[AutoPR- Security] Patch jx for CVE-2025-30204 [MEDIUM] (#15873)

azurelinux-security · Kanishk Bansal · akhila-guruju · web-flow · commit 0aec119504cf · 2026-02-18T17:22:30.000+05:30
Signed-off-by: Kanishk Bansal &lt;kanbansal@microsoft.com&gt;
Co-authored-by: Kanishk Bansal &lt;kanbansal@microsoft.com&gt;
Co-authored-by: Akhila Guruju &lt;v-guakhila@microsoft.com&gt;
diff --git a/SPECS/jx/CVE-2025-30204.patch b/SPECS/jx/CVE-2025-30204.patch
@@ -0,0 +1,169 @@
+From 56e036d7e11fee56d99cba4c96f3d3abaf11c1b9 Mon Sep 17 00:00:00 2001
+From: Michael Fridman <mfridman@buf.build>
+Date: Fri, 21 Mar 2025 16:42:51 -0400
+Subject: [PATCH] Backporting 0951d18 to v4
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84.patch
+---
+ .../github.com/form3tech-oss/jwt-go/jwt_test.go| 89 +++++++++++++++++++
+ .../github.com/form3tech-oss/jwt-go/parser.go  | 36 +++++++-
+ 2 files changed, 122 insertions(+), 3 deletions(-)
+ create mode 100644 github.com/form3tech-oss/jwt-go/jwt_test.go
+
+diff --git a/vendor/github.com/form3tech-oss/jwt-go/jwt_test.go b/vendor/github.com/form3tech-oss/jwt-go/jwt_test.go
+new file mode 100644
+index 0000000..b01e899
+--- /dev/null
++++ b/vendor/github.com/form3tech-oss/jwt-go/jwt_test.go
+@@ -0,0 +1,89 @@
++package jwt
++
++import (
++	"testing"
++)
++
++func TestSplitToken(t *testing.T) {
++	t.Parallel()
++
++	tests := []struct {
++		name     string
++		input    string
++		expected []string
++		isValid  bool
++	}{
++		{
++			name:     "valid token with three parts",
++			input:    "header.claims.signature",
++			expected: []string{"header", "claims", "signature"},
++			isValid:  true,
++		},
++		{
++			name:     "invalid token with two parts only",
++			input:    "header.claims",
++			expected: nil,
++			isValid:  false,
++		},
++		{
++			name:     "invalid token with one part only",
++			input:    "header",
++			expected: nil,
++			isValid:  false,
++		},
++		{
++			name:     "invalid token with extra delimiter",
++			input:    "header.claims.signature.extra",
++			expected: nil,
++			isValid:  false,
++		},
++		{
++			name:     "invalid empty token",
++			input:    "",
++			expected: nil,
++			isValid:  false,
++		},
++		{
++			name:     "valid token with empty parts",
++			input:    "..signature",
++			expected: []string{"", "", "signature"},
++			isValid:  true,
++		},
++		{
++			// We are just splitting the token into parts, so we don't care about the actual values.
++			// It is up to the caller to validate the parts.
++			name:     "valid token with all parts empty",
++			input:    "..",
++			expected: []string{"", "", ""},
++			isValid:  true,
++		},
++		{
++			name:     "invalid token with just delimiters and extra part",
++			input:    "...",
++			expected: nil,
++			isValid:  false,
++		},
++		{
++			name:     "invalid token with many delimiters",
++			input:    "header.claims.signature..................",
++			expected: nil,
++			isValid:  false,
++		},
++	}
++
++	for _, tt := range tests {
++		t.Run(tt.name, func(t *testing.T) {
++			parts, ok := splitToken(tt.input)
++			if ok != tt.isValid {
++				t.Errorf("expected %t, got %t", tt.isValid, ok)
++			}
++			if ok {
++				for i, part := range tt.expected {
++					if parts[i] != part {
++						t.Errorf("expected %s, got %s", part, parts[i])
++					}
++				}
++			}
++		})
++	}
++}
+diff --git a/vendor/github.com/form3tech-oss/jwt-go/parser.go b/vendor/github.com/form3tech-oss/jwt-go/parser.go
+index 9fddb7d..dbee074 100644
+--- a/vendor/github.com/form3tech-oss/jwt-go/parser.go
++++ b/vendor/github.com/form3tech-oss/jwt-go/parser.go
+@@ -7,6 +7,8 @@ import (
+ 	"strings"
+ )
+ 
++const tokenDelimiter = "."
++
+ type Parser struct {
+ 	ValidMethods         []string // If populated, only these methods will be considered valid
+ 	UseJSONNumber        bool     // Use JSON Number format in JSON decoder
+@@ -99,9 +101,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ // been checked previously in the stack) and you want to extract values from
+ // it.
+ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+-	parts = strings.Split(tokenString, ".")
+-	if len(parts) != 3 {
+-		return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
++	var ok bool
++	parts, ok = splitToken(tokenString)
++	if !ok {
++		return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ 	}
+ 
+ 	token = &Token{Raw: tokenString}
+@@ -151,3 +154,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+ 
+ 	return token, parts, nil
+ }
++
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++	parts := make([]string, 3)
++	header, remain, ok := strings.Cut(token, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[0] = header
++	claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[1] = claims
++	// One more cut to ensure the signature is the last part of the token and there are no more
++	// delimiters. This avoids an issue where malicious input could contain additional delimiters
++	// causing unecessary overhead parsing tokens.
++	signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++	if unexpected {
++		return nil, false
++	}
++	parts[2] = signature
++
++	return parts, true
++}
+-- 
+2.45.4
+
diff --git a/SPECS/jx/jx.spec b/SPECS/jx/jx.spec
@@ -1,7 +1,7 @@
 Summary:        Command line tool for working with Jenkins X.
 Name:           jx
 Version:        3.2.236
-Release:        24%{?dist}
+Release:        25%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -33,6 +33,7 @@ Patch2:         CVE-2023-45288.patch
 Patch3:         CVE-2024-51744.patch
 Patch4:         CVE-2025-58058.patch
 Patch5:         CVE-2025-65637.patch
+Patch6:         CVE-2025-30204.patch
 BuildRequires:  golang
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -71,16 +72,19 @@ make test && \
 %{_bindir}/jx
 
 %changelog
+* Tue Feb 17 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.2.236-25
+- Patch for CVE-2025-30204
+
 * Mon Dec 08 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.2.236-24
 - Patch for CVE-2025-65637
 
 * Wed Sep 03 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.2.236-23
 - Patch for CVE-2025-58058
 
-* Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 3.2.236-22
+* Tue Sep 02 2025 Akhila Guruju <v-guakhila@microsoft.com> - 3.2.236-22
 - Bump release to rebuild with golang
 
-* Thur Mar 20 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 3.2.236-21
+* Thu Mar 20 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 3.2.236-21
 - Fix CVE-2024-51744
 
 * Mon Sep 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.2.236-20
