Skip to content

Commit e467606

Browse files
CBL-Mariner-BotKanishk-Bansal
CBL-Mariner-Bot
and
Kanishk-Bansal
authored
[AUTO-CHERRYPICK] Patch telegraf for CVE-2025-30204 [High] - branch 3.0-dev (#13236)
Co-authored-by: Kanishk Bansal <[email protected]>
1 parent 4d50670 commit e467606

File tree

2 files changed

+139
-1
lines changed

2 files changed

+139
-1
lines changed

SPECS/telegraf/CVE-2025-30204.patch

Lines changed: 134 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,134 @@
1+
From 84c7f3d0b9dccb4a20d0ad4de10896d40344ba26 Mon Sep 17 00:00:00 2001
2+
From: Kanishk-Bansal <[email protected]>
3+
Date: Fri, 28 Mar 2025 20:43:26 +0000
4+
Subject: [PATCH] CVE-2025-30204
5+
Upstream Patch Reference :
6+
v4 : https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84
7+
v5 : https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
8+
---
9+
github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++++++++---
10+
github.com/golang-jwt/jwt/v5/parser.go | 36 +++++++++++++++++++++++---
11+
2 files changed, 66 insertions(+), 6 deletions(-)
12+
13+
diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
14+
index c0a6f69..8e7e67c 100644
15+
--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
16+
+++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
17+
@@ -7,6 +7,8 @@ import (
18+
"strings"
19+
)
20+
21+
+const tokenDelimiter = "."
22+
+
23+
type Parser struct {
24+
// If populated, only these methods will be considered valid.
25+
//
26+
@@ -123,9 +125,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
27+
// It's only ever useful in cases where you know the signature is valid (because it has
28+
// been checked previously in the stack) and you want to extract values from it.
29+
func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
30+
- parts = strings.Split(tokenString, ".")
31+
- if len(parts) != 3 {
32+
- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
33+
+ var ok bool
34+
+ parts, ok = splitToken(tokenString)
35+
+ if !ok {
36+
+ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
37+
}
38+
39+
token = &Token{Raw: tokenString}
40+
@@ -175,3 +178,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
41+
42+
return token, parts, nil
43+
}
44+
+
45+
+// splitToken splits a token string into three parts: header, claims, and signature. It will only
46+
+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
47+
+// will return nil parts and false.
48+
+func splitToken(token string) ([]string, bool) {
49+
+ parts := make([]string, 3)
50+
+ header, remain, ok := strings.Cut(token, tokenDelimiter)
51+
+ if !ok {
52+
+ return nil, false
53+
+ }
54+
+ parts[0] = header
55+
+ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
56+
+ if !ok {
57+
+ return nil, false
58+
+ }
59+
+ parts[1] = claims
60+
+ // One more cut to ensure the signature is the last part of the token and there are no more
61+
+ // delimiters. This avoids an issue where malicious input could contain additional delimiters
62+
+ // causing unecessary overhead parsing tokens.
63+
+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
64+
+ if unexpected {
65+
+ return nil, false
66+
+ }
67+
+ parts[2] = signature
68+
+
69+
+ return parts, true
70+
+}
71+
diff --git a/vendor/github.com/golang-jwt/jwt/v5/parser.go b/vendor/github.com/golang-jwt/jwt/v5/parser.go
72+
index ecf99af..054c7eb 100644
73+
--- a/vendor/github.com/golang-jwt/jwt/v5/parser.go
74+
+++ b/vendor/github.com/golang-jwt/jwt/v5/parser.go
75+
@@ -8,6 +8,8 @@ import (
76+
"strings"
77+
)
78+
79+
+const tokenDelimiter = "."
80+
+
81+
type Parser struct {
82+
// If populated, only these methods will be considered valid.
83+
validMethods []string
84+
@@ -136,9 +138,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
85+
// It's only ever useful in cases where you know the signature is valid (since it has already
86+
// been or will be checked elsewhere in the stack) and you want to extract values from it.
87+
func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
88+
- parts = strings.Split(tokenString, ".")
89+
- if len(parts) != 3 {
90+
- return nil, parts, newError("token contains an invalid number of segments", ErrTokenMalformed)
91+
+ var ok bool
92+
+ parts, ok = splitToken(tokenString)
93+
+ if !ok {
94+
+ return nil, nil, newError("token contains an invalid number of segments", ErrTokenMalformed)
95+
}
96+
97+
token = &Token{Raw: tokenString}
98+
@@ -196,6 +199,33 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
99+
return token, parts, nil
100+
}
101+
102+
+// splitToken splits a token string into three parts: header, claims, and signature. It will only
103+
+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
104+
+// will return nil parts and false.
105+
+func splitToken(token string) ([]string, bool) {
106+
+ parts := make([]string, 3)
107+
+ header, remain, ok := strings.Cut(token, tokenDelimiter)
108+
+ if !ok {
109+
+ return nil, false
110+
+ }
111+
+ parts[0] = header
112+
+ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
113+
+ if !ok {
114+
+ return nil, false
115+
+ }
116+
+ parts[1] = claims
117+
+ // One more cut to ensure the signature is the last part of the token and there are no more
118+
+ // delimiters. This avoids an issue where malicious input could contain additional delimiters
119+
+ // causing unecessary overhead parsing tokens.
120+
+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
121+
+ if unexpected {
122+
+ return nil, false
123+
+ }
124+
+ parts[2] = signature
125+
+
126+
+ return parts, true
127+
+}
128+
+
129+
// DecodeSegment decodes a JWT specific base64url encoding. This function will
130+
// take into account whether the [Parser] is configured with additional options,
131+
// such as [WithStrictDecoding] or [WithPaddingAllowed].
132+
--
133+
2.45.2
134+

SPECS/telegraf/telegraf.spec

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
Summary: agent for collecting, processing, aggregating, and writing metrics.
22
Name: telegraf
33
Version: 1.31.0
4-
Release: 6%{?dist}
4+
Release: 7%{?dist}
55
License: MIT
66
Vendor: Microsoft Corporation
77
Distribution: Azure Linux
@@ -17,6 +17,7 @@ Patch3: CVE-2025-22868.patch
1717
Patch4: CVE-2025-22869.patch
1818
Patch5: CVE-2025-22870.patch
1919
Patch6: CVE-2024-51744.patch
20+
Patch7: CVE-2025-30204.patch
2021
BuildRequires: golang
2122
BuildRequires: systemd-devel
2223
Requires: logrotate
@@ -83,6 +84,9 @@ fi
8384
%dir %{_sysconfdir}/%{name}/telegraf.d
8485

8586
%changelog
87+
* Mon Mar 31 2025 Kanishk Bansal <[email protected]> - 1.31.0-7
88+
- Patch CVE-2025-30204
89+
8690
* Tue Mar 26 2025 Sreeniavsulu Malavathula <[email protected]> - 1.31.0-6
8791
- Fix CVE-2025-22870, CVE-2024-51744 with an upstream patch
8892

0 commit comments

Comments
 (0)