From 7c8b765caf478fb43bef76f489bf1d8f7a13e80d Mon Sep 17 00:00:00 2001
From: Jianmin
Date: Mon, 25 Aug 2025 11:00:50 +0800
Subject: [PATCH] Fix CVE-2025-27144 (cherry picked from commit fdd740f3f0df0d87e0be74dc86d49b68fe779ca9)
---
 0005-fix-CVE-2025-27144.patch | 51 +++++++++++++++++++++++++++++++++++
 skopeo.spec | 6 ++++-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 0005-fix-CVE-2025-27144.patch
diff --git a/0005-fix-CVE-2025-27144.patch b/0005-fix-CVE-2025-27144.patch
new file mode 100644
index 0000000..0025645
--- /dev/null
+++ b/0005-fix-CVE-2025-27144.patch
@@ -0,0 +1,51 @@
+From 99b346cec4e86d102284642c5dcbe9bb0cacfc22 Mon Sep 17 00:00:00 2001
+From: Matthew McPherrin
+Date: Mon, 24 Feb 2025 15:06:34 -0500
+Subject: [PATCH] Don't allow unbounded amounts of splits (#167)
+
+In compact JWS/JWE, don't allow unbounded number of splits.
+Count to make sure there's the right number, then use SplitN.
+
+---
+ vendor/github.com/go-jose/go-jose/v3/jwe.go | 5 +++--
+ vendor/github.com/go-jose/go-jose/v3/jws.go | 5 +++--
+ 4 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jwe.go b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+index bce3045..0126aa6 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jwe.go
++++ b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+@@ -202,10 +202,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+
+ // parseEncryptedCompact parses a message in compact format.
+ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 5 {
++ // Five parts is four separators
++ if strings.Count(input, ".") != 4 {
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ }
++ parts := strings.SplitN(input, ".", 5)
+
+ rawProtected, err := base64URLDecode(parts[0])
+ if err != nil {
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jws.go b/vendor/github.com/go-jose/go-jose/v3/jws.go
+index 865f16a..bf6e019 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jws.go
++++ b/vendor/github.com/go-jose/go-jose/v3/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+
+ // parseSignedCompact parses a message in compact format.
+ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 3 {
++ // Three parts is two separators
++ if strings.Count(input, ".") != 2 {
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ }
++ parts := strings.SplitN(input, ".", 3)
+
+ if parts[1] != "" && payload != nil {
+ return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+--
+2.25.1
diff --git a/skopeo.spec b/skopeo.spec
index d181843..67eeb76 100644
--- a/skopeo.spec
+++ b/skopeo.spec
@@ -12,7 +12,7 @@ ExcludeArch: ppc64
 Name: skopeo
 Epoch: 1
 Version: 1.14.2
-Release: 5
+Release: 6
 Summary: Work with remote images registries - retrieving information, images, signing content
 License: Apache-2.0
 URL: https://github.com/containers/skopeo
@@ -23,6 +23,7 @@ Patch0001: 0001-fix-CVE-2024-24786.patch
 Patch0002: 0002-fix-CVE-2024-28180.patch
 Patch0003: 0003-add-sw64-support.patch
 Patch0004: 0004-Bump-containers-image-v5-to-v5.29.5.patch
+Patch0005: 0005-fix-CVE-2025-27144.patch
 BuildRequires: go-srpm-macros git-core pkgconfig(devmapper) make
 BuildRequires: golang >= 1.19
@@ -130,6 +131,9 @@ cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/
 %{_datadir}/%{name}/test
 %changelog
+* Mon Aug 25 2025 Jianmin - 1:1.14.2-6
+- Fix CVE-2025-27144
+
 * Sun Aug 24 2025 Jianmin - 1:1.14.2-5
 - Bump containers/image/v5 to v5.29.5 to fix CVE-2024-3727
--
Gitee
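Review bot: The embedded go-jose patch keeps upstream's summary line `4 files changed, 12 insertions(+), 8 deletions(-)` but carries only the `jwe.go` and `jws.go` hunks under `vendor/`, so the other two upstream files (presumably tests or a changelog, which would not be vendored) were dropped without a record and the backport has no regression test for mis-separated compact input. I would add a line to the patch description such as `Backport: only the vendored jwe.go and jws.go hunks are kept; upstream's other two files are not present in vendor/`. Because the fix is applied in place to vendored sources, the go-jose version recorded in the module metadata presumably does not change, so version-based scanners may still report CVE-2025-27144 for this build and the `%changelog` entry is the only record of the fix. The bodies of `parseEncryptedCompact` and `parseSignedCompact` continue past the end of each embedded hunk.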