From a3d6050be1b302e3289b5ec173b5378db64ce2cf Mon Sep 17 00:00:00 2001
From: Aninda
Date: Thu, 22 May 2025 09:39:31 -0400
Subject: [PATCH] Address CVE-2025-22872
---
 SPECS/cri-tools/CVE-2025-22872.patch | 42 ++++++++++++++++++++++++++++
 SPECS/cri-tools/cri-tools.spec | 6 +++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/cri-tools/CVE-2025-22872.patch
diff --git a/SPECS/cri-tools/CVE-2025-22872.patch b/SPECS/cri-tools/CVE-2025-22872.patch
new file mode 100644
index 00000000000..16cfad6752d
--- /dev/null
+++ b/SPECS/cri-tools/CVE-2025-22872.patch
@@ -0,0 +1,42 @@
+From 961dbc9f2f6de5c24c53d76248218a4c4a0dd771 Mon Sep 17 00:00:00 2001
+From: Aninda
+Date: Wed, 21 May 2025 23:19:37 -0400
+Subject: [PATCH] Address CVE-2025-22872
+Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9
+
+---
+ vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go
+index de67f93..9bbdf7d 100644
+--- a/vendor/golang.org/x/net/html/token.go
++++ b/vendor/golang.org/x/net/html/token.go
+@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
+ if raw {
+ z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
+ }
+- // Look for a self-closing token like "
".
+- if z.err == nil && z.buf[z.raw.end-2] == '/' {
++ // Look for a self-closing token (e.g.
).
++ //
++ // Originally, we did this by just checking that the last character of the
++ // tag (ignoring the closing bracket) was a solidus (/) character, but this
++ // is not always accurate.
++ //
++ // We need to be careful that we don't misinterpret a non-self-closing tag
++ // as self-closing, as can happen if the tag contains unquoted attribute
++ // values (i.e.

).
++ //
++ // To avoid this, we check that the last non-bracket character of the tag
++ // (z.raw.end-2) isn't the same character as the last non-quote character of
++ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
++ // attributes.
++ nAttrs := len(z.attr)
++ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
+ return SelfClosingTagToken
+ }
+ return StartTagToken
+--
+2.34.1
+
diff --git a/SPECS/cri-tools/cri-tools.spec b/SPECS/cri-tools/cri-tools.spec
index 0809f998c4b..4b383ac52d6 100644
--- a/SPECS/cri-tools/cri-tools.spec
+++ b/SPECS/cri-tools/cri-tools.spec
@@ -7,7 +7,7 @@
 Summary: CRI tools
 Name: cri-tools
 Version: 1.29.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: Apache-2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -18,6 +18,7 @@ Patch0: CVE-2024-21626.patch
 Patch1: CVE-2023-45288.patch
 Patch2: CVE-2024-24786.patch
 Patch3: CVE-2024-45338.patch
+Patch4: CVE-2025-22872.patch
 BuildRequires: glib-devel
 BuildRequires: glibc-devel
 BuildRequires: golang
@@ -48,6 +49,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} "${BUILD_FOLDER}/critest"
 %{_bindir}/critest
 %changelog
+* Thu May 22 2025 Aninda Pradhan - 1.29.0-7
+- Patch CVE-2025-22872
+
 * Mon Jan 06 2025 Sumedh Sharma - 1.29.0-6
 - Add patch for CVE-2024-45338
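Review bot: The comment added above the new condition in readStartTag names `z.pendingAttr[1].end-1`, while the condition itself reads the value span of the last stored attribute, `z.attr[nAttrs-1][1].end-1`; the comment line would match the code as `// the last attribute of the tag (z.attr[nAttrs-1][1].end-1), if the tag has`. The wording appears to be carried over from the referenced upstream commit, so keeping it verbatim is defensible for a faithful backport, but then the patch header should say the hunk is unmodified from upstream. Because the fix lands only in the vendored copy (one file changed under vendor/), go.mod and vendor/modules.txt presumably still name the pre-fix golang.org/x/net version, so version-based dependency scanners will likely keep reporting CVE-2025-22872 for this package and the backport should be recorded wherever those findings are triaged. readStartTag begins and ends outside the hunk.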
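Review bot: Patch4 is declared in the second hunk, but none of the three spec hunks touches %prep, so whether the new patch is actually applied depends on lines that are not visible here. If %prep uses `%autosetup -p1` or `%autopatch`, Patch4 is picked up automatically; if it lists patches one by one, a matching `%patch -P 4 -p1` line is needed, otherwise the package builds at release 7 with a changelog entry claiming the fix while the vendored token.go is unchanged. Checking the build log for the patch being applied would confirm this.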