[AUTO-CHERRYPICK] Patch coredns for CVE-2025-30204 [HIGH] - branch main (#13220)

CBL-Mariner-Bot · kgodara912 · web-flow · commit 2ec1f917c9c7 · 2025-03-31T13:03:38.000-04:00
Co-authored-by: kgodara912 &lt;kshigodara@outlook.com&gt;
diff --git a/SPECS/coredns/CVE-2025-30204.patch b/SPECS/coredns/CVE-2025-30204.patch
@@ -0,0 +1,73 @@
+From 52215bbe38134b0f05ba3bbc56288ef68813747d Mon Sep 17 00:00:00 2001
+From: Kshitiz Godara <kgodara@microsoft.com>
+Date: Sun, 30 Mar 2025 17:35:55 +0000
+Subject: [PATCH] Fix for CVE-2025-30204
+
+Upstream source:
+https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
+---
+ vendor/github.com/golang-jwt/jwt/v4/parser.go | 37 +++++++++++++++++--
+ 1 file changed, 34 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+index c0a6f69..7b5ddfe 100644
+--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+@@ -7,6 +7,8 @@ import (
+ 	"strings"
+ )
+ 
++const tokenDelimiter = "."
++
+ type Parser struct {
+ 	// If populated, only these methods will be considered valid.
+ 	//
+@@ -123,9 +125,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ // It's only ever useful in cases where you know the signature is valid (because it has
+ // been checked previously in the stack) and you want to extract values from it.
+ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+-	parts = strings.Split(tokenString, ".")
+-	if len(parts) != 3 {
+-		return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
++	var ok bool
++	parts, ok = splitToken(tokenString)
++	if !ok {
++		return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ 	}
+ 
+ 	token = &Token{Raw: tokenString}
+@@ -175,3 +178,31 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+ 
+ 	return token, parts, nil
+ }
++
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++	parts := make([]string, 3)
++	header, remain, ok := strings.Cut(token, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[0] = header
++	claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[1] = claims
++	// One more cut to ensure the signature is the last part of the token and there are no more
++	// delimiters. This avoids an issue where malicious input could contain additional delimiters
++	// causing unecessary overhead parsing tokens.
++	signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++	if unexpected {
++		return nil, false
++	}
++	parts[2] = signature
++
++	return parts, true
++}
++
+-- 
+2.45.3
+
diff --git a/SPECS/coredns/coredns.spec b/SPECS/coredns/coredns.spec
@@ -3,7 +3,7 @@
 Summary:        Fast and flexible DNS server
 Name:           coredns
 Version:        1.11.1
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        Apache License 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -42,6 +42,7 @@ Patch7:         CVE-2025-22868.patch
 # https://github.com/coredns/coredns/commit/d8ecde1080e7cbbeb98257ba4e03a271f16b4cd9
 Patch8:         coredns-example-net-test.patch
 Patch9:         CVE-2024-53259.patch
+Patch10:        CVE-2025-30204.patch
 
 BuildRequires:  msft-golang
 
@@ -80,6 +81,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name}
 %{_bindir}/%{name}
 
 %changelog
+* Mon Mar 31 2025 Kshitiz Godara <kgodara@microsoft.com> - 1.11.1-16
+- Fix CVE-2025-30204 with an upstream patch
+
 * Wed Mar 19 2025 Mayank Singh <mayansingh@microsoft.com> - 1.11.1-15
 - Fix CVE-2024-53259 with an upstream patch
 
@@ -110,7 +114,7 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name}
 * Wed Apr 17 2024 Bala <balakumaran.kannan@microsoft.com> - 1.11.1-6
 - Patched vendored quic-go package to address CVE-2024-22189
 
-* Fri Feb 10 2024 Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com> - 1.11.1-5
+* Sat Feb 10 2024 Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com> - 1.11.1-5
 - patched vendored quic-go package to address CVE-2023-49295
 
 * Thu Feb 08 2024 Muhammad Falak <mwani@microsoft.com> - 1.11.1-4
@@ -123,7 +127,7 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name}
 * Mon Jan 29 2024 Daniel McIlvaney <damcilva@microsoft.com> - 1.11.1-2
 - Address CVE-2023-44487 by patching vendored golang.org/x/net
 
-* Tue Oct 18 2023 Nicolas Guibourge <nicolasg@microsoft.com> - 1.11.1-1
+* Wed Oct 18 2023 Nicolas Guibourge <nicolasg@microsoft.com> - 1.11.1-1
 - Upgrade to 1.11.1 to match version required by kubernetes
 
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.9.3-10
