diff --git a/CVE-2025-53547.patch b/CVE-2025-53547.patch new file mode 100644 index 0000000..6d26969 --- /dev/null +++ b/CVE-2025-53547.patch @@ -0,0 +1,38 @@ +From 00de613324df4dd930e6d231d9aae7f9dee29c76 Mon Sep 17 00:00:00 2001 +From: Matt Farina +Date: Wed, 2 Jul 2025 15:10:04 -0400 +Subject: [PATCH] Updating link handling + +Signed-off-by: Matt Farina +(cherry picked from commit 76fdba4c8c2a4829a6b7abb48a08e51fd07fa0b3) +(cherry picked from commit 4389fa639a4d8e6836fa8df9bb70dd69c2820c12) +--- + pkg/downloader/manager.go | 14 +++++ + pkg/downloader/manager_test.go | 94 ++++++++++++++++++++++++++++++++++ + 2 files changed, 108 insertions(+) + +diff --git a/pkg/downloader/manager.go b/pkg/downloader/manager.go +index ec4056d2753..cc7850aae4b 100644 +--- a/pkg/downloader/manager.go ++++ b/pkg/downloader/manager.go +@@ -852,6 +852,20 @@ func writeLock(chartpath string, lock *chart.Lock, legacyLockfile bool) error { + lockfileName = "requirements.lock" + } + dest := filepath.Join(chartpath, lockfileName) ++ ++ info, err := os.Lstat(dest) ++ if err != nil && !os.IsNotExist(err) { ++ return fmt.Errorf("error getting info for %q: %w", dest, err) ++ } else if err == nil { ++ if info.Mode()&os.ModeSymlink != 0 { ++ link, err := os.Readlink(dest) ++ if err != nil { ++ return fmt.Errorf("error reading symlink for %q: %w", dest, err) ++ } ++ return fmt.Errorf("the %s file is a symlink to %q", lockfileName, link) ++ } ++ } ++ + return os.WriteFile(dest, data, 0644) + } + diff --git a/_service b/_service index 4e4f745..a177e5c 100644 --- a/_service +++ b/_service @@ -2,7 +2,7 @@ https://github.com/aquasecurity/trivy git - v0.62.1 + v0.64.1 @PARENT_TAG@ v(.*) enable diff --git a/_servicedata b/_servicedata index 06d51e2..271a775 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://github.com/aquasecurity/trivy - c75ed2156c8fa801d6998016f46f6b953e8a9556 \ No newline at end of file + 86ee3c1176d4707536914dfa65ac8eca452e14cd \ No newline at end of file diff --git a/jwe-avoid-unbounded-splits.patch b/jwe-avoid-unbounded-splits.patch deleted file mode 100644 index 78b6896..0000000 --- a/jwe-avoid-unbounded-splits.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 99b346cec4e86d102284642c5dcbe9bb0cacfc22 Mon Sep 17 00:00:00 2001 -From: Matthew McPherrin -Date: Mon, 24 Feb 2025 15:06:34 -0500 -Subject: [PATCH] Don't allow unbounded amounts of splits (#167) - -In compact JWS/JWE, don't allow unbounded number of splits. -Count to make sure there's the right number, then use SplitN. ---- - jwe.go | 5 +++-- - jws.go | 5 +++-- - jws_test.go | 3 +++ - 3 files changed, 9 insertions(+), 4 deletions(-) - -diff --git a/jwe.go b/jwe.go -index 89f03ee..9f1322d 100644 ---- a/jwe.go -+++ b/jwe.go -@@ -288,10 +288,11 @@ func ParseEncryptedCompact( - keyAlgorithms []KeyAlgorithm, - contentEncryption []ContentEncryption, - ) (*JSONWebEncryption, error) { -- parts := strings.Split(input, ".") -- if len(parts) != 5 { -+ // Five parts is four separators -+ if strings.Count(input, ".") != 4 { - return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts") - } -+ parts := strings.SplitN(input, ".", 5) - - rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0]) - if err != nil { -diff --git a/jws.go b/jws.go -index 3a91230..d09d8ba 100644 ---- a/jws.go -+++ b/jws.go -@@ -327,10 +327,11 @@ func parseSignedCompact( - payload []byte, - signatureAlgorithms []SignatureAlgorithm, - ) (*JSONWebSignature, error) { -- parts := strings.Split(input, ".") -- if len(parts) != 3 { -+ // Three parts is two separators -+ if strings.Count(input, ".") != 2 { - return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts") - } -+ parts := strings.SplitN(input, ".", 3) - - if parts[1] != "" && payload != nil { - return nil, fmt.Errorf("go-jose/go-jose: payload is not detached") diff --git a/trivy-0.62.1.tar.zst b/trivy-0.62.1.tar.zst deleted file mode 100644 index 6eb1815..0000000 --- a/trivy-0.62.1.tar.zst +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:46cc9194188a32b8e6c798a5bb8b3e73c7de2b8b9651b6c6d99d9b54c23761a7 -size 52302459 diff --git a/trivy-0.64.1.tar.zst b/trivy-0.64.1.tar.zst new file mode 100644 index 0000000..1c171c2 --- /dev/null +++ b/trivy-0.64.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:635e17a7d1e530db6685e32422200d2df68de8ef1beee579f76b84f6807bbac9 +size 52364182 diff --git a/trivy.changes b/trivy.changes index 6a6a242..88828d4 100644 --- a/trivy.changes +++ b/trivy.changes @@ -1,3 +1,121 @@ +------------------------------------------------------------------- +Wed Jul 9 15:48:08 UTC 2025 - Dirk Müller + +- add CVE-2025-53547.patch: (CVE-2025-53547, bsc#1246151) + +------------------------------------------------------------------- +Wed Jul 09 15:17:39 UTC 2025 - Dirk Müller + +- Update to version 0.64.1: + * release: v0.64.1 [release/v0.64] (#9122) + * fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#9127) + * fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#9124) + * fix(rootio): check full version to detect `root.io` packages [backport: release/v0.64] (#9120) + * fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#9119) + * release: v0.64.0 [main] (#8955) + * docs(python): fix type with METADATA file name (#9090) + * feat: reject unsupported artifact types in remote image retrieval (#9052) + * chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 (#9088) + * refactor(misconf): rewrite Rego module filtering using functional filters (#9061) + * feat(terraform): add partial evaluation for policy templates (#8967) + * feat(vuln): add Root.io support for container image scanning (#9073) + * feat(sbom): add manufacturer field to CycloneDX tools metadata (#9019) + * fix(cli): add some values to the telemetry call (#9056) + * feat(ubuntu): add end of life date for Ubuntu 25.04 (#9077) + * refactor: centralize HTTP transport configuration (#9058) + * test: include integration tests in linting and fix all issues (#9060) + * chore(deps): bump the common group across 1 directory with 26 updates (#9063) + * feat(java): dereference all maven settings.xml env placeholders (#9024) + * fix(misconf): reduce log noise on incompatible check (#9029) + * fix(misconf): .Config.User always takes precedence over USER in .History (#9050) + * chore(deps): update Docker to v28.2.2 and fix compatibility issues (#9037) + * docs(misconf): simplify misconfiguration docs (#9030) + * fix(misconf): move disabled checks filtering after analyzer scan (#9002) + * docs: add PR review policy for maintainers (#9032) + * fix(sbom): remove unnecessary OS detection check in SBOM decoding (#9034) + * test: improve and extend tests for iac/adapters/arm (#9028) + * chore: bump up Go version to 1.24.4 (#9031) + * feat(cli): add version constraints to annoucements (#9023) + * fix(misconf): correct Azure value-to-time conversion in AsTimeValue (#9015) + * feat(ubuntu): add eol date for 20.04-ESM (#8981) + * fix(report): don't panic when report contains vulns, but doesn't contain packages for `table` format (#8549) + * fix(nodejs): correctly parse `packages` array of `bun.lock` file (#8998) + * refactor: use strings.SplitSeq instead of strings.Split in for-loop (#8983) + * docs: change --disable-metrics to --disable-telemetry in example (#8999) (#9003) + * feat(misconf): add OpenTofu file extension support (#8747) + * refactor(misconf): set Trivy version by default in Rego scanner (#9001) + * docs: fix assets with versioning (#8996) + * docs: add partners page (#8988) + * chore(alpine): add EOL date for Alpine 3.22 (#8992) + * fix: don't show corrupted trivy-db warning for first run (#8991) + * Update installation.md (#8979) + * feat(misconf): normalize CreatedBy for buildah and legacy docker builder (#8953) + * chore(k8s): update comments with deprecated command format (#8964) + * chore: fix errors and typos in docs (#8963) + * fix: Add missing version check flags (#8951) + * feat(redhat): Add EOL date for RHEL 10. (#8910) + * fix: Correctly check for semver versions for trivy version check (#8948) + * refactor(server): change custom advisory and vulnerability data types fr… (#8923) + * ci(helm): bump Trivy version to 0.63.0 for Trivy Helm Chart 0.15.0 (#8946) + * release: v0.63.0 [main] (#8809) + * fix(misconf): use argument value in WithIncludeDeprecatedChecks (#8942) + * chore(deps): Bump trivy-checks (#8934) + * fix(julia): add `Relationship` field support (#8939) + * feat(minimos): Add support for MinimOS (#8792) + * feat(alpine): add maintainer field extraction for APK packages (#8930) + * feat(echo): Add Echo Support (#8833) + * fix(redhat): Also try to find buildinfo in root layer (layer 0) (#8924) + * fix(wolfi): support new APK database location (#8937) + * feat(k8s): get components from namespaced resources (#8918) + * refactor(cloudformation): remove unused ScanFile method from Scanner (#8927) + * refactor(terraform): remove result sorting from scanner (#8928) + * feat(misconf): Add support for `Minimum Trivy Version` (#8880) + * docs: improve skipping files documentation (#8749) + * feat(cli): Add available version checking (#8553) + * feat(nodejs): add a bun.lock analyzer (#8897) + * feat: terraform parser option to set current working directory (#8909) + * perf(secret): only match secrets of meaningful length, allow example strings to not be matched (#8602) + * feat(misconf): export raw Terraform data to Rego (#8741) + * refactor(terraform): simplify AllReferences method signature in Attribute (#8906) + * fix: check post-analyzers for StaticPaths (#8904) + * feat: add Bottlerocket OS package analyzer (#8653) + * feat(license): improve work text licenses with custom classification (#8888) + * chore(deps): bump github.com/containerd/containerd/v2 from 2.1.0 to 2.1.1 (#8901) + * chore(deps): bump the common group across 1 directory with 9 updates (#8887) + * refactor(license): simplify compound license scanning (#8896) + * feat(license): Support compound licenses (licenses using SPDX operators) (#8816) + * fix(k8s): use in-memory cache backend during misconfig scanning (#8873) + * feat(nodejs): add bun.lock parser (#8851) + * feat(license): improve work with custom classification of licenses from config file (#8861) + * fix(cli): disable `--skip-dir` and `--skip-files` flags for `sbom` command (#8886) + * fix: julia parser panicing (#8883) + * refactor(db): change logic to detect wrong DB (#8864) + * fix(cli): don't use allow values for `--compliance` flag (#8881) + * docs(misconf): Reorganize misconfiguration scan pages (#8206) + * fix(server): add missed Relationship field for `rpc` (#8872) + * feat: add JSONC support for comments and trailing commas (#8862) + * fix(vex): use `lo.IsNil` to check `VEX` from OCI artifact (#8858) + * feat(go): support license scanning in both GOPATH and vendor (#8843) + * fix(redhat): save contentSets for OS packages in fs/vm modes (#8820) + * fix: filter all files when processing files installed from package managers (#8842) + * feat(misconf): add misconfiguration location to junit template (#8793) + * docs(vuln): remove OSV for Python from data sources (#8841) + * chore: add an issue template for maintainers (#8838) + * chore: enable staticcheck (#8815) + * ci(helm): bump Trivy version to 0.62.1 for Trivy Helm Chart 0.14.1 (#8836) + * feat(license): scan vendor directory for license for go.mod files (#8689) + * docs(java): Update info about dev deps in gradle lock (#8830) + * chore(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 in the common group (#8822) + * fix(java): exclude dev dependencies in gradle lockfile (#8803) + * fix: octalLiteral from go-critic (#8811) + * fix(redhat): trim invalid suffix from content_sets in manifest parsing (#8818) + * chore(deps): bump the common group across 1 directory with 10 updates (#8817) + * fix: use-any from revive (#8810) + * fix: more revive rules (#8814) + * docs: change in java.md: fix the Trity -to-> Trivy typo (#8813) + * fix(misconf): check if for-each is known when expanding dyn block (#8808) + * ci(helm): bump Trivy version to 0.62.0 for Trivy Helm Chart 0.14.0 (#8802) + ------------------------------------------------------------------- Wed May 07 15:37:35 UTC 2025 - Dirk Müller @@ -166,6 +284,8 @@ Thu Apr 24 15:03:57 UTC 2025 - dmueller@suse.com * fix(misconf): ecs include enhanced for container insights (#8326) * fix(sbom): preserve OS packages from multiple SBOMs (#8325) * ci(helm): bump Trivy version to 0.59.0 for Trivy Helm Chart 0.11.0 (#8311) +- drop jwe-avoid-unbounded-splits.patch (included upstream via + version update) ------------------------------------------------------------------- Wed Feb 26 09:01:28 UTC 2025 - Dirk Müller diff --git a/trivy.spec b/trivy.spec index 2575d45..837f7db 100644 --- a/trivy.spec +++ b/trivy.spec @@ -17,7 +17,7 @@ Name: trivy -Version: 0.62.1 +Version: 0.64.1 Release: 0 Summary: A Simple and Comprehensive Vulnerability Scanner for Containers License: Apache-2.0 @@ -25,6 +25,8 @@ Group: System/Management URL: https://github.com/aquasecurity/trivy Source: %{name}-%{version}.tar.zst Source1: vendor.tar.zst +# PATCH-FIX-OPENSUSE: backport from https://github.com/helm/helm/commit/00de613324df4dd930e6d231d9aae7f9dee29c76.patch +Patch1: CVE-2025-53547.patch BuildRequires: golang-packaging BuildRequires: zstd BuildRequires: golang(API) = 1.24 @@ -44,6 +46,9 @@ name of the container. %prep %setup -a1 +pushd vendor/helm.sh/helm/v3 +%patch -P 1 -p1 +popd %build export CGO_ENABLED=1 diff --git a/vendor.tar.zst b/vendor.tar.zst index 4cc3c09..0e6b5cb 100644 --- a/vendor.tar.zst +++ b/vendor.tar.zst @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:c1bc88836d3c18dbfe0662b5202ee4331ef67c80f110e595e7484ea6ec0dafcb -size 39440109 +oid sha256:74056c11c62d0bd9884add8d93a15599d848842f045022d85b694047aca0433c +size 39448531