diff --git a/SOURCES/CVE-2025-30204.patch b/SOURCES/CVE-2025-30204.patch
new file mode 100644
index 0000000..b76cbda
--- /dev/null
+++ b/SOURCES/CVE-2025-30204.patch
@@ -0,0 +1,391 @@
+diff --git a/go.mod b/go.mod
+index f571516..d3d329f 100644
+--- a/go.mod
++++ b/go.mod
+@@ -23,7 +23,7 @@ require (
+ github.com/getkin/kin-openapi v0.93.0
+ github.com/getsentry/sentry-go v0.26.0
+ github.com/gobwas/glob v0.2.3
+- github.com/golang-jwt/jwt/v4 v4.5.0
++ github.com/golang-jwt/jwt/v4 v4.5.2
+ github.com/google/go-cmp v0.6.0
+ github.com/google/uuid v1.6.0
+ github.com/gophercloud/gophercloud v1.9.0
+@@ -114,7 +114,7 @@ require (
+ github.com/go-openapi/validate v0.22.1 // indirect
+ github.com/gogo/protobuf v1.3.2 // indirect
+ github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
+- github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
++ github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
+ github.com/golang/glog v1.1.2 // indirect
+ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+ github.com/golang/protobuf v1.5.3 // indirect
+diff --git a/go.sum b/go.sum
+index 5996751..488870b 100644
+--- a/go.sum
++++ b/go.sum
+@@ -251,10 +251,11 @@ github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keL
+ github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+ github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+ github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+-github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+-github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
++github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
++github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
++github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
++github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+ github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+ github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo=
+ github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ=
+diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+index c0a6f69..0fc510a 100644
+--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+@@ -7,6 +7,8 @@ import (
+ "strings"
+ )
+
++const tokenDelimiter = "."
++
+ type Parser struct {
+ // If populated, only these methods will be considered valid.
+ //
+@@ -36,19 +38,21 @@ func NewParser(options ...ParserOption) *Parser {
+ return p
+ }
+
+-// Parse parses, validates, verifies the signature and returns the parsed token.
+-// keyFunc will receive the parsed token and should return the key for validating.
++// Parse parses, validates, verifies the signature and returns the parsed token. keyFunc will
++// receive the parsed token and should return the key for validating.
+ func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
+ return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
+ }
+
+-// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object implementing the Claims
+-// interface. This provides default values which can be overridden and allows a caller to use their own type, rather
+-// than the default MapClaims implementation of Claims.
++// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object
++// implementing the Claims interface. This provides default values which can be overridden and
++// allows a caller to use their own type, rather than the default MapClaims implementation of
++// Claims.
+ //
+-// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
+-// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
+-// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
++// Note: If you provide a custom claim implementation that embeds one of the standard claims (such
++// as RegisteredClaims), make sure that a) you either embed a non-pointer version of the claims or
++// b) if you are using a pointer, allocate the proper memory for it before passing in the overall
++// claims, otherwise you might run into a panic.
+ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
+ token, parts, err := p.ParseUnverified(tokenString, claims)
+ if err != nil {
+@@ -85,12 +89,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
+ }
+
++ // Perform validation
++ token.Signature = parts[2]
++ if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
++ return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid}
++ }
++
+ vErr := &ValidationError{}
+
+ // Validate Claims
+ if !p.SkipClaimsValidation {
+ if err := token.Claims.Valid(); err != nil {
+-
+ // If the Claims Valid returned an error, check if it is a validation error,
+ // If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
+ if e, ok := err.(*ValidationError); !ok {
+@@ -98,22 +107,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ } else {
+ vErr = e
+ }
++ return token, vErr
+ }
+ }
+
+- // Perform validation
+- token.Signature = parts[2]
+- if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
+- vErr.Inner = err
+- vErr.Errors |= ValidationErrorSignatureInvalid
+- }
+-
+- if vErr.valid() {
+- token.Valid = true
+- return token, nil
+- }
++ // No errors so far, token is valid.
++ token.Valid = true
+
+- return token, vErr
++ return token, nil
+ }
+
+ // ParseUnverified parses the token but doesn't validate the signature.
+@@ -123,9 +124,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ // It's only ever useful in cases where you know the signature is valid (because it has
+ // been checked previously in the stack) and you want to extract values from it.
+ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+- parts = strings.Split(tokenString, ".")
+- if len(parts) != 3 {
+- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
++ var ok bool
++ parts, ok = splitToken(tokenString)
++ if !ok {
++ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ }
+
+ token = &Token{Raw: tokenString}
+@@ -175,3 +177,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+
+ return token, parts, nil
+ }
++
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
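Review bot: The removed `vErr.Errors |= ValidationErrorSignatureInvalid` accumulation plus the new early `return token, vErr` change what callers of the v4 ParseWithClaims observe: a bad signature is now reported on its own (the Verify call was moved ahead of claims validation in the preceding hunk), and claim errors such as ValidationErrorExpired are only ever reported for a token whose signature checked out, so a caller that tests the `Errors` bitmask for "expired" can no longer be talked into a refresh flow by an expired-and-forged token. That is a v4.5.0→v4.5.2 behaviour change that goes beyond the CVE-2025-30204 delimiter fix (it looks like upstream's v4.5.1 fix for the mis-documented error ordering, tracked as CVE-2024-51744 if I have the advisory right), so the spec changelog should name it and any osbuild-composer code that inspects the combined `Errors` value should be re-checked. Note also that with `p.SkipClaimsValidation` set the function now goes straight from a successful Verify to `token.Valid = true`. ParseWithClaims begins before this hunk.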
++func splitToken(token string) ([]string, bool) {
++ parts := make([]string, 3)
++ header, remain, ok := strings.Cut(token, tokenDelimiter)
++ if !ok {
++ return nil, false
++ }
++ parts[0] = header
++ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++ if !ok {
++ return nil, false
++ }
++ parts[1] = claims
++ // One more cut to ensure the signature is the last part of the token and there are no more
++ // delimiters. This avoids an issue where malicious input could contain additional delimiters
++ // causing unecessary overhead parsing tokens.
++ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++ if unexpected {
++ return nil, false
++ }
++ parts[2] = signature
++
++ return parts, true
++}
+diff --git a/vendor/github.com/golang-jwt/jwt/v5/README.md b/vendor/github.com/golang-jwt/jwt/v5/README.md
+index 964598a..0bb636f 100644
+--- a/vendor/github.com/golang-jwt/jwt/v5/README.md
++++ b/vendor/github.com/golang-jwt/jwt/v5/README.md
+@@ -10,11 +10,11 @@ implementation of [JSON Web
+ Tokens](https://datatracker.ietf.org/doc/html/rfc7519).
+
+ Starting with [v4.0.0](https://github.com/golang-jwt/jwt/releases/tag/v4.0.0)
+-this project adds Go module support, but maintains backwards compatibility with
++this project adds Go module support, but maintains backward compatibility with
+ older `v3.x.y` tags and upstream `github.com/dgrijalva/jwt-go`. See the
+ [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information. Version
+ v5.0.0 introduces major improvements to the validation of tokens, but is not
+-entirely backwards compatible.
++entirely backward compatible.
+
+ > After the original author of the library suggested migrating the maintenance
+ > of `jwt-go`, a dedicated team of open source maintainers decided to clone the
+@@ -24,7 +24,7 @@ entirely backwards compatible.
+
+
+ **SECURITY NOTICE:** Some older versions of Go have a security issue in the
+-crypto/elliptic. Recommendation is to upgrade to at least 1.15 See issue
++crypto/elliptic. The recommendation is to upgrade to at least 1.15 See issue
+ [dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more
+ detail.
+
+@@ -32,7 +32,7 @@ detail.
+ what you
+ expect](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/).
+ This library attempts to make it easy to do the right thing by requiring key
+-types match the expected alg, but you should take the extra step to verify it in
++types to match the expected alg, but you should take the extra step to verify it in
+ your usage. See the examples provided.
+
+ ### Supported Go versions
+@@ -41,7 +41,7 @@ Our support of Go versions is aligned with Go's [version release
+ policy](https://golang.org/doc/devel/release#policy). So we will support a major
+ version of Go until there are two newer major releases. We no longer support
+ building jwt-go with unsupported Go versions, as these contain security
+-vulnerabilities which will not be fixed.
++vulnerabilities that will not be fixed.
+
+ ## What the heck is a JWT?
+
+@@ -117,7 +117,7 @@ notable differences:
+
+ This library is considered production ready. Feedback and feature requests are
+ appreciated. The API should be considered stable. There should be very few
+-backwards-incompatible changes outside of major version updates (and only with
++backward-incompatible changes outside of major version updates (and only with
+ good reason).
+
+ This project uses [Semantic Versioning 2.0.0](http://semver.org). Accepted pull
+@@ -125,8 +125,8 @@ requests will land on `main`. Periodically, versions will be tagged from
+ `main`. You can find all the releases on [the project releases
+ page](https://github.com/golang-jwt/jwt/releases).
+
+-**BREAKING CHANGES:*** A full list of breaking changes is available in
+-`VERSION_HISTORY.md`. See `MIGRATION_GUIDE.md` for more information on updating
++**BREAKING CHANGES:** A full list of breaking changes is available in
++`VERSION_HISTORY.md`. See [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information on updating
+ your code.
+
+ ## Extensions
+diff --git a/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
+index b08402c..2740597 100644
+--- a/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
++++ b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
+@@ -2,11 +2,11 @@
+
+ ## Supported Versions
+
+-As of February 2022 (and until this document is updated), the latest version `v4` is supported.
++As of November 2024 (and until this document is updated), the latest version `v5` is supported. In critical cases, we might supply back-ported patches for `v4`.
+
+ ## Reporting a Vulnerability
+
+-If you think you found a vulnerability, and even if you are not sure, please report it to jwt-go-security@googlegroups.com or one of the other [golang-jwt maintainers](https://github.com/orgs/golang-jwt/people). Please try be explicit, describe steps to reproduce the security issue with code example(s).
++If you think you found a vulnerability, and even if you are not sure, please report it a [GitHub Security Advisory](https://github.com/golang-jwt/jwt/security/advisories/new). Please try be explicit, describe steps to reproduce the security issue with code example(s).
+
+ You will receive a response within a timely manner. If the issue is confirmed, we will do our best to release a patch as soon as possible given the complexity of the problem.
+
+diff --git a/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
+index ca85659..c929e4a 100644
+--- a/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
++++ b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
+@@ -62,7 +62,7 @@ func (m *SigningMethodECDSA) Verify(signingString string, sig []byte, key interf
+ case *ecdsa.PublicKey:
+ ecdsaKey = k
+ default:
+- return newError("ECDSA verify expects *ecsda.PublicKey", ErrInvalidKeyType)
++ return newError("ECDSA verify expects *ecdsa.PublicKey", ErrInvalidKeyType)
+ }
+
+ if len(sig) != 2*m.KeySize {
+@@ -96,7 +96,7 @@ func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) ([]byte
+ case *ecdsa.PrivateKey:
+ ecdsaKey = k
+ default:
+- return nil, newError("ECDSA sign expects *ecsda.PrivateKey", ErrInvalidKeyType)
++ return nil, newError("ECDSA sign expects *ecdsa.PrivateKey", ErrInvalidKeyType)
+ }
+
+ // Create the hasher
+diff --git a/vendor/github.com/golang-jwt/jwt/v5/hmac.go b/vendor/github.com/golang-jwt/jwt/v5/hmac.go
+index 96c6272..aca600c 100644
+--- a/vendor/github.com/golang-jwt/jwt/v5/hmac.go
++++ b/vendor/github.com/golang-jwt/jwt/v5/hmac.go
+@@ -91,7 +91,7 @@ func (m *SigningMethodHMAC) Verify(signingString string, sig []byte, key interfa
+ func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte, error) {
+ if keyBytes, ok := key.([]byte); ok {
+ if !m.Hash.Available() {
+- return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
++ return nil, ErrHashUnavailable
+ }
+
+ hasher := hmac.New(m.Hash.New, keyBytes)
+@@ -100,5 +100,5 @@ func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte,
+ return hasher.Sum(nil), nil
+ }
+
+- return nil, ErrInvalidKeyType
++ return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
+ }
+diff --git a/vendor/github.com/golang-jwt/jwt/v5/parser.go b/vendor/github.com/golang-jwt/jwt/v5/parser.go
+index ecf99af..054c7eb 100644
+--- a/vendor/github.com/golang-jwt/jwt/v5/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v5/parser.go
+@@ -8,6 +8,8 @@ import (
+ "strings"
+ )
+
++const tokenDelimiter = "."
++
+ type Parser struct {
+ // If populated, only these methods will be considered valid.
+ validMethods []string
+@@ -136,9 +138,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ // It's only ever useful in cases where you know the signature is valid (since it has already
+ // been or will be checked elsewhere in the stack) and you want to extract values from it.
+ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+- parts = strings.Split(tokenString, ".")
+- if len(parts) != 3 {
+- return nil, parts, newError("token contains an invalid number of segments", ErrTokenMalformed)
++ var ok bool
++ parts, ok = splitToken(tokenString)
++ if !ok {
++ return nil, nil, newError("token contains an invalid number of segments", ErrTokenMalformed)
+ }
+
+ token = &Token{Raw: tokenString}
+@@ -196,6 +199,33 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+ return token, parts, nil
+ }
+
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++ parts := make([]string, 3)
++ header, remain, ok := strings.Cut(token, tokenDelimiter)
++ if !ok {
++ return nil, false
++ }
++ parts[0] = header
++ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++ if !ok {
++ return nil, false
++ }
++ parts[1] = claims
++ // One more cut to ensure the signature is the last part of the token and there are no more
++ // delimiters. This avoids an issue where malicious input could contain additional delimiters
++ // causing unecessary overhead parsing tokens.
++ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++ if unexpected {
++ return nil, false
++ }
++ parts[2] = signature
++
++ return parts, true
++}
++
+ // DecodeSegment decodes a JWT specific base64url encoding. This function will
+ // take into account whether the [Parser] is configured with additional options,
+ // such as [WithStrictDecoding] or [WithPaddingAllowed].
+diff --git a/vendor/github.com/golang-jwt/jwt/v5/token.go b/vendor/github.com/golang-jwt/jwt/v5/token.go
+index 352873a..9c7f4ab 100644
+--- a/vendor/github.com/golang-jwt/jwt/v5/token.go
++++ b/vendor/github.com/golang-jwt/jwt/v5/token.go
+@@ -75,7 +75,7 @@ func (t *Token) SignedString(key interface{}) (string, error) {
+ }
+
+ // SigningString generates the signing string. This is the most expensive part
+-// of the whole deal. Unless you need this for something special, just go
++// of the whole deal. Unless you need this for something special, just go
+ straight for the SignedString.
+ func (t *Token) SigningString() (string, error) {
+ h, err := json.Marshal(t.Header)
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index 35d0433..f49c006 100644
+--- a/vendor/modules.txt
++++ b/vendor/modules.txt
+@@ -568,10 +568,10 @@ github.com/gogo/protobuf/proto
+ # github.com/golang-jwt/jwt v3.2.2+incompatible
+ ## explicit
+ github.com/golang-jwt/jwt
+-# github.com/golang-jwt/jwt/v4 v4.5.0
++# github.com/golang-jwt/jwt/v4 v4.5.2
+ ## explicit; go 1.16
+ github.com/golang-jwt/jwt/v4
+-# github.com/golang-jwt/jwt/v5 v5.2.0
++# github.com/golang-jwt/jwt/v5 v5.2.2
+ ## explicit; go 1.18
+ github.com/golang-jwt/jwt/v5
+ # github.com/golang/glog v1.1.2
diff --git a/SPECS/osbuild-composer.spec b/SPECS/osbuild-composer.spec
index eb452e7..06e3995 100644
--- a/SPECS/osbuild-composer.spec
+++ b/SPECS/osbuild-composer.spec
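Review bot: splitToken bounds the number of segments but not their size, so it removes the per-delimiter allocation blow-up that CVE-2025-30204 is about while leaving the cost linear in whatever the caller hands in: each `strings.Cut` scans the remainder, and the header and claims segments are still decoded and unmarshalled later in ParseUnverified, outside this hunk. The logic itself is right — the third Cut reports `unexpected == true` for any extra delimiter and its discarded middle value is never needed — but osbuild-composer should keep its own upper bound on bearer-token length at the HTTP layer (e.g. `http.Server.MaxHeaderBytes`, or a `len(tokenString)` check before calling Parse) rather than rely on the parser alone. The comment's `unecessary` typo is upstream's; leave it so the vendored copy stays identical to v5.2.2.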
@@ -25,7 +25,7 @@ It is compatible with composer-cli and cockpit-composer clients.
 }
 Name: osbuild-composer
-Release: 1%{?dist}
+Release: 3%{?dist}
 Summary: An image building service based on osbuild
 # osbuild-composer doesn't have support for building i686 and armv7hl images
@@ -36,6 +36,7 @@ License: Apache-2.0
 URL: %{gourl}
 Source0: %{gosource}
+Patch0: CVE-2025-30204.patch
 BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
 BuildRequires: systemd
@@ -422,6 +423,16 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 %endif
 %changelog
+* Tue Apr 22 2025 Tomáš Hozza - 101-3
+- Resolve RHEL-84643 (CVE-2025-30204)
+
+* Wed Sep 25 2024 Tomáš Hozza - 101-2
+- Rebuilt to fix:
+ - CVE-2024-34156
+ - CVE-2024-1394
+ - RHEL-24303
+ - RHEL-57905
+
 * Mon Feb 26 2024 imagebuilder-bot - 101-1
 - New upstream release
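Review bot: `Patch0: CVE-2025-30204.patch` only takes effect if `%prep` applies it — via `%autosetup -p1` / `%autopatch -p1` or an explicit `%patch -P0 -p1` — and `%prep` is not part of this diff, so please confirm the patch actually lands: an unapplied Patch0 still builds cleanly, and the 101-3 changelog entry would then advertise a fix the binary does not contain. The patch uses `a/`/`b/` path prefixes, so it needs strip level 1. A cheap check is that the build log shows the patch being applied and that `vendor/github.com/golang-jwt/jwt/v4/parser.go` in the prepared tree contains `splitToken`.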