[AUTO-CHERRYPICK] Patch promethes for CVE-2025-22868 [High] - branch 3.0-dev (#12969)

CBL-Mariner-Bot · sandeepkarambelkar · jslobodzian · web-flow · commit 38254e923f39 · 2025-03-27T00:27:32.000-04:00
Co-authored-by: Sandeep Karambelkar &lt;skarambelkar@microsoft.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/prometheus/CVE-2025-22868.patch b/SPECS/prometheus/CVE-2025-22868.patch
@@ -0,0 +1,38 @@
+From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001
+From: Neal Patel <nealpatel@google.com>
+Date: Thu, 30 Jan 2025 14:10:09 -0500
+Subject: [PATCH] jws: split token into fixed number of parts
+
+Thanks to 'jub0bs' for reporting this issue.
+
+Fixes #71490
+Fixes CVE-2025-22868
+
+Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
+Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+---
+ vendor/golang.org/x/oauth2/jws/jws.go | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/oauth2/jws/jws.go b/vendor/golang.org/x/oauth2/jws/jws.go
+index 95015648b..6f03a49d3 100644
+--- a/vendor/golang.org/x/oauth2/jws/jws.go
++++ b/vendor/golang.org/x/oauth2/jws/jws.go
+@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
+ // Verify tests whether the provided JWT token's signature was produced by the private key
+ // associated with the supplied public key.
+ func Verify(token string, key *rsa.PublicKey) error {
+-	parts := strings.Split(token, ".")
+-	if len(parts) != 3 {
++	if strings.Count(token, ".") != 2 {
+ 		return errors.New("jws: invalid token received, token must have 3 parts")
+ 	}
+
++	parts := strings.SplitN(token, ".", 3)
+ 	signedContent := parts[0] + "." + parts[1]
+ 	signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
+ 	if err != nil {
diff --git a/SPECS/prometheus/prometheus.spec b/SPECS/prometheus/prometheus.spec
@@ -4,7 +4,7 @@
 Summary:        Prometheus monitoring system and time series database
 Name:           prometheus
 Version:        2.45.4
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -22,8 +22,9 @@ Patch1:         CVE-2023-45288.patch
 Patch2:         CVE-2024-6104.patch
 Patch3:         CVE-2024-24786.patch
 Patch4:         CVE-2023-44487.patch
-Patch5:         0001-Fix-exit-condition-of-TestQuerierIndexQueriesRace.patch
-Patch6:         0002-Improve-sensitivity-of-TestQuerierIndexQueriesRace.patch
+Patch5:         CVE-2025-22868.patch
+Patch6:         0001-Fix-exit-condition-of-TestQuerierIndexQueriesRace.patch
+Patch7:         0002-Improve-sensitivity-of-TestQuerierIndexQueriesRace.patch
 BuildRequires:  golang
 BuildRequires:  nodejs
 BuildRequires:  nodejs-npm
@@ -140,9 +141,12 @@ fi
 %doc README.md RELEASE.md documentation
 
 %changelog
-* Thu Mar 13 2025 Andrew Phelps <anphel@microsoft.com> - 2.45.4-8
+* Thu Mar 13 2025 Andrew Phelps <anphel@microsoft.com> - 2.45.4-9
 - Add patches to fix test reliability issues with TestQuerierIndexQueriesRace
 
+* Thu Mar 06 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 2.45.4-8
+- Fix CVE-2025-22868
+
 * Tue Mar 04 2025 corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> - 2.45.4-7
 - Fix CVE-2023-44487
 
