From 1115a2f3a85a6cbea1fa78c85bac0086e4c24b4e Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Mon, 8 Dec 2025 06:12:22 +0000
Subject: [PATCH] Patch cert-manager for CVE-2025-65637

---
 SPECS/cert-manager/CVE-2025-65637.patch | 102 ++++++++++++++++++++++++
 SPECS/cert-manager/cert-manager.spec | 6 +-
 2 files changed, 107 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/cert-manager/CVE-2025-65637.patch

diff --git a/SPECS/cert-manager/CVE-2025-65637.patch b/SPECS/cert-manager/CVE-2025-65637.patch
new file mode 100644
index 00000000000..36a07b53263
--- /dev/null
+++ b/SPECS/cert-manager/CVE-2025-65637.patch
@@ -0,0 +1,102 @@
+From f9245b75076c4641eb47967e66bcf5425167643f Mon Sep 17 00:00:00 2001
+From: Chris
+Date: Fri, 10 Mar 2023 13:45:41 -0800
+Subject: [PATCH] This commit fixes a potential denial of service vulnerability
+ in logrus.Writer() that could be triggered by logging text longer than 64kb
+ without newlines. Previously, the bufio.Scanner used by Writer() would hang
+ indefinitely when reading such text without newlines, causing the application
+ to become unresponsive.
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://raw.githubusercontent.com/Kanishk-Bansal/tarball/refs/heads/main/CVE-2025-65637.patch
+---
+ vendor/github.com/sirupsen/logrus/writer.go | 34 ++++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
+index 72e8e3a..7e7703c 100644
+--- a/vendor/github.com/sirupsen/logrus/writer.go
++++ b/vendor/github.com/sirupsen/logrus/writer.go
+@@ -4,6 +4,7 @@ import (
+ "bufio"
+ "io"
+ "runtime"
++ "strings"
+ )
+ 
+ // Writer at INFO level. See WriterLevel for details.
+@@ -20,15 +21,18 @@ func (logger *Logger) WriterLevel(level Level) *io.PipeWriter {
+ return NewEntry(logger).WriterLevel(level)
+ }
+ 
++// Writer returns an io.Writer that writes to the logger at the info log level
+ func (entry *Entry) Writer() *io.PipeWriter {
+ return entry.WriterLevel(InfoLevel)
+ }
+ 
++// WriterLevel returns an io.Writer that writes to the logger at the given log level
+ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
+ reader, writer := io.Pipe()
+ 
+ var printFunc func(args ...interface{})
+ 
++ // Determine which log function to use based on the specified log level
+ switch level {
+ case TraceLevel:
+ printFunc = entry.Trace
+@@ -48,23 +52,51 @@ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
+ printFunc = entry.Print
+ }
+ 
++ // Start a new goroutine to scan the input and write it to the logger using the specified print function.
++ // It splits the input into chunks of up to 64KB to avoid buffer overflows.
+ go entry.writerScanner(reader, printFunc)
++
++ // Set a finalizer function to close the writer when it is garbage collected
+ runtime.SetFinalizer(writer, writerFinalizer)
+ 
+ return writer
+ }
+ 
++// writerScanner scans the input from the reader and writes it to the logger
+ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...interface{})) {
+ scanner := bufio.NewScanner(reader)
++
++ // Set the buffer size to the maximum token size to avoid buffer overflows
++ scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize)
++
++ // Define a split function to split the input into chunks of up to 64KB
++ chunkSize := 64 * 1024 // 64KB
++ splitFunc := func(data []byte, atEOF bool) (int, []byte, error) {
++ if len(data) > chunkSize {
++ return chunkSize, data[:chunkSize], nil
++ }
++
++ return len(data), data, nil
++ }
++
++ //Use the custom split function to split the input
++ scanner.Split(splitFunc)
++
++ // Scan the input and write it to the logger using the specified print function
+ for scanner.Scan() {
+- printFunc(scanner.Text())
++ printFunc(strings.TrimRight(scanner.Text(), "\r\n"))
+ }
++
++ // If there was an error while scanning the input, log an error
+ if err := scanner.Err(); err != nil {
+ entry.Errorf("Error while reading from Writer: %s", err)
+ }
++
++ // Close the reader when we are done
+ reader.Close()
+ }
+ 
++// WriterFinalizer is a finalizer function that closes then given writer when it is garbage collected
+ func writerFinalizer(writer *io.PipeWriter) {
+ writer.Close()
+ }
+-- 
+2.45.4
+
diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec
index 805ecd29bef..1bc422c172c 100644
--- a/SPECS/cert-manager/cert-manager.spec
+++ b/SPECS/cert-manager/cert-manager.spec
@@ -1,7 +1,7 @@
 Summary: Automatically provision and manage TLS certificates in Kubernetes
 Name: cert-manager
 Version: 1.11.2
-Release: 24%{?dist}
+Release: 25%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -38,6 +38,7 @@ Patch15: CVE-2025-30204.patch
 Patch16: CVE-2024-51744.patch
 Patch17: CVE-2025-32386.patch
 Patch18: CVE-2025-22872.patch
+Patch19: CVE-2025-65637.patch
 
 BuildRequires: golang
 Requires: %{name}-acmesolver
@@ -131,6 +132,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
 %{_bindir}/webhook
 
 %changelog
+* Mon Dec 08 2025 Azure Linux Security Servicing Account - 1.11.2-25
+- Patch for CVE-2025-65637
+
 * Thu Sep 04 2025 Akhila Guruju - 1.11.2-24
 - Bump release to rebuild with golang
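Review bot: The fallback branch of `splitFunc` in writerScanner, `return len(data), data, nil`, is also reached at EOF with an empty buffer, where it hands `bufio.Scanner` an empty non-nil token without advancing; `Scan` then keeps returning true, the loop logs empty entries, and the scanner panics ("too many empty tokens without progressing") after a hundred of them as soon as the pipe writer is closed, which takes the process down with the logging goroutine. The same branch no longer splits on newlines, so one `Write` carrying several lines becomes a single log entry and the added `TrimRight` only strips the final terminator. Both are avoided by delegating the small-buffer case to the standard splitter, `return bufio.ScanLines(data, atEOF)`, and by making the oversize branch fire when the buffer is full rather than never: `chunkSize := bufio.MaxScanTokenSize` with `if len(data) >= chunkSize {` — as written, `len(data) > chunkSize` cannot be true because `scanner.Buffer` caps the buffer at the same 64 KiB, and with a line-based fallback that would surface as `ErrTooLong` instead of a chunk. This is the vendored logrus writer.go carried inside the new patch file; the spec hunks that register it are release and changelog bookkeeping.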