Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch local-path-provisioner for CVE-2025-65637 [HIGH] - branch main" #15354

CBL-Mariner-Bot · azurelinux-security · jslobodzian · web-flow · commit 30334fec7590 · 2025-12-19T10:17:08.000-08:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/local-path-provisioner/CVE-2025-65637.patch b/SPECS/local-path-provisioner/CVE-2025-65637.patch
@@ -0,0 +1,94 @@
+From b050f79897597e999396c27aab8e57a01d88db23 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 8 Dec 2025 09:54:26 +0000
+Subject: [PATCH] vendor/logrus: Fix potential DoS in Writer() by scanning
+ input in 64KB chunks and trimming newlines. Add comments and finalizer. Based
+ on upstream patches.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/sirupsen/logrus/pull/1376.patch
+---
+ vendor/github.com/Sirupsen/logrus/writer.go | 34 ++++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/Sirupsen/logrus/writer.go b/vendor/github.com/Sirupsen/logrus/writer.go
+index f74d2aa..4bff841 100644
+--- a/vendor/github.com/Sirupsen/logrus/writer.go
++++ b/vendor/github.com/Sirupsen/logrus/writer.go
+@@ -4,16 +4,20 @@ import (
+ 	"bufio"
+ 	"io"
+ 	"runtime"
++	"strings"
+ )
+ 
++// Writer returns an io.Writer that writes to the logger at the info log level
+ func (logger *Logger) Writer() *io.PipeWriter {
+ 	return logger.WriterLevel(InfoLevel)
+ }
+ 
++// WriterLevel returns an io.Writer that writes to the logger at the given log level
+ func (logger *Logger) WriterLevel(level Level) *io.PipeWriter {
+ 	reader, writer := io.Pipe()
+ 
+ 	var printFunc func(args ...interface{})
++	// Determine which log function to use based on the specified log level
+ 	switch level {
+ 	case DebugLevel:
+ 		printFunc = logger.Debug
+@@ -31,23 +35,51 @@ func (logger *Logger) WriterLevel(level Level) *io.PipeWriter {
+ 		printFunc = logger.Print
+ 	}
+ 
++	// Start a new goroutine to scan the input and write it to the logger using the specified print function.
++	// It splits the input into chunks of up to 64KB to avoid buffer overflows.
+ 	go logger.writerScanner(reader, printFunc)
++
++	// Set a finalizer function to close the writer when it is garbage collected
+ 	runtime.SetFinalizer(writer, writerFinalizer)
+ 
+ 	return writer
+ }
+ 
++// writerScanner scans the input from the reader and writes it to the logger
+ func (logger *Logger) writerScanner(reader *io.PipeReader, printFunc func(args ...interface{})) {
+ 	scanner := bufio.NewScanner(reader)
++
++	// Set the buffer size to the maximum token size to avoid buffer overflows
++	scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize)
++
++	// Define a split function to split the input into chunks of up to 64KB
++	chunkSize := 64 * 1024 // 64KB
++	splitFunc := func(data []byte, atEOF bool) (int, []byte, error) {
++		if len(data) > chunkSize {
++			return chunkSize, data[:chunkSize], nil
++		}
++
++		return len(data), data, nil
++	}
++
++	//Use the custom split function to split the input
++	scanner.Split(splitFunc)
++
++	// Scan the input and write it to the logger using the specified print function
+ 	for scanner.Scan() {
+-		printFunc(scanner.Text())
++		printFunc(strings.TrimRight(scanner.Text(), "\r\n"))
+ 	}
++
++	// If there was an error while scanning the input, log an error
+ 	if err := scanner.Err(); err != nil {
+ 		logger.Errorf("Error while reading from Writer: %s", err)
+ 	}
++
++	// Close the reader when we are done
+ 	reader.Close()
+ }
+ 
++// WriterFinalizer is a finalizer function that closes then given writer when it is garbage collected
+ func writerFinalizer(writer *io.PipeWriter) {
+ 	writer.Close()
+ }
+-- 
+2.45.4
+
diff --git a/SPECS/local-path-provisioner/local-path-provisioner.spec b/SPECS/local-path-provisioner/local-path-provisioner.spec
@@ -1,7 +1,7 @@
 Summary:        Provides a way for the Kubernetes users to utilize the local storage in each node
 Name:           local-path-provisioner
 Version:        0.0.21
-Release:        19%{?dist}
+Release:        20%{?dist}
 License:        ASL 2.0
 URL:            https://github.com/rancher/local-path-provisioner
 Group:          Applications/Text
@@ -13,6 +13,7 @@ Source0:        https://github.com/rancher/%{name}/archive/refs/tags/v%{version}
 Patch0:         CVE-2022-21698.patch
 Patch1:         CVE-2021-44716.patch
 Patch2:         CVE-2023-44487.patch
+Patch3:         CVE-2025-65637.patch
 
 BuildRequires: golang
 
@@ -34,6 +35,9 @@ install local-path-provisioner %{buildroot}%{_bindir}/local-path-provisioner
 %{_bindir}/local-path-provisioner
 
 %changelog
+* Mon Dec 08 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.0.21-20
+- Patch for CVE-2025-65637
+
 * Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 0.0.21-19
 - Bump release to rebuild with golang
 
