
Commit 75c2a47

[AUTO-CHERRYPICK] Patch skopeo for CVE-2025-27144 [Medium] - branch 3.0-dev (#13034)
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
1 parent 3706907 commit 75c2a47

2 files changed

Lines changed: 93 additions & 1 deletion


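--- /dev/null
+++ b/SPECS/skopeo/CVE-2025-27144.patch
@@ -0,0 +1,88 @@
+From 4da065cd7a4f7263e96bc7028f674c7730177035 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Fri, 28 Feb 2025 19:31:53 +0000
+Subject: [PATCH] CVE-2025-27144
+Upstream Reference: https://github.com/go-jose/go-jose/commit/5253038e3b5f64a2200b5b6c72107bf9823f4358
+
+---
+vendor/github.com/go-jose/go-jose/v3/jwe.go | 5 +++--
+vendor/github.com/go-jose/go-jose/v3/jws.go | 5 +++--
+vendor/gopkg.in/go-jose/go-jose.v2/jwe.go | 5 +++--
+vendor/gopkg.in/go-jose/go-jose.v2/jws.go | 5 +++--
+4 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jwe.go b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+index 4267ac7..1ba4ae0 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jwe.go
++++ b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+@@ -202,10 +202,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+
+// parseEncryptedCompact parses a message in compact format.
+func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 5 {
++ // Five parts is four separators
++ if strings.Count(input, ".") != 4 {
+return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+}
++ parts := strings.SplitN(input, ".", 5)
+
+rawProtected, err := base64URLDecode(parts[0])
+if err != nil {
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jws.go b/vendor/github.com/go-jose/go-jose/v3/jws.go
+index e37007d..401fc18 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jws.go
++++ b/vendor/github.com/go-jose/go-jose/v3/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+
+// parseSignedCompact parses a message in compact format.
+func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 3 {
++ // Three parts is two separators
++ if strings.Count(input, ".") != 2 {
+return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+}
++ parts := strings.SplitN(input, ".", 3)
+
+if parts[1] != "" && payload != nil {
+return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
+index a8966ab..faebb8d 100644
+--- a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
++++ b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
+@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+
+// parseEncryptedCompact parses a message in compact format.
+func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 5 {
++ // Five parts is four separators
++ if strings.Count(input, ".") != 4 {
+return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+}
++ parts := strings.SplitN(input, ".", 5)
+
+rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+if err != nil {
+diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
+index 1a24fa4..717f04a 100644
+--- a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
++++ b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+
+// parseSignedCompact parses a message in compact format.
+func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 3 {
++ // Three parts is two separators
++ if strings.Count(input, ".") != 2 {
+return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+}
++ parts := strings.SplitN(input, ".", 3)
+
+if parts[1] != "" && payload != nil {
+return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+--
+2.45.2
+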
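Review bot: The `Upstream Reference:` header at patch line 5 names a single upstream go-jose commit, but the diff below is an adaptation of it to two vendored copies (`vendor/github.com/go-jose/go-jose/v3` and `vendor/gopkg.in/go-jose/go-jose.v2`) whose paths and base64 helpers differ from the upstream tree, so it is a backport rather than a verbatim cherry-pick. A header line such as `Backport: applied to skopeo's vendored go-jose v2 and v3 copies; paths and base64 decode helper adapted` would let a future rebase verify the provenance without re-deriving it. The change itself is the right shape for the advisory: checking `strings.Count` first and then `strings.SplitN(input, ".", 5)` (or `3`) bounds the allocation to a fixed number of substrings instead of one per separator in attacker-supplied compact input. The diffstat at patch lines 8–12 lists only v2 and v3; if skopeo's vendor tree also carries a v4 copy of go-jose, it would presumably need the same treatment, which is worth confirming against `vendor/modules.txt`.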

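--- a/SPECS/skopeo/skopeo.spec
+++ b/SPECS/skopeo/skopeo.spec
@@ -1,7 +1,7 @@
 Summary: Inspect container images and repositories on registries
 Name: skopeo
 Version: 1.14.4
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: Apache-2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -12,6 +12,7 @@ Patch0: CVE-2022-2879.patch
 Patch1: CVE-2024-6104.patch
 Patch2: CVE-2023-45288.patch
 Patch3: CVE-2024-9676.patch
+Patch4: CVE-2025-27144.patch
 
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -51,6 +52,9 @@ make test-unit-local
 %{_mandir}/man1/%%{name}*
 
 %changelog
+* Sat Mar 01 2025 Kanishk Bansal <kanbansal@microsoft.com> - 1.14.4-4
+- Fix CVE-2025-27144 with an upstream patch
+
 * Mon Nov 11 2024 Rohit Rawat <rohitrawat@microsoft.com> - 1.14.4-3
 - Fix CVE-2023-45288 and CVE-2024-9676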
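Review bot: `Patch4: CVE-2025-27144.patch` is declared at spec line 15, but nothing in the visible hunks applies it; the `%prep` section lies outside the hunks, so whether the patch is actually unpacked cannot be confirmed from this page. If `%prep` uses `%autosetup -p1` (or `%autopatch`) the new entry is picked up automatically, but if it applies patches individually it needs an explicit `%patch -P4 -p1` alongside the existing ones, and a build that silently skips Patch4 would ship 1.14.4-4 without the fix. The hunk header for `@@ -51,6 +52,9 @@ make test-unit-local` suggests unit tests run in `%check`, which is a good place to notice a rejected hunk, but a successful build still does not prove the patch was applied. The changelog line "with an upstream patch" could also say "backported" since the patch re-targets the upstream change to the vendored v2 and v3 copies.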
