Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch cf-cli for CVE-2025-65637 [HIGH] - branch main" #15321

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 3 people

SPECS/cf-cli/CVE-2025-65637.patch

@@ -0,0 +1,136 @@
+From 93f4a08fe4b678980b16560eff48b5d0a2fb5488 Mon Sep 17 00:00:00 2001
+From: Chris <straight.chris@gmail.com>
+Date: Fri, 10 Mar 2023 13:45:41 -0800
+Subject: [PATCH 1/2] This commit fixes a potential denial of service
+ vulnerability in logrus.Writer() that could be triggered by logging text
+ longer than 64kb without newlines. Previously, the bufio.Scanner used by
+ Writer() would hang indefinitely when reading such text without newlines,
+ causing the application to become unresponsive.
+
+---
+ vendor/github.com/sirupsen/logrus/writer.go | 33 ++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
+index 9e1f751..bbeef80 100644
+--- a/vendor/github.com/sirupsen/logrus/writer.go
++++ b/vendor/github.com/sirupsen/logrus/writer.go
+@@ -4,6 +4,7 @@ import (
+ 	"bufio"
+ 	"io"
+ 	"runtime"
++	"strings"
+ )
+ 
+ func (logger *Logger) Writer() *io.PipeWriter {
+@@ -14,15 +15,18 @@ func (logger *Logger) WriterLevel(level Level) *io.PipeWriter {
+ 	return NewEntry(logger).WriterLevel(level)
+ }
+ 
++// Writer returns an io.Writer that writes to the logger at the info log level
+ func (entry *Entry) Writer() *io.PipeWriter {
+ 	return entry.WriterLevel(InfoLevel)
+ }
+ 
++// WriterLevel returns an io.Writer that writes to the logger at the given log level
+ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
+ 	reader, writer := io.Pipe()
+ 
+ 	var printFunc func(args ...interface{})
+ 
++	// Determine which log function to use based on the specified log level
+ 	switch level {
+ 	case TraceLevel:
+ 		printFunc = entry.Trace
+@@ -42,23 +46,50 @@ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
+ 		printFunc = entry.Print
+ 	}
+ 
++	// Start a new goroutine to scan the input and write it to the logger using the specified print function.
++	// It splits the input into chunks of up to 64KB to avoid buffer overflows.
+ 	go entry.writerScanner(reader, printFunc)
++
++	// Set a finalizer function to close the writer when it is garbage collected
+ 	runtime.SetFinalizer(writer, writerFinalizer)
+ 
+ 	return writer
+ }
+ 
++// writerScanner scans the input from the reader and writes it to the logger
+ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...interface{})) {
+ 	scanner := bufio.NewScanner(reader)
++
++	// Set the buffer size to the maximum token size to avoid buffer overflows
++	scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize)
++
++	// Define a split function to split the input into chunks of up to 64KB
++	chunkSize := 64 * 1024 // 64KB
++	splitFunc := func(data []byte, atEOF bool) (int, []byte, error) {
++		if len(data) > chunkSize {
++			return chunkSize, data[:chunkSize], nil
++		}
++		return 0, nil, nil
++	}
++
++	//Use the custom split function to split the input
++	scanner.Split(splitFunc)
++
++	// Scan the input and write it to the logger using the specified print function
+ 	for scanner.Scan() {
+-		printFunc(scanner.Text())
++		printFunc(strings.TrimRight(scanner.Text(), "\r\n"))
+ 	}
++
++	// If there was an error while scanning the input, log an error
+ 	if err := scanner.Err(); err != nil {
+ 		entry.Errorf("Error while reading from Writer: %s", err)
+ 	}
++
++	// Close the reader when we are done
+ 	reader.Close()
+ }
+ 
++// WriterFinalizer is a finalizer function that closes then given writer when it is garbage collected
+ func writerFinalizer(writer *io.PipeWriter) {
+ 	writer.Close()
+ }
+-- 
+2.45.4
+
+
+From 944504874319c871da113e3722fe40b7a361e2a1 Mon Sep 17 00:00:00 2001
+From: Chris <straight.chris@gmail.com>
+Date: Fri, 10 Mar 2023 13:45:41 -0800
+Subject: [PATCH 2/2] Scan text in 64KB chunks
+
+This commit fixes a potential denial of service
+vulnerability in logrus.Writer() that could be
+triggered by logging text longer than 64KB
+without newlines. Previously, the bufio.Scanner
+used by Writer() would hang indefinitely when
+reading such text without newlines, causing the
+application to become unresponsive.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/sirupsen/logrus/pull/1376.patch
+---
+ vendor/github.com/sirupsen/logrus/writer.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
+index bbeef80..bc6c19c 100644
+--- a/vendor/github.com/sirupsen/logrus/writer.go
++++ b/vendor/github.com/sirupsen/logrus/writer.go
+@@ -69,7 +69,8 @@ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...
+ 		if len(data) > chunkSize {
+ 			return chunkSize, data[:chunkSize], nil
+ 		}
+-		return 0, nil, nil
++
++		return len(data), data, nil
+ 	}
+ 
+ 	//Use the custom split function to split the input
+-- 
+2.45.4
+

SPECS/cf-cli/cf-cli.spec

@@ -1,7 +1,7 @@
 Summary:        The official command line client for Cloud Foundry.
 Name:           cf-cli
 Version:        8.4.0
-Release:        25%{?dist}
+Release:        26%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -36,6 +36,7 @@ Patch3:         CVE-2022-32149.patch
 Patch4:         CVE-2024-24786.patch
 Patch5:         CVE-2024-45338.patch
 Patch6:         CVE-2024-51744.patch
+Patch7:         CVE-2025-65637.patch
 
 BuildRequires:  golang
 %global debug_package %{nil}
@@ -70,6 +71,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf
 %{_bindir}/cf
 
 %changelog
+* Mon Dec 08 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 8.4.0-26
+- Patch for CVE-2025-65637
+
 * Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 8.4.0-25
 - Bump release to rebuild with golang