From e414f91ed8811f5ff1ba4748e4a49c93c5e95417 Mon Sep 17 00:00:00 2001
From: Jianmin <jianmin@iscas.ac.cn>
Date: Mon, 25 Aug 2025 09:20:12 +0800
Subject: [PATCH] [backport] fix CVE-2023-39325 CVE-2023-44487 CVE-2025-27144

---
 ...180.patch => 0000-fix-CVE-2024-28180.patch |   0
 0002-fix-CVE-2023-39325.patch                 | 130 ++++++++++++++++++
 0003-fix-CVE-2025-27144.patch                 |  49 +++++++
 skopeo.spec                                   |  12 +-
 4 files changed, 189 insertions(+), 2 deletions(-)
 rename 0001-fix-CVE-2024-28180.patch => 0000-fix-CVE-2024-28180.patch (100%)
 create mode 100644 0002-fix-CVE-2023-39325.patch
 create mode 100644 0003-fix-CVE-2025-27144.patch

diff --git a/0001-fix-CVE-2024-28180.patch b/0000-fix-CVE-2024-28180.patch
similarity index 100%
rename from 0001-fix-CVE-2024-28180.patch
rename to 0000-fix-CVE-2024-28180.patch
diff --git a/0002-fix-CVE-2023-39325.patch b/0002-fix-CVE-2023-39325.patch
new file mode 100644
index 0000000..71e2f19
--- /dev/null
+++ b/0002-fix-CVE-2023-39325.patch
@@ -0,0 +1,130 @@
+From 37a23493eba78020d33687e94c57f9e57f096c4c Mon Sep 17 00:00:00 2001
+From: Jianmin <jianmin@iscas.ac.cn>
+Date: Sun, 24 Aug 2025 15:07:07 +0800
+Subject: [PATCH] [backport] fix CVE-2023-39325
+
+From: https://go-review.googlesource.com/c/net/+/534215
+---
+ vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++++++++-
+ 1 file changed, 64 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
+index e644d9b..63ad5ca 100644
+--- a/vendor/golang.org/x/net/http2/server.go
++++ b/vendor/golang.org/x/net/http2/server.go
+@@ -520,9 +520,11 @@ type serverConn struct {
+ 	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
+ 	curClientStreams            uint32 // number of open streams initiated by the client
+ 	curPushedStreams            uint32 // number of open streams initiated by server push
++	curHandlers                 uint32 // number of running handler goroutines
+ 	maxClientStreamID           uint32 // max ever seen from client (odd), or 0 if there have been no client requests
+ 	maxPushPromiseID            uint32 // ID of the last push promise (even), or 0 if there have been no pushes
+ 	streams                     map[uint32]*stream
++	unstartedHandlers           []unstartedHandler
+ 	initialStreamSendWindowSize int32
+ 	maxFrameSize                int32
+ 	headerTableSize             uint32
+@@ -909,6 +911,8 @@ func (sc *serverConn) serve() {
+ 					return
+ 				case gracefulShutdownMsg:
+ 					sc.startGracefulShutdownInternal()
++				case handlerDoneMsg:
++					sc.handlerDone()
+ 				default:
+ 					panic("unknown timer")
+ 				}
+@@ -954,6 +958,7 @@ var (
+ 	idleTimerMsg        = new(serverMessage)
+ 	shutdownTimerMsg    = new(serverMessage)
+ 	gracefulShutdownMsg = new(serverMessage)
++	handlerDoneMsg      = new(serverMessage)
+ )
+ 
+ func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
+@@ -1911,8 +1916,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
+ 		sc.conn.SetReadDeadline(time.Time{})
+ 	}
+ 
+-	go sc.runHandler(rw, req, handler)
+-	return nil
++	return sc.scheduleHandler(id, rw, req, handler)
+ }
+ 
+ func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error {
+@@ -2159,8 +2163,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r
+ 	return rw, req, nil
+ }
+ 
++type unstartedHandler struct {
++	streamID uint32
++	rw       *responseWriter
++	req      *http.Request
++	handler  func(http.ResponseWriter, *http.Request)
++}
++
++// scheduleHandler starts a handler goroutine,
++// or schedules one to start as soon as an existing handler finishes.
++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error {
++	sc.serveG.check()
++	maxHandlers := sc.advMaxStreams
++	if sc.curHandlers < maxHandlers {
++		sc.curHandlers++
++		go sc.runHandler(rw, req, handler)
++		return nil
++	}
++	if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
++		return ConnectionError(ErrCodeEnhanceYourCalm)
++	}
++	sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{
++		streamID: streamID,
++		rw:       rw,
++		req:      req,
++		handler:  handler,
++	})
++	return nil
++}
++
++func (sc *serverConn) handlerDone() {
++	sc.serveG.check()
++	sc.curHandlers--
++	i := 0
++	maxHandlers := sc.advMaxStreams
++	for ; i < len(sc.unstartedHandlers); i++ {
++		u := sc.unstartedHandlers[i]
++		if sc.streams[u.streamID] == nil {
++			// This stream was reset before its goroutine had a chance to start.
++			continue
++		}
++		if sc.curHandlers >= maxHandlers {
++			break
++		}
++		sc.curHandlers++
++		go sc.runHandler(u.rw, u.req, u.handler)
++		sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references
++	}
++	sc.unstartedHandlers = sc.unstartedHandlers[i:]
++	if len(sc.unstartedHandlers) == 0 {
++		sc.unstartedHandlers = nil
++	}
++}
++
+ // Run on its own goroutine.
+ func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
++	defer sc.sendServeMsg(handlerDoneMsg)
+ 	didPanic := true
+ 	defer func() {
+ 		rw.rws.stream.cancelCtx()
+@@ -2923,6 +2981,10 @@ func (sc *serverConn) startPush(msg *startPushRequest) {
+ 			panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err))
+ 		}
+ 
++		// This is the first request on the connection,
++		// so start the handler directly rather than going
++		// through scheduleHandler.
++		sc.curHandlers++
+ 		go sc.runHandler(rw, req, sc.handler.ServeHTTP)
+ 		return promisedID, nil
+ 	}
+-- 
+2.39.5 (Apple Git-154)
+
diff --git a/0003-fix-CVE-2025-27144.patch b/0003-fix-CVE-2025-27144.patch
new file mode 100644
index 0000000..6c5ac06
--- /dev/null
+++ b/0003-fix-CVE-2025-27144.patch
@@ -0,0 +1,49 @@
+From b3d0df5f228ddbb608bf14256889200690c78820 Mon Sep 17 00:00:00 2001
+From: Jianmin <jianmin@iscas.ac.cn>
+Date: Fri, 22 Aug 2025 15:47:51 +0800
+Subject: [PATCH] [backport] fix CVE-2025-27144
+
+---
+ vendor/gopkg.in/square/go-jose.v2/jwe.go | 5 +++--
+ vendor/gopkg.in/square/go-jose.v2/jws.go | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/gopkg.in/square/go-jose.v2/jwe.go b/vendor/gopkg.in/square/go-jose.v2/jwe.go
+index b5a6dcd..cd1de9e 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/jwe.go
++++ b/vendor/gopkg.in/square/go-jose.v2/jwe.go
+@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+ 
+ // parseEncryptedCompact parses a message in compact format.
+ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 5 {
++	// Five parts is four separators
++	if strings.Count(input, ".") != 4 {
+ 		return nil, fmt.Errorf("square/go-jose: compact JWE format must have five parts")
+ 	}
++	parts := strings.SplitN(input, ".", 5)
+ 
+ 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ 	if err != nil {
+diff --git a/vendor/gopkg.in/square/go-jose.v2/jws.go b/vendor/gopkg.in/square/go-jose.v2/jws.go
+index 7e261f9..a8d55fb 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/jws.go
++++ b/vendor/gopkg.in/square/go-jose.v2/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+ 
+ // parseSignedCompact parses a message in compact format.
+ func parseSignedCompact(input string) (*JSONWebSignature, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 3 {
++	// Three parts is two separators
++	if strings.Count(input, ".") != 2 {
+ 		return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts")
+ 	}
++	parts := strings.SplitN(input, ".", 3)
+ 
+ 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ 	if err != nil {
+-- 
+2.39.5 (Apple Git-154)
+
diff --git a/skopeo.spec b/skopeo.spec
index e9f2fd0..24426da 100644
--- a/skopeo.spec
+++ b/skopeo.spec
@@ -30,7 +30,7 @@ ExcludeArch: ppc64
 Name: %{repo}
 Epoch: 1
 Version: 1.1.0
-Release: 12
+Release: 13
 Summary: Work with remote images registries - retrieving information, images, signing content
 License: ASL 2.0
 URL: https://github.com/containers/skopeo
@@ -38,8 +38,10 @@ Source0: https://github.com/containers/skopeo/archive/v1.1.0.tar.gz
 Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
 Source2: registries.conf
 Source3: seccomp.json
-Patch0: 0001-fix-CVE-2024-28180.patch
+Patch0: 0000-fix-CVE-2024-28180.patch
 Patch1: 0001-fix-CVE-2023-29406.patch
+Patch2: 0002-fix-CVE-2023-39325.patch
+Patch3: 0003-fix-CVE-2025-27144.patch
 
 BuildRequires: go-srpm-macros golang git pkgconfig(devmapper) make
 BuildRequires: gpgme-devel libassuan-devel btrfs-progs-devel ostree-devel glib2-devel
@@ -343,6 +345,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_datadir}/bash-completion/completions/%{name}
 
 %changelog
+* Mon Aug 25 2025 Jianmin <jianmin@iscas.ac.cn> - 1:1.1.0-13
+- Type:bugfix
+- CVE:CVE-2023-39325 CVE-2023-44487 CVE-2025-27144
+- SUG:NA
+- DESC: fix CVE-2023-39325 CVE-2023-44487 CVE-2025-27144
+
 * Sat May 11 2024 lijian <lijian2@kylinos.cn> - 1:1.1.0-12
 - Type:bugfix
 - CVE:NA
-- 
Gitee