Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch flannel for CVE-2025-65637 [HIGH] - branch main" #15317

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 3 people

SPECS/flannel/CVE-2025-65637.patch

@@ -0,0 +1,136 @@
+From 0929ddaa205e193f744d6b023dd882d583d9122c Mon Sep 17 00:00:00 2001
+From: Chris <straight.chris@gmail.com>
+Date: Fri, 10 Mar 2023 13:45:41 -0800
+Subject: [PATCH 1/2] This commit fixes a potential denial of service
+ vulnerability in logrus.Writer() that could be triggered by logging text
+ longer than 64kb without newlines. Previously, the bufio.Scanner used by
+ Writer() would hang indefinitely when reading such text without newlines,
+ causing the application to become unresponsive.
+
+---
+ vendor/github.com/sirupsen/logrus/writer.go | 33 ++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
+index 7bdebed..d50ce9c 100644
+--- a/vendor/github.com/sirupsen/logrus/writer.go
++++ b/vendor/github.com/sirupsen/logrus/writer.go
+@@ -4,6 +4,7 @@ import (
+ 	"bufio"
+ 	"io"
+ 	"runtime"
++	"strings"
+ )
+ 
+ func (logger *Logger) Writer() *io.PipeWriter {
+@@ -14,15 +15,18 @@ func (logger *Logger) WriterLevel(level Level) *io.PipeWriter {
+ 	return NewEntry(logger).WriterLevel(level)
+ }
+ 
++// Writer returns an io.Writer that writes to the logger at the info log level
+ func (entry *Entry) Writer() *io.PipeWriter {
+ 	return entry.WriterLevel(InfoLevel)
+ }
+ 
++// WriterLevel returns an io.Writer that writes to the logger at the given log level
+ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
+ 	reader, writer := io.Pipe()
+ 
+ 	var printFunc func(args ...interface{})
+ 
++	// Determine which log function to use based on the specified log level
+ 	switch level {
+ 	case DebugLevel:
+ 		printFunc = entry.Debug
+@@ -40,23 +44,50 @@ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
+ 		printFunc = entry.Print
+ 	}
+ 
++	// Start a new goroutine to scan the input and write it to the logger using the specified print function.
++	// It splits the input into chunks of up to 64KB to avoid buffer overflows.
+ 	go entry.writerScanner(reader, printFunc)
++
++	// Set a finalizer function to close the writer when it is garbage collected
+ 	runtime.SetFinalizer(writer, writerFinalizer)
+ 
+ 	return writer
+ }
+ 
++// writerScanner scans the input from the reader and writes it to the logger
+ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...interface{})) {
+ 	scanner := bufio.NewScanner(reader)
++
++	// Set the buffer size to the maximum token size to avoid buffer overflows
++	scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize)
++
++	// Define a split function to split the input into chunks of up to 64KB
++	chunkSize := 64 * 1024 // 64KB
++	splitFunc := func(data []byte, atEOF bool) (int, []byte, error) {
++		if len(data) > chunkSize {
++			return chunkSize, data[:chunkSize], nil
++		}
++		return 0, nil, nil
++	}
++
++	//Use the custom split function to split the input
++	scanner.Split(splitFunc)
++
++	// Scan the input and write it to the logger using the specified print function
+ 	for scanner.Scan() {
+-		printFunc(scanner.Text())
++		printFunc(strings.TrimRight(scanner.Text(), "\r\n"))
+ 	}
++
++	// If there was an error while scanning the input, log an error
+ 	if err := scanner.Err(); err != nil {
+ 		entry.Errorf("Error while reading from Writer: %s", err)
+ 	}
++
++	// Close the reader when we are done
+ 	reader.Close()
+ }
+ 
++// WriterFinalizer is a finalizer function that closes then given writer when it is garbage collected
+ func writerFinalizer(writer *io.PipeWriter) {
+ 	writer.Close()
+ }
+-- 
+2.45.4
+
+
+From dbba3795634c798a716e22c188896ee3e804eeff Mon Sep 17 00:00:00 2001
+From: Chris <straight.chris@gmail.com>
+Date: Fri, 10 Mar 2023 13:45:41 -0800
+Subject: [PATCH 2/2] Scan text in 64KB chunks
+
+This commit fixes a potential denial of service
+vulnerability in logrus.Writer() that could be
+triggered by logging text longer than 64KB
+without newlines. Previously, the bufio.Scanner
+used by Writer() would hang indefinitely when
+reading such text without newlines, causing the
+application to become unresponsive.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/sirupsen/logrus/pull/1376.patch
+---
+ vendor/github.com/sirupsen/logrus/writer.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
+index d50ce9c..7b8c99a 100644
+--- a/vendor/github.com/sirupsen/logrus/writer.go
++++ b/vendor/github.com/sirupsen/logrus/writer.go
+@@ -67,7 +67,8 @@ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...
+ 		if len(data) > chunkSize {
+ 			return chunkSize, data[:chunkSize], nil
+ 		}
+-		return 0, nil, nil
++
++		return len(data), data, nil
+ 	}
+ 
+ 	//Use the custom split function to split the input
+-- 
+2.45.4
+

SPECS/flannel/flannel.spec

@@ -4,7 +4,7 @@
 Summary:        Simple and easy way to configure a layer 3 network fabric designed for Kubernetes
 Name:           flannel
 Version:        0.14.0
-Release:        26%{?dist}
+Release:        27%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -13,6 +13,7 @@ URL:            https://github.com/flannel-io/flannel
 #Source0:       https://github.com/flannel-io/flannel/archive/refs/tags/v0.14.0.tar.gz
 Source0:        %{name}-%{version}.tar.gz
 Patch0:         CVE-2021-44716.patch
+Patch1:         CVE-2025-65637.patch
 
 BuildRequires:  gcc
 BuildRequires:  glibc-devel
@@ -49,6 +50,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./dist/flanneld
 %{_bindir}/flanneld
 
 %changelog
+* Mon Dec 08 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.14.0-27
+- Patch for CVE-2025-65637
+
 * Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 0.14.0-26
 - Bump release to rebuild with golang