From 7551196b240503f2d959bb2b6f1da06972705fe0 Mon Sep 17 00:00:00 2001 From: Kanishk-Bansal Date: Fri, 28 Feb 2025 11:27:48 +0000 Subject: [PATCH 1/2] Patch gh for CVE-2025-27144 [Medium] --- SPECS/gh/CVE-2025-27144.patch | 49 +++++++++++++++++++++++++++++++++++ SPECS/gh/gh.spec | 6 ++++- 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 SPECS/gh/CVE-2025-27144.patch diff --git a/SPECS/gh/CVE-2025-27144.patch b/SPECS/gh/CVE-2025-27144.patch new file mode 100644 index 00000000000..818881b1a84 --- /dev/null +++ b/SPECS/gh/CVE-2025-27144.patch @@ -0,0 +1,49 @@ +From 72e5dc031b9ecdc0ba2db04b715bb43b8eefcf59 Mon Sep 17 00:00:00 2001 +From: Kanishk-Bansal +Date: Fri, 28 Feb 2025 09:57:57 +0000 +Subject: [PATCH] CVE-2025-27144 +Upstream Reference : https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22 +--- + vendor/github.com/go-jose/go-jose/v4/jwe.go | 5 +++-- + vendor/github.com/go-jose/go-jose/v4/jws.go | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/vendor/github.com/go-jose/go-jose/v4/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go +index 89f03ee3..9f1322dc 100644 +--- a/vendor/github.com/go-jose/go-jose/v4/jwe.go ++++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go +@@ -288,10 +288,11 @@ func ParseEncryptedCompact( + keyAlgorithms []KeyAlgorithm, + contentEncryption []ContentEncryption, + ) (*JSONWebEncryption, error) { +- parts := strings.Split(input, ".") +- if len(parts) != 5 { ++ // Five parts is four separators ++ if strings.Count(input, ".") != 4 { + return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts") + } ++ parts := strings.SplitN(input, ".", 5) + + rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0]) + if err != nil { +diff --git a/vendor/github.com/go-jose/go-jose/v4/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go +index 3a912301..d09d8ba5 100644 +--- a/vendor/github.com/go-jose/go-jose/v4/jws.go ++++ b/vendor/github.com/go-jose/go-jose/v4/jws.go +@@ -327,10 +327,11 @@ func parseSignedCompact( + payload []byte, + signatureAlgorithms []SignatureAlgorithm, + ) (*JSONWebSignature, error) { +- parts := strings.Split(input, ".") +- if len(parts) != 3 { ++ // Three parts is two separators ++ if strings.Count(input, ".") != 2 { + return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts") + } ++ parts := strings.SplitN(input, ".", 3) + + if parts[1] != "" && payload != nil { + return nil, fmt.Errorf("go-jose/go-jose: payload is not detached") +-- +2.45.2 + diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec index b8483bba070..922d62e0e6f 100644 --- a/SPECS/gh/gh.spec +++ b/SPECS/gh/gh.spec @@ -1,7 +1,7 @@ Summary: GitHub official command line tool Name: gh Version: 2.62.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -19,6 +19,7 @@ Patch2: CVE-2024-45337.patch Patch3: CVE-2024-45338.patch Patch5: CVE-2024-53859.patch Patch6: CVE-2025-25204.patch +Patch7: CVE-2025-27144.patch BuildRequires: golang < 1.23 BuildRequires: git @@ -61,6 +62,9 @@ make test %{_datadir}/zsh/site-functions/_gh %changelog +* Fri Feb 28 2025 Kanishk Bansal - 2.62.0-7 +- Fix CVE-2025-27144 with an upstream patch + * Fri Feb 21 2025 Kshitiz Godara - 2.62.0-6 - Patch CVE-2025-25204 From 70cd7143889cbbddd40f3bc09c3dd2143d6737f3 Mon Sep 17 00:00:00 2001 From: Kanishk-Bansal Date: Sun, 2 Mar 2025 19:56:14 +0000 Subject: [PATCH 2/2] Patch gh for CVE-2025-22869 [High] --- SPECS/gh/CVE-2025-22869.patch | 140 ++++++++++++++++++++++++++++++++++ SPECS/gh/gh.spec | 3 +- 2 files changed, 142 insertions(+), 1 deletion(-) create mode 100644 SPECS/gh/CVE-2025-22869.patch diff --git a/SPECS/gh/CVE-2025-22869.patch b/SPECS/gh/CVE-2025-22869.patch new file mode 100644 index 00000000000..c0415fddb0e --- /dev/null +++ b/SPECS/gh/CVE-2025-22869.patch @@ -0,0 +1,140 @@ +From 041b89a18f81265899e42e6801f830c101a96120 Mon Sep 17 00:00:00 2001 +From: Kanishk-Bansal +Date: Sun, 2 Mar 2025 13:46:00 +0000 +Subject: [PATCH] CVE-2025-22869 + +Upstream Reference : https://github.com/golang/crypto/commit/7292932d45d55c7199324ab0027cc86e8198aa22 + +ssh: limit the size of the internal packet queue while waiting for KEX + +In the SSH protocol, clients and servers execute the key exchange to +generate one-time session keys used for encryption and authentication. +The key exchange is performed initially after the connection is +established and then periodically after a configurable amount of data. +While a key exchange is in progress, we add the received packets to an +internal queue until we receive SSH_MSG_KEXINIT from the other side. +This can result in high memory usage if the other party is slow to +respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a +malicious client never responds to an SSH_MSG_KEXINIT packet during a +large file transfer. +We now limit the internal queue to 64 packets: this means 2MB with the +typical 32KB packet size. +When the internal queue is full we block further writes until the +pending key exchange is completed or there is a read or write error. + +Thanks to Yuichi Watanabe for reporting this issue. + +Change-Id: I1ce2214cc16e08b838d4bc346c74c72addafaeec +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/652135 +Reviewed-by: Neal Patel +Auto-Submit: Gopher Robot +Reviewed-by: Roland Shoemaker +LUCI-TryBot-Result: Go LUCI + +--- + vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++----- + 1 file changed, 37 insertions(+), 10 deletions(-) + +diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go +index 70a7369..e14eb6c 100644 +--- a/vendor/golang.org/x/crypto/ssh/handshake.go ++++ b/vendor/golang.org/x/crypto/ssh/handshake.go +@@ -24,6 +24,11 @@ const debugHandshake = false + // quickly. + const chanSize = 16 + ++// maxPendingPackets sets the maximum number of packets to queue while waiting ++// for KEX to complete. This limits the total pending data to maxPendingPackets ++// * maxPacket bytes, which is ~16.8MB. ++const maxPendingPackets = 64 ++ + // keyingTransport is a packet based transport that supports key + // changes. It need not be thread-safe. It should pass through + // msgNewKeys in both directions. +@@ -58,11 +63,19 @@ type handshakeTransport struct { + incoming chan []byte + readError error + +- mu sync.Mutex +- writeError error +- sentInitPacket []byte +- sentInitMsg *kexInitMsg +- pendingPackets [][]byte // Used when a key exchange is in progress. ++ mu sync.Mutex ++ // Condition for the above mutex. It is used to notify a completed key ++ // exchange or a write failure. Writes can wait for this condition while a ++ // key exchange is in progress. ++ writeCond *sync.Cond ++ writeError error ++ sentInitPacket []byte ++ sentInitMsg *kexInitMsg ++ // Used to queue writes when a key exchange is in progress. The length is ++ // limited by pendingPacketsSize. Once full, writes will block until the key ++ // exchange is completed or an error occurs. If not empty, it is emptied ++ // all at once when the key exchange is completed in kexLoop. ++ pendingPackets [][]byte + writePacketsLeft uint32 + writeBytesLeft int64 + +@@ -114,6 +127,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, + + config: config, + } ++ t.writeCond = sync.NewCond(&t.mu) + t.resetReadThresholds() + t.resetWriteThresholds() + +@@ -236,6 +250,7 @@ func (t *handshakeTransport) recordWriteError(err error) { + defer t.mu.Unlock() + if t.writeError == nil && err != nil { + t.writeError = err ++ t.writeCond.Broadcast() + } + } + +@@ -339,6 +354,8 @@ write: + } + } + t.pendingPackets = t.pendingPackets[:0] ++ // Unblock writePacket if waiting for KEX. ++ t.writeCond.Broadcast() + t.mu.Unlock() + } + +@@ -526,11 +543,20 @@ func (t *handshakeTransport) writePacket(p []byte) error { + } + + if t.sentInitMsg != nil { +- // Copy the packet so the writer can reuse the buffer. +- cp := make([]byte, len(p)) +- copy(cp, p) +- t.pendingPackets = append(t.pendingPackets, cp) +- return nil ++ if len(t.pendingPackets) < maxPendingPackets { ++ // Copy the packet so the writer can reuse the buffer. ++ cp := make([]byte, len(p)) ++ copy(cp, p) ++ t.pendingPackets = append(t.pendingPackets, cp) ++ return nil ++ } ++ for t.sentInitMsg != nil { ++ // Block and wait for KEX to complete or an error. ++ t.writeCond.Wait() ++ if t.writeError != nil { ++ return t.writeError ++ } ++ } + } + + if t.writeBytesLeft > 0 { +@@ -547,6 +573,7 @@ func (t *handshakeTransport) writePacket(p []byte) error { + + if err := t.pushPacket(p); err != nil { + t.writeError = err ++ t.writeCond.Broadcast() + } + + return nil +-- +2.45.2 + diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec index 922d62e0e6f..e33d115c3c3 100644 --- a/SPECS/gh/gh.spec +++ b/SPECS/gh/gh.spec @@ -20,6 +20,7 @@ Patch3: CVE-2024-45338.patch Patch5: CVE-2024-53859.patch Patch6: CVE-2025-25204.patch Patch7: CVE-2025-27144.patch +Patch8: CVE-2025-22869.patch BuildRequires: golang < 1.23 BuildRequires: git @@ -63,7 +64,7 @@ make test %changelog * Fri Feb 28 2025 Kanishk Bansal - 2.62.0-7 -- Fix CVE-2025-27144 with an upstream patch +- Fix CVE-2025-27144, CVE-2025-22869 with an upstream patch * Fri Feb 21 2025 Kshitiz Godara - 2.62.0-6 - Patch CVE-2025-25204