Skip to content

[AutoPR- Security] Patch dcos-cli for CVE-2025-30204 [MEDIUM] #15888

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
azurelinux-security wants to merge 2 commits into
base: main
Choose a base branch
from
+174 −1
Open

[AutoPR- Security] Patch dcos-cli for CVE-2025-30204 [MEDIUM] #15888

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
188d7ec
Patch dcos-cli for CVE-2025-30204
azurelinux-security Feb 18, 2026
2c78c50
patch clean
Kanishk-Bansal Feb 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
169 changes: 169 additions & 0 deletions SPECS/dcos-cli/CVE-2025-30204.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,169 @@
From 25facac704f233f2fc77ea281cbe725fc8816b54 Mon Sep 17 00:00:00 2001
From: Michael Fridman <mfridman@buf.build>
Date: Fri, 21 Mar 2025 16:42:51 -0400
Subject: [PATCH] Backporting 0951d18 to v4

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84.patch
---
.../github.com/dgrijalva/jwt-go/jwt_test.go | 89 +++++++++++++++++++
vendor/github.com/dgrijalva/jwt-go/parser.go | 36 +++++++-
2 files changed, 122 insertions(+), 3 deletions(-)
create mode 100644 vendor/github.com/dgrijalva/jwt-go/jwt_test.go

diff --git a/vendor/github.com/dgrijalva/jwt-go/jwt_test.go b/vendor/github.com/dgrijalva/jwt-go/jwt_test.go
new file mode 100644
index 0000000..b01e899
--- /dev/null
+++ b/vendor/github.com/dgrijalva/jwt-go/jwt_test.go
@@ -0,0 +1,89 @@
+package jwt
+
+import (
+ "testing"
+)
+
+func TestSplitToken(t *testing.T) {
+ t.Parallel()
+
+ tests := []struct {
+ name string
+ input string
+ expected []string
+ isValid bool
+ }{
+ {
+ name: "valid token with three parts",
+ input: "header.claims.signature",
+ expected: []string{"header", "claims", "signature"},
+ isValid: true,
+ },
+ {
+ name: "invalid token with two parts only",
+ input: "header.claims",
+ expected: nil,
+ isValid: false,
+ },
+ {
+ name: "invalid token with one part only",
+ input: "header",
+ expected: nil,
+ isValid: false,
+ },
+ {
+ name: "invalid token with extra delimiter",
+ input: "header.claims.signature.extra",
+ expected: nil,
+ isValid: false,
+ },
+ {
+ name: "invalid empty token",
+ input: "",
+ expected: nil,
+ isValid: false,
+ },
+ {
+ name: "valid token with empty parts",
+ input: "..signature",
+ expected: []string{"", "", "signature"},
+ isValid: true,
+ },
+ {
+ // We are just splitting the token into parts, so we don't care about the actual values.
+ // It is up to the caller to validate the parts.
+ name: "valid token with all parts empty",
+ input: "..",
+ expected: []string{"", "", ""},
+ isValid: true,
+ },
+ {
+ name: "invalid token with just delimiters and extra part",
+ input: "...",
+ expected: nil,
+ isValid: false,
+ },
+ {
+ name: "invalid token with many delimiters",
+ input: "header.claims.signature..................",
+ expected: nil,
+ isValid: false,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ parts, ok := splitToken(tt.input)
+ if ok != tt.isValid {
+ t.Errorf("expected %t, got %t", tt.isValid, ok)
+ }
+ if ok {
+ for i, part := range tt.expected {
+ if parts[i] != part {
+ t.Errorf("expected %s, got %s", part, parts[i])
+ }
+ }
+ }
+ })
+ }
+}
diff --git a/vendor/github.com/dgrijalva/jwt-go/parser.go b/vendor/github.com/dgrijalva/jwt-go/parser.go
index 72cf9ee..3943114 100644
--- a/vendor/github.com/dgrijalva/jwt-go/parser.go
+++ b/vendor/github.com/dgrijalva/jwt-go/parser.go
@@ -7,6 +7,8 @@ import (
"strings"
)

+const tokenDelimiter = "."
+
type Parser struct {
ValidMethods []string // If populated, only these methods will be considered valid
UseJSONNumber bool // Use JSON Number format in JSON decoder
@@ -92,9 +94,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
// been checked previously in the stack) and you want to extract values from
// it.
func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
- parts = strings.Split(tokenString, ".")
- if len(parts) != 3 {
- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ var ok bool
+ parts, ok = splitToken(tokenString)
+ if !ok {
+ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
}

token = &Token{Raw: tokenString}
@@ -144,3 +147,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke

return token, parts, nil
}
+
+// splitToken splits a token string into three parts: header, claims, and signature. It will only
+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
+// will return nil parts and false.
+func splitToken(token string) ([]string, bool) {
+ parts := make([]string, 3)
+ header, remain, ok := strings.Cut(token, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[0] = header
+ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[1] = claims
+ // One more cut to ensure the signature is the last part of the token and there are no more
+ // delimiters. This avoids an issue where malicious input could contain additional delimiters
+ // causing unecessary overhead parsing tokens.
+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
+ if unexpected {
+ return nil, false
+ }
+ parts[2] = signature
+
+ return parts, true
+}
--
2.45.4

6 changes: 5 additions & 1 deletion SPECS/dcos-cli/dcos-cli.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Summary: The command line for DC/OS
Name: dcos-cli
Version: 1.2.0
Release: 23%{?dist}
Release: 24%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Expand All @@ -12,6 +12,7 @@ Patch0: CVE-2024-28180.patch
Patch1: CVE-2025-27144.patch
Patch2: CVE-2024-51744.patch
Patch3: CVE-2025-65637.patch
Patch4: CVE-2025-30204.patch
BuildRequires: golang
BuildRequires: git
%global debug_package %{nil}
Expand Down Expand Up @@ -48,6 +49,9 @@ go test -mod=vendor
%{_bindir}/dcos

%changelog
* Wed Feb 18 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.2.0-24
- Patch for CVE-2025-30204

* Mon Dec 08 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.2.0-23
- Patch for CVE-2025-65637

Expand Down
Loading