[Medium] Patch docker-buildx for CVE-2025-22872 (#13640)

v-smalavathu · web-flow · commit 162fa3b9ac71 · 2025-06-05T16:05:13.000+05:30
Signed-off-by: Sreenivasulu Malavathula &lt;v-smalavathu@microsoft.com&gt;
diff --git a/SPECS/docker-buildx/CVE-2025-22872.patch b/SPECS/docker-buildx/CVE-2025-22872.patch
@@ -0,0 +1,42 @@
+From 3d8f07a885376e45fcffcb5c4e33a867a951935b Mon Sep 17 00:00:00 2001
+From: Sreenivasulu Malavathula <v-smalavathu@microsoft.com>
+Date: Tue, 29 Apr 2025 18:29:16 -0500
+Subject: [PATCH] Address CVE-2025-22872
+Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9
+
+---
+ vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go
+index 3c57880..6598c1f 100644
+--- a/vendor/golang.org/x/net/html/token.go
++++ b/vendor/golang.org/x/net/html/token.go
+@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
+ 	if raw {
+ 		z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
+ 	}
+-	// Look for a self-closing token like "<br/>".
+-	if z.err == nil && z.buf[z.raw.end-2] == '/' {
++	// Look for a self-closing token (e.g. <br/>).
++	//
++	// Originally, we did this by just checking that the last character of the
++	// tag (ignoring the closing bracket) was a solidus (/) character, but this
++	// is not always accurate.
++	//
++	// We need to be careful that we don't misinterpret a non-self-closing tag
++	// as self-closing, as can happen if the tag contains unquoted attribute
++	// values (i.e. <p a=/>).
++	//
++	// To avoid this, we check that the last non-bracket character of the tag
++	// (z.raw.end-2) isn't the same character as the last non-quote character of
++	// the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
++	// attributes.
++	nAttrs := len(z.attr)
++	if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
+ 		return SelfClosingTagToken
+ 	}
+ 	return StartTagToken
+-- 
+2.45.2
+
diff --git a/SPECS/docker-buildx/docker-buildx.spec b/SPECS/docker-buildx/docker-buildx.spec
@@ -4,7 +4,7 @@ Summary:        A Docker CLI plugin for extended build capabilities with BuildKi
 Name:           docker-buildx
 # update "commit_hash" above when upgrading version
 Version:        0.14.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        ASL 2.0
 Group:          Tools/Container
 Vendor:         Microsoft Corporation
@@ -15,6 +15,7 @@ Patch0:         CVE-2024-45337.patch
 Patch1:         CVE-2024-45338.patch
 Patch2:         CVE-2025-22869.patch
 Patch3:         CVE-2025-0495.patch
+Patch4:         CVE-2025-22872.patch
 
 BuildRequires: bash
 BuildRequires: golang
@@ -48,6 +49,9 @@ install -m 755 buildx "%{buildroot}%{_libexecdir}/docker/cli-plugins/docker-buil
 %{_libexecdir}/docker/cli-plugins/docker-buildx
 
 %changelog
+* Wed May 21 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 0.14-0-6
+- Patch CVE-2025-22872
+
 * Tue May 13 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 0.14.0-5
 - Fix CVE-2025-0495 with upstream patch modified to apply for azurelinux package
 
