Skip to content

[AutoPR- Security] Patch kube-vip-cloud-provider for CVE-2025-30204 [MEDIUM] #15901

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
azurelinux-security wants to merge 2 commits into
base: main
Choose a base branch
from
+174 −1
Open

[AutoPR- Security] Patch kube-vip-cloud-provider for CVE-2025-30204 [MEDIUM] #15901

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1e859f7
Patch kube-vip-cloud-provider for CVE-2025-30204
azurelinux-security Feb 18, 2026
59f6b1c
update patch
Kanishk-Bansal Feb 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
169 changes: 169 additions & 0 deletions SPECS/kube-vip-cloud-provider/CVE-2025-30204.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,169 @@
From 8babcf6543088c7b25a83dd9ef88ffee44be15c7 Mon Sep 17 00:00:00 2001
From: Michael Fridman <mfridman@buf.build>
Date: Fri, 21 Mar 2025 16:42:51 -0400
Subject: [PATCH] Backporting 0951d18 to v4

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84.patch
---
.../github.com/dgrijalva/jwt-go/jwt_test.go | 89 +++++++++++++++++++
vendor/github.com/dgrijalva/jwt-go/parser.go | 36 +++++++-
2 files changed, 122 insertions(+), 3 deletions(-)
create mode 100644 vendor/github.com/dgrijalva/jwt-go/jwt_test.go

diff --git a/vendor/github.com/dgrijalva/jwt-go/jwt_test.go b/vendor/github.com/dgrijalva/jwt-go/jwt_test.go
new file mode 100644
index 0000000..b01e899
--- /dev/null
+++ b/vendor/github.com/dgrijalva/jwt-go/jwt_test.go
@@ -0,0 +1,89 @@
+package jwt
+
+import (
+ "testing"
+)
+
+func TestSplitToken(t *testing.T) {
+ t.Parallel()
+
+ tests := []struct {
+ name string
+ input string
+ expected []string
+ isValid bool
+ }{
+ {
+ name: "valid token with three parts",
+ input: "header.claims.signature",
+ expected: []string{"header", "claims", "signature"},
+ isValid: true,
+ },
+ {
+ name: "invalid token with two parts only",
+ input: "header.claims",
+ expected: nil,
+ isValid: false,
+ },
+ {
+ name: "invalid token with one part only",
+ input: "header",
+ expected: nil,
+ isValid: false,
+ },
+ {
+ name: "invalid token with extra delimiter",
+ input: "header.claims.signature.extra",
+ expected: nil,
+ isValid: false,
+ },
+ {
+ name: "invalid empty token",
+ input: "",
+ expected: nil,
+ isValid: false,
+ },
+ {
+ name: "valid token with empty parts",
+ input: "..signature",
+ expected: []string{"", "", "signature"},
+ isValid: true,
+ },
+ {
+ // We are just splitting the token into parts, so we don't care about the actual values.
+ // It is up to the caller to validate the parts.
+ name: "valid token with all parts empty",
+ input: "..",
+ expected: []string{"", "", ""},
+ isValid: true,
+ },
+ {
+ name: "invalid token with just delimiters and extra part",
+ input: "...",
+ expected: nil,
+ isValid: false,
+ },
+ {
+ name: "invalid token with many delimiters",
+ input: "header.claims.signature..................",
+ expected: nil,
+ isValid: false,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ parts, ok := splitToken(tt.input)
+ if ok != tt.isValid {
+ t.Errorf("expected %t, got %t", tt.isValid, ok)
+ }
+ if ok {
+ for i, part := range tt.expected {
+ if parts[i] != part {
+ t.Errorf("expected %s, got %s", part, parts[i])
+ }
+ }
+ }
+ })
+ }
+}
diff --git a/vendor/github.com/dgrijalva/jwt-go/parser.go b/vendor/github.com/dgrijalva/jwt-go/parser.go
index 9fddb7d..dbee074 100644
--- a/vendor/github.com/dgrijalva/jwt-go/parser.go
+++ b/vendor/github.com/dgrijalva/jwt-go/parser.go
@@ -7,6 +7,8 @@ import (
"strings"
)

+const tokenDelimiter = "."
+
type Parser struct {
ValidMethods []string // If populated, only these methods will be considered valid
UseJSONNumber bool // Use JSON Number format in JSON decoder
@@ -99,9 +101,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
// been checked previously in the stack) and you want to extract values from
// it.
func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
- parts = strings.Split(tokenString, ".")
- if len(parts) != 3 {
- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ var ok bool
+ parts, ok = splitToken(tokenString)
+ if !ok {
+ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
}

token = &Token{Raw: tokenString}
@@ -151,3 +154,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke

return token, parts, nil
}
+
+// splitToken splits a token string into three parts: header, claims, and signature. It will only
+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
+// will return nil parts and false.
+func splitToken(token string) ([]string, bool) {
+ parts := make([]string, 3)
+ header, remain, ok := strings.Cut(token, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[0] = header
+ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[1] = claims
+ // One more cut to ensure the signature is the last part of the token and there are no more
+ // delimiters. This avoids an issue where malicious input could contain additional delimiters
+ // causing unecessary overhead parsing tokens.
+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
+ if unexpected {
+ return nil, false
+ }
+ parts[2] = signature
+
+ return parts, true
+}
--
2.45.4

6 changes: 5 additions & 1 deletion SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Summary: The Kube-Vip cloud provider functions as a general-purpose cloud provider for on-premises bare-metal or virtualized setups
Name: kube-vip-cloud-provider
Version: 0.0.2
Release: 25%{?dist}
Release: 26%{?dist}
License: ASL 2.0
URL: https://github.com/kube-vip/kube-vip-cloud-provider
Group: Applications/Text
Expand Down Expand Up @@ -30,6 +30,7 @@ Patch5: CVE-2022-3162.patch
Patch6: CVE-2024-51744.patch
Patch7: CVE-2025-65637.patch
Patch8: CVE-2025-11065.patch
Patch9: CVE-2025-30204.patch
BuildRequires: golang

%description
Expand All @@ -52,6 +53,9 @@ go test -mod=vendor ./...
%{_bindir}/kube-vip-cloud-provider

%changelog
* Wed Feb 18 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.0.2-26
- Patch for CVE-2025-30204

* Wed Feb 04 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.0.2-25
- Patch for CVE-2025-11065

Expand Down
Loading