[Medium] Patch gh for CVE-2025-48938 (microsoft#14015)

Signed-off-by: Sreenivasulu Malavathula <[email protected]>

Author: v-smalavathu

SPECS/gh/CVE-2025-48938.patch

@@ -0,0 +1,98 @@
+From f30373d5ac9c1af048f352ce32eaddc7c83a9156 Mon Sep 17 00:00:00 2001
+From: Sreenivasulu Malavathula <[email protected]>
+Date: Mon, 16 Jun 2025 16:28:52 -0500
+Subject: [PATCH] Address CVE-2025-48938
+Upstream Patch Reference: https://github.com/cli/go-gh/commit/a08820a.diff
+
+---
+ .../cli/go-gh/v2/pkg/browser/browser.go       | 59 +++++++++++++++++++
+ 1 file changed, 59 insertions(+)
+
+diff --git a/vendor/github.com/cli/go-gh/v2/pkg/browser/browser.go b/vendor/github.com/cli/go-gh/v2/pkg/browser/browser.go
+index 4d56710..d17951a 100644
+--- a/vendor/github.com/cli/go-gh/v2/pkg/browser/browser.go
++++ b/vendor/github.com/cli/go-gh/v2/pkg/browser/browser.go
+@@ -2,7 +2,9 @@
+ package browser
+ 
+ import (
++	"fmt"
+ 	"io"
++	"net/url"
+ 	"os"
+ 	"os/exec"
+ 
+@@ -45,9 +47,20 @@ func (b *Browser) Browse(url string) error {
+ }
+ 
+ func (b *Browser) browse(url string, env []string) error {
++	// Ensure the URL is supported including the scheme,
++	// overwrite `url` for use within the function.
++	urlParsed, err := isPossibleProtocol(url)
++	if err != nil {
++		return err
++	}
++
++	url = urlParsed.String()
++
++	// Use default `gh` browsing module for opening URL if not customized.
+ 	if b.launcher == "" {
+ 		return cliBrowser.OpenURL(url)
+ 	}
++
+ 	launcherArgs, err := shlex.Split(b.launcher)
+ 	if err != nil {
+ 		return err
+@@ -78,3 +91,49 @@ func resolveLauncher() string {
+ 	}
+ 	return os.Getenv("BROWSER")
+ }
++
++func isSupportedScheme(scheme string) bool {
++	switch scheme {
++	case "http", "https", "vscode", "vscode-insiders":
++		return true
++	default:
++		return false
++	}
++}
++
++func isPossibleProtocol(u string) (*url.URL, error) {
++	// Parse URL for known supported schemes before handling unknown cases.
++	urlParsed, err := url.Parse(u)
++	if err != nil {
++		return nil, fmt.Errorf("opening unparsable URL is unsupported: %s", u)
++	}
++
++	if isSupportedScheme(urlParsed.Scheme) {
++		return urlParsed, nil
++	}
++
++	// Disallow any unrecognized URL schemes if explicitly present.
++	if urlParsed.Scheme != "" {
++		return nil, fmt.Errorf("opening unsupport URL scheme: %s", u)
++	}
++
++	// Disallow URLs that match existing files or directories on the filesystem
++	// as these could be executables or executed by the launcher browser due to
++	// the file extension and/or associated application.
++	//
++	// Symlinks should not be resolved in order to avoid broken links or other
++	// vulnerabilities trying to resolve them.
++	if fileInfo, _ := os.Lstat(u); fileInfo != nil {
++		return nil, fmt.Errorf("opening files or directories is unsupported: %s", u)
++	}
++
++	// Disallow URLs that match executables found in the user path.
++	exec, _ := safeexec.LookPath(u)
++	if exec != "" {
++		return nil, fmt.Errorf("opening executables is unsupported: %s", u)
++	}
++
++	// Otherwise, assume HTTP URL using `https` to ensure secure browsing.
++	urlParsed.Scheme = "https"
++	return urlParsed, nil
++}
+-- 
+2.45.2
+

SPECS/gh/gh.spec

@@ -1,7 +1,7 @@
 Summary:        GitHub official command line tool
 Name:           gh
 Version:        2.62.0
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -22,6 +22,7 @@ Patch6:         CVE-2025-25204.patch
 Patch7:         CVE-2025-27144.patch
 Patch8:         CVE-2025-22869.patch
 Patch9:         CVE-2025-22872.patch
+Patch10:        CVE-2025-48938.patch
 
 BuildRequires:  golang < 1.23
 BuildRequires:  git
@@ -64,6 +65,9 @@ make test
 %{_datadir}/zsh/site-functions/_gh
 
 %changelog
+* Mon Jun 16 2025 Sreeniavsulu Malavathula <[email protected]> - 2.62.0-9
+- Patch CVE-2025-48938
+
 * Tue Apr 22 2025 Jyoti Kanase <[email protected]> - 2.62.0-8
 - Patch CVE-2025-22872