Merge branch 'main' into 2.0

Author: jslobodzian

SPECS/jx/CVE-2024-51744.patch

@@ -0,0 +1,88 @@
+From 68de34ae9ace1867680141ae1a3cdd9e9cab9a76 Mon Sep 17 00:00:00 2001
+From: jykanase <[email protected]>
+Date: Thu, 20 Mar 2025 04:11:52 +0000
+Subject: [PATCH] CVE-2024-51744
+
+Source Link: https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c
+---
+ .../github.com/form3tech-oss/jwt-go/parser.go | 37 +++++++++++--------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/vendor/github.com/form3tech-oss/jwt-go/parser.go b/vendor/github.com/form3tech-oss/jwt-go/parser.go
+index d6901d9..9fddb7d 100644
+--- a/vendor/github.com/form3tech-oss/jwt-go/parser.go
++++ b/vendor/github.com/form3tech-oss/jwt-go/parser.go
+@@ -13,13 +13,21 @@ type Parser struct {
+ 	SkipClaimsValidation bool     // Skip claims validation during token parsing
+ }
+ 
+-// Parse, validate, and return a token.
+-// keyFunc will receive the parsed token and should return the key for validating.
+-// If everything is kosher, err will be nil
++// Parse parses, validates, verifies the signature and returns the parsed token. keyFunc will
++// receive the parsed token and should return the key for validating.
+ func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
+ 	return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
+ }
+ 
++// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object
++// implementing the Claims interface. This provides default values which can be overridden and
++// allows a caller to use their own type, rather than the default MapClaims implementation of
++// Claims.
++//
++// Note: If you provide a custom claim implementation that embeds one of the standard claims (such
++// as RegisteredClaims), make sure that a) you either embed a non-pointer version of the claims or
++// b) if you are using a pointer, allocate the proper memory for it before passing in the overall
++// claims, otherwise you might run into a panic.
+ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
+ 	token, parts, err := p.ParseUnverified(tokenString, claims)
+ 	if err != nil {
+@@ -56,12 +64,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ 		return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
+ 	}
+ 
++	// Perform validation
++ 	token.Signature = parts[2]
++ 	if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
++ 		return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid}
++ 	}
++
+ 	vErr := &ValidationError{}
+ 
+ 	// Validate Claims
+ 	if !p.SkipClaimsValidation {
+ 		if err := token.Claims.Valid(); err != nil {
+-
+ 			// If the Claims Valid returned an error, check if it is a validation error,
+ 			// If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
+ 			if e, ok := err.(*ValidationError); !ok {
+@@ -69,22 +82,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ 			} else {
+ 				vErr = e
+ 			}
++			return token, vErr
+ 		}
+ 	}
+ 
+-	// Perform validation
+-	token.Signature = parts[2]
+-	if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
+-		vErr.Inner = err
+-		vErr.Errors |= ValidationErrorSignatureInvalid
+-	}
+-
+-	if vErr.valid() {
+-		token.Valid = true
+-		return token, nil
+-	}
++	// No errors so far, token is valid.
++ 	token.Valid = true
+ 
+-	return token, vErr
++	return token, nil
+ }
+ 
+ // WARNING: Don't use this method unless you know what you're doing
+-- 
+2.45.2
+

SPECS/jx/jx.spec

@@ -1,7 +1,7 @@
 Summary:        Command line tool for working with Jenkins X.
 Name:           jx
 Version:        3.2.236
-Release:        20%{?dist}
+Release:        21%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -30,7 +30,7 @@ Source1:        %{name}-%{version}-vendor.tar.gz
 Patch0:         CVE-2023-44487.patch
 Patch1:         CVE-2021-44716.patch
 Patch2:         CVE-2023-45288.patch
-
+Patch3:         CVE-2024-51744.patch
 BuildRequires:  golang
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -72,6 +72,9 @@ make test && \
 %{_bindir}/jx
 
 %changelog
+* Thur Mar 20 2025 Jyoti Kanase <[email protected]> - 3.2.236-21
+- Fix CVE-2024-51744
+
 * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 3.2.236-20
 - Bump release to rebuild with go 1.22.7