From 338138806b365890f1a5b489be43ee46193351c7 Mon Sep 17 00:00:00 2001
From: Achilleas Koutsou
Date: Thu, 17 Jul 2025 17:31:25 +0200
Subject: [PATCH] Update to 101.4

Resolves RHEL-95416

Patch CVE-2025-30204.patch is included in the released sources.
---
 .gitignore | 1 +
 CVE-2025-30204.patch | 391 ------------------------------------------
 osbuild-composer.spec | 9 +-
 sources | 2 +-
 4 files changed, 7 insertions(+), 396 deletions(-)
 delete mode 100644 CVE-2025-30204.patch

diff --git a/.gitignore b/.gitignore
index e07e631..8fa00dd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,4 @@ SOURCES/osbuild-composer-75.tar.gz
 /osbuild-composer-99.tar.gz
 /osbuild-composer-100.tar.gz
 /osbuild-composer-101.tar.gz
+/osbuild-composer-101.4.tar.gz
diff --git a/CVE-2025-30204.patch b/CVE-2025-30204.patch
deleted file mode 100644
index b76cbda..0000000
--- a/CVE-2025-30204.patch
+++ /dev/null
@@ -1,391 +0,0 @@ -diff --git a/go.mod b/go.mod -index f571516..d3d329f 100644 ---- a/go.mod -+++ b/go.mod -@@ -23,7 +23,7 @@ require ( - github.com/getkin/kin-openapi v0.93.0 - github.com/getsentry/sentry-go v0.26.0 - github.com/gobwas/glob v0.2.3 -- github.com/golang-jwt/jwt/v4 v4.5.0 -+ github.com/golang-jwt/jwt/v4 v4.5.2 - github.com/google/go-cmp v0.6.0 - github.com/google/uuid v1.6.0 - github.com/gophercloud/gophercloud v1.9.0 -@@ -114,7 +114,7 @@ require ( - github.com/go-openapi/validate v0.22.1 // indirect - github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt v3.2.2+incompatible // indirect -- github.com/golang-jwt/jwt/v5 v5.2.0 // indirect -+ github.com/golang-jwt/jwt/v5 v5.2.2 // indirect - github.com/golang/glog v1.1.2 // indirect - github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.3 // indirect -diff --git a/go.sum b/go.sum -index 5996751..488870b 100644 ---- a/go.sum -+++ b/go.sum -@@ -251,10 +251,11 @@ github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keL - github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= - github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= - github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= --github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= - github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= --github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw= --github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= -+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI= -+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -+github.com/golang-jwt/jwt/v5 v5.2.2 
h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8= -+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= - github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= - github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo= - github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= -diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go -index c0a6f69..0fc510a 100644 ---- a/vendor/github.com/golang-jwt/jwt/v4/parser.go -+++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go -@@ -7,6 +7,8 @@ import ( - "strings" - ) - -+const tokenDelimiter = "." -+ - type Parser struct { - // If populated, only these methods will be considered valid. - // -@@ -36,19 +38,21 @@ func NewParser(options ...ParserOption) *Parser { - return p - } - --// Parse parses, validates, verifies the signature and returns the parsed token. --// keyFunc will receive the parsed token and should return the key for validating. -+// Parse parses, validates, verifies the signature and returns the parsed token. keyFunc will -+// receive the parsed token and should return the key for validating. - func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) { - return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc) - } - --// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object implementing the Claims --// interface. This provides default values which can be overridden and allows a caller to use their own type, rather --// than the default MapClaims implementation of Claims. -+// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object -+// implementing the Claims interface. 
This provides default values which can be overridden and -+// allows a caller to use their own type, rather than the default MapClaims implementation of -+// Claims. - // --// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims), --// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the --// proper memory for it before passing in the overall claims, otherwise you might run into a panic. -+// Note: If you provide a custom claim implementation that embeds one of the standard claims (such -+// as RegisteredClaims), make sure that a) you either embed a non-pointer version of the claims or -+// b) if you are using a pointer, allocate the proper memory for it before passing in the overall -+// claims, otherwise you might run into a panic. - func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) { - token, parts, err := p.ParseUnverified(tokenString, claims) - if err != nil { -@@ -85,12 +89,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf - return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable} - } - -+ // Perform validation -+ token.Signature = parts[2] -+ if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil { -+ return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid} -+ } -+ - vErr := &ValidationError{} - - // Validate Claims - if !p.SkipClaimsValidation { - if err := token.Claims.Valid(); err != nil { -- - // If the Claims Valid returned an error, check if it is a validation error, - // If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set - if e, ok := err.(*ValidationError); !ok { -@@ -98,22 +107,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf - } else { - vErr = e - } -+ return token, 
vErr - } - } - -- // Perform validation -- token.Signature = parts[2] -- if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil { -- vErr.Inner = err -- vErr.Errors |= ValidationErrorSignatureInvalid -- } -- -- if vErr.valid() { -- token.Valid = true -- return token, nil -- } -+ // No errors so far, token is valid. -+ token.Valid = true - -- return token, vErr -+ return token, nil - } - - // ParseUnverified parses the token but doesn't validate the signature. -@@ -123,9 +124,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf - // It's only ever useful in cases where you know the signature is valid (because it has - // been checked previously in the stack) and you want to extract values from it. - func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) { -- parts = strings.Split(tokenString, ".") -- if len(parts) != 3 { -- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed) -+ var ok bool -+ parts, ok = splitToken(tokenString) -+ if !ok { -+ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed) - } - - token = &Token{Raw: tokenString} -@@ -175,3 +177,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke - - return token, parts, nil - } -+ -+// splitToken splits a token string into three parts: header, claims, and signature. It will only -+// return true if the token contains exactly two delimiters and three parts. In all other cases, it -+// will return nil parts and false. 
-+func splitToken(token string) ([]string, bool) { -+ parts := make([]string, 3) -+ header, remain, ok := strings.Cut(token, tokenDelimiter) -+ if !ok { -+ return nil, false -+ } -+ parts[0] = header -+ claims, remain, ok := strings.Cut(remain, tokenDelimiter) -+ if !ok { -+ return nil, false -+ } -+ parts[1] = claims -+ // One more cut to ensure the signature is the last part of the token and there are no more -+ // delimiters. This avoids an issue where malicious input could contain additional delimiters -+ // causing unecessary overhead parsing tokens. -+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter) -+ if unexpected { -+ return nil, false -+ } -+ parts[2] = signature -+ -+ return parts, true -+} -diff --git a/vendor/github.com/golang-jwt/jwt/v5/README.md b/vendor/github.com/golang-jwt/jwt/v5/README.md -index 964598a..0bb636f 100644 ---- a/vendor/github.com/golang-jwt/jwt/v5/README.md -+++ b/vendor/github.com/golang-jwt/jwt/v5/README.md -@@ -10,11 +10,11 @@ implementation of [JSON Web - Tokens](https://datatracker.ietf.org/doc/html/rfc7519). - - Starting with [v4.0.0](https://github.com/golang-jwt/jwt/releases/tag/v4.0.0) --this project adds Go module support, but maintains backwards compatibility with -+this project adds Go module support, but maintains backward compatibility with - older `v3.x.y` tags and upstream `github.com/dgrijalva/jwt-go`. See the - [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information. Version - v5.0.0 introduces major improvements to the validation of tokens, but is not --entirely backwards compatible. -+entirely backward compatible. - - > After the original author of the library suggested migrating the maintenance - > of `jwt-go`, a dedicated team of open source maintainers decided to clone the -@@ -24,7 +24,7 @@ entirely backwards compatible. - - - **SECURITY NOTICE:** Some older versions of Go have a security issue in the --crypto/elliptic. 
Recommendation is to upgrade to at least 1.15 See issue -+crypto/elliptic. The recommendation is to upgrade to at least 1.15 See issue - [dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more - detail. - -@@ -32,7 +32,7 @@ detail. - what you - expect](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/). - This library attempts to make it easy to do the right thing by requiring key --types match the expected alg, but you should take the extra step to verify it in -+types to match the expected alg, but you should take the extra step to verify it in - your usage. See the examples provided. - - ### Supported Go versions -@@ -41,7 +41,7 @@ Our support of Go versions is aligned with Go's [version release - policy](https://golang.org/doc/devel/release#policy). So we will support a major - version of Go until there are two newer major releases. We no longer support - building jwt-go with unsupported Go versions, as these contain security --vulnerabilities which will not be fixed. -+vulnerabilities that will not be fixed. - - ## What the heck is a JWT? - -@@ -117,7 +117,7 @@ notable differences: - - This library is considered production ready. Feedback and feature requests are - appreciated. The API should be considered stable. There should be very few --backwards-incompatible changes outside of major version updates (and only with -+backward-incompatible changes outside of major version updates (and only with - good reason). - - This project uses [Semantic Versioning 2.0.0](http://semver.org). Accepted pull -@@ -125,8 +125,8 @@ requests will land on `main`. Periodically, versions will be tagged from - `main`. You can find all the releases on [the project releases - page](https://github.com/golang-jwt/jwt/releases). - --**BREAKING CHANGES:*** A full list of breaking changes is available in --`VERSION_HISTORY.md`. 
See `MIGRATION_GUIDE.md` for more information on updating -+**BREAKING CHANGES:** A full list of breaking changes is available in -+`VERSION_HISTORY.md`. See [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information on updating - your code. - - ## Extensions -diff --git a/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md -index b08402c..2740597 100644 ---- a/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md -+++ b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md -@@ -2,11 +2,11 @@ - - ## Supported Versions - --As of February 2022 (and until this document is updated), the latest version `v4` is supported. -+As of November 2024 (and until this document is updated), the latest version `v5` is supported. In critical cases, we might supply back-ported patches for `v4`. - - ## Reporting a Vulnerability - --If you think you found a vulnerability, and even if you are not sure, please report it to jwt-go-security@googlegroups.com or one of the other [golang-jwt maintainers](https://github.com/orgs/golang-jwt/people). Please try be explicit, describe steps to reproduce the security issue with code example(s). -+If you think you found a vulnerability, and even if you are not sure, please report it a [GitHub Security Advisory](https://github.com/golang-jwt/jwt/security/advisories/new). Please try be explicit, describe steps to reproduce the security issue with code example(s). - - You will receive a response within a timely manner. If the issue is confirmed, we will do our best to release a patch as soon as possible given the complexity of the problem. 
- -diff --git a/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go -index ca85659..c929e4a 100644 ---- a/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go -+++ b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go -@@ -62,7 +62,7 @@ func (m *SigningMethodECDSA) Verify(signingString string, sig []byte, key interf - case *ecdsa.PublicKey: - ecdsaKey = k - default: -- return newError("ECDSA verify expects *ecsda.PublicKey", ErrInvalidKeyType) -+ return newError("ECDSA verify expects *ecdsa.PublicKey", ErrInvalidKeyType) - } - - if len(sig) != 2*m.KeySize { -@@ -96,7 +96,7 @@ func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) ([]byte - case *ecdsa.PrivateKey: - ecdsaKey = k - default: -- return nil, newError("ECDSA sign expects *ecsda.PrivateKey", ErrInvalidKeyType) -+ return nil, newError("ECDSA sign expects *ecdsa.PrivateKey", ErrInvalidKeyType) - } - - // Create the hasher -diff --git a/vendor/github.com/golang-jwt/jwt/v5/hmac.go b/vendor/github.com/golang-jwt/jwt/v5/hmac.go -index 96c6272..aca600c 100644 ---- a/vendor/github.com/golang-jwt/jwt/v5/hmac.go -+++ b/vendor/github.com/golang-jwt/jwt/v5/hmac.go -@@ -91,7 +91,7 @@ func (m *SigningMethodHMAC) Verify(signingString string, sig []byte, key interfa - func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte, error) { - if keyBytes, ok := key.([]byte); ok { - if !m.Hash.Available() { -- return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType) -+ return nil, ErrHashUnavailable - } - - hasher := hmac.New(m.Hash.New, keyBytes) -@@ -100,5 +100,5 @@ func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte, - return hasher.Sum(nil), nil - } - -- return nil, ErrInvalidKeyType -+ return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType) - } -diff --git a/vendor/github.com/golang-jwt/jwt/v5/parser.go b/vendor/github.com/golang-jwt/jwt/v5/parser.go -index ecf99af..054c7eb 100644 ---- 
a/vendor/github.com/golang-jwt/jwt/v5/parser.go -+++ b/vendor/github.com/golang-jwt/jwt/v5/parser.go -@@ -8,6 +8,8 @@ import ( - "strings" - ) - -+const tokenDelimiter = "." -+ - type Parser struct { - // If populated, only these methods will be considered valid. - validMethods []string -@@ -136,9 +138,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf - // It's only ever useful in cases where you know the signature is valid (since it has already - // been or will be checked elsewhere in the stack) and you want to extract values from it. - func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) { -- parts = strings.Split(tokenString, ".") -- if len(parts) != 3 { -- return nil, parts, newError("token contains an invalid number of segments", ErrTokenMalformed) -+ var ok bool -+ parts, ok = splitToken(tokenString) -+ if !ok { -+ return nil, nil, newError("token contains an invalid number of segments", ErrTokenMalformed) - } - - token = &Token{Raw: tokenString} -@@ -196,6 +199,33 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke - return token, parts, nil - } - -+// splitToken splits a token string into three parts: header, claims, and signature. It will only -+// return true if the token contains exactly two delimiters and three parts. In all other cases, it -+// will return nil parts and false. -+func splitToken(token string) ([]string, bool) { -+ parts := make([]string, 3) -+ header, remain, ok := strings.Cut(token, tokenDelimiter) -+ if !ok { -+ return nil, false -+ } -+ parts[0] = header -+ claims, remain, ok := strings.Cut(remain, tokenDelimiter) -+ if !ok { -+ return nil, false -+ } -+ parts[1] = claims -+ // One more cut to ensure the signature is the last part of the token and there are no more -+ // delimiters. This avoids an issue where malicious input could contain additional delimiters -+ // causing unecessary overhead parsing tokens. 
-+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter) -+ if unexpected { -+ return nil, false -+ } -+ parts[2] = signature -+ -+ return parts, true -+} -+ - // DecodeSegment decodes a JWT specific base64url encoding. This function will - // take into account whether the [Parser] is configured with additional options, - // such as [WithStrictDecoding] or [WithPaddingAllowed]. -diff --git a/vendor/github.com/golang-jwt/jwt/v5/token.go b/vendor/github.com/golang-jwt/jwt/v5/token.go -index 352873a..9c7f4ab 100644 ---- a/vendor/github.com/golang-jwt/jwt/v5/token.go -+++ b/vendor/github.com/golang-jwt/jwt/v5/token.go -@@ -75,7 +75,7 @@ func (t *Token) SignedString(key interface{}) (string, error) { - } - - // SigningString generates the signing string. This is the most expensive part --// of the whole deal. Unless you need this for something special, just go -+// of the whole deal. Unless you need this for something special, just go - // straight for the SignedString. - func (t *Token) SigningString() (string, error) { - h, err := json.Marshal(t.Header) -diff --git a/vendor/modules.txt b/vendor/modules.txt -index 35d0433..f49c006 100644 ---- a/vendor/modules.txt -+++ b/vendor/modules.txt -@@ -568,10 +568,10 @@ github.com/gogo/protobuf/proto - # github.com/golang-jwt/jwt v3.2.2+incompatible - ## explicit - github.com/golang-jwt/jwt --# github.com/golang-jwt/jwt/v4 v4.5.0 -+# github.com/golang-jwt/jwt/v4 v4.5.2 - ## explicit; go 1.16 - github.com/golang-jwt/jwt/v4 --# github.com/golang-jwt/jwt/v5 v5.2.0 -+# github.com/golang-jwt/jwt/v5 v5.2.2 - ## explicit; go 1.18 - github.com/golang-jwt/jwt/v5 - # github.com/golang/glog v1.1.2 diff --git a/osbuild-composer.spec b/osbuild-composer.spec index 305fb71..6894f0b 100644 --- a/osbuild-composer.spec +++ b/osbuild-composer.spec @@ -12,7 +12,7 @@ %global goipath github.com/osbuild/osbuild-composer -Version: 101 +Version: 101.4 %gometa 
@@ -25,7 +25,7 @@ It is compatible with composer-cli and cockpit-composer clients.
 }
 Name: osbuild-composer
-Release: 4%{?dist}
+Release: 1%{?dist}
 Summary: An image building service based on osbuild
 # osbuild-composer doesn't have support for building i686 and armv7hl images
@@ -36,8 +36,6 @@ License: Apache-2.0
 URL: %{gourl}
 Source0: %{gosource}
-Patch0: CVE-2025-30204.patch
-
 BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
 BuildRequires: systemd
 BuildRequires: krb5-devel
@@ -423,6 +421,9 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 %endif
 %changelog
+* Thu Jul 17 2025 Achilleas Koutsou - 101.4-1
+- Resolves: RHEL-95416
+
 * Tue Jun 24 2025 Ondřej Budai - 101-4
 - Resolves: RHEL-89279 (CVE-2025-22871)
diff --git a/sources b/sources
index caafdf5..8eb9145 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (osbuild-composer-101.tar.gz) = f2df537865464cbf3eb2d37b5637797ad47d540784ff066fb2108ea44c941363967862b893fd7c72b6338597c880def4786ba4c552fc5b53ea868a1a341fff39
+SHA512 (osbuild-composer-101.4.tar.gz) = 8c76c27b63cb8242c334537033ae36d53a8b2d4bcffd8d844850f217a1176200d4ecd820ebf70b4f6995ce0db43e818a95759aab1edd7b1b1c3f5323a1c2ec90
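Review bot: Dropping `Patch0: CVE-2025-30204.patch` leaves the new changelog entry with no record of which CVE the 101.4 rebase is meant to carry, while the previous 101-4 entry does name its CVE; the only statement that the fix is now upstream is the commit message, which does not ship in the package. If the 101.4 tarball does contain golang-jwt v4.5.2 / v5.2.2 (the versions the deleted patch pinned), the changelog line should say so for advisory traceability, e.g. `- Resolves: RHEL-95416 (CVE-2025-30204 fix now carried in upstream 101.4 sources; drop Patch0)`. Before merging, the claim is worth checking directly against the new tarball's `go.mod` and `vendor/modules.txt` rather than taken from the description, since a rebase that silently regressed those versions would reopen the JWT segment-parsing issue with nothing in the spec to flag it.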