From 9637a942c931108ddadd04e24bafb0c4a32fc5d4 Mon Sep 17 00:00:00 2001
From: bwzhang
Date: Mon, 7 Apr 2025 13:57:20 +0800
Subject: [PATCH] backport fix CVE-2025-27144

(cherry picked from commit 40c2da80389be8fb90ba095f8637ce487a3fe85f)
---
 backport-fix-CVE-2025-27144.patch | 90 +++++++++++++++++++++++++++++++
 buildah.spec | 9 +++-
 2 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 backport-fix-CVE-2025-27144.patch

diff --git a/backport-fix-CVE-2025-27144.patch b/backport-fix-CVE-2025-27144.patch
new file mode 100644
index 0000000..9548c88
--- /dev/null
+++ b/backport-fix-CVE-2025-27144.patch
@@ -0,0 +1,90 @@
+From 99b346cec4e86d102284642c5dcbe9bb0cacfc22 Mon Sep 17 00:00:00 2001
+From: Matthew McPherrin
+Date: Mon, 24 Feb 2025 15:06:34 -0500
+Subject: [PATCH] Don't allow unbounded amounts of splits (#167)
+
+In compact JWS/JWE, don't allow unbounded number of splits.
+Count to make sure there's the right number, then use SplitN.
+
+---
+ vendor/github.com/go-jose/go-jose/v3/jwe.go | 5 +++--
+ vendor/github.com/go-jose/go-jose/v3/jws.go | 5 +++--
+ vendor/gopkg.in/go-jose/go-jose.v2/jwe.go | 5 +++--
+ vendor/gopkg.in/go-jose/go-jose.v2/jws.go | 5 +++--
+ 4 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jwe.go b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+index bce3045..0126aa6 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jwe.go
++++ b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+@@ -202,10 +202,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+ 
+ // parseEncryptedCompact parses a message in compact format.
+ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 5 {
++ // Five parts is four separators
++ if strings.Count(input, ".") != 4 {
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ }
++ parts := strings.SplitN(input, ".", 5)
+ 
+ rawProtected, err := base64URLDecode(parts[0])
+ if err != nil {
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jws.go b/vendor/github.com/go-jose/go-jose/v3/jws.go
+index 865f16a..bf6e019 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jws.go
++++ b/vendor/github.com/go-jose/go-jose/v3/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+ 
+ // parseSignedCompact parses a message in compact format.
+ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 3 {
++ // Three parts is two separators
++ if strings.Count(input, ".") != 2 {
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ }
++ parts := strings.SplitN(input, ".", 3)
+ 
+ if parts[1] != "" && payload != nil {
+ return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
+index a8966ab..faebb8d 100644
+--- a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
++++ b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
+@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+ 
+ // parseEncryptedCompact parses a message in compact format.
+ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 5 {
++ // Five parts is four separators
++ if strings.Count(input, ".") != 4 {
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ }
++ parts := strings.SplitN(input, ".", 5)
+ 
+ rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ if err != nil {
+diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
+index 1a24fa4..717f04a 100644
+--- a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
++++ b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+ 
+ // parseSignedCompact parses a message in compact format.
+ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) { +- parts := strings.Split(input, ".") +- if len(parts) != 3 { ++ // Three parts is two separators ++ if strings.Count(input, ".") != 2 { + return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts") + } ++ parts := strings.SplitN(input, ".", 3) + + if parts[1] != "" && payload != nil { + return nil, fmt.Errorf("go-jose/go-jose: payload is not detached") +-- +2.25.1 + diff --git a/buildah.spec b/buildah.spec index 87a9dd9..db28492 100644 --- a/buildah.spec +++ b/buildah.spec @@ -22,7 +22,7 @@ Name: buildah Version: 1.34.1 -Release: 6 +Release: 7 Summary: A command line tool used for creating OCI Images License: Apache-2.0 and BSD-2-Clause and BSD-3-Clause and ISC and MIT and MPL-2.0 URL: https://%{name}.io @@ -34,6 +34,7 @@ Patch0002: 0002-fix-CVE-2024-1753.patch Patch0003: 0003-fix-CVE-2024-28180.patch Patch0004: 0004-fix-CVE-2024-3727.patch Patch0005: backport-fix-CVE-2025-22869.patch +Patch0006: backport-fix-CVE-2025-27144.patch BuildRequires: device-mapper-devel BuildRequires: git-core @@ -149,6 +150,12 @@ rm %{buildroot}%{_datadir}/%{name}/test/system/tools/build/* %{_datadir}/%{name}/test %changelog +* Mon Apr 7 2025 zhangbowei - 1.34.1-7 +-Type:cve +-CVE:CVE-2025-27144 +-SUG:NA +-DESC:backport CVE-2025-27144 + * Fri Mar 28 2025 zhangbowei - 1.34.1-6 -Type:cve -CVE:CVE-2025-22869 -- Gitee
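Review bot: The backport edits the four vendored go-jose source files in place (per the inner diffstat, only the .go files change) without touching vendor/modules.txt or go.mod, so the Go build info embedded in the resulting binary will presumably still advertise the unpatched go-jose v3 and gopkg.in v2 module versions, and version-based scanners (govulncheck, trivy/grype) are likely to keep reporting CVE-2025-27144 against this package. That is inherent to a source-level backport, but it is worth recording so the finding can be closed against the distro advisory instead of being re-investigated; I would extend the changelog line to `-DESC:backport CVE-2025-27144 (source-level fix in vendored go-jose v3 and v2; module versions unchanged)`. The fix itself reads correctly: checking strings.Count before SplitN bounds the slice that an input with many separators could otherwise force, and both the JWS and JWE compact parsers are covered in both vendored copies. The enclosing functions continue past each inner hunk, but nothing after the shown lines depends on the split count.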