[Low] Patch moby-engine for CVE-2024-51744 (#13884)

akhila-guruju · web-flow · commit 07f3e6df7193 · 2025-05-30T13:34:28.000+05:30
diff --git a/SPECS/moby-engine/CVE-2024-51744.patch b/SPECS/moby-engine/CVE-2024-51744.patch
@@ -0,0 +1,64 @@
+From c0a8f88b3e611b0a2533319636115226b6c3ee35 Mon Sep 17 00:00:00 2001
+From: akhila-guruju <v-guakhila@microsoft.com>
+Date: Thu, 22 May 2025 12:13:45 +0000
+Subject: [PATCH] Address CVE-2024-51744
+
+Upstream Patch reference: https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c
+
+---
+ vendor/github.com/golang-jwt/jwt/v4/parser.go | 23 ++++++++-----------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+index 9484f28..d6e75db 100644
+--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+@@ -80,12 +80,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ 		return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
+ 	}
+ 
++	// Perform validation
++	token.Signature = parts[2]
++	if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
++		return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid}
++	}
++
+ 	vErr := &ValidationError{}
+ 
+ 	// Validate Claims
+ 	if !p.SkipClaimsValidation {
+ 		if err := token.Claims.Valid(); err != nil {
+-
+ 			// If the Claims Valid returned an error, check if it is a validation error,
+ 			// If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
+ 			if e, ok := err.(*ValidationError); !ok {
+@@ -93,22 +98,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ 			} else {
+ 				vErr = e
+ 			}
++			return token, vErr
+ 		}
+ 	}
+ 
+-	// Perform validation
+-	token.Signature = parts[2]
+-	if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
+-		vErr.Inner = err
+-		vErr.Errors |= ValidationErrorSignatureInvalid
+-	}
+-
+-	if vErr.valid() {
+-		token.Valid = true
+-		return token, nil
+-	}
++	// No errors so far, token is valid.
++	token.Valid = true
+ 
+-	return token, vErr
++	return token, nil
+ }
+ 
+ // ParseUnverified parses the token but doesn't validate the signature.
+-- 
+2.45.2
+
diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec
@@ -3,7 +3,7 @@
 Summary: The open-source application container engine
 Name:    moby-engine
 Version: 24.0.9
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: ASL 2.0
 Group:   Tools/Container
 URL: https://mobyproject.org
@@ -32,6 +32,7 @@ Patch12: CVE-2024-23650.patch
 Patch13: CVE-2025-22868.patch
 Patch14: CVE-2025-22869.patch
 Patch15: CVE-2025-30204.patch
+Patch16: CVE-2024-51744.patch
 
 %{?systemd_requires}
 
@@ -132,6 +133,9 @@ fi
 %{_unitdir}/*
 
 %changelog
+* Thu May 22 2025 Akhila Guruju <v-guakhila@microsoft.com> - 24.0.9-17
+- Patch CVE-2024-51744
+
 * Mon Apr 21 2025 Dallas Delaney <dadelan@microsoft.com> - 24.0.9-16
 - Patch CVE-2025-30204
 
