Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch dcos-cli for CVE-2025-65637 [HIGH] - branch main" #15325

CBL-Mariner-Bot · azurelinux-security · Kanishk-Bansal · web-flow · commit 721d99733c78 · 2025-12-16T15:00:38.000-08:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/dcos-cli/CVE-2025-65637.patch b/SPECS/dcos-cli/CVE-2025-65637.patch
@@ -0,0 +1,136 @@
+From b18c7b905068a06307cf5c5b06ad8d631054b17a Mon Sep 17 00:00:00 2001
+From: Chris <straight.chris@gmail.com>
+Date: Fri, 10 Mar 2023 13:45:41 -0800
+Subject: [PATCH 1/2] This commit fixes a potential denial of service
+ vulnerability in logrus.Writer() that could be triggered by logging text
+ longer than 64kb without newlines. Previously, the bufio.Scanner used by
+ Writer() would hang indefinitely when reading such text without newlines,
+ causing the application to become unresponsive.
+
+---
+ vendor/github.com/sirupsen/logrus/writer.go | 33 ++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
+index 72e8e3a..36032d0 100644
+--- a/vendor/github.com/sirupsen/logrus/writer.go
++++ b/vendor/github.com/sirupsen/logrus/writer.go
+@@ -4,6 +4,7 @@ import (
+ 	"bufio"
+ 	"io"
+ 	"runtime"
++	"strings"
+ )
+ 
+ // Writer at INFO level. See WriterLevel for details.
+@@ -20,15 +21,18 @@ func (logger *Logger) WriterLevel(level Level) *io.PipeWriter {
+ 	return NewEntry(logger).WriterLevel(level)
+ }
+ 
++// Writer returns an io.Writer that writes to the logger at the info log level
+ func (entry *Entry) Writer() *io.PipeWriter {
+ 	return entry.WriterLevel(InfoLevel)
+ }
+ 
++// WriterLevel returns an io.Writer that writes to the logger at the given log level
+ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
+ 	reader, writer := io.Pipe()
+ 
+ 	var printFunc func(args ...interface{})
+ 
++	// Determine which log function to use based on the specified log level
+ 	switch level {
+ 	case TraceLevel:
+ 		printFunc = entry.Trace
+@@ -48,23 +52,50 @@ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
+ 		printFunc = entry.Print
+ 	}
+ 
++	// Start a new goroutine to scan the input and write it to the logger using the specified print function.
++	// It splits the input into chunks of up to 64KB to avoid buffer overflows.
+ 	go entry.writerScanner(reader, printFunc)
++
++	// Set a finalizer function to close the writer when it is garbage collected
+ 	runtime.SetFinalizer(writer, writerFinalizer)
+ 
+ 	return writer
+ }
+ 
++// writerScanner scans the input from the reader and writes it to the logger
+ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...interface{})) {
+ 	scanner := bufio.NewScanner(reader)
++
++	// Set the buffer size to the maximum token size to avoid buffer overflows
++	scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize)
++
++	// Define a split function to split the input into chunks of up to 64KB
++	chunkSize := 64 * 1024 // 64KB
++	splitFunc := func(data []byte, atEOF bool) (int, []byte, error) {
++		if len(data) > chunkSize {
++			return chunkSize, data[:chunkSize], nil
++		}
++		return 0, nil, nil
++	}
++
++	//Use the custom split function to split the input
++	scanner.Split(splitFunc)
++
++	// Scan the input and write it to the logger using the specified print function
+ 	for scanner.Scan() {
+-		printFunc(scanner.Text())
++		printFunc(strings.TrimRight(scanner.Text(), "\r\n"))
+ 	}
++
++	// If there was an error while scanning the input, log an error
+ 	if err := scanner.Err(); err != nil {
+ 		entry.Errorf("Error while reading from Writer: %s", err)
+ 	}
++
++	// Close the reader when we are done
+ 	reader.Close()
+ }
+ 
++// WriterFinalizer is a finalizer function that closes then given writer when it is garbage collected
+ func writerFinalizer(writer *io.PipeWriter) {
+ 	writer.Close()
+ }
+-- 
+2.45.4
+
+
+From 63eeab1cd5aba1961ea49a264c2779a202662aaa Mon Sep 17 00:00:00 2001
+From: Chris <straight.chris@gmail.com>
+Date: Fri, 10 Mar 2023 13:45:41 -0800
+Subject: [PATCH 2/2] Scan text in 64KB chunks
+
+This commit fixes a potential denial of service
+vulnerability in logrus.Writer() that could be
+triggered by logging text longer than 64KB
+without newlines. Previously, the bufio.Scanner
+used by Writer() would hang indefinitely when
+reading such text without newlines, causing the
+application to become unresponsive.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/sirupsen/logrus/pull/1376.patch
+---
+ vendor/github.com/sirupsen/logrus/writer.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
+index 36032d0..7e7703c 100644
+--- a/vendor/github.com/sirupsen/logrus/writer.go
++++ b/vendor/github.com/sirupsen/logrus/writer.go
+@@ -75,7 +75,8 @@ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...
+ 		if len(data) > chunkSize {
+ 			return chunkSize, data[:chunkSize], nil
+ 		}
+-		return 0, nil, nil
++
++		return len(data), data, nil
+ 	}
+ 
+ 	//Use the custom split function to split the input
+-- 
+2.45.4
+
diff --git a/SPECS/dcos-cli/dcos-cli.spec b/SPECS/dcos-cli/dcos-cli.spec
@@ -1,7 +1,7 @@
 Summary:        The command line for DC/OS
 Name:           dcos-cli
 Version:        1.2.0
-Release:        22%{?dist}
+Release:        23%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -11,6 +11,7 @@ Source0:        https://github.com/dcos/dcos-cli/archive/refs/tags/%{version}.ta
 Patch0:         CVE-2024-28180.patch
 Patch1:         CVE-2025-27144.patch
 Patch2:         CVE-2024-51744.patch
+Patch3:         CVE-2025-65637.patch
 BuildRequires:  golang
 BuildRequires:  git
 %global debug_package %{nil}
@@ -20,10 +21,7 @@ BuildRequires:  git
 The command line for DC/OS.
 
 %prep
-%autosetup -N
-%autopatch -p1 0 1
-cd vendor/github.com/dgrijalva/jwt-go
-%autopatch 2
+%autosetup -p1
 
 %build
 export GOPATH=%{our_gopath}
@@ -50,6 +48,9 @@ go test -mod=vendor
 %{_bindir}/dcos
 
 %changelog
+* Mon Dec 08 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.2.0-23
+- Patch for CVE-2025-65637
+
 * Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 1.2.0-22
 - Bump release to rebuild with golang
 
