diff --git a/SPECS/coredns/CVE-2025-68156.patch b/SPECS/coredns/CVE-2025-68156.patch
new file mode 100644
index 00000000000..bf8ff967023
--- /dev/null
+++ b/SPECS/coredns/CVE-2025-68156.patch
@@ -0,0 +1,147 @@
+From 45c789c5baed4906bf5ac28281d58a373f3045b9 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Fri, 19 Dec 2025 11:54:37 +0000
+Subject: [PATCH] fix(builtin): limit recursion depth
+
+Add builtin.MaxDepth (default 10k) to prevent stack overflows when
+processing deeply nested or cyclic structures in builtin functions.
+The functions flatten, min, max, mean, and median now return a
+"recursion depth exceeded" error instead of crashing the runtime.
+
+Signed-off-by: Ville Vesilehto
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/expr-lang/expr/pull/870.patch
+---
+ .../expr-lang/expr/builtin/builtin.go | 13 ++++++++----
+ .../github.com/expr-lang/expr/builtin/lib.go | 21 +++++++++++++------
+ 2 files changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/vendor/github.com/expr-lang/expr/builtin/builtin.go b/vendor/github.com/expr-lang/expr/builtin/builtin.go
+index cc6f197..0b6d565 100644
+--- a/vendor/github.com/expr-lang/expr/builtin/builtin.go
++++ b/vendor/github.com/expr-lang/expr/builtin/builtin.go
+@@ -3,6 +3,7 @@ package builtin
+ import (
+ "encoding/base64"
+ "encoding/json"
++ "errors"
+ "fmt"
+ "reflect"
+ "sort"
+@@ -16,6 +17,10 @@ import (
+ var (
+ Index map[string]int
+ Names []string
++
++ // MaxDepth limits the recursion depth for nested structures.
++ MaxDepth = 10000
++ ErrorMaxDepth = errors.New("recursion depth exceeded")
+ )
+
+ func init() {
+@@ -377,7 +382,7 @@ var Builtins = []*Function{
+ {
+ Name: "max",
+ Func: func(args ...any) (any, error) {
+- return minMax("max", runtime.Less, args...)
++ return minMax("max", runtime.Less, 0, args...)
+ },
+ Validate: func(args []reflect.Type) (reflect.Type, error) {
+ return validateAggregateFunc("max", args)
+@@ -386,7 +391,7 @@ var Builtins = []*Function{
+ {
+ Name: "min",
+ Func: func(args ...any) (any, error) {
+- return minMax("min", runtime.More, args...)
++ return minMax("min", runtime.More, 0, args...)
+ },
+ Validate: func(args []reflect.Type) (reflect.Type, error) {
+ return validateAggregateFunc("min", args)
+@@ -395,7 +400,7 @@ var Builtins = []*Function{
+ {
+ Name: "mean",
+ Func: func(args ...any) (any, error) {
+- count, sum, err := mean(args...)
++ count, sum, err := mean(0, args...)
+ if err != nil {
+ return nil, err
+ }
+@@ -411,7 +416,7 @@ var Builtins = []*Function{
+ {
+ Name: "median",
+ Func: func(args ...any) (any, error) {
+- values, err := median(args...)
++ values, err := median(0, args...)
+ if err != nil {
+ return nil, err
+ }
+diff --git a/vendor/github.com/expr-lang/expr/builtin/lib.go b/vendor/github.com/expr-lang/expr/builtin/lib.go
+index e3cd61b..4dca4ee 100644
+--- a/vendor/github.com/expr-lang/expr/builtin/lib.go
++++ b/vendor/github.com/expr-lang/expr/builtin/lib.go
+@@ -258,7 +258,10 @@ func String(arg any) any {
+ return fmt.Sprintf("%v", arg)
+ }
+
+-func minMax(name string, fn func(any, any) bool, args ...any) (any, error) {
++func minMax(name string, fn func(any, any) bool, depth int, args ...any) (any, error) {
++ if depth > MaxDepth {
++ return nil, ErrorMaxDepth
++ }
+ var val any
+ for _, arg := range args {
+ rv := reflect.ValueOf(deref.Deref(arg))
+@@ -266,7 +269,7 @@ func minMax(name string, fn func(any, any) bool, args ...any) (any, error) {
+ case reflect.Array, reflect.Slice:
+ size := rv.Len()
+ for i := 0; i < size; i++ {
+- elemVal, err := minMax(name, fn, rv.Index(i).Interface())
++ elemVal, err := minMax(name, fn, depth+1, rv.Index(i).Interface())
+ if err != nil {
+ return nil, err
+ }
+@@ -299,7 +302,10 @@ func minMax(name string, fn func(any, any) bool, args ...any) (any, error) {
+ return val, nil
+ }
+
+-func mean(args ...any) (int, float64, error) {
++func mean(depth int, args ...any) (int, float64, error) {
++ if depth > MaxDepth {
++ return 0, 0, ErrorMaxDepth
++ }
+ var total float64
+ var count int
+
+@@ -309,7 +315,7 @@ func mean(args ...any) (int, float64, error) {
+ case reflect.Array, reflect.Slice:
+ size := rv.Len()
+ for i := 0; i < size; i++ {
+- elemCount, elemSum, err := mean(rv.Index(i).Interface())
++ elemCount, elemSum, err := mean(depth+1, rv.Index(i).Interface())
+ if err != nil {
+ return 0, 0, err
+ }
+@@ -332,7 +338,10 @@ func mean(args ...any) (int, float64, error) {
+ return count, total, nil
+ }
+
+-func median(args ...any) ([]float64, error) {
++func median(depth int, args ...any) ([]float64, error) {
++ if depth > MaxDepth {
++ return nil, ErrorMaxDepth
++ }
+ var values []float64
+
+ for _, arg := range args {
+@@ -341,7 +350,7 @@ func median(args ...any) ([]float64, error) {
+ case reflect.Array, reflect.Slice:
+ size := rv.Len()
+ for i := 0; i < size; i++ {
+- elems, err := median(rv.Index(i).Interface())
++ elems, err := median(depth+1, rv.Index(i).Interface())
+ if err != nil {
+ return nil, err
+ }
+--
+2.45.4
+
diff --git a/SPECS/coredns/coredns.spec b/SPECS/coredns/coredns.spec
index 7e93ab36196..9f1ca1a4873 100644
--- a/SPECS/coredns/coredns.spec
+++ b/SPECS/coredns/coredns.spec
@@ -6,7 +6,7 @@
 Summary: Fast and flexible DNS server
 Name: coredns
 Version: 1.11.4
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: Apache License 2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -43,6 +43,7 @@ Patch4: CVE-2024-53259.patch
 Patch5: CVE-2025-47950.patch
 Patch6: CVE-2025-58063.patch
 Patch7: CVE-2025-59530.patch
+Patch8: CVE-2025-68156.patch
 BuildRequires: golang < 1.25
@@ -84,6 +85,9 @@ go install github.com/fatih/faillint@latest && \
 %{_bindir}/%{name}
 %changelog
+* Fri Dec 19 2025 Azure Linux Security Servicing Account - 1.11.4-12
+- Patch for CVE-2025-68156
+
 * Mon Oct 27 2025 Azure Linux Security Servicing Account - 1.11.4-11
 - Patch for CVE-2025-59530
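Review bot: The embedded commit message says flatten now returns the "recursion depth exceeded" error, but no hunk in this backported patch touches a flatten implementation — the code changes are confined to minMax, mean and median in lib.go and their four call sites in builtin.go, and the diffstat lists only those two files (24 insertions, 10 deletions). If the vendored expr at this version has a recursive flatten helper, it remains unbounded after this patch and the CVE-2025-68156 fix is incomplete for that entry point; if it does not, the message should drop `flatten` from the list so the changelog does not overstate coverage. The Upstream-reference trailer points at expr-lang/expr pull 870, so the presence or absence of a flatten hunk can be checked against it before the spec moves to Release 12. The new guards themselves are consistent across the three functions (`if depth > MaxDepth` at entry, `depth+1` on each recursive call), so the limit is enforced uniformly for the paths that are covered.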