diff --git a/SPECS/moby-engine/CVE-2024-51744.patch b/SPECS/moby-engine/CVE-2024-51744.patch
new file mode 100644
index 00000000000..e179f3e471d
--- /dev/null
+++ b/SPECS/moby-engine/CVE-2024-51744.patch
@@ -0,0 +1,64 @@
+From c0a8f88b3e611b0a2533319636115226b6c3ee35 Mon Sep 17 00:00:00 2001
+From: akhila-guruju
+Date: Thu, 22 May 2025 12:13:45 +0000
+Subject: [PATCH] Address CVE-2024-51744
+
+Upstream Patch reference: https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c
+
+---
+ vendor/github.com/golang-jwt/jwt/v4/parser.go | 23 ++++++++-----------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+index 9484f28..d6e75db 100644
+--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
+@@ -80,12 +80,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
+ }
+
++ // Perform validation
++ token.Signature = parts[2]
++ if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
++ return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid}
++ }
++
+ vErr := &ValidationError{}
+
+ // Validate Claims
+ if !p.SkipClaimsValidation {
+ if err := token.Claims.Valid(); err != nil {
+-
+ // If the Claims Valid returned an error, check if it is a validation error,
+ // If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
+ if e, ok := err.(*ValidationError); !ok {
+@@ -93,22 +98,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ } else {
+ vErr = e
+ }
++ return token, vErr
+ }
+ }
+
+- // Perform validation
+- token.Signature = parts[2]
+- if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
+- vErr.Inner = err
+- vErr.Errors |= ValidationErrorSignatureInvalid
+- }
+-
+- if vErr.valid() {
+- token.Valid = true
+- return token, nil
+- }
++ // No errors so far, token is valid.
++ token.Valid = true + +- return token, vErr ++ return token, nil + } + + // ParseUnverified parses the token but doesn't validate the signature. +-- +2.45.2 + diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec index f7972ccc555..2435766f726 100644 --- a/SPECS/moby-engine/moby-engine.spec +++ b/SPECS/moby-engine/moby-engine.spec @@ -3,7 +3,7 @@ Summary: The open-source application container engine Name: moby-engine Version: 24.0.9 -Release: 16%{?dist} +Release: 17%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://mobyproject.org @@ -32,6 +32,7 @@ Patch12: CVE-2024-23650.patch Patch13: CVE-2025-22868.patch Patch14: CVE-2025-22869.patch Patch15: CVE-2025-30204.patch +Patch16: CVE-2024-51744.patch %{?systemd_requires} @@ -132,6 +133,9 @@ fi %{_unitdir}/* %changelog +* Thu May 22 2025 Akhila Guruju - 24.0.9-17 +- Patch CVE-2024-51744 + * Mon Apr 21 2025 Dallas Delaney - 24.0.9-16 - Patch CVE-2025-30204
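Review bot: Both early returns added to ParseWithClaims (`return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid}` and `return token, vErr`) still hand back a non-nil token, apparently with `token.Claims` already set, so the fix only protects callers that check the returned error or `token.Valid` before reading the claims. Because this is a vendored file that should stay identical to the referenced upstream commit, I would not change the code. I would add one line to the patch description instead, for example `Behaviour change: a signature failure now returns immediately with only ValidationErrorSignatureInvalid set; claim-validation flags are no longer combined with it.` That gives anyone auditing callers that inspect the `Errors` bitmask a clear statement of what they can no longer observe on a badly signed token. The function body starts before the lines shown in the embedded patch, so the key-lookup path above the signature check was not reviewed here.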