Patch blobfuse2 for CVE-2025-30204

Author: azurelinux-security

SPECS/blobfuse2/CVE-2025-30204.patch

@@ -0,0 +1,72 @@
+From 6c3e689ca1426d2b820d1d48f45751ca6a452414 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Fri, 11 Jul 2025 08:35:35 +0000
+Subject: [PATCH] Fix CVE CVE-2025-30204 in blobfuse2
+
+Upstream Patch Reference: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84.patch
+---
+ vendor/github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++--
+ 1 file changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+index c0a6f69..8e7e67c 100644
+--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+@@ -7,6 +7,8 @@ import (
+ 	"strings"
+ )
+ 
++const tokenDelimiter = "."
++
+ type Parser struct {
+ 	// If populated, only these methods will be considered valid.
+ 	//
+@@ -123,9 +125,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ // It's only ever useful in cases where you know the signature is valid (because it has
+ // been checked previously in the stack) and you want to extract values from it.
+ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+-	parts = strings.Split(tokenString, ".")
+-	if len(parts) != 3 {
+-		return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
++	var ok bool
++	parts, ok = splitToken(tokenString)
++	if !ok {
++		return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ 	}
+ 
+ 	token = &Token{Raw: tokenString}
+@@ -175,3 +178,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+ 
+ 	return token, parts, nil
+ }
++
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++	parts := make([]string, 3)
++	header, remain, ok := strings.Cut(token, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[0] = header
++	claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[1] = claims
++	// One more cut to ensure the signature is the last part of the token and there are no more
++	// delimiters. This avoids an issue where malicious input could contain additional delimiters
++	// causing unecessary overhead parsing tokens.
++	signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++	if unexpected {
++		return nil, false
++	}
++	parts[2] = signature
++
++	return parts, true
++}
+-- 
+2.45.3
+

SPECS/blobfuse2/blobfuse2.spec

@@ -7,7 +7,7 @@
 Summary:        FUSE adapter - Azure Storage
 Name:           blobfuse2
 Version:        %{blobfuse2_version}
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -38,6 +38,7 @@ Source1:        %{name}-%{version}-vendor.tar.gz
 Patch0:         CVE-2023-45288.patch
 Patch1:         CVE-2024-24786.patch
 Patch2:         CVE-2025-22868.patch
+Patch3:         CVE-2025-30204.patch
 BuildRequires:  cmake
 BuildRequires:  fuse3-devel
 BuildRequires:  gcc
@@ -82,6 +83,9 @@ install -D -m 0644 ./setup/blobfuse2-logrotate %{buildroot}%{_sysconfdir}/logrot
 %{_sysconfdir}/logrotate.d/blobfuse2
 
 %changelog
+* Fri Jul 11 2025 Azure Linux Security Servicing Account <[email protected]> - 2.1.2-9
+- Patch for CVE-2025-30204
+
 * Sun Mar 02 2025 Kanishk Bansal <[email protected]> - 2.1.2-8
 - Fix CVE-2025-22868 with an upstream patch