[AUTO-CHERRYPICK] Patch coredns for CVE-2025-22868 [High] - branch 3.0-dev (#12816)

Co-authored-by: Kanishk Bansal <[email protected]>
Co-authored-by: jslobodzian <[email protected]>

Author: 3 people

SPECS/coredns/CVE-2025-22868.patch

@@ -0,0 +1,38 @@
+From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001
+From: Neal Patel <[email protected]>
+Date: Thu, 30 Jan 2025 14:10:09 -0500
+Subject: [PATCH] jws: split token into fixed number of parts
+
+Thanks to 'jub0bs' for reporting this issue.
+
+Fixes #71490
+Fixes CVE-2025-22868
+
+Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
+Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
+Auto-Submit: Gopher Robot <[email protected]>
+Reviewed-by: Damien Neil <[email protected]>
+Reviewed-by: Roland Shoemaker <[email protected]>
+LUCI-TryBot-Result: Go LUCI <[email protected]>
+---
+ vendor/golang.org/x/oauth2/jws/jws.go | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/oauth2/jws/jws.go b/vendor/golang.org/x/oauth2/jws/jws.go
+index 95015648b..6f03a49d3 100644
+--- a/vendor/golang.org/x/oauth2/jws/jws.go
++++ b/vendor/golang.org/x/oauth2/jws/jws.go
+@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
+ // Verify tests whether the provided JWT token's signature was produced by the private key
+ // associated with the supplied public key.
+ func Verify(token string, key *rsa.PublicKey) error {
+-	parts := strings.Split(token, ".")
+-	if len(parts) != 3 {
++	if strings.Count(token, ".") != 2 {
+ 		return errors.New("jws: invalid token received, token must have 3 parts")
+ 	}
+ 
++	parts := strings.SplitN(token, ".", 3)
+ 	signedContent := parts[0] + "." + parts[1]
+ 	signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
+ 	if err != nil {

SPECS/coredns/coredns.spec

@@ -6,7 +6,7 @@
 Summary:        Fast and flexible DNS server
 Name:           coredns
 Version:        1.11.4
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        Apache License 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -33,6 +33,7 @@ Source0:        %{name}-%{version}.tar.gz
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        %{name}-%{version}-vendor.tar.gz
+Patch0:         CVE-2025-22868.patch
 # Patch to fix the package test suite due to external akamai update
 # https://github.com/coredns/coredns/commit/d8ecde1080e7cbbeb98257ba4e03a271f16b4cd9
 Patch1:         coredns-example-net-test.patch
@@ -80,6 +81,9 @@ go install github.com/fatih/faillint@latest && \
 %{_bindir}/%{name}
 
 %changelog
+* Mon Mar 03 2025 Kanishk Bansal <[email protected]> - 1.11.4-3
+- Fix CVE-2025-22868 with an upstream patch
+
 * Mon Feb 10 2025 Sam Meluch <[email protected]> - 1.11.4-2
 - readd check section from 2.0