Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package podman for openSUSE:Factory checked in at 2025-03-11 20:43:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/podman (Old) and /work/SRC/openSUSE:Factory/.podman.new.19136 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "podman"
Tue Mar 11 20:43:59 2025 rev:153 rq:1251752 version:5.4.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/podman/podman.changes 2025-02-20 16:30:15.984652572 +0100
+++ /work/SRC/openSUSE:Factory/.podman.new.19136/podman.changes 2025-03-11 20:44:23.603877899 +0100
@@ -1,0 +2,6 @@
+Mon Mar 10 08:22:39 UTC 2025 - Danish Prakash <danish.prak...@suse.com>
+
+- Add patch for CVE-2025-27144 (bsc#1237641):
+  * 0001-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
+
+-------------------------------------------------------------------
New:
----
  0001-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
BETA DEBUG BEGIN:
  New:- Add patch for CVE-2025-27144 (bsc#1237641):
  * 0001-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
BETA DEBUG END:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ podman.spec ++++++
--- /var/tmp/diff_new_pack.OiO3vG/_old 2025-03-11 20:44:24.743925505 +0100
+++ /var/tmp/diff_new_pack.OiO3vG/_new 2025-03-11 20:44:24.747925673 +0100
@@ -30,6 +30,7 @@
 URL: https://%{project}
 Source0: %{name}-%{version}.tar.gz
 Source1: podman.conf
+Patch0: 0001-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
 BuildRequires: man
 BuildRequires: bash-completion
 BuildRequires: device-mapper-devel
++++++ 0001-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch ++++++
>From 30b8c23e81ef0328586b49075e78ca4ea1a11bc7 Mon Sep 17 00:00:00 2001
From: Matthew McPherrin <g...@mcpherrin.ca>
Date: Mon, 24 Feb 2025 14:42:50 -0500
Subject: [PATCH] CVE-2025-27144: vendor: don't allow unbounded amounts of splits
In compact JWS/JWE, don't allow unbounded number of splits. Count to make sure there's the right number, then use SplitN. This fixes CVE-2025-27144 This fixes bsc#1237641 Cherry-picked from go-jose/go-jose@99b346c
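Review bot: The new `Patch0:` line in podman.spec only declares the patch; whether it is applied depends on the `%prep` section (`%autosetup -p1`, `%autopatch`, or an explicit `%patch` line), which is outside this hunk, so it is worth confirming before relying on this update as the CVE-2025-27144 fix. If `%prep` does not apply it, the package ships the patch file while the built binary keeps the unbounded `strings.Split` in the vendored `ParseEncryptedCompact`/`parseSignedCompact`. A quick check is that `rpmbuild -bp` or the OBS build log shows the patch being applied and that the prepared vendor tree contains `strings.SplitN(input, ".", 5)` in jwe.go.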
Signed-off-by: Danish Prakash <cont...@danishpraka.sh>
---
 vendor/github.com/go-jose/go-jose/v4/jwe.go | 5 +++--
 vendor/github.com/go-jose/go-jose/v4/jws.go | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/vendor/github.com/go-jose/go-jose/v4/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go
index 89f03ee3e1e6..9f1322dccc9c 100644
--- a/vendor/github.com/go-jose/go-jose/v4/jwe.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go
@@ -288,10 +288,11 @@ func ParseEncryptedCompact(
 	keyAlgorithms []KeyAlgorithm,
 	contentEncryption []ContentEncryption,
 ) (*JSONWebEncryption, error) {
-	parts := strings.Split(input, ".")
-	if len(parts) != 5 {
+	// Five parts is four separators
+	if strings.Count(input, ".") != 4 {
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
 	}
+	parts := strings.SplitN(input, ".", 5)
 
 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
 	if err != nil {
diff --git a/vendor/github.com/go-jose/go-jose/v4/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go
index 3a912301afc2..d09d8ba5078c 100644
--- a/vendor/github.com/go-jose/go-jose/v4/jws.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jws.go
@@ -327,10 +327,11 @@ func parseSignedCompact(
 	payload []byte,
 	signatureAlgorithms []SignatureAlgorithm,
 ) (*JSONWebSignature, error) {
-	parts := strings.Split(input, ".")
-	if len(parts) != 3 {
+	// Three parts is two separators
+	if strings.Count(input, ".") != 2 {
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
 	}
+	parts := strings.SplitN(input, ".", 3)
 
 	if parts[1] != "" && payload != nil {
 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
-- 
2.46.0