[AUTO-CHERRYPICK] [Low] Patch dcos-cli for CVE-2024-51744 - branch main (#13351)

Co-authored-by: Kevin Lockwood <57274670+kevin-b-lockwood@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/dcos-cli/CVE-2024-51744.patch

@@ -0,0 +1,57 @@
+From 67bf8f996ae5ad8238dba72a4d492708125a1561 Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <v-klockwood@microsoft.com>
+Date: Tue, 11 Mar 2025 13:56:18 -0700
+Subject: [PATCH] [Low] patch dcos-cli for CVE-2024-51744
+
+Link: https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c.patch
+---
+ vendor/github.com/dgrijalva/jwt-go/parser.go | 22 +++++++++-----------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/vendor/github.com/dgrijalva/jwt-go/parser.go b/vendor/github.com/dgrijalva/jwt-go/parser.go
+index d6901d9..72cf9ee 100644
+--- a/vendor/github.com/dgrijalva/jwt-go/parser.go
++++ b/vendor/github.com/dgrijalva/jwt-go/parser.go
+@@ -56,6 +56,12 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ 		return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
+ 	}
+ 
++	// Perform validation
++	token.Signature = parts[2]
++	if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
++		return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid}
++	}
++
+ 	vErr := &ValidationError{}
+ 
+ 	// Validate Claims
+@@ -69,22 +75,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ 			} else {
+ 				vErr = e
+ 			}
++			return token, vErr
+ 		}
+ 	}
+ 
+-	// Perform validation
+-	token.Signature = parts[2]
+-	if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
+-		vErr.Inner = err
+-		vErr.Errors |= ValidationErrorSignatureInvalid
+-	}
+-
+-	if vErr.valid() {
+-		token.Valid = true
+-		return token, nil
+-	}
++	// No errors so far, token is valid.
++	token.Valid = true
+ 
+-	return token, vErr
++	return token, nil
+ }
+ 
+ // WARNING: Don't use this method unless you know what you're doing
+-- 
+2.34.1
+

SPECS/dcos-cli/dcos-cli.spec

@@ -1,7 +1,7 @@
 Summary:        The command line for DC/OS
 Name:           dcos-cli
 Version:        1.2.0
-Release:        20%{?dist}
+Release:        21%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -10,6 +10,7 @@ URL:            https://github.com/dcos/dcos-cli
 Source0:        https://github.com/dcos/dcos-cli/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0:         CVE-2024-28180.patch
 Patch1:         CVE-2025-27144.patch
+Patch2:         CVE-2024-51744.patch
 BuildRequires:  golang
 BuildRequires:  git
 %global debug_package %{nil}
@@ -19,7 +20,10 @@ BuildRequires:  git
 The command line for DC/OS.
 
 %prep
-%autosetup -p1
+%autosetup -N
+%autopatch -p1 0 1
+cd vendor/github.com/dgrijalva/jwt-go
+%autopatch 2
 
 %build
 export GOPATH=%{our_gopath}
@@ -46,10 +50,13 @@ go test -mod=vendor
 %{_bindir}/dcos
 
 %changelog
+* Tue Mar 11 2025 Kevin Lockwood <v-klockwood@microsoft.com> - 1.2.0-21
+- Add patch for CVE-2024-51744
+
 * Sat Mar 01 2025 Kanishk Bansal <kanbansal@microsoft.com> - 1.2.0-20
 - Fix CVE-2025-27144 with an upstream patch
 
-* Mon Oct 01 2024 Henry Li <lihl@microsoft.com> - 1.2.0-19
+* Tue Oct 01 2024 Henry Li <lihl@microsoft.com> - 1.2.0-19
 - Add patch to resolve CVE-2024-28180
 
 * Mon Sep 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.2.0-18