/net from 0.34.0 to 0.39.0 (#807)
- from version 20250505.00
-  * Bump golang.org/x/crypto from 0.32.0 to 0.37.0 (#806)
- from version 20250430.00
-  * Snapshot YumUpdates (GetPackageUpdates) output (#813)
- from version 20250428.00
-  * Snapshot ZypperPatches, ZypperUpdates (GetPackageUpdates) output
-    for sles 12, 15 testdata (#812)
- from version 20250423.00
-  * Introduce MatchSnapshot large test results matcher function, snapshot
-    apt-deb GetPackageUpdates (#811)
- from version 20250416.02
+- Update to version 20250416.02 (bsc#1244304, bsc#1244503)
  * defaultSleeper: tolerate 10% difference to reduce test flakiness (#810)
  * Add output of some packagemanagers to the testdata (#808)
 - from version 20250416.01
@@ -145,7 +58,7 @@ Mon Feb 17 09:40:07 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.c
  * CVE-2024-45339.patch (bsc#1236560, CVE-2024-45339)

 -------------------------------------------------------------------
-Mon Jan 27 08:26:52 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+Mon Jan 27 16:54:33 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

 - Update to version 20250115.01 (bsc#1236406, bsc#1236407)
  * Bump cloud.google.com/go/osconfig from 1.14.2 to 1.14.3 (#772)
@@ -218,7 +131,7 @@ Mon Jan 27 08:26:52 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.c
  * Add new packagebuild presubmit that will use cloud-build (#694)
 - from version 20240927.00
  * Third batch of dependencies upgrade (#690)
- Bump the golang compiler version to 1.22.4 (CVE-2024-24790)
+- Bump the golang compiler version to 1.22.4 (bsc#1225974, CVE-2024-24790)

 -------------------------------------------------------------------
 Wed Oct 30 10:54:08 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
--- a/google-osconfig-agent.spec
+++ b/google-osconfig-agent.spec
@@ -24,7 +24,7 @@
 %global import_path     %{provider_prefix}

 Name:           google-osconfig-agent
-Version:        20250729.00
+Version:        20250416.02
 Release:        0
 Summary:        Google Cloud Guest Agent
 License:        Apache-2.0
@@ -33,6 +33,8 @@ URL:            https://%{provider_prefix}
 Source0:        %{repo}-%{version}.tar.gz
 Source1:        vendor.tar.gz
 Source2:        rpmlintrc
+# PATCH-FIX-UPSTREAM - Fix unexpected memory consumption during token parsing in golang.org/x/oauth2
+Patch0:         CVE-2025-22868.patch
 BuildRequires:  golang(API) >= 1.22.4
 BuildRequires:  golang-packaging
 Requires:       google-guest-configs
@@ -49,10 +51,13 @@ Google Cloud OSConfig Agent
 %prep
 %setup -q -n %{repo}-%{version}
 %setup -q -D -T -a 1 -n %{repo}-%{version}
+pushd vendor/golang.org/x/oauth2
+%patch -P0 -p1
+popd

 %build
 %goprep %{import_path}
-CGO_ENABLED=0 go build -buildmode=pie -ldflags="-s -w -X main.version=%{version}-%{release}" -mod=vendor -o google_osconfig_agent
+CGO_ENABLED=0 go build -ldflags="-s -w -X main.version=%{version}-%{release}" -mod=vendor -o google_osconfig_agent

 %install
 install -d %{buildroot}%{_bindir}
--- a/osconfig-20250416.02.tar.gz
+++ b/osconfig-20250416.02.tar.gz
--- a/osconfig-20250729.00.tar.gz
+++ b/osconfig-20250729.00.tar.gz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3055365614a7250f6eb12145ae0bce915eecb425d67789d9ff7f76c672ad8839
-size 467750
--- a/vendor.tar.gz
+++ b/vendor.tar.gz