-
Notifications
You must be signed in to change notification settings - Fork 568
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Patch
vitess for CVE-2025-22868 [High] (#12730)
Co-authored-by: jslobodzian <[email protected]>
- Loading branch information
1 parent
b6940f4
commit 6c78126
Showing
2 changed files
with
44 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001 | ||
| From: Neal Patel <[email protected]> | ||
| Date: Thu, 30 Jan 2025 14:10:09 -0500 | ||
| Subject: [PATCH] jws: split token into fixed number of parts | ||
|
|
||
| Thanks to 'jub0bs' for reporting this issue. | ||
|
|
||
| Fixes #71490 | ||
| Fixes CVE-2025-22868 | ||
|
|
||
| Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2 | ||
| Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155 | ||
| Auto-Submit: Gopher Robot <[email protected]> | ||
| Reviewed-by: Damien Neil <[email protected]> | ||
| Reviewed-by: Roland Shoemaker <[email protected]> | ||
| LUCI-TryBot-Result: Go LUCI <[email protected]> | ||
| --- | ||
| vendor/golang.org/x/oauth2/jws/jws.go | 4 ++-- | ||
| 1 file changed, 2 insertions(+), 2 deletions(-) | ||
|
|
||
| diff --git a/vendor/golang.org/x/oauth2/jws/jws.go b/vendor/golang.org/x/oauth2/jws/jws.go | ||
| index 95015648b..6f03a49d3 100644 | ||
| --- a/vendor/golang.org/x/oauth2/jws/jws.go | ||
| +++ b/vendor/golang.org/x/oauth2/jws/jws.go | ||
| @@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) { | ||
| // Verify tests whether the provided JWT token's signature was produced by the private key | ||
| // associated with the supplied public key. | ||
| func Verify(token string, key *rsa.PublicKey) error { | ||
| - parts := strings.Split(token, ".") | ||
| - if len(parts) != 3 { | ||
| + if strings.Count(token, ".") != 2 { | ||
| return errors.New("jws: invalid token received, token must have 3 parts") | ||
| } | ||
|
|
||
| + parts := strings.SplitN(token, ".", 3) | ||
| signedContent := parts[0] + "." + parts[1] | ||
| signatureString, err := base64.RawURLEncoding.DecodeString(parts[2]) | ||
| if err != nil { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,7 +3,7 @@ | |
|
|
||
| Name: vitess | ||
| Version: 17.0.7 | ||
| Release: 4%{?dist} | ||
| Release: 5%{?dist} | ||
| Summary: Database clustering system for horizontal scaling of MySQL | ||
| # Upstream license specification: MIT and Apache-2.0 | ||
| License: MIT and ASL 2.0 | ||
|
|
@@ -27,7 +27,8 @@ Source0: %{name}-%{version}.tar.gz | |
| # | ||
| Source1: %{name}-%{version}-vendor.tar.gz | ||
| Patch0: CVE-2024-45338.patch | ||
| Patch1: CVE-2024-45339.patch | ||
| Patch1: CVE-2024-45339.patch | ||
| Patch2: CVE-2025-22868.patch | ||
| BuildRequires: golang | ||
|
|
||
| %description | ||
|
|
@@ -100,6 +101,9 @@ go test -v ./go/cmd/... \ | |
| %{_bindir}/* | ||
|
|
||
| %changelog | ||
| * Mon Mar 03 2025 Kanishk Bansal <[email protected]> - 17.0.7-5 | ||
| - Fix CVE-2025-22868 with an upstream patch | ||
|
|
||
| * Fri Jan 31 2025 Kavya Sree Kaitepalli <[email protected]> - 17.0.7-4 | ||
| - Add patch for CVE-2024-45339 | ||
|
|
||
|
|
||