[AUTO-CHERRYPICK] Patch keda for CVE-2025-22868 & CVE-2025-27144 [High] - branch 3.0-dev (#12784)

CBL-Mariner-Bot · Kanishk-Bansal · web-flow · commit 06c7772cd040 · 2025-03-04T09:14:08.000-05:00
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/keda/CVE-2025-22868.patch b/SPECS/keda/CVE-2025-22868.patch
@@ -0,0 +1,38 @@
+From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001
+From: Neal Patel <nealpatel@google.com>
+Date: Thu, 30 Jan 2025 14:10:09 -0500
+Subject: [PATCH] jws: split token into fixed number of parts
+
+Thanks to 'jub0bs' for reporting this issue.
+
+Fixes #71490
+Fixes CVE-2025-22868
+
+Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
+Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+---
+ vendor/golang.org/x/oauth2/jws/jws.go | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/oauth2/jws/jws.go b/vendor/golang.org/x/oauth2/jws/jws.go
+index 95015648b..6f03a49d3 100644
+--- a/vendor/golang.org/x/oauth2/jws/jws.go
++++ b/vendor/golang.org/x/oauth2/jws/jws.go
+@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
+ // Verify tests whether the provided JWT token's signature was produced by the private key
+ // associated with the supplied public key.
+ func Verify(token string, key *rsa.PublicKey) error {
+-	parts := strings.Split(token, ".")
+-	if len(parts) != 3 {
++	if strings.Count(token, ".") != 2 {
+ 		return errors.New("jws: invalid token received, token must have 3 parts")
+ 	}
+ 
++	parts := strings.SplitN(token, ".", 3)
+ 	signedContent := parts[0] + "." + parts[1]
+ 	signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
+ 	if err != nil {
diff --git a/SPECS/keda/CVE-2025-27144.patch b/SPECS/keda/CVE-2025-27144.patch
@@ -0,0 +1,49 @@
+From 72e5dc031b9ecdc0ba2db04b715bb43b8eefcf59 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Fri, 28 Feb 2025 09:57:57 +0000
+Subject: [PATCH] CVE-2025-27144
+
+---
+ vendor/github.com/go-jose/go-jose/v4/jwe.go | 5 +++--
+ vendor/github.com/go-jose/go-jose/v4/jws.go | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/github.com/go-jose/go-jose/v4/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go
+index 89f03ee3..9f1322dc 100644
+--- a/vendor/github.com/go-jose/go-jose/v4/jwe.go
++++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go
+@@ -288,10 +288,11 @@ func ParseEncryptedCompact(
+ 	keyAlgorithms []KeyAlgorithm,
+ 	contentEncryption []ContentEncryption,
+ ) (*JSONWebEncryption, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 5 {
++	// Five parts is four separators
++	if strings.Count(input, ".") != 4 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ 	}
++	parts := strings.SplitN(input, ".", 5)
+ 
+ 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ 	if err != nil {
+diff --git a/vendor/github.com/go-jose/go-jose/v4/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go
+index 3a912301..d09d8ba5 100644
+--- a/vendor/github.com/go-jose/go-jose/v4/jws.go
++++ b/vendor/github.com/go-jose/go-jose/v4/jws.go
+@@ -327,10 +327,11 @@ func parseSignedCompact(
+ 	payload []byte,
+ 	signatureAlgorithms []SignatureAlgorithm,
+ ) (*JSONWebSignature, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 3 {
++	// Three parts is two separators
++	if strings.Count(input, ".") != 2 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ 	}
++	parts := strings.SplitN(input, ".", 3)
+ 
+ 	if parts[1] != "" && payload != nil {
+ 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+-- 
+2.45.2
+
diff --git a/SPECS/keda/keda.spec b/SPECS/keda/keda.spec
@@ -1,7 +1,7 @@
 Summary:        Kubernetes-based Event Driven Autoscaling
 Name:           keda
 Version:        2.14.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -24,6 +24,8 @@ Source0:        %{name}-%{version}.tar.gz
 Source1:        %{name}-%{version}-vendor.tar.gz
 Patch0:         CVE-2024-6104.patch
 Patch1:         CVE-2024-45338.patch
+Patch2:         CVE-2025-27144.patch
+Patch3:         CVE-2025-22868.patch
 BuildRequires:  golang >= 1.15
 
 %description
@@ -61,6 +63,9 @@ cp ./bin/keda-admission-webhooks %{buildroot}%{_bindir}
 %{_bindir}/%{name}-admission-webhooks
 
 %changelog
+* Mon Mar 03 2025 Kanishk Bansal <kanbansal@microsoft.com> - 2.14.1-3
+- Fix CVE-2025-27144, CVE-2025-22868 with an upstream patch
+
 * Wed Jan 08 2025 <rohitrawat@microsoft.com> - 2.14.1-2
 - Add patch for CVE-2024-45338
 
