[AUTO-CHERRYPICK] Patch dcos-cli for CVE-2025-27144 [Medium] - branch 3.0-dev (#13036)

CBL-Mariner-Bot · Kanishk-Bansal · web-flow · commit c180a6f3c07d · 2025-03-26T20:01:50.000-04:00
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/dcos-cli/CVE-2025-27144.patch b/SPECS/dcos-cli/CVE-2025-27144.patch
@@ -0,0 +1,50 @@
+From fa324fa38481f9d2da9109cb5983326f62ff7507 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Fri, 28 Feb 2025 07:45:53 +0000
+Subject: [PATCH] CVE-2025-27144
+Upstream Ref: https://github.com/go-jose/go-jose/commit/c9ed84d8f0cfadcfad817150158caca6fcbc518b
+
+---
+ vendor/gopkg.in/square/go-jose.v2/jwe.go | 5 +++--
+ vendor/gopkg.in/square/go-jose.v2/jws.go | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/gopkg.in/square/go-jose.v2/jwe.go b/vendor/gopkg.in/square/go-jose.v2/jwe.go
+index b5a6dcd..cd1de9e 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/jwe.go
++++ b/vendor/gopkg.in/square/go-jose.v2/jwe.go
+@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+ 
+ // parseEncryptedCompact parses a message in compact format.
+ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 5 {
++	// Five parts is four separators
++	if strings.Count(input, ".") != 4 {
+ 		return nil, fmt.Errorf("square/go-jose: compact JWE format must have five parts")
+ 	}
++	parts := strings.SplitN(input, ".", 5)
+ 
+ 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ 	if err != nil {
+diff --git a/vendor/gopkg.in/square/go-jose.v2/jws.go b/vendor/gopkg.in/square/go-jose.v2/jws.go
+index 7e261f9..a8d55fb 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/jws.go
++++ b/vendor/gopkg.in/square/go-jose.v2/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+ 
+ // parseSignedCompact parses a message in compact format.
+ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 3 {
++	// Three parts is two separators
++	if strings.Count(input, ".") != 2 {
+ 		return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts")
+ 	}
++	parts := strings.SplitN(input, ".", 3)
+ 
+ 	if parts[1] != "" && payload != nil {
+ 		return nil, fmt.Errorf("square/go-jose: payload is not detached")
+-- 
+2.45.2
+
diff --git a/SPECS/dcos-cli/dcos-cli.spec b/SPECS/dcos-cli/dcos-cli.spec
@@ -1,7 +1,7 @@
 Summary:        The command line for DC/OS
 Name:           dcos-cli
 Version:        1.2.0
-Release:        16%{?dist}
+Release:        17%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -10,6 +10,7 @@ URL:            https://github.com/dcos/dcos-cli
 Source0:        https://github.com/dcos/dcos-cli/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0:         CVE-2020-26160.patch
 Patch1:         CVE-2024-28180.patch
+Patch2:         CVE-2025-27144.patch
 BuildRequires:  golang >= 1.17.1
 BuildRequires:  git
 %global debug_package %{nil}
@@ -46,6 +47,9 @@ go test -mod=vendor
 %{_bindir}/dcos
 
 %changelog
+* Sat Mar 01 2025 Kanishk Bansal <kanbansal@microsoft.com> - 1.2.0-17
+- Fix CVE-2025-27144 with an upstream patch
+
 * Tue Oct 01 2024 Henry Li <lihl@microsoft.com> - 1.2.0-16
 - Add patch to resolve CVE-2024-28180
 
