From f728e5e6a7cf7bb88d8b8f3f7ff4c7994ef54919 Mon Sep 17 00:00:00 2001 From: Danish Prakash Date: Fri, 28 Feb 2025 12:54:44 +0530 Subject: [PATCH] CVE-2025-27144: vendor: don't allow unbounded amounts of splits In compact JWS/JWE, don't allow unbounded number of splits. Count to make sure there's the right number, then use SplitN. This fixes CVE-2025-27144 This fixes bsc#1237681 Cherry-picked from https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22 Co-authored-by: Matthew McPherrin Signed-off-by: Danish Prakash --- vendor/github.com/go-jose/go-jose/v3/jwe.go | 5 +++-- vendor/github.com/go-jose/go-jose/v3/jws.go | 5 +++-- vendor/gopkg.in/go-jose/go-jose.v2/jwe.go | 5 +++-- vendor/gopkg.in/go-jose/go-jose.v2/jws.go | 5 +++-- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/vendor/github.com/go-jose/go-jose/v3/jwe.go b/vendor/github.com/go-jose/go-jose/v3/jwe.go index 4267ac75025..1ba4ae0c003 100644 --- a/vendor/github.com/go-jose/go-jose/v3/jwe.go +++ b/vendor/github.com/go-jose/go-jose/v3/jwe.go @@ -202,10 +202,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) { // parseEncryptedCompact parses a message in compact format. func parseEncryptedCompact(input string) (*JSONWebEncryption, error) { - parts := strings.Split(input, ".") - if len(parts) != 5 { + // Five parts is four separators + if strings.Count(input, ".") != 4 { return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts") } + parts := strings.SplitN(input, ".", 5) rawProtected, err := base64URLDecode(parts[0]) if err != nil { diff --git a/vendor/github.com/go-jose/go-jose/v3/jws.go b/vendor/github.com/go-jose/go-jose/v3/jws.go index e37007dbb85..401fc18ac4d 100644 --- a/vendor/github.com/go-jose/go-jose/v3/jws.go +++ b/vendor/github.com/go-jose/go-jose/v3/jws.go @@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) { // parseSignedCompact parses a message in compact format. func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) { - parts := strings.Split(input, ".") - if len(parts) != 3 { + // Three parts is two separators + if strings.Count(input, ".") != 2 { return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts") } + parts := strings.SplitN(input, ".", 3) if parts[1] != "" && payload != nil { return nil, fmt.Errorf("go-jose/go-jose: payload is not detached") diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go index a8966ab8e9d..faebb8dd4ca 100644 --- a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go +++ b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go @@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) { // parseEncryptedCompact parses a message in compact format. func parseEncryptedCompact(input string) (*JSONWebEncryption, error) { - parts := strings.Split(input, ".") - if len(parts) != 5 { + // Five parts is four separators + if strings.Count(input, ".") != 4 { return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts") } + parts := strings.SplitN(input, ".", 5) rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0]) if err != nil { diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go index 1a24fa468a3..717f04ace0c 100644 --- a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go +++ b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go @@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) { // parseSignedCompact parses a message in compact format. func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) { - parts := strings.Split(input, ".") - if len(parts) != 3 { + // Three parts is two separators + if strings.Count(input, ".") != 2 { return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts") } + parts := strings.SplitN(input, ".", 3) if parts[1] != "" && payload != nil { return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")