Hello community,

here is the log from the commit of package google-guest-agent for openSUSE:Factory checked in at 2025-03-11 20:47:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/google-guest-agent (Old)
 and      /work/SRC/openSUSE:Factory/.google-guest-agent.new.19136 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "google-guest-agent" Tue Mar 11 20:47:19 2025 rev:43 rq:1252128 version:20250116.00 Changes: -------- --- /work/SRC/openSUSE:Factory/google-guest-agent/google-guest-agent.changes 2025-02-12 21:32:16.876096157 +0100 +++ /work/SRC/openSUSE:Factory/.google-guest-agent.new.19136/google-guest-agent.changes 2025-03-11 20:48:05.965171546 +0100 @@ -1,0 +2,7 @@ +Tue Mar 11 11:25:07 UTC 2025 - John Paul Adrian Glaubitz <[email protected]> + +- Add patch to fix unexpected memory consumption during token + parsing in golang.org/x/oauth2 (bsc#1239197, CVE-2025-22868) + * CVE-2025-22868.patch + +------------------------------------------------------------------- New: ---- CVE-2025-22868.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ google-guest-agent.spec ++++++ --- /var/tmp/diff_new_pack.92DbmD/_old 2025-03-11 20:48:07.733245574 +0100 +++ /var/tmp/diff_new_pack.92DbmD/_new 2025-03-11 20:48:07.753246411 +0100 @@ -34,6 +34,8 @@ Source1: vendor.tar.gz Source2: rpmlintrc Patch0: disable_google_dhclient_script.patch +# PATCH-FIX-UPSTREAM - Fix unexpected memory consumption during token parsing in golang.org/x/oauth2 +Patch1: CVE-2025-22868.patch BuildRequires: golang-packaging BuildRequires: golang(API) = 1.23 Requires: google-guest-configs @@ -51,6 +53,9 @@ %prep %setup -n %{repo}-%{version} -a1 %patch -P 0 -p1 +pushd vendor/golang.org/x/oauth2 +%patch -P 1 -p1 +popd %build %goprep %{import_path} ++++++ CVE-2025-22868.patch ++++++ From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001
From: Neal Patel <[email protected]> Date: Thu, 30 Jan 2025 14:10:09 -0500 Subject: [PATCH] jws: split token into fixed number of parts Thanks to 'jub0bs' for reporting this issue. Fixes #71490 Fixes CVE-2025-22868 Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155 Auto-Submit: Gopher Robot <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> --- jws/jws.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jws/jws.go b/jws/jws.go index 9501564..6f03a49 100644 --- a/jws/jws.go +++ b/jws/jws.go @@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) { // Verify tests whether the provided JWT token's signature was produced by the private key // associated with the supplied public key. func Verify(token string, key *rsa.PublicKey) error { - parts := strings.Split(token, ".") - if len(parts) != 3 { + if strings.Count(token, ".") != 2 { return errors.New("jws: invalid token received, token must have 3 parts") } + parts := strings.SplitN(token, ".", 3) signedContent := parts[0] + "." + parts[1] signatureString, err := base64.RawURLEncoding.DecodeString(parts[2]) if err != nil { -- 2.48.1
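Review bot: in the google-guest-agent.changes hunk (@@ -1,0 +2,7 @@), the entry should say the fix is carried as a patch against the vendored copy of golang.org/x/oauth2 inside vendor.tar.gz, not against the agent's own sources; as written, "Add patch to fix ... in golang.org/x/oauth2" reads as if the agent package were the oauth2 package, and whoever later refreshes vendor.tar.gz has no hint from the changelog that CVE-2025-22868.patch becomes obsolete (or stops applying) at that point.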
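Review bot: in the first spec hunk (@@ -34,6 +34,8 @@), the "# PATCH-FIX-UPSTREAM" comment above Patch1 carries neither the patch file name nor the bug reference, although both are already in the changes entry; the usual form is "# PATCH-FIX-UPSTREAM CVE-2025-22868.patch bsc#1239197 -- Fix unexpected memory consumption during token parsing in golang.org/x/oauth2", which lets someone reading only the spec see why the patch exists and where the upstream fix came from (the Reviewed-on URL in the patch header would also fit there).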
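Review bot: in the second spec hunk (@@ -51,6 +53,9 @@), patching inside vendor/golang.org/x/oauth2 after "%setup ... -a1" works because the Go toolchain in -mod=vendor mode checks vendor/modules.txt against go.mod but does not verify the contents of vendored files against go.sum, so the modified jws.go is built without complaint; the flip side is that nothing ties this patch to the vendored oauth2 version, so a later vendor.tar.gz refresh that already contains upstream commit 681b4d8 will either make the patch fail to apply or silently re-apply the same change. Please either bump the vendored golang.org/x/oauth2 to a version containing this commit instead of patching, or leave a comment next to Patch1 stating which vendored version it targets. Minor: "%patch -P 1 -p1 -d vendor/golang.org/x/oauth2" avoids the pushd/popd pair.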
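Review bot: in the jws/jws.go hunk (@@ -165,11 +165,11 @@), the guard is correct as far as Verify goes: strings.Count allocates nothing, a count of exactly two dots guarantees that strings.SplitN(token, ".", 3) returns exactly three parts, so the removed "len(parts) != 3" check is preserved and the reject path no longer builds a slice with one string header per dot in an attacker-chosen token. Two things to check before shipping this as a one-function patch: if any other function in jws.go still calls strings.Split on an untrusted token (Decode is the one to look at), it has the same allocation profile and needs the same Count-first guard; and Count plus SplitN scan the token twice, which is fine here but two strings.Cut calls would do it in one pass if that ever matters.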
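The upstream fix above replaces allocate-then-check with check-then-allocate. The stand-alone Go program below, added here as an example and not taken from the openSUSE package or from golang.org/x/oauth2, reproduces both variants side by side and measures the heap bytes each allocates while rejecting a constructed token that consists of nothing but dots. SplitTokenVulnerable, SplitTokenFixed, MaliciousToken, AllocBytes and CompareAllocs are this example's own names; the error text is copied from the jws.Verify message in the hunk.

```go
// Added example (not part of google-guest-agent or of the upstream
// golang.org/x/oauth2 commit): reproduce the allocation behaviour behind
// CVE-2025-22868 and show that the check-first variant does not share it.
package main

import (
	"errors"
	"fmt"
	"runtime"
	"strings"
)

// ErrNotThreeParts reuses the message from jws.Verify.
var ErrNotThreeParts = errors.New("jws: invalid token received, token must have 3 parts")

// SplitTokenVulnerable splits first and checks the part count afterwards,
// the shape jws.Verify had before the fix. strings.Split allocates one
// string header (16 bytes on 64-bit) per segment, so a token made of n dots
// costs roughly 16*(n+1) bytes before the length check ever runs.
func SplitTokenVulnerable(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrNotThreeParts
	}
	return parts, nil
}

// SplitTokenFixed counts separators first (no allocation) and only then
// splits into at most three parts, the shape of the upstream fix.
func SplitTokenFixed(token string) ([]string, error) {
	if strings.Count(token, ".") != 2 {
		return nil, ErrNotThreeParts
	}
	return strings.SplitN(token, ".", 3), nil
}

// MaliciousToken is the constructed attacker input: n dots and no payload,
// which Split turns into n+1 empty segments.
func MaliciousToken(n int) string {
	return strings.Repeat(".", n)
}

// sink keeps each result reachable so the work cannot be optimised away.
var sink []string

// AllocBytes returns the heap bytes f allocated, taken from the delta of
// the runtime's cumulative TotalAlloc counter.
func AllocBytes(f func()) uint64 {
	var before, after runtime.MemStats
	runtime.GC()
	runtime.ReadMemStats(&before)
	f()
	runtime.ReadMemStats(&after)
	return after.TotalAlloc - before.TotalAlloc
}

// CompareAllocs returns the bytes allocated by each variant while rejecting
// a malicious token of n dots.
func CompareAllocs(n int) (vulnerable, fixed uint64) {
	tok := MaliciousToken(n)
	vulnerable = AllocBytes(func() { sink, _ = SplitTokenVulnerable(tok) })
	fixed = AllocBytes(func() { sink, _ = SplitTokenFixed(tok) })
	return vulnerable, fixed
}

func main() {
	n := 1 << 20 // a 1 MiB token of nothing but dots
	v, f := CompareAllocs(n)
	fmt.Printf("token bytes: %d  vulnerable path allocated: %d bytes (%.1fx)  fixed path allocated: %d bytes\n",
		n, v, float64(v)/float64(n), f)
}
```

On a 64-bit machine the vulnerable path allocates about sixteen times the token's own size before it can reject it, while the fixed path allocates nothing on rejection; a client that reads the token body into memory and then calls the old Verify therefore pays that multiplier on top of the body size, which is the "unexpected memory consumption" the changes entry refers to. Both variants return identical parts for a well-formed three-part token, so the behaviour change is confined to what happens on malformed input.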
