Skip to content

Commit a924b8a

Browse files
authored
[MEDIUM] Patch containerized-data-importer for CVE-2025-22872 (#13535)
1 parent 914e595 commit a924b8a

File tree

2 files changed

+47
-1
lines changed

2 files changed

+47
-1
lines changed
Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
From c87c77a12e5554d376945bd488e56d4fc5b9e5ac Mon Sep 17 00:00:00 2001
2+
From: archana25-ms <[email protected]>
3+
Date: Tue, 22 Apr 2025 06:32:35 +0000
4+
Subject: [PATCH] Address CVE-2025-22872
5+
Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9
6+
7+
---
8+
vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
9+
1 file changed, 16 insertions(+), 2 deletions(-)
10+
11+
diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go
12+
index 3c57880..6598c1f 100644
13+
--- a/vendor/golang.org/x/net/html/token.go
14+
+++ b/vendor/golang.org/x/net/html/token.go
15+
@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
16+
if raw {
17+
z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
18+
}
19+
- // Look for a self-closing token like "<br/>".
20+
- if z.err == nil && z.buf[z.raw.end-2] == '/' {
21+
+ // Look for a self-closing token (e.g. <br/>).
22+
+ //
23+
+ // Originally, we did this by just checking that the last character of the
24+
+ // tag (ignoring the closing bracket) was a solidus (/) character, but this
25+
+ // is not always accurate.
26+
+ //
27+
+ // We need to be careful that we don't misinterpret a non-self-closing tag
28+
+ // as self-closing, as can happen if the tag contains unquoted attribute
29+
+ // values (i.e. <p a=/>).
30+
+ //
31+
+ // To avoid this, we check that the last non-bracket character of the tag
32+
+ // (z.raw.end-2) isn't the same character as the last non-quote character of
33+
+ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
34+
+ // attributes.
35+
+ nAttrs := len(z.attr)
36+
+ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
37+
return SelfClosingTagToken
38+
}
39+
return StartTagToken
40+
--
41+
2.45.3
42+

SPECS/containerized-data-importer/containerized-data-importer.spec

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@
1818
Summary: Container native virtualization
1919
Name: containerized-data-importer
2020
Version: 1.57.0
21-
Release: 13%{?dist}
21+
Release: 14%{?dist}
2222
License: ASL 2.0
2323
Vendor: Microsoft Corporation
2424
Distribution: Azure Linux
@@ -36,6 +36,7 @@ Patch7: CVE-2023-45288.patch
3636
Patch8: CVE-2023-3978.patch
3737
Patch9: CVE-2025-27144.patch
3838
Patch10: CVE-2025-22868.patch
39+
Patch11: CVE-2025-22872.patch
3940
BuildRequires: golang
4041
BuildRequires: golang-packaging
4142
BuildRequires: libnbd-devel
@@ -230,6 +231,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m
230231
%{_datadir}/cdi/manifests
231232

232233
%changelog
234+
* Tue Apr 22 2025 Archana Shettigar <[email protected]> - 1.57.0-14
235+
- Patch CVE-2025-22872
236+
233237
* Mon Mar 03 2025 Kanishk Bansal <[email protected]> - 1.57.0-13
234238
- Fix CVE-2025-27144, CVE-2025-22868
235239

0 commit comments

Comments
 (0)