-
Notifications
You must be signed in to change notification settings - Fork 568
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[AUTO-CHERRYPICK] Patch
node-problem-detector for CVE-2025-22868 [H…
…igh] - branch main (#12735) Co-authored-by: Kanishk Bansal <[email protected]>
- Loading branch information
1 parent
c280989
commit 327db28
Showing
2 changed files
with
43 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001 | ||
| From: Neal Patel <[email protected]> | ||
| Date: Thu, 30 Jan 2025 14:10:09 -0500 | ||
| Subject: [PATCH] jws: split token into fixed number of parts | ||
|
|
||
| Thanks to 'jub0bs' for reporting this issue. | ||
|
|
||
| Fixes #71490 | ||
| Fixes CVE-2025-22868 | ||
|
|
||
| Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2 | ||
| Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155 | ||
| Auto-Submit: Gopher Robot <[email protected]> | ||
| Reviewed-by: Damien Neil <[email protected]> | ||
| Reviewed-by: Roland Shoemaker <[email protected]> | ||
| LUCI-TryBot-Result: Go LUCI <[email protected]> | ||
| --- | ||
| vendor/golang.org/x/oauth2/jws/jws.go | 4 ++-- | ||
| 1 file changed, 2 insertions(+), 2 deletions(-) | ||
|
|
||
| diff --git a/vendor/golang.org/x/oauth2/jws/jws.go b/vendor/golang.org/x/oauth2/jws/jws.go | ||
| index 95015648b..6f03a49d3 100644 | ||
| --- a/vendor/golang.org/x/oauth2/jws/jws.go | ||
| +++ b/vendor/golang.org/x/oauth2/jws/jws.go | ||
| @@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) { | ||
| // Verify tests whether the provided JWT token's signature was produced by the private key | ||
| // associated with the supplied public key. | ||
| func Verify(token string, key *rsa.PublicKey) error { | ||
| - parts := strings.Split(token, ".") | ||
| - if len(parts) != 3 { | ||
| + if strings.Count(token, ".") != 2 { | ||
| return errors.New("jws: invalid token received, token must have 3 parts") | ||
| } | ||
|
|
||
| + parts := strings.SplitN(token, ".", 3) | ||
| signedContent := parts[0] + "." + parts[1] | ||
| signatureString, err := base64.RawURLEncoding.DecodeString(parts[2]) | ||
| if err != nil { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| Summary: Kubernetes daemon to detect and report node issues | ||
| Name: node-problem-detector | ||
| Version: 0.8.17 | ||
| Release: 5%{?dist} | ||
| Release: 6%{?dist} | ||
| License: ASL 2.0 | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
|
|
@@ -12,6 +12,7 @@ Patch0: 001-remove_arch_specific_makefile_logic.patch | |
| Patch1: 002-add_mariner_OSVersion.patch | ||
| Patch2: CVE-2024-24786.patch | ||
| Patch3: CVE-2023-45288.patch | ||
| Patch4: CVE-2025-22868.patch | ||
| BuildRequires: golang | ||
| BuildRequires: systemd-devel | ||
| Requires: mariner-release | ||
|
|
@@ -66,6 +67,9 @@ make test | |
| %config(noreplace) %{_sysconfdir}/node-problem-detector.d/* | ||
|
|
||
| %changelog | ||
| * Mon Mar 03 2025 Kanishk Bansal <[email protected]> - 0.8.17-6 | ||
| - Fix CVE-2025-22868 with an upstream patch | ||
|
|
||
| * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 0.8.17-5 | ||
| - Bump release to rebuild with go 1.22.7 | ||
|
|
||
|
|
||