Merge branch 'main' into 2.0

Author: jslobodzian

SPECS-SIGNED/hvloader-signed/hvloader-signed.spec

@@ -6,7 +6,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           hvloader-signed-%{buildarch}
 Version:        1.0.1
-Release:        6%{?dist}
+Release:        10%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -38,8 +38,8 @@ Group:          Applications/System
 %description -n hvloader
 HvLoader.efi is an EFI application for loading an external hypervisor loader.
 
-HvLoader.efi loads a given hypervisor loader binary (DLL, EFI, etc.), and 
-calls it's entry point passing HvLoader.efi ImageHandle. This way the 
+HvLoader.efi loads a given hypervisor loader binary (DLL, EFI, etc.), and
+calls it's entry point passing HvLoader.efi ImageHandle. This way the
 hypervisor loader binary has access to HvLoader.efi's command line options,
 and use those as configuration parameters. The first HvLoader.efi command line
 option is the path to hypervisor loader binary.
@@ -69,6 +69,18 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
+* Wed Mar 26 2025 Tobias Brick <[email protected]> - 1.0.1-10
+- Bump release for consistency with hvloader spec.
+
+* Fri Mar 21 2025 Daniel McIlvaney <[email protected]> - 1.0.1-9
+- Update version for consistency with hvloader spec
+
+* Tue Mar 04 2025 Sreeniavsulu Malavathula <[email protected]> - 1.0.1-8
+- Update version for consistency with hvloader spec
+
+* Mon Feb 24 2025 Kevin Lockwood <[email protected]> - 1.0.1-7
+- Update version for consistency with hvloader spec
+
 * Mon Nov 25 2024 Zhichun Wan <[email protected]> - 1.0.1-6
 - Update version for consistency with hvloader spec
 

SPECS/azcopy/CVE-2024-51744.patch

@@ -0,0 +1,92 @@
+From 82929346de41771c3c3e3db7970644afdefa5369 Mon Sep 17 00:00:00 2001
+From: Sreenivasulu Malavathula <[email protected]>
+Date: Mon, 17 Mar 2025 14:33:58 -0500
+Subject: [PATCH] Addressing CVE-2024-51744.patch
+
+---
+ vendor/github.com/golang-jwt/jwt/v4/parser.go | 41 +++++++++----------
+ 1 file changed, 20 insertions(+), 21 deletions(-)
+
+diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+index c0a6f69..9dd36e5 100644
+--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+@@ -36,19 +36,21 @@ func NewParser(options ...ParserOption) *Parser {
+ 	return p
+ }
+ 
+-// Parse parses, validates, verifies the signature and returns the parsed token.
+-// keyFunc will receive the parsed token and should return the key for validating.
++// Parse parses, validates, verifies the signature and returns the parsed token. keyFunc will
++// receive the parsed token and should return the key for validating.
+ func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
+ 	return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
+ }
+ 
+-// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object implementing the Claims
+-// interface. This provides default values which can be overridden and allows a caller to use their own type, rather
+-// than the default MapClaims implementation of Claims.
++// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object
++// implementing the Claims interface. This provides default values which can be overridden and
++// allows a caller to use their own type, rather than the default MapClaims implementation of
++// Claims.
+ //
+-// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
+-// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
+-// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
++// Note: If you provide a custom claim implementation that embeds one of the standard claims (such
++// as RegisteredClaims), make sure that a) you either embed a non-pointer version of the claims or
++// b) if you are using a pointer, allocate the proper memory for it before passing in the overall
++// claims, otherwise you might run into a panic.
+ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
+ 	token, parts, err := p.ParseUnverified(tokenString, claims)
+ 	if err != nil {
+@@ -85,12 +87,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ 		return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
+ 	}
+ 
++	// Perform validation
++	token.Signature = parts[2]
++	if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
++		return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid}
++	}
++
+ 	vErr := &ValidationError{}
+ 
+ 	// Validate Claims
+ 	if !p.SkipClaimsValidation {
+ 		if err := token.Claims.Valid(); err != nil {
+-
+ 			// If the Claims Valid returned an error, check if it is a validation error,
+ 			// If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
+ 			if e, ok := err.(*ValidationError); !ok {
+@@ -98,22 +105,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ 			} else {
+ 				vErr = e
+ 			}
++			return token, vErr
+ 		}
+ 	}
+ 
+-	// Perform validation
+-	token.Signature = parts[2]
+-	if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
+-		vErr.Inner = err
+-		vErr.Errors |= ValidationErrorSignatureInvalid
+-	}
+-
+-	if vErr.valid() {
+-		token.Valid = true
+-		return token, nil
+-	}
++	// No errors so far, token is valid.
++	token.Valid = true
+ 
+-	return token, vErr
++	return token, nil
+ }
+ 
+ // ParseUnverified parses the token but doesn't validate the signature.
+-- 
+2.45.2
+

SPECS/azcopy/CVE-2025-22868.patch

@@ -0,0 +1,38 @@
+From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001
+From: Neal Patel <[email protected]>
+Date: Thu, 30 Jan 2025 14:10:09 -0500
+Subject: [PATCH] jws: split token into fixed number of parts
+
+Thanks to 'jub0bs' for reporting this issue.
+
+Fixes #71490
+Fixes CVE-2025-22868
+
+Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
+Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
+Auto-Submit: Gopher Robot <[email protected]>
+Reviewed-by: Damien Neil <[email protected]>
+Reviewed-by: Roland Shoemaker <[email protected]>
+LUCI-TryBot-Result: Go LUCI <[email protected]>
+---
+ vendor/golang.org/x/oauth2/jws/jws.go | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/oauth2/jws/jws.go b/vendor/golang.org/x/oauth2/jws/jws.go
+index 95015648b..6f03a49d3 100644
+--- a/vendor/golang.org/x/oauth2/jws/jws.go
++++ b/vendor/golang.org/x/oauth2/jws/jws.go
+@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
+ // Verify tests whether the provided JWT token's signature was produced by the private key
+ // associated with the supplied public key.
+ func Verify(token string, key *rsa.PublicKey) error {
+-	parts := strings.Split(token, ".")
+-	if len(parts) != 3 {
++	if strings.Count(token, ".") != 2 {
+ 		return errors.New("jws: invalid token received, token must have 3 parts")
+ 	}
+ 
++	parts := strings.SplitN(token, ".", 3)
+ 	signedContent := parts[0] + "." + parts[1]
+ 	signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
+ 	if err != nil {

SPECS/azcopy/CVE-2025-22870.patch

@@ -0,0 +1,47 @@
+From 9e740dda3b87118fdd86a8afea6f3b8e01ed2aa2 Mon Sep 17 00:00:00 2001
+From: Sreenivasulu Malavathula <[email protected]>
+Date: Mon, 17 Mar 2025 14:32:13 -0500
+Subject: [PATCH] Addressing CVE-2025-22870
+
+---
+ vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http/httpproxy/proxy.go b/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index 6404aaf..d89c257 100644
+--- a/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -14,6 +14,7 @@ import (
+ 	"errors"
+ 	"fmt"
+ 	"net"
++	"net/netip"
+ 	"net/url"
+ 	"os"
+ 	"strings"
+@@ -177,8 +178,10 @@ func (cfg *config) useProxy(addr string) bool {
+ 	if host == "localhost" {
+ 		return false
+ 	}
+-	ip := net.ParseIP(host)
+-	if ip != nil {
++	nip, err := netip.ParseAddr(host)
++	var ip net.IP
++	if err == nil {
++		ip = net.IP(nip.AsSlice())
+ 		if ip.IsLoopback() {
+ 			return false
+ 		}
+@@ -360,6 +363,9 @@ type domainMatch struct {
+ }
+ 
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++	if ip != nil {
++		return false
++	}
+ 	if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+ 		return m.port == "" || m.port == port
+ 	}
+-- 
+2.45.2
+

SPECS/azcopy/CVE-2025-30204.patch

@@ -0,0 +1,134 @@
+From 84c7f3d0b9dccb4a20d0ad4de10896d40344ba26 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <[email protected]>
+Date: Fri, 28 Mar 2025 20:43:26 +0000
+Subject: [PATCH] CVE-2025-30204
+Upstream Patch Reference  : 
+v4 : https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84
+v5 : https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
+---
+ github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++++++++---
+ github.com/golang-jwt/jwt/v5/parser.go | 36 +++++++++++++++++++++++---
+ 2 files changed, 66 insertions(+), 6 deletions(-)
+
+diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+index c0a6f69..8e7e67c 100644
+--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+@@ -7,6 +7,8 @@ import (
+ 	"strings"
+ )
+ 
++const tokenDelimiter = "."
++
+ type Parser struct {
+ 	// If populated, only these methods will be considered valid.
+ 	//
+@@ -123,9 +125,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ // It's only ever useful in cases where you know the signature is valid (because it has
+ // been checked previously in the stack) and you want to extract values from it.
+ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+-	parts = strings.Split(tokenString, ".")
+-	if len(parts) != 3 {
+-		return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
++	var ok bool
++	parts, ok = splitToken(tokenString)
++	if !ok {
++		return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ 	}
+ 
+ 	token = &Token{Raw: tokenString}
+@@ -175,3 +178,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+ 
+ 	return token, parts, nil
+ }
++
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++	parts := make([]string, 3)
++	header, remain, ok := strings.Cut(token, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[0] = header
++	claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[1] = claims
++	// One more cut to ensure the signature is the last part of the token and there are no more
++	// delimiters. This avoids an issue where malicious input could contain additional delimiters
++	// causing unecessary overhead parsing tokens.
++	signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++	if unexpected {
++		return nil, false
++	}
++	parts[2] = signature
++
++	return parts, true
++}
+diff --git a/vendor/github.com/golang-jwt/jwt/v5/parser.go b/vendor/github.com/golang-jwt/jwt/v5/parser.go
+index ecf99af..054c7eb 100644
+--- a/vendor/github.com/golang-jwt/jwt/v5/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v5/parser.go
+@@ -8,6 +8,8 @@ import (
+ 	"strings"
+ )
+ 
++const tokenDelimiter = "."
++
+ type Parser struct {
+ 	// If populated, only these methods will be considered valid.
+ 	validMethods []string
+@@ -136,9 +138,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ // It's only ever useful in cases where you know the signature is valid (since it has already
+ // been or will be checked elsewhere in the stack) and you want to extract values from it.
+ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+-	parts = strings.Split(tokenString, ".")
+-	if len(parts) != 3 {
+-		return nil, parts, newError("token contains an invalid number of segments", ErrTokenMalformed)
++	var ok bool
++	parts, ok = splitToken(tokenString)
++	if !ok {
++		return nil, nil, newError("token contains an invalid number of segments", ErrTokenMalformed)
+ 	}
+ 
+ 	token = &Token{Raw: tokenString}
+@@ -196,6 +199,33 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+ 	return token, parts, nil
+ }
+ 
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++	parts := make([]string, 3)
++	header, remain, ok := strings.Cut(token, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[0] = header
++	claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[1] = claims
++	// One more cut to ensure the signature is the last part of the token and there are no more
++	// delimiters. This avoids an issue where malicious input could contain additional delimiters
++	// causing unecessary overhead parsing tokens.
++	signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++	if unexpected {
++		return nil, false
++	}
++	parts[2] = signature
++
++	return parts, true
++}
++
+ // DecodeSegment decodes a JWT specific base64url encoding. This function will
+ // take into account whether the [Parser] is configured with additional options,
+ // such as [WithStrictDecoding] or [WithPaddingAllowed].
+-- 
+2.45.2
+

SPECS/azcopy/azcopy.spec

@@ -1,7 +1,7 @@
 Summary:        The new Azure Storage data transfer utility - AzCopy v10
 Name:           azcopy
 Version:        10.25.1
-Release:        2%{?dist}
+Release:        5%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -27,6 +27,10 @@ Source0:        https://github.com/Azure/azure-storage-azcopy/archive/refs/tags/
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        azure-storage-%{name}-%{version}-vendor.tar.gz
+Patch0:         CVE-2025-22868.patch
+Patch1:         CVE-2025-22870.patch
+Patch2:         CVE-2024-51744.patch
+Patch3:         CVE-2025-30204.patch
 
 BuildRequires:  golang
 BuildRequires:  git
@@ -63,6 +67,15 @@ go test -mod=vendor
 %{_bindir}/azcopy
 
 %changelog
+* Fri Mar 28 2025 Kanishk Bansal <[email protected]> - 10.25.1-5
+- Patch CVE-2025-30204
+
+* Mon Mar 17 2025 Sreeniavsulu Malavathula <[email protected]> - 10.25.1-4
+- Fix CVE-2025-22870, CVE-2024-51744 with an upstream patch
+
+* Tue Mar 04 2025 Kanishk Bansal <[email protected]> - 10.25.1-3
+- Fix CVE-2025-22868 with an upstream patch
+
 * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 10.25.1-2
 - Bump release to rebuild with go 1.22.7