
Commit 6ba76a7

[AUTO-CHERRYPICK] Patch kube-vip-cloud-provider for CVE-2025-27144 [Medium] - branch main (#12706)
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
1 parent 46eb7b9 commit 6ba76a7

2 files changed

Lines changed: 54 additions & 1 deletion


Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
From 0672cedd8b665bd9f56f3080a2c4ea0b2070bbc4 Mon Sep 17 00:00:00 2001
2+
From: Kanishk-Bansal <kbkanishk975@gmail.com>
3+
Date: Fri, 28 Feb 2025 10:19:43 +0000
4+
Subject: [PATCH] CVE-2025-27144
5+
Upstream Reference : https://github.com/go-jose/go-jose/commit/5253038e3b5f64a2200b5b6c72107bf9823f4358
6+
---
7+
vendor/gopkg.in/square/go-jose.v2/jwe.go | 5 +++--
8+
vendor/gopkg.in/square/go-jose.v2/jws.go | 5 +++--
9+
2 files changed, 6 insertions(+), 4 deletions(-)
10+
11+
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwe.go b/vendor/gopkg.in/square/go-jose.v2/jwe.go
12+
index b5a6dcd..cd1de9e 100644
13+
--- a/vendor/gopkg.in/square/go-jose.v2/jwe.go
14+
+++ b/vendor/gopkg.in/square/go-jose.v2/jwe.go
15+
@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
16+
17+
// parseEncryptedCompact parses a message in compact format.
18+
func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
19+
- parts := strings.Split(input, ".")
20+
- if len(parts) != 5 {
21+
+ // Five parts is four separators
22+
+ if strings.Count(input, ".") != 4 {
23+
return nil, fmt.Errorf("square/go-jose: compact JWE format must have five parts")
24+
}
25+
+ parts := strings.SplitN(input, ".", 5)
26+
27+
rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
28+
if err != nil {
29+
diff --git a/vendor/gopkg.in/square/go-jose.v2/jws.go b/vendor/gopkg.in/square/go-jose.v2/jws.go
30+
index 8b59b6a..9646826 100644
31+
--- a/vendor/gopkg.in/square/go-jose.v2/jws.go
32+
+++ b/vendor/gopkg.in/square/go-jose.v2/jws.go
33+
@@ -247,10 +247,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
34+
35+
// parseSignedCompact parses a message in compact format.
36+
func parseSignedCompact(input string) (*JSONWebSignature, error) {
37+
- parts := strings.Split(input, ".")
38+
- if len(parts) != 3 {
39+
+ // Three parts is two separators
40+
+ if strings.Count(input, ".") != 2 {
41+
return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts")
42+
}
43+
+ parts := strings.SplitN(input, ".", 3)
44+
45+
rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
46+
if err != nil {
47+
--
48+
2.45.2
49+

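--- a/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec
+++ b/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec
@@ -1,7 +1,7 @@
 Summary: The Kube-Vip cloud provider functions as a general-purpose cloud provider for on-premises bare-metal or virtualized setups
 Name: kube-vip-cloud-provider
 Version: 0.0.2
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: ASL 2.0
 URL: https://github.com/kube-vip/kube-vip-cloud-provider
 Group: Applications/Text
@@ -25,6 +25,7 @@ Patch0: CVE-2022-21698.patch
 Patch1: CVE-2021-44716.patch
 Patch2: CVE-2023-44487.patch
 Patch3: CVE-2024-28180.patch
+Patch4: CVE-2025-27144.patch
 BuildRequires: golang
 
 %description
@@ -50,6 +51,9 @@ go test -mod=vendor ./...
 %{_bindir}/kube-vip-cloud-provider
 
 %changelog
+* Fri Feb 28 2025 Kanishk Bansal <kanbansal@microsoft.com> - 0.0.2-20
+- Apply security fix for CVE-2025-27144 with an upstream patch
+
 * Mon Oct 07 2024 Ahmed Badawi <ahmedbadawi@microsoft.com> - 0.0.2-19
 - Apply security fix for CVE-2024-28180 by patching vendored go-jose
 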
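Review bot: The `Patch4: CVE-2025-27144.patch` declaration in the second hunk is only half the wiring if %prep applies patches one by one; the %prep section is outside this file section, so whether Patch4 is actually applied cannot be confirmed from here. If %prep uses %setup followed by explicit `%patch0 -p1` … `%patch3 -p1` lines, a matching `%patch4 -p1` line is needed, otherwise the package builds cleanly with the patch declared but never applied and the changelog entry would overstate the fix. If %prep uses `%autosetup -p1` instead, nothing further is required. Worth a quick check before merge, since neither case produces a build error.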