Sync changes to SLFO-1.2 branch

2025-08-20 09:21:00 +02:00
10 changed files with 59 additions and 401 deletions
--- a/CVE-2025-22868.patch
+++ b/CVE-2025-22868.patch
@@ -0,0 +1,41 @@
+From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001
+From: Neal Patel <nealpatel@google.com>
+Date: Thu, 30 Jan 2025 14:10:09 -0500
+Subject: [PATCH] jws: split token into fixed number of parts
+
+Thanks to 'jub0bs' for reporting this issue.
+
+Fixes #71490
+Fixes CVE-2025-22868
+
+Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
+Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+---
+ jws/jws.go | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/jws/jws.go b/jws/jws.go
+index 9501564..6f03a49 100644
+--- a/jws/jws.go
+++ b/jws/jws.go
+@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
+ // Verify tests whether the provided JWT token's signature was produced by the private key
+ // associated with the supplied public key.
+ func Verify(token string, key *rsa.PublicKey) error {
+-	parts := strings.Split(token, ".")
+-	if len(parts) != 3 {
+	if strings.Count(token, ".") != 2 {
+ 		return errors.New("jws: invalid token received, token must have 3 parts")
+ 	}
+ 
+	parts := strings.SplitN(token, ".", 3)
+ 	signedContent := parts[0] + "." + parts[1]
+ 	signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
+ 	if err != nil {
+-- 
+2.48.1
+
--- a/CVE-2025-47911.patch
+++ b/CVE-2025-47911.patch
@@ -1,98 +0,0 @@
-From c217fe54b033f05ca89b931c1650738a68914f30 Mon Sep 17 00:00:00 2001
-From: Roland Shoemaker <roland@golang.org>
-Date: Mon, 29 Sep 2025 16:33:18 -0700
-Subject: [PATCH 2/2] html: impose open element stack size limit
-
-The HTML specification contains a number of algorithms which are
-quadratic in complexity by design. Instead of adding complicated
-workarounds to prevent these cases from becoming extremely expensive in
-pathological cases, we impose a limit of 512 to the size of the stack of
-open elements. It is extremely unlikely that non-adversarial HTML
-documents will ever hit this limit (but if we see cases of this, we may
-want to make the limit configurable via a ParseOption).
-
-Thanks to Guido Vranken and Jakub Ciolek for both independently
-reporting this issue.
-
-Fixes CVE-2025-47911
-Fixes golang/go#75682
-
-Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
-Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
-Reviewed-by: Damien Neil <dneil@google.com>
-LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
- html/escape.go |  2 +-
- html/parse.go  | 21 +++++++++++++++++----
- 2 files changed, 18 insertions(+), 5 deletions(-)
-
-diff --git a/html/escape.go b/html/escape.go
-index 04c6bec..12f2273 100644
--- a/html/escape.go
-+++ b/html/escape.go
-@@ -299,7 +299,7 @@ func escape(w writer, s string) error {
- 		case '\r':
- 			esc = "&#13;"
- 		default:
-			panic("unrecognized escape character")
-+			panic("html: unrecognized escape character")
- 		}
- 		s = s[i+1:]
- 		if _, err := w.WriteString(esc); err != nil {
-diff --git a/html/parse.go b/html/parse.go
-index 722e927..88fc005 100644
--- a/html/parse.go
-+++ b/html/parse.go
-@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
- 	}
- 
- 	if n.Type == ElementNode {
-		p.oe = append(p.oe, n)
-+		p.insertOpenElement(n)
-+	}
-+}
-+
-+func (p *parser) insertOpenElement(n *Node) {
-+	p.oe = append(p.oe, n)
-+	if len(p.oe) > 512 {
-+		panic("html: open stack of elements exceeds 512 nodes")
- 	}
- }
- 
-@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool {
- 			p.im = inFramesetIM
- 			return true
- 		case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
-			p.oe = append(p.oe, p.head)
-+			p.insertOpenElement(p.head)
- 			defer p.oe.remove(p.head)
- 			return inHeadIM(p)
- 		case a.Head:
-@@ -2324,9 +2331,13 @@ func (p *parser) parseCurrentToken() {
- 	}
- }
- 
-func (p *parser) parse() error {
-+func (p *parser) parse() (err error) {
-+	defer func() {
-+		if panicErr := recover(); panicErr != nil {
-+			err = fmt.Errorf("%s", panicErr)
-+		}
-+	}()
- 	// Iterate until EOF. Any other error will cause an early return.
-	var err error
- 	for err != io.EOF {
- 		// CDATA sections are allowed only in foreign content.
- 		n := p.oe.top()
-@@ -2355,6 +2366,8 @@ func (p *parser) parse() error {
- // <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped,
- // with no corresponding node in the resulting tree.
- //
-+// Parse will reject HTML that is nested deeper than 512 elements.
-+//
- // The input is assumed to be UTF-8 encoded.
- func Parse(r io.Reader) (*Node, error) {
- 	return ParseWithOptions(r)
-- 
-2.51.0
-
--- a/CVE-2025-58190.patch
+++ b/CVE-2025-58190.patch
@@ -1,124 +0,0 @@
-From 6265ff02c00c9911070d6742bb140d1f30126997 Mon Sep 17 00:00:00 2001
-From: Roland Shoemaker <roland@golang.org>
-Date: Mon, 29 Sep 2025 19:38:24 -0700
-Subject: [PATCH 1/2] html: align in row insertion mode with spec
-
-Update inRowIM to match the HTML specification. This fixes an issue
-where a specific HTML document could cause the parser to enter an
-infinite loop when trying to parse a </tbody> and implied </tr> next to
-each other.
-
-Fixes CVE-2025-58190
-Fixes golang/go#70179
-
-Change-Id: Idcb133c87c7d475cc8c7eb1f1550ea21d8bdddea
-Reviewed-on: https://go-review.googlesource.com/c/net/+/709875
-LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
-Reviewed-by: Damien Neil <dneil@google.com>
---
- html/parse.go | 36 ++++++++++++++++++++++++------------
- 1 file changed, 24 insertions(+), 12 deletions(-)
-
-diff --git a/html/parse.go b/html/parse.go
-index 518ee4c..722e927 100644
--- a/html/parse.go
-+++ b/html/parse.go
-@@ -136,7 +136,7 @@ func (p *parser) indexOfElementInScope(s scope, matchTags ...a.Atom) int {
- 					return -1
- 				}
- 			default:
-				panic("unreachable")
-+				panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s))
- 			}
- 		}
- 		switch s {
-@@ -179,7 +179,7 @@ func (p *parser) clearStackToContext(s scope) {
- 				return
- 			}
- 		default:
-			panic("unreachable")
-+			panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s))
- 		}
- 	}
- }
-@@ -1678,7 +1678,7 @@ func inTableBodyIM(p *parser) bool {
- 	return inTableIM(p)
- }
- 
-// Section 12.2.6.4.14.
-+// Section 13.2.6.4.14.
- func inRowIM(p *parser) bool {
- 	switch p.tok.Type {
- 	case StartTagToken:
-@@ -1690,7 +1690,9 @@ func inRowIM(p *parser) bool {
- 			p.im = inCellIM
- 			return true
- 		case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr:
-			if p.popUntil(tableScope, a.Tr) {
-+			if p.elementInScope(tableScope, a.Tr) {
-+				p.clearStackToContext(tableRowScope)
-+				p.oe.pop()
- 				p.im = inTableBodyIM
- 				return false
- 			}
-@@ -1700,22 +1702,28 @@ func inRowIM(p *parser) bool {
- 	case EndTagToken:
- 		switch p.tok.DataAtom {
- 		case a.Tr:
-			if p.popUntil(tableScope, a.Tr) {
-+			if p.elementInScope(tableScope, a.Tr) {
-+				p.clearStackToContext(tableRowScope)
-+				p.oe.pop()
- 				p.im = inTableBodyIM
- 				return true
- 			}
- 			// Ignore the token.
- 			return true
- 		case a.Table:
-			if p.popUntil(tableScope, a.Tr) {
-+			if p.elementInScope(tableScope, a.Tr) {
-+				p.clearStackToContext(tableRowScope)
-+				p.oe.pop()
- 				p.im = inTableBodyIM
- 				return false
- 			}
- 			// Ignore the token.
- 			return true
- 		case a.Tbody, a.Tfoot, a.Thead:
-			if p.elementInScope(tableScope, p.tok.DataAtom) {
-				p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String())
-+			if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) {
-+				p.clearStackToContext(tableRowScope)
-+				p.oe.pop()
-+				p.im = inTableBodyIM
- 				return false
- 			}
- 			// Ignore the token.
-@@ -2222,16 +2230,20 @@ func parseForeignContent(p *parser) bool {
- 			p.acknowledgeSelfClosingTag()
- 		}
- 	case EndTagToken:
-+		if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) {
-+			p.oe = p.oe[:len(p.oe)-1]
-+			return true
-+		}
- 		for i := len(p.oe) - 1; i >= 0; i-- {
-			if p.oe[i].Namespace == "" {
-				return p.im(p)
-			}
- 			if strings.EqualFold(p.oe[i].Data, p.tok.Data) {
- 				p.oe = p.oe[:i]
-+				return true
-+			}
-+			if i > 0 && p.oe[i-1].Namespace == "" {
- 				break
- 			}
- 		}
-		return true
-+		return p.im(p)
- 	default:
- 		// Ignore the token.
- 	}
-- 
-2.51.0
-
--- a/6
+++ b/6
@@ -3,8 +3,8 @@
    <param name="url">https://github.com/GoogleCloudPlatform/osconfig</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">20251202.00</param>
-    <param name="revision">20251202.00</param>
+    <param name="versionformat">20250416.02</param>
+    <param name="revision">20250416.02</param>
    <param name="changesgenerate">enable</param>
  </service>
  <service name="recompress" mode="disabled">
@@ -15,6 +15,6 @@
    <param name="basename">osconfig</param>
  </service>
  <service name="go_modules" mode="disabled">
-    <param name="archive">osconfig-20251202.00.tar.gz</param>
+    <param name="archive">osconfig-20250416.02.tar.gz</param>
  </service>
 </services>
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/GoogleCloudPlatform/osconfig</param>
-              <param name="changesrevision">23ea43baf55074943d56b1e141eefd7b7b3983d7</param></service></servicedata>
+              <param name="changesrevision">af84137069fbb2170051e7d370a55f59f856a7a9</param></service></servicedata>
--- a/google-osconfig-agent.changes
+++ b/google-osconfig-agent.changes
@@ -1,167 +1,7 @@
 -------------------------------------------------------------------
-Tue Dec  9 08:38:50 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+Thu Jun 12 13:35:19 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 20251202.00
-  * Revert "Bump github.com/spdx/tools-golang from 0.5.3 to 0.5.5 (#887)" (#893)
-
-------------------------------------------------------------------
-Tue Dec  2 12:47:38 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to version 20251201.00
-  * Revert "Bump github.com/containerd/containerd (#890)" (#892)
-
-------------------------------------------------------------------
-Thu Nov 27 10:31:37 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to version 20251126.00
-  * Bump github.com/containerd/containerd (#890)
-  * Bump github.com/spdx/tools-golang from 0.5.3 to 0.5.5 (#887)
-
-------------------------------------------------------------------
-Fri Nov  7 11:04:38 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to version 20251028.00
-  * Bump go.opentelemetry.io/otel/sdk/metric from 1.35.0 to 1.38.0 (#886)
-  * Bump github.com/tidwall/pretty from 1.2.0 to 1.2.1 (#880)
- from version 20251023.02
-  * Create multiple_os.yaml (#883)
- from version 20251023.00
-  * Bump github.com/docker/go-connections from 0.4.0 to 0.6.0 (#877)
-  * Add test runner for e2e tests (#876)
- Reword previous changelog entry so that the added patches are accepted
-
-------------------------------------------------------------------
-Tue Oct 14 10:56:31 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to version 20250925.00
-  * Bump cloud.google.com/go/auth/oauth2adapt from 0.2.7 to 0.2.8 (#870)
-  * Bump google.golang.org/protobuf from 1.36.6 to 1.36.9 (#874)
-  * Bump go.opentelemetry.io/otel from 1.35.0 to 1.38.0 (#872)
-  * Bump github.com/golang/glog from 1.2.4 to 1.2.5 (#830)
-
-------------------------------------------------------------------
-Wed Oct  8 16:20:08 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Add CVE-2025-47911.patch to fix an issue in the HTML parser where a large
-  number of open elements can cause the parser to become extremely slow by
-  limiting the stack size of open elements (bsc#1251453, CVE-2025-47911)
- Add CVE-2025-58190.patch to fix an issue in the HTML parser where a specific
-  HTML document can cause the parser to enter an infinite loop when trying
-  to parse a </tbody> and implied </tr> next to each other.
-  (bsc#1251704, CVE-2025-58190)
-
-------------------------------------------------------------------
-Tue Sep 16 12:12:32 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to version 20250902.01
-  * Bump github.com/googleapis/enterprise-certificate-proxy (#829)
- from version 20250902.00
-  * update github.com/go-jose/go-jose/v4 (#869)
-  * Upgrade scalibr and other deps (#866)
- from version 20250901.00
-  * Fix possibility of path traversal for zip and tar archival (#868)
- from version 20250825.00
-  * set CODEOWNERS file as required by org (#863)
- from version 20250819.00
-  * Fix/rhel10 build centos image (#860)
- from version 20250814.00
-  * Fix/rhel10 build image (#859)
- from version 20250813.00
-  * Fix: Add RHEL 10 support to RPM startup script (#858)
- from version 20250811.00
-  * Remove old/sles-15-sp4-sap as image is deprecated (#857)
-
-------------------------------------------------------------------
-Mon Aug 11 13:30:16 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to version 20250806.00
-  * Fixed JSON identifier for the universe domain (#855)
- from version 20250729.00
-  * Bump github.com/google/s2a-go from 0.1.8 to 0.1.9 (#828)
- from version 20250725.02
-  * Update utils.go (#854)
-  * Upgrade golang.org/x/oauth2 package to the latest. (#853)
-  * Bump golang.org/x/time from 0.9.0 to 0.12.0 (#839)
- from version 20250725.01
-  * Bump golang.org/x/oauth2 (#848)
-  * Port fix for debian 11 to goo package manager. (#852)
- from version 20250725.00
-  * Update Golang version in common.sh and skip backports
-    repo for debian 11 (#850)
- from version 20250723.01
-  * Add workflows to build package for el10 (#849)
- from version 20250721.00
-  * Make OS Config agent TPC aware (#846)
- from version 20250718.00
-  * Create workflows for new Debian 13. (#847)
- Drop CVE-2025-22868.patch, merged upstream
-
-------------------------------------------------------------------
-Fri Jul 11 11:51:22 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to version 20250703.00
-  * Fix sles images (#844)
- from version 20250702.00
-  * Remove rhel-sap 8-4 add rhel-sap 8-10 (#843)
- from version 20250701.00
-  * Bump the go_modules group across 1 directory with 2 updates (#840)
-
-------------------------------------------------------------------
-Wed Jun 25 11:23:00 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to version 20250606.00
-  * Change base docker images Google's official base images. (#838)
-
-------------------------------------------------------------------
-Wed May 28 09:01:24 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to version 20250523.01
-  * Add a simple no-op OS policy for user testing (#837)
- from version 20250523.00
-  * Introduce scalibr inventory extractor for dpkg/rpm/cos
-    os/filesystem extractors (linux) (#834)
-  * Trace GetInstalledPackages memory levels (#835)
- from version 20250520.00
-  * Trace GetInstalledPackages memory levels (#835)
-
-------------------------------------------------------------------
-Wed May 14 08:37:59 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
- Update to version 20250513.00
-  * Fix rpm extractor, handle (none) value correctly. (#833)
- from version 20250512.01
-  * Bump github.com/envoyproxy/go-control-plane from 0.13.1 to 0.13.4 (#816)
- from version 20250512.00
-  * Bump golang.org/x/net from 0.39.0 to 0.40.0 (#819)
- from version 20250508.01
-  * cosmetic refactoring to osinfo package (#826)
- from version 20250508.00
-  * Refactor /inventory with dependency injection (#825)
-  * Add debian, ubuntu (InstalledDebPackages) snapshots (#821)
-  * cover packages_linux.go file with tests (#824)
-  * Add debian (10,11,12) GetPackageUpdates output snapshots (#822)
- from version 20250507.00
-  * Add InstalledRPMPackages snapshot tests (#823)
- from version 20250506.02
-  * Yum tests: simplify initialization of exit errors (#820)
- from version 20250506.01
-  * Improve test coverage for gem package manager (#818)
- from version 20250506.00
-  *  after go/x/crypto update 0.32.0 -> 0.37.0 (#817)
- from version 20250505.01
-  * Improve packages package coverage (#814)
-  * Bump golang.org/x/net from 0.34.0 to 0.39.0 (#807)
- from version 20250505.00
-  * Bump golang.org/x/crypto from 0.32.0 to 0.37.0 (#806)
- from version 20250430.00
-  * Snapshot YumUpdates (GetPackageUpdates) output (#813)
- from version 20250428.00
-  * Snapshot ZypperPatches, ZypperUpdates (GetPackageUpdates) output
-    for sles 12, 15 testdata (#812)
- from version 20250423.00
-  * Introduce MatchSnapshot large test results matcher function, snapshot
-    apt-deb GetPackageUpdates (#811)
- from version 20250416.02
+- Update to version 20250416.02 (bsc#1244304, bsc#1244503)
  * defaultSleeper: tolerate 10% difference to reduce test flakiness (#810)
  * Add output of some packagemanagers to the testdata (#808)
 - from version 20250416.01
@@ -218,7 +58,7 @@ Mon Feb 17 09:40:07 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.c
  * CVE-2024-45339.patch (bsc#1236560, CVE-2024-45339)

 -------------------------------------------------------------------
-Mon Jan 27 08:26:52 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+Mon Jan 27 16:54:33 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

 - Update to version 20250115.01 (bsc#1236406, bsc#1236407)
  * Bump cloud.google.com/go/osconfig from 1.14.2 to 1.14.3 (#772)
@@ -291,7 +131,7 @@ Mon Jan 27 08:26:52 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.c
  * Add new packagebuild presubmit that will use cloud-build (#694)
 - from version 20240927.00
  * Third batch of dependencies upgrade (#690)
- Bump the golang compiler version to 1.22.4 (CVE-2024-24790)
+- Bump the golang compiler version to 1.22.4 (bsc#1225974, CVE-2024-24790)

 -------------------------------------------------------------------
 Wed Oct 30 10:54:08 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
--- a/google-osconfig-agent.spec
+++ b/google-osconfig-agent.spec
@@ -24,7 +24,7 @@
 %global import_path     %{provider_prefix}

 Name:           google-osconfig-agent
-Version:        20251202.00
+Version:        20250416.02
 Release:        0
 Summary:        Google Cloud Guest Agent
 License:        Apache-2.0
@@ -33,8 +33,8 @@ URL:            https://%{provider_prefix}
 Source0:        %{repo}-%{version}.tar.gz
 Source1:        vendor.tar.gz
 Source2:        rpmlintrc
-Patch0:         CVE-2025-47911.patch
-Patch1:         CVE-2025-58190.patch
+# PATCH-FIX-UPSTREAM - Fix unexpected memory consumption during token parsing in golang.org/x/oauth2
+Patch0:         CVE-2025-22868.patch
 BuildRequires:  golang(API) >= 1.22.4
 BuildRequires:  golang-packaging
 Requires:       google-guest-configs
@@ -51,14 +51,13 @@ Google Cloud OSConfig Agent
 %prep
 %setup -q -n %{repo}-%{version}
 %setup -q -D -T -a 1 -n %{repo}-%{version}
-pushd vendor/golang.org/x/net
+pushd vendor/golang.org/x/oauth2
 %patch -P0 -p1
-%patch -P1 -p1
 popd

 %build
 %goprep %{import_path}
-CGO_ENABLED=0 go build -buildmode=pie -ldflags="-s -w -X main.version=%{version}-%{release}" -mod=vendor -o google_osconfig_agent
+CGO_ENABLED=0 go build -ldflags="-s -w -X main.version=%{version}-%{release}" -mod=vendor -o google_osconfig_agent

 %install
 install -d %{buildroot}%{_bindir}
--- a/osconfig-20250416.02.tar.gz
+++ b/osconfig-20250416.02.tar.gz
--- a/osconfig-20251202.00.tar.gz
+++ b/osconfig-20251202.00.tar.gz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c8f033021a9fa2a2b94917c43e01483ea9123ce8af054e9bcc9eecdd3e729a6f
-size 471280
--- a/vendor.tar.gz
+++ b/vendor.tar.gz