diff --git a/SPECS/prometheus/CVE-2025-30204.patch b/SPECS/prometheus/CVE-2025-30204.patch new file mode 100644 index 00000000000..89385764c24 --- /dev/null +++ b/SPECS/prometheus/CVE-2025-30204.patch @@ -0,0 +1,71 @@ +From 20e897717946a5bb7750e795c245012bddcfa312 Mon Sep 17 00:00:00 2001 +From: Kanishk-Bansal +Date: Fri, 28 Mar 2025 21:29:08 +0000 +Subject: [PATCH] CVE-2025-30204 + +Upstream Patch Reference : v4: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84 +--- + vendor/github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++++++++--- + 1 file changed, 33 insertions(+), 3 deletions(-) + +diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go +index 2f61a69..9484f28 100644 +--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go ++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go +@@ -7,6 +7,8 @@ import ( + "strings" + ) + ++const tokenDelimiter = "." ++ + type Parser struct { + // If populated, only these methods will be considered valid. + // +@@ -116,9 +118,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf + // It's only ever useful in cases where you know the signature is valid (because it has + // been checked previously in the stack) and you want to extract values from it. + func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) { +- parts = strings.Split(tokenString, ".") +- if len(parts) != 3 { +- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed) ++ var ok bool ++ parts, ok = splitToken(tokenString) ++ if !ok { ++ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed) + } + + token = &Token{Raw: tokenString} +@@ -168,3 +171,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke + + return token, parts, nil + } ++ ++// splitToken splits a token string into three parts: header, claims, and signature. It will only ++// return true if the token contains exactly two delimiters and three parts. In all other cases, it ++// will return nil parts and false. ++func splitToken(token string) ([]string, bool) { ++ parts := make([]string, 3) ++ header, remain, ok := strings.Cut(token, tokenDelimiter) ++ if !ok { ++ return nil, false ++ } ++ parts[0] = header ++ claims, remain, ok := strings.Cut(remain, tokenDelimiter) ++ if !ok { ++ return nil, false ++ } ++ parts[1] = claims ++ // One more cut to ensure the signature is the last part of the token and there are no more ++ // delimiters. This avoids an issue where malicious input could contain additional delimiters ++ // causing unecessary overhead parsing tokens. ++ signature, _, unexpected := strings.Cut(remain, tokenDelimiter) ++ if unexpected { ++ return nil, false ++ } ++ parts[2] = signature ++ ++ return parts, true ++} +-- +2.45.2 + diff --git a/SPECS/prometheus/prometheus.spec b/SPECS/prometheus/prometheus.spec index b6621d5a0f6..a54384eb2f7 100644 --- a/SPECS/prometheus/prometheus.spec +++ b/SPECS/prometheus/prometheus.spec @@ -4,7 +4,7 @@ Summary: Prometheus monitoring system and time series database Name: prometheus Version: 2.37.9 -Release: 2%{?dist} +Release: 3%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -22,6 +22,8 @@ Patch1: CVE-2024-6104.patch Patch2: CVE-2024-24786.patch Patch3: CVE-2023-39325.patch Patch4: CVE-2023-45288.patch +Patch5: CVE-2025-30204.patch + BuildRequires: golang BuildRequires: nodejs BuildRequires: systemd-rpm-macros @@ -135,6 +137,9 @@ fi %doc README.md RELEASE.md documentation %changelog +* Sun Mar 30 2025 Kanishk Bansal - 2.37.9-3 +- Patch CVE-2025-30204 + * Wed Nov 06 2024 Nicolas Guibourge - 2.37.9-2 - Patch for CVE-2023-39325 CVE-2023-45288 - Fix previous changelog version number