diff --git a/kubevirt-1.7.0-CVE-2025-47914.patch b/kubevirt-1.7.0-CVE-2025-47914.patch new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/kubevirt-1.7.0-CVE-2025-58181.patch b/kubevirt-1.7.0-CVE-2025-58181.patch new file mode 100644 index 0000000000000000000000000000000000000000..f41b493bda21b0db62517c6ee4c0377900f8241c --- /dev/null +++ b/kubevirt-1.7.0-CVE-2025-58181.patch @@ -0,0 +1,56 @@ +From e79546e28b85ea53dd37afe1c4102746ef553b9c Mon Sep 17 00:00:00 2001 +From: Neal Patel +Date: Wed, 19 Nov 2025 13:35:12 -0500 +Subject: [PATCH] ssh: curb GSSAPI DoS risk by limiting number of specified + OIDs + +Previously, an attacker could specify an integer up to 0xFFFFFFFF +that would directly allocate memory despite the observability of +the rest of the payload. This change places a hard cap on the +amount of mechanisms that can be specified and encoded in the +payload. Additionally, it performs a small sanity check to deny +payloads whose stated size is contradictory to the observed payload. + +Thank you to Jakub Ciolek for reporting this issue. + +Fixes CVE-2025-58181 +Fixes golang/go#76363 + +Change-Id: I0307ab3e906a3f2ae763b5f9f0310f7073f84485 +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721961 +Auto-Submit: Roland Shoemaker +Reviewed-by: Damien Neil +LUCI-TryBot-Result: Go LUCI + +Adapted-by: PkgAgent (modified to adapt to opencloudos-stream) + +--- + vendor/golang.org/x/crypto/ssh/ssh_gss.go | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/vendor/golang.org/x/crypto/ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go +index 24bd7c8..a6249a1 100644 +--- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go ++++ b/vendor/golang.org/x/crypto/ssh/ssh_gss.go +@@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) { + if !ok { + return nil, errors.New("parse uint32 failed") + } ++ // Each ASN.1 encoded OID must have a minimum ++ // of 2 bytes; 64 maximum mechanisms is an ++ // arbitrary, but reasonable ceiling. ++ const maxMechs = 64 ++ if n > maxMechs || int(n)*2 > len(rest) { ++ return nil, errors.New("invalid mechanism count") ++ } + s := &userAuthRequestGSSAPI{ + N: n, + OIDS: make([]asn1.ObjectIdentifier, n), +@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) { + if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil { + return nil, err + } +- + } + return s, nil + } diff --git a/kubevirt.spec b/kubevirt.spec index 42f155addd9380b69e5af1522bd5ae6e5c10a863..485bcf07aad5e7dd389af98e385380bdebdc1b67 100644 --- a/kubevirt.spec +++ b/kubevirt.spec @@ -14,10 +14,12 @@ Summary: kubevirt - Container native virtualization Name: kubevirt Version: 1.7.0 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD-3-Clause and ISC and Apache-2.0 and MIT URL: https://github.com/kubevirt/kubevirt Source0: %{url}/archive/refs/tags/v%{version}.tar.gz +Patch0001: kubevirt-1.7.0-CVE-2025-58181.patch +Patch0002: kubevirt-1.7.0-CVE-2025-47914.patch Patch3000: 0001-kubevirt-add-loong64.patch BuildRequires: libvirt-devel glibc-static rsync sed @@ -63,6 +65,10 @@ install -p -m 0755 _out/cmd/virtctl/virtctl-%{kubevirt_version}-linux-%{hostarch %{_datadir}/%{name}/linux/ %changelog +* Thu Apr 02 2026 PkgAgent Robot - 1.7.0-2 +- [Type] security +- [DESC] Fix CVE-2025-58181, CVE-2025-47914 + * Sun Jan 4 2026 clarehkli - 1.7.0-1 - [Type] security - [DESC] upgrade to 1.7.0 to fix CVE-2025-64324、CVE-2025-64432、