[AutoPR- Security] Patch docker-buildx for CVE-2025-47913 [HIGH] (microsoft#15121)

Co-authored-by: jslobodzian <[email protected]>

Author: azurelinux-security

SPECS/docker-buildx/CVE-2025-47913.patch

@@ -0,0 +1,51 @@
+From e5db42e32d99478b5f123a78f9e93b9a69e32abc Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Tue, 18 Nov 2025 15:59:55 +0000
+Subject: [PATCH] ssh/agent: return an error for unexpected message types
+
+Previously, receiving an unexpected message type in response to a key
+listing or a signing request could cause a panic due to a failed type
+assertion.
+
+This change adds a default case to the type switch in order to detect
+and explicitly handle unknown or invalid message types, returning a
+descriptive error instead of crashing.
+
+Fixes golang/go#75178
+
+Reviewed-by: backport
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/golang/crypto/commit/559e062ce8bfd6a39925294620b50906ca2a6f95.patch
+---
+ vendor/golang.org/x/crypto/ssh/agent/client.go | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
+index fecba8e..6dc73e0 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/client.go
++++ b/vendor/golang.org/x/crypto/ssh/agent/client.go
+@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
+ 		return keys, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to list keys")
++	default:
++		return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+ 
+ // Sign has the agent sign the data using a protocol 2 key as defined
+@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
+ 		return &sig, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to sign challenge")
++	default:
++		return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+ 
+ // unmarshal parses an agent message in packet, returning the parsed
+-- 
+2.45.4
+

SPECS/docker-buildx/docker-buildx.spec

@@ -4,7 +4,7 @@ Summary:        A Docker CLI plugin for extended build capabilities with BuildKi
 Name:           docker-buildx
 # update "commit_hash" above when upgrading version
 Version:        0.14.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        ASL 2.0
 Group:          Tools/Container
 Vendor:         Microsoft Corporation
@@ -16,6 +16,7 @@ Patch1:         CVE-2024-45338.patch
 Patch2:         CVE-2025-22869.patch
 Patch3:         CVE-2025-0495.patch
 Patch4:         CVE-2025-22872.patch
+Patch5:         CVE-2025-47913.patch
 
 BuildRequires: bash
 BuildRequires: golang < 1.25
@@ -49,6 +50,9 @@ install -m 755 buildx "%{buildroot}%{_libexecdir}/docker/cli-plugins/docker-buil
 %{_libexecdir}/docker/cli-plugins/docker-buildx
 
 %changelog
+* Tue Nov 18 2025 Azure Linux Security Servicing Account <[email protected]> - 0.14.0-8
+- Patch for CVE-2025-47913
+
 * Sun Aug 31 2025 Andrew Phelps <[email protected]> - 0.14.0-7
 - Set BR for golang to < 1.25