Merge PR "[AUTO-CHERRYPICK] [HIGH] Patch packer for CVE-2025-47913 - branch 3.0-dev" microsoft#15126

CBL-Mariner-Bot · archana25-ms · web-flow · commit 6862bc2b3e07 · 2025-11-18T08:58:25.000-08:00
Co-authored-by: Archana Shettigar &lt;v-shettigara@microsoft.com&gt;
diff --git a/SPECS/packer/CVE-2025-47913.patch b/SPECS/packer/CVE-2025-47913.patch
@@ -0,0 +1,55 @@
+From 559e062ce8bfd6a39925294620b50906ca2a6f95 Mon Sep 17 00:00:00 2001
+From: Nicola Murino <nicola.murino@gmail.com>
+Date: Sun, 31 Aug 2025 20:07:32 +0200
+Subject: [PATCH] ssh/agent: return an error for unexpected message types
+
+Previously, receiving an unexpected message type in response to a key
+listing or a signing request could cause a panic due to a failed type
+assertion.
+
+This change adds a default case to the type switch in order to detect
+and explicitly handle unknown or invalid message types, returning a
+descriptive error instead of crashing.
+
+Fixes golang/go#75178
+
+Change-Id: Icbc3432adc79fe3c56b1ff23c6724d7a6f710f3a
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/700295
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+Reviewed-by: Jakub Ciolek <jakub@ciolek.dev>
+Upstream patch Reference: https://github.com/golang/crypto/commit/559e062ce8bfd6a39925294620b50906ca2a6f95.patch
+---
+ vendor/golang.org/x/crypto/ssh/agent/client.go | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
+index 106708d..31bd7e8 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/client.go
++++ b/vendor/golang.org/x/crypto/ssh/agent/client.go
+@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
+ 		return keys, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to list keys")
++	default:
++		return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+ 
+ // Sign has the agent sign the data using a protocol 2 key as defined
+@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
+ 		return &sig, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to sign challenge")
++	default:
++		return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+ 
+ // unmarshal parses an agent message in packet, returning the parsed
+-- 
+2.45.4
+
diff --git a/SPECS/packer/packer.spec b/SPECS/packer/packer.spec
@@ -4,7 +4,7 @@
 Summary:        Tool for creating identical machine images for multiple platforms from a single source configuration.
 Name:           packer
 Version:        1.9.5
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -44,6 +44,7 @@ Patch9:         CVE-2025-22870.patch
 Patch10:        CVE-2024-51744.patch
 Patch11:        CVE-2025-22872.patch
 Patch12:        CVE-2025-58058.patch
+Patch13:        CVE-2025-47913.patch
 
 BuildRequires:  golang >= 1.21
 BuildRequires:  kernel-headers
@@ -75,6 +76,9 @@ go test -mod=vendor
 %{_bindir}/packer
 
 %changelog
+* Tue Nov 18 2025 Archana Shettigar <v-shettigara@microsoft.com> - 1.9.5-11
+- Patch CVE-2025-47913
+
 * Wed Sep 03 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.9.5-10
 - Patch for CVE-2025-58058
 
