[AUTO-CHERRYPICK] gh: Address CVE-2025-25204 [Medium] - branch 3.0-dev (#12552)

Co-authored-by: kgodara912 <kshigodara@outlook.com>

Author: CBL-Mariner-Bot

SPECS/gh/CVE-2025-25204.patch

@@ -0,0 +1,47 @@
+From bf3a40aef3af6919bba73bfeaadac2d0c169628d Mon Sep 17 00:00:00 2001
+From: Fredrik Skogman <kommendorkapten@github.com>
+Date: Tue, 11 Feb 2025 09:07:51 +0100
+Subject: [PATCH] Exit with error if no matching predicate type exists
+
+Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
+---
+ pkg/cmd/attestation/verify/verify.go      |  2 +-
+ pkg/cmd/attestation/verify/verify_test.go | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
+index 90242a9fed2..0a8de8b4599 100644
+--- a/pkg/cmd/attestation/verify/verify.go
++++ b/pkg/cmd/attestation/verify/verify.go
+@@ -236,7 +236,7 @@ func runVerify(opts *Options) error {
+ 	filteredAttestations := verification.FilterAttestations(ec.PredicateType, attestations)
+ 	if len(filteredAttestations) == 0 {
+ 		opts.Logger.Printf(opts.Logger.ColorScheme.Red("✗ No attestations found with predicate type: %s\n"), opts.PredicateType)
+-		return err
++		return fmt.Errorf("no matching predicate found")
+ 	}
+ 	attestations = filteredAttestations
+ 
+diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go
+index 87ffa96f090..092a009d81e 100644
+--- a/pkg/cmd/attestation/verify/verify_test.go
++++ b/pkg/cmd/attestation/verify/verify_test.go
+@@ -501,6 +501,18 @@ func TestRunVerify(t *testing.T) {
+ 		require.Nil(t, runVerify(&customOpts))
+ 	})
+ 
++	t.Run("with valid OCI artifact with UseBundleFromRegistry flag and unknown predicate type", func(t *testing.T) {
++		customOpts := publicGoodOpts
++		customOpts.ArtifactPath = "oci://ghcr.io/github/test"
++		customOpts.BundlePath = ""
++		customOpts.UseBundleFromRegistry = true
++		customOpts.PredicateType = "https://predicate.type"
++
++		err := runVerify(&customOpts)
++		require.Error(t, err)
++		require.ErrorContains(t, err, "no matching predicate found")
++	})
++
+ 	t.Run("with valid OCI artifact with UseBundleFromRegistry flag but no bundle return from registry", func(t *testing.T) {
+ 		customOpts := publicGoodOpts
+ 		customOpts.ArtifactPath = "oci://ghcr.io/github/test"

SPECS/gh/gh.spec

@@ -1,7 +1,7 @@
 Summary:        GitHub official command line tool
 Name:           gh
 Version:        2.62.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -18,6 +18,7 @@ Patch1:         CVE-2024-54132.patch
 Patch2:         CVE-2024-45337.patch
 Patch3:         CVE-2024-45338.patch
 Patch5:         CVE-2024-53859.patch
+Patch6:         CVE-2025-25204.patch
 
 BuildRequires:  golang < 1.23
 BuildRequires:  git
@@ -60,6 +61,9 @@ make test
 %{_datadir}/zsh/site-functions/_gh
 
 %changelog
+* Fri Feb 21 2025 Kshitiz Godara <kgodara@microsoft.com> - 2.62.0-6
+- Patch CVE-2025-25204
+
 * Wed Jan 21 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 2.62.0-5
 - Patch CVE-2024-53859, CVE-2024-53858