[AutoPR- Security] Patch nvidia-container-toolkit for CVE-2025-22872 [MEDIUM] (microsoft#14404)

Author: azurelinux-security

SPECS/nvidia-container-toolkit/CVE-2025-22872.patch

@@ -0,0 +1,43 @@
+From 5bcb7c0465f965050d6c73a96cd3dceb3b89765e Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Mon, 28 Jul 2025 06:16:16 +0000
+Subject: [PATCH] Fix CVE CVE-2025-22872 in nvidia-container-toolkit
+
+Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9.patch
+---
+ tests/vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/tests/vendor/golang.org/x/net/html/token.go b/tests/vendor/golang.org/x/net/html/token.go
+index 3c57880..6598c1f 100644
+--- a/tests/vendor/golang.org/x/net/html/token.go
++++ b/tests/vendor/golang.org/x/net/html/token.go
+@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
+ 	if raw {
+ 		z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
+ 	}
+-	// Look for a self-closing token like "<br/>".
+-	if z.err == nil && z.buf[z.raw.end-2] == '/' {
++	// Look for a self-closing token (e.g. <br/>).
++	//
++	// Originally, we did this by just checking that the last character of the
++	// tag (ignoring the closing bracket) was a solidus (/) character, but this
++	// is not always accurate.
++	//
++	// We need to be careful that we don't misinterpret a non-self-closing tag
++	// as self-closing, as can happen if the tag contains unquoted attribute
++	// values (i.e. <p a=/>).
++	//
++	// To avoid this, we check that the last non-bracket character of the tag
++	// (z.raw.end-2) isn't the same character as the last non-quote character of
++	// the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
++	// attributes.
++	nAttrs := len(z.attr)
++	if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
+ 		return SelfClosingTagToken
+ 	}
+ 	return StartTagToken
+-- 
+2.45.4
+

SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec

@@ -2,7 +2,7 @@
 Summary:        NVIDIA container runtime hook
 Name:           nvidia-container-toolkit
 Version:        1.17.8
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        ALS2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -28,6 +28,7 @@ Source0:        %{name}-%{version}.tar.gz
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        %{name}-%{version}-vendor.tar.gz
+Patch0:         CVE-2025-22872.patch
 BuildRequires:  golang < 1.24.0
 Obsoletes: nvidia-container-runtime <= 3.5.0-1, nvidia-container-runtime-hook <= 1.4.0-2
 Provides: nvidia-container-runtime
@@ -87,6 +88,9 @@ rm -f %{_bindir}/nvidia-container-toolkit
 %{_bindir}/nvidia-cdi-hook
 
 %changelog
+* Mon Jul 28 2025 Azure Linux Security Servicing Account <[email protected]> - 1.17.8-2
+- Patch for CVE-2025-22872
+
 * Thu Jul 24 2025 Sam Meluch <[email protected]> - 1.17.8-1
 - Upgrade to 1.17.8 to resolve CVE-2025-23266