From f6eb9c48d6ec0267f13c6c503a369bff592f503e Mon Sep 17 00:00:00 2001
From: pkgagent <pkgagent@tencent.com>
Date: Thu, 2 Apr 2026 11:26:48 +0800
Subject: [PATCH 1/3] fix CVE-2025-58181

---
 kubevirt-1.7.0-CVE-2025-58181.patch | 56 +++++++++++++++++++++++++++++
 kubevirt.spec                       |  1 +
 2 files changed, 57 insertions(+)
 create mode 100644 kubevirt-1.7.0-CVE-2025-58181.patch

diff --git a/kubevirt-1.7.0-CVE-2025-58181.patch b/kubevirt-1.7.0-CVE-2025-58181.patch
new file mode 100644
index 0000000..f41b493
--- /dev/null
+++ b/kubevirt-1.7.0-CVE-2025-58181.patch
@@ -0,0 +1,56 @@
+From e79546e28b85ea53dd37afe1c4102746ef553b9c Mon Sep 17 00:00:00 2001
+From: Neal Patel <nealpatel@google.com>
+Date: Wed, 19 Nov 2025 13:35:12 -0500
+Subject: [PATCH] ssh: curb GSSAPI DoS risk by limiting number of specified
+ OIDs
+
+Previously, an attacker could specify an integer up to 0xFFFFFFFF
+that would directly allocate memory despite the observability of
+the rest of the payload. This change places a hard cap on the
+amount of mechanisms that can be specified and encoded in the
+payload. Additionally, it performs a small sanity check to deny
+payloads whose stated size is contradictory to the observed payload.
+
+Thank you to Jakub Ciolek for reporting this issue.
+
+Fixes CVE-2025-58181
+Fixes golang/go#76363
+
+Change-Id: I0307ab3e906a3f2ae763b5f9f0310f7073f84485
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721961
+Auto-Submit: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+
+Adapted-by: PkgAgent (modified to adapt to opencloudos-stream)
+
+---
+ vendor/golang.org/x/crypto/ssh/ssh_gss.go |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
+index 24bd7c8..a6249a1 100644
+--- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go
++++ b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
+@@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
+ 	if !ok {
+ 		return nil, errors.New("parse uint32 failed")
+ 	}
++	// Each ASN.1 encoded OID must have a minimum
++	// of 2 bytes; 64 maximum mechanisms is an
++	// arbitrary, but reasonable ceiling.
++	const maxMechs = 64
++	if n > maxMechs || int(n)*2 > len(rest) {
++		return nil, errors.New("invalid mechanism count")
++	}
+ 	s := &userAuthRequestGSSAPI{
+ 		N:    n,
+ 		OIDS: make([]asn1.ObjectIdentifier, n),
+@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
+ 		if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil {
+ 			return nil, err
+ 		}
+-
+ 	}
+ 	return s, nil
+ }
diff --git a/kubevirt.spec b/kubevirt.spec
index 42f155a..f63bb35 100644
--- a/kubevirt.spec
+++ b/kubevirt.spec
@@ -18,6 +18,7 @@ Release:        1%{?dist}
 License:        BSD-3-Clause and ISC and Apache-2.0 and MIT
 URL:            https://github.com/kubevirt/kubevirt
 Source0:        %{url}/archive/refs/tags/v%{version}.tar.gz
+Patch0001:      kubevirt-1.7.0-CVE-2025-58181.patch
 Patch3000:      0001-kubevirt-add-loong64.patch
 
 BuildRequires:  libvirt-devel glibc-static rsync sed
-- 
Gitee


From 2ce7b9a2d836a17faf507fb0236af063a5e481c1 Mon Sep 17 00:00:00 2001
From: pkgagent <pkgagent@tencent.com>
Date: Thu, 2 Apr 2026 11:58:00 +0800
Subject: [PATCH 2/3] fix CVE-2025-47914

---
 kubevirt-1.7.0-CVE-2025-47914.patch | 0
 kubevirt.spec                       | 1 +
 2 files changed, 1 insertion(+)
 create mode 100644 kubevirt-1.7.0-CVE-2025-47914.patch

diff --git a/kubevirt-1.7.0-CVE-2025-47914.patch b/kubevirt-1.7.0-CVE-2025-47914.patch
new file mode 100644
index 0000000..e69de29
diff --git a/kubevirt.spec b/kubevirt.spec
index f63bb35..db08575 100644
--- a/kubevirt.spec
+++ b/kubevirt.spec
@@ -19,6 +19,7 @@ License:        BSD-3-Clause and ISC and Apache-2.0 and MIT
 URL:            https://github.com/kubevirt/kubevirt
 Source0:        %{url}/archive/refs/tags/v%{version}.tar.gz
 Patch0001:      kubevirt-1.7.0-CVE-2025-58181.patch
+Patch0002:      kubevirt-1.7.0-CVE-2025-47914.patch
 Patch3000:      0001-kubevirt-add-loong64.patch
 
 BuildRequires:  libvirt-devel glibc-static rsync sed
-- 
Gitee


From 90f5d5138d0dab64c417e53d97f907c733c04bbf Mon Sep 17 00:00:00 2001
From: pkgagent <pkgagent@tencent.com>
Date: Thu, 2 Apr 2026 11:58:02 +0800
Subject: [PATCH 3/3] fix CVE-2025-58181, CVE-2025-47914

---
 kubevirt.spec | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kubevirt.spec b/kubevirt.spec
index db08575..485bcf0 100644
--- a/kubevirt.spec
+++ b/kubevirt.spec
@@ -14,7 +14,7 @@
 Summary:        kubevirt - Container native virtualization
 Name:           kubevirt
 Version:        1.7.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD-3-Clause and ISC and Apache-2.0 and MIT
 URL:            https://github.com/kubevirt/kubevirt
 Source0:        %{url}/archive/refs/tags/v%{version}.tar.gz
@@ -65,6 +65,10 @@ install -p -m 0755 _out/cmd/virtctl/virtctl-%{kubevirt_version}-linux-%{hostarch
 %{_datadir}/%{name}/linux/
 
 %changelog
+* Thu Apr 02 2026 PkgAgent Robot <pkgagent@opencloudos.tech> - 1.7.0-2
+- [Type] security
+- [DESC] Fix CVE-2025-58181, CVE-2025-47914
+
 * Sun Jan  4 2026 clarehkli <clarehkli@tencent.com> - 1.7.0-1
 - [Type] security
 - [DESC] upgrade to 1.7.0 to fix CVE-2025-64324、CVE-2025-64432、
-- 
Gitee