[AutoPR- Security] Patch kubernetes for CVE-2025-65637, CVE-2025-13281 [MEDIUM] (#15301)

Co-authored-by: Archana Shettigar <v-shettigara@microsoft.com>

Author: azurelinux-security

SPECS/kubernetes/CVE-2025-13281.patch

@@ -0,0 +1,97 @@
+From d18f6f8ba355fc300aab99fe64ab7ebf73ccdf68 Mon Sep 17 00:00:00 2001
+From: Ankit Gohil <agohil@purestorage.com>
+Date: Mon, 3 Nov 2025 22:38:58 +0000
+Subject: [PATCH] Clean up event messages for errors in Portworx in-tree driver
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/kubernetes/kubernetes/commit/7506ce804c20696ba32cdb72126270ceaed06e24.patch
+---
+ pkg/volume/portworx/portworx.go | 33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/pkg/volume/portworx/portworx.go b/pkg/volume/portworx/portworx.go
+index 6b9243f5..4866739b 100644
+--- a/pkg/volume/portworx/portworx.go
++++ b/pkg/volume/portworx/portworx.go
+@@ -311,8 +311,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
+ 	notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
+ 	klog.Infof("Portworx Volume set up. Dir: %s %v %v", dir, !notMnt, err)
+ 	if err != nil && !os.IsNotExist(err) {
+-		klog.Errorf("Cannot validate mountpoint: %s", dir)
+-		return err
++		// don't log error details from client calls in events
++		klog.V(4).Infof("Cannot validate mountpoint %s: %v", dir, err)
++		return fmt.Errorf("failed to validate mountpoint: see kube-controller-manager.log for details")
+ 	}
+ 	if !notMnt {
+ 		return nil
+@@ -322,7 +323,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
+ 	attachOptions[attachContextKey] = dir
+ 	attachOptions[attachHostKey] = b.plugin.host.GetHostName()
+ 	if _, err := b.manager.AttachVolume(b, attachOptions); err != nil {
+-		return err
++		// don't log error details from client calls in events
++		klog.V(4).Infof("Failed to attach volume %s: %v", b.volumeID, err)
++		return fmt.Errorf("failed to attach volume: see kube-controller-manager.log for details")
+ 	}
+ 
+ 	klog.V(4).Infof("Portworx Volume %s attached", b.volumeID)
+@@ -332,7 +335,9 @@ func (b *portworxVolumeMounter) SetUpAt(dir string, mounterArgs volume.MounterAr
+ 	}
+ 
+ 	if err := b.manager.MountVolume(b, dir); err != nil {
+-		return err
++		// don't log error details from client calls in events
++		klog.V(4).Infof("Failed to mount volume %s: %v", b.volumeID, err)
++		return fmt.Errorf("failed to mount volume: see kube-controller-manager.log for details")
+ 	}
+ 	if !b.readOnly {
+ 		volume.SetVolumeOwnership(b, dir, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy, util.FSGroupCompleteHook(b.plugin, nil))
+@@ -363,12 +368,16 @@ func (c *portworxVolumeUnmounter) TearDownAt(dir string) error {
+ 	klog.Infof("Portworx Volume TearDown of %s", dir)
+ 
+ 	if err := c.manager.UnmountVolume(c, dir); err != nil {
+-		return err
++		// don't log error details from client calls in events
++		klog.V(4).Infof("Failed to unmount volume %s: %v", c.volumeID, err)
++		return fmt.Errorf("failed to unmount volume: see kube-controller-manager.log for details")
+ 	}
+ 
+ 	// Call Portworx Detach Volume.
+ 	if err := c.manager.DetachVolume(c); err != nil {
+-		return err
++		// don't log error details from client calls in events
++		klog.V(4).Infof("Failed to detach volume %s: %v", c.volumeID, err)
++		return fmt.Errorf("failed to detach volume: see kube-controller-manager.log for details")
+ 	}
+ 
+ 	return nil
+@@ -385,7 +394,13 @@ func (d *portworxVolumeDeleter) GetPath() string {
+ }
+ 
+ func (d *portworxVolumeDeleter) Delete() error {
+-	return d.manager.DeleteVolume(d)
++	err := d.manager.DeleteVolume(d)
++	if err != nil {
++		// don't log error details from client calls in events
++		klog.V(4).Infof("Failed to delete volume %s: %v", d.volumeID, err)
++		return fmt.Errorf("failed to delete volume: see kube-controller-manager.log for details")
++	}
++	return nil
+ }
+ 
+ type portworxVolumeProvisioner struct {
+@@ -406,7 +421,9 @@ func (c *portworxVolumeProvisioner) Provision(selectedNode *v1.Node, allowedTopo
+ 
+ 	volumeID, sizeGiB, labels, err := c.manager.CreateVolume(c)
+ 	if err != nil {
+-		return nil, err
++		// don't log error details from client calls in events
++		klog.V(4).Infof("Failed to create volume: %v", err)
++		return nil, fmt.Errorf("failed to create volume: see kube-controller-manager.log for details")
+ 	}
+ 
+ 	pv := &v1.PersistentVolume{
+-- 
+2.45.4
+

SPECS/kubernetes/CVE-2025-65637.patch

@@ -0,0 +1,195 @@
+From a78e87c21580bd4264706f21e2cac6369757ee73 Mon Sep 17 00:00:00 2001
+From: Chris <straight.chris@gmail.com>
+Date: Fri, 10 Mar 2023 13:45:41 -0800
+Subject: [PATCH 1/2] This commit fixes a potential denial of service
+ vulnerability in logrus.Writer() that could be triggered by logging text
+ longer than 64kb without newlines. Previously, the bufio.Scanner used by
+ Writer() would hang indefinitely when reading such text without newlines,
+ causing the application to become unresponsive.
+
+Upstream Reference : https://github.com/sirupsen/logrus/commit/766cfece3701d0b1737681ffb5e6e40b628b664d.patch
+---
+ vendor/github.com/sirupsen/logrus/writer.go | 33 ++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
+index 72e8e3a1..36032d06 100644
+--- a/vendor/github.com/sirupsen/logrus/writer.go
++++ b/vendor/github.com/sirupsen/logrus/writer.go
+@@ -4,6 +4,7 @@ import (
+ 	"bufio"
+ 	"io"
+ 	"runtime"
++	"strings"
+ )
+ 
+ // Writer at INFO level. See WriterLevel for details.
+@@ -20,15 +21,18 @@ func (logger *Logger) WriterLevel(level Level) *io.PipeWriter {
+ 	return NewEntry(logger).WriterLevel(level)
+ }
+ 
++// Writer returns an io.Writer that writes to the logger at the info log level
+ func (entry *Entry) Writer() *io.PipeWriter {
+ 	return entry.WriterLevel(InfoLevel)
+ }
+ 
++// WriterLevel returns an io.Writer that writes to the logger at the given log level
+ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
+ 	reader, writer := io.Pipe()
+ 
+ 	var printFunc func(args ...interface{})
+ 
++	// Determine which log function to use based on the specified log level
+ 	switch level {
+ 	case TraceLevel:
+ 		printFunc = entry.Trace
+@@ -48,23 +52,50 @@ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
+ 		printFunc = entry.Print
+ 	}
+ 
++	// Start a new goroutine to scan the input and write it to the logger using the specified print function.
++	// It splits the input into chunks of up to 64KB to avoid buffer overflows.
+ 	go entry.writerScanner(reader, printFunc)
++
++	// Set a finalizer function to close the writer when it is garbage collected
+ 	runtime.SetFinalizer(writer, writerFinalizer)
+ 
+ 	return writer
+ }
+ 
++// writerScanner scans the input from the reader and writes it to the logger
+ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...interface{})) {
+ 	scanner := bufio.NewScanner(reader)
++
++	// Set the buffer size to the maximum token size to avoid buffer overflows
++	scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize)
++
++	// Define a split function to split the input into chunks of up to 64KB
++	chunkSize := 64 * 1024 // 64KB
++	splitFunc := func(data []byte, atEOF bool) (int, []byte, error) {
++		if len(data) > chunkSize {
++			return chunkSize, data[:chunkSize], nil
++		}
++		return 0, nil, nil
++	}
++
++	//Use the custom split function to split the input
++	scanner.Split(splitFunc)
++
++	// Scan the input and write it to the logger using the specified print function
+ 	for scanner.Scan() {
+-		printFunc(scanner.Text())
++		printFunc(strings.TrimRight(scanner.Text(), "\r\n"))
+ 	}
++
++	// If there was an error while scanning the input, log an error
+ 	if err := scanner.Err(); err != nil {
+ 		entry.Errorf("Error while reading from Writer: %s", err)
+ 	}
++
++	// Close the reader when we are done
+ 	reader.Close()
+ }
+ 
++// WriterFinalizer is a finalizer function that closes then given writer when it is garbage collected
+ func writerFinalizer(writer *io.PipeWriter) {
+ 	writer.Close()
+ }
+-- 
+2.45.4
+
+
+From 2d51c47131bb31ebe41a9fa85552987bb9225a09 Mon Sep 17 00:00:00 2001
+From: Chris <straight.chris@gmail.com>
+Date: Fri, 10 Mar 2023 13:45:41 -0800
+Subject: [PATCH 2/2] Scan text in 64KB chunks
+
+This commit fixes a potential denial of service
+vulnerability in logrus.Writer() that could be
+triggered by logging text longer than 64KB
+without newlines. Previously, the bufio.Scanner
+used by Writer() would hang indefinitely when
+reading such text without newlines, causing the
+application to become unresponsive.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/sirupsen/logrus/pull/1376.patch
+---
+ vendor/github.com/sirupsen/logrus/writer.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
+index 36032d06..7e7703c7 100644
+--- a/vendor/github.com/sirupsen/logrus/writer.go
++++ b/vendor/github.com/sirupsen/logrus/writer.go
+@@ -75,7 +75,8 @@ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...
+ 		if len(data) > chunkSize {
+ 			return chunkSize, data[:chunkSize], nil
+ 		}
+-		return 0, nil, nil
++
++		return len(data), data, nil
+ 	}
+ 
+ 	//Use the custom split function to split the input
+-- 
+2.45.4
+
+From d40e25cd45ed9c6b2b66e6b97573a0413e4c23bd Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Wed, 17 May 2023 15:39:49 +0200
+Subject: [PATCH] fix panic in Writer
+
+Commit 766cfece introduced this bug by defining an incorrect split
+function. First it breaks the old behavior because it never splits at
+newlines now. Second, it causes a panic because it never tells the
+scanner to stop. See the bufio.ScanLines function, something like:
+```
+if atEOF && len(data) == 0 {
+	return 0, nil, nil
+}
+```
+is needed to do that.
+
+This commit fixes it by restoring the old behavior and calling
+bufio.ScanLines but also keep the 64KB check in place to avoid buffering
+for to long.
+
+Two tests are added to ensure it is working as expected.
+
+Fixes #1383
+Upstream Reference Patch: https://github.com/sirupsen/logrus/commit/d40e25cd45ed9c6b2b66e6b97573a0413e4c23bd.patch
+
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+---
+ vendor/github.com/sirupsen/logrus/writer.go | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
+index 7e7703c7..074fd4b8 100644
+--- a/vendor/github.com/sirupsen/logrus/writer.go
++++ b/vendor/github.com/sirupsen/logrus/writer.go
+@@ -70,16 +70,16 @@ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...
+ 	scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize)
+ 
+ 	// Define a split function to split the input into chunks of up to 64KB
+-	chunkSize := 64 * 1024 // 64KB
++	chunkSize := bufio.MaxScanTokenSize // 64KB
+ 	splitFunc := func(data []byte, atEOF bool) (int, []byte, error) {
+-		if len(data) > chunkSize {
++		if len(data) >= chunkSize {
+ 			return chunkSize, data[:chunkSize], nil
+ 		}
+ 
+-		return len(data), data, nil
++		return bufio.ScanLines(data, atEOF)
+ 	}
+ 
+-	//Use the custom split function to split the input
++	// Use the custom split function to split the input
+ 	scanner.Split(splitFunc)
+ 
+ 	// Scan the input and write it to the logger using the specified print function
+-- 
+2.45.4
+

SPECS/kubernetes/kubernetes.spec

@@ -10,7 +10,7 @@
 Summary:        Microsoft Kubernetes
 Name:           kubernetes
 Version:        1.28.4
-Release:        20%{?dist}
+Release:        21%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -33,6 +33,8 @@ Patch11:        CVE-2025-30204.patch
 Patch12:        CVE-2024-51744.patch
 Patch13:        CVE-2025-22872.patch
 Patch14:        CVE-2025-31133.patch
+Patch15:        CVE-2025-13281.patch
+Patch16:        CVE-2025-65637.patch
 BuildRequires:  flex-devel
 BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  golang
@@ -278,6 +280,9 @@ fi
 %{_exec_prefix}/local/bin/pause
 
 %changelog
+* Tue Dec 16 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.28.4-21
+- Patch for CVE-2025-65637, CVE-2025-13281
+
 * Tue Nov 25 2025 Ratiranjan Behera <v-ratbehera@microsoft.com> - 1.28.4-20
 - Patch CVE-2025-31133