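--- /dev/null
+++ b/SPECS/rook/CVE-2025-30204.patch
@@ -0,0 +1,171 @@
+From 81405154e9c69ad5e921fc5a5ea1c753e0affbff Mon Sep 17 00:00:00 2001
+From: Michael Fridman <mfridman@buf.build>
+Date: Fri, 21 Mar 2025 16:42:51 -0400
+Subject: [PATCH] Backporting 0951d18 to v4
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84.patch
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://raw.githubusercontent.com/microsoft/azurelinux/main/SPECS/cf-cli/CVE-2025-30204.patch
+---
+.../form3tech-oss/jwt-go/jwt_test.go | 89 +++++++++++++++++++
+.../github.com/form3tech-oss/jwt-go/parser.go | 36 +++++++-
+2 files changed, 122 insertions(+), 3 deletions(-)
+create mode 100644 vendor/github.com/form3tech-oss/jwt-go/jwt_test.go
+
+diff --git a/vendor/github.com/form3tech-oss/jwt-go/jwt_test.go b/vendor/github.com/form3tech-oss/jwt-go/jwt_test.go
+new file mode 100644
+index 0000000..b01e899
+--- /dev/null
++++ b/vendor/github.com/form3tech-oss/jwt-go/jwt_test.go
+@@ -0,0 +1,89 @@
++package jwt
++
++import (
++ "testing"
++)
++
++func TestSplitToken(t *testing.T) {
++ t.Parallel()
++
++ tests := []struct {
++ name string
++ input string
++ expected []string
++ isValid bool
++ }{
++ {
++ name: "valid token with three parts",
++ input: "header.claims.signature",
++ expected: []string{"header", "claims", "signature"},
++ isValid: true,
++ },
++ {
++ name: "invalid token with two parts only",
++ input: "header.claims",
++ expected: nil,
++ isValid: false,
++ },
++ {
++ name: "invalid token with one part only",
++ input: "header",
++ expected: nil,
++ isValid: false,
++ },
++ {
++ name: "invalid token with extra delimiter",
++ input: "header.claims.signature.extra",
++ expected: nil,
++ isValid: false,
++ },
++ {
++ name: "invalid empty token",
++ input: "",
++ expected: nil,
++ isValid: false,
++ },
++ {
++ name: "valid token with empty parts",
++ input: "..signature",
++ expected: []string{"", "", "signature"},
++ isValid: true,
++ },
++ {
++ // We are just splitting the token into parts, so we don't care about the actual values.
++ // It is up to the caller to validate the parts.
++ name: "valid token with all parts empty",
++ input: "..",
++ expected: []string{"", "", ""},
++ isValid: true,
++ },
++ {
++ name: "invalid token with just delimiters and extra part",
++ input: "...",
++ expected: nil,
++ isValid: false,
++ },
++ {
++ name: "invalid token with many delimiters",
++ input: "header.claims.signature..................",
++ expected: nil,
++ isValid: false,
++ },
++ }
++
++ for _, tt := range tests {
++ t.Run(tt.name, func(t *testing.T) {
++ parts, ok := splitToken(tt.input)
++ if ok != tt.isValid {
++ t.Errorf("expected %t, got %t", tt.isValid, ok)
++ }
++ if ok {
++ for i, part := range tt.expected {
++ if parts[i] != part {
++ t.Errorf("expected %s, got %s", part, parts[i])
++ }
++ }
++ }
++ })
++ }
++}
+diff --git a/vendor/github.com/form3tech-oss/jwt-go/parser.go b/vendor/github.com/form3tech-oss/jwt-go/parser.go
+index 83f42eb..0e4a63a 100644
+--- a/vendor/github.com/form3tech-oss/jwt-go/parser.go
++++ b/vendor/github.com/form3tech-oss/jwt-go/parser.go
+@@ -7,6 +7,8 @@ import (
+"strings"
+)
+
++const tokenDelimiter = "."
++
+type Parser struct {
+ValidMethods []string // If populated, only these methods will be considered valid
+UseJSONNumber bool // Use JSON Number format in JSON decoder
+@@ -100,9 +102,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+// been checked previously in the stack) and you want to extract values from
+// it.
+func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+- parts = strings.Split(tokenString, ".")
+- if len(parts) != 3 {
+- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
++ var ok bool
++ parts, ok = splitToken(tokenString)
++ if !ok {
++ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+}
+
+token = &Token{Raw: tokenString}
+@@ -152,3 +155,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+
+return token, parts, nil
+}
++
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++ parts := make([]string, 3)
++ header, remain, ok := strings.Cut(token, tokenDelimiter)
++ if !ok {
++ return nil, false
++ }
++ parts[0] = header
++ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++ if !ok {
++ return nil, false
++ }
++ parts[1] = claims
++ // One more cut to ensure the signature is the last part of the token and there are no more
++ // delimiters. This avoids an issue where malicious input could contain additional delimiters
++ // causing unecessary overhead parsing tokens.
++ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++ if unexpected {
++ return nil, false
++ }
++ parts[2] = signature
++
++ return parts, true
++}
+--
+2.45.4
+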
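Review bot: The error path of ParseUnverified now returns `nil` for parts where the old code returned the partial `strings.Split` result, so a caller that inspected parts after a malformed-token error sees a behaviour change beyond the bounded-allocation fix; that is worth a sentence in the patch description or a check of rook's call sites, and ParseUnverified's body continues past the hunk. In TestSplitToken the success branch indexes `parts[i]` for every expected element without first asserting the length, so a regression returning a shorter slice would panic instead of failing readably; a guard `if len(parts) != len(tt.expected) { t.Fatalf("expected %d parts, got %d", len(tt.expected), len(parts)) }` before the loop fixes that. The comment on splitToken's final Cut has a typo, `unecessary` should read `unnecessary`. Since the new test lives under vendor/, it presumably only runs if the package build explicitly tests the vendored tree — confirm that the backport is actually exercised somewhere in CI.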
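--- a/SPECS/rook/rook.spec
+++ b/SPECS/rook/rook.spec
@@ -19,7 +19,7 @@
 Summary: Orchestrator for distributed storage systems in cloud-native environments
 Name: rook
 Version: 1.6.2
-Release: 27%{?dist}
+Release: 28%{?dist}
 License: Apache-2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -62,6 +62,7 @@ Patch5: CVE-2024-28180.patch
 Patch6: CVE-2022-3162.patch
 Patch7: CVE-2025-27144.patch
 Patch8: CVE-2024-51744.patch
+Patch9: CVE-2025-30204.patch
 # Ceph version is needed to set correct container tag in manifests
 BuildRequires: ceph
 # Rook requirements
@@ -260,6 +261,9 @@ sed -i -e "s|\(.*tag: \)VERSION|\1%{helm_appVersion}|" %{values_yaml}
 # bother adding docs or changelog or anything
 
 %changelog
+* Fri Feb 20 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.6.2-28
+- Patch for CVE-2025-30204
+
 * Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 1.6.2-27
 - Bump release to rebuild with golang
 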
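Review bot: Patch9 is registered at the `Patch9: CVE-2025-30204.patch` line, but the %prep section is outside the shown hunks, so it is not visible whether patches are applied with `%autosetup -p1` or listed one by one; if the spec applies them individually, a matching `%patch9 -p1` line is required or the CVE patch is silently never applied to the vendored jwt-go source. The release bump and the changelog entry agree on 1.6.2-28, so that part is consistent.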