diff --git a/SPECS/blobfuse2/CVE-2025-30204.patch b/SPECS/blobfuse2/CVE-2025-30204.patch
new file mode 100644
index 00000000000..bfca8a54d7a
--- /dev/null
+++ b/SPECS/blobfuse2/CVE-2025-30204.patch
@@ -0,0 +1,72 @@
+From 6c3e689ca1426d2b820d1d48f45751ca6a452414 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+
+Date: Fri, 11 Jul 2025 08:35:35 +0000
+Subject: [PATCH] Fix CVE CVE-2025-30204 in blobfuse2
+
+Upstream Patch Reference: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84.patch
+---
+ vendor/github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++--
+ 1 file changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+index c0a6f69..8e7e67c 100644
+--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+@@ -7,6 +7,8 @@ import (
+ "strings"
+ )
++
++const tokenDelimiter = "."
++
+ type Parser struct {
+ // If populated, only these methods will be considered valid.
+ //
+@@ -123,9 +125,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ // It's only ever useful in cases where you know the signature is valid (because it has
+ // been checked previously in the stack) and you want to extract values from it.
+ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+- parts = strings.Split(tokenString, ".")
+- if len(parts) != 3 {
+- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
++ var ok bool
++ parts, ok = splitToken(tokenString)
++ if !ok {
++ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ }
+
+ token = &Token{Raw: tokenString}
+@@ -175,3 +178,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+
+ return token, parts, nil
+ }
++
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++ parts := make([]string, 3)
++ header, remain, ok := strings.Cut(token, tokenDelimiter)
++ if !ok {
++ return nil, false
++ }
++ parts[0] = header
++ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++ if !ok {
++ return nil, false
++ }
++ parts[1] = claims
++ // One more cut to ensure the signature is the last part of the token and there are no more
++ // delimiters. This avoids an issue where malicious input could contain additional delimiters
++ // causing unecessary overhead parsing tokens.
++ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++ if unexpected {
++ return nil, false
++ }
++ parts[2] = signature
++
++ return parts, true
++}
+--
+2.45.3
+
diff --git a/SPECS/blobfuse2/blobfuse2.spec b/SPECS/blobfuse2/blobfuse2.spec
index 27f205926e0..d2119cb0e5f 100644
--- a/SPECS/blobfuse2/blobfuse2.spec
+++ b/SPECS/blobfuse2/blobfuse2.spec
@@ -7,7 +7,7 @@ Summary: FUSE adapter - Azure Storage
 Name: blobfuse2
 Version: %{blobfuse2_version}
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -38,6 +38,7 @@ Source1: %{name}-%{version}-vendor.tar.gz
 Patch0: CVE-2023-45288.patch
 Patch1: CVE-2024-24786.patch
 Patch2: CVE-2025-22868.patch
+Patch3: CVE-2025-30204.patch
 BuildRequires: cmake
 BuildRequires: fuse3-devel
 BuildRequires: gcc
@@ -82,6 +83,9 @@ install -D -m 0644 ./setup/blobfuse2-logrotate %{buildroot}%{_sysconfdir}/logrot
 %{_sysconfdir}/logrotate.d/blobfuse2
 %changelog
+* Fri Jul 11 2025 Azure Linux Security Servicing Account - 2.1.2-9
+- Patch for CVE-2025-30204
+
 * Sun Mar 02 2025 Kanishk Bansal - 2.1.2-8
 - Fix CVE-2025-22868 with an upstream patch
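Review bot: The backport touches only `vendor/github.com/golang-jwt/jwt/v4/parser.go`, so if the vendor tree's `vendor/modules.txt` entry (not visible here) still records the pre-fix module version, SBOM and vulnerability scanners that key on that version will keep reporting CVE-2025-30204 against the built package even though the code is fixed; the same applies to a `jwt/v5` copy if one is also vendored, since that major line received the same fix upstream. The new `splitToken` matches the referenced upstream commit: two `strings.Cut` calls plus a third that rejects any further delimiter, so the cost of rejecting a malformed token no longer scales with the number of `.` characters in the input. One caller-visible difference worth a line in the changelog entry is that `ParseUnverified` now returns `nil` for `parts` on a malformed token, where the removed `strings.Split` path handed back the partial split. The modified `ParseUnverified` continues past the end of the hunk.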