diff --git a/podman-5.6.1-CVE-2025-47914.patch b/podman-5.6.1-CVE-2025-47914.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c0bcf053485a78f68c2384185a50005e3f51b9f4
--- /dev/null
+++ b/podman-5.6.1-CVE-2025-47914.patch
@@ -0,0 +1,54 @@
+From f91f7a7c31bf90b39c1de895ad116a2bacc88748 Mon Sep 17 00:00:00 2001
+From: Neal Patel
+Date: Wed, 10 Sep 2025 14:27:42 -0400
+Subject: [PATCH] ssh/agent: prevent panic on malformed constraint
+
+An attacker could supply a malformed Constraint that
+would trigger a panic in a serving agent, effectively
+causing denial of service.
+
+Thank you to Jakub Ciolek for reporting this issue.
+
+Fixes CVE-2025-47914
+Fixes golang/go#76364
+
+Change-Id: I195bbc68b1560d4f04897722a6a653a7cbf086eb
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721960
+LUCI-TryBot-Result: Go LUCI
+Auto-Submit: Roland Shoemaker
+Reviewed-by: Damien Neil
+
+Adapted-by: PkgAgent (modified to adapt to opencloudos-stream)
+
+---
+ Makefile | 2 +-
+ vendor/golang.org/x/crypto/ssh/agent/server.go | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index beddc2a..fcbd124 100644
+--- a/Makefile
++++ b/Makefile
+@@ -974,7 +974,7 @@ PODMAN_GENERATED_UNIT_FILES = contrib/systemd/system/podman-auto-update.service
+ contrib/systemd/system/podman-clean-transient.service
+
+ %.service: %.service.in
+- sed -e 's;@@PODMAN@@;$(BINDIR)/podman;g' $< >$@.tmp.$$ \
++ sed -e 's;@@PODMAN@@;/usr/bin/podman;g' $< >$@.tmp.$$ \
+ && mv -f $@.tmp.$$ $@
+
+ install.systemd: $(PODMAN_GENERATED_UNIT_FILES)
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/server.go b/vendor/golang.org/x/crypto/ssh/agent/server.go
+index 88ce4da..4e8ff86 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/server.go
++++ b/vendor/golang.org/x/crypto/ssh/agent/server.go
+@@ -203,6 +203,9 @@ func parseConstraints(constraints []byte) (lifetimeSecs uint32, confirmBeforeUse
+ for len(constraints) != 0 {
+ switch constraints[0] {
+ case agentConstrainLifetime:
++ if len(constraints) < 5 {
++ return 0, false, nil, io.ErrUnexpectedEOF
++ }
+ lifetimeSecs = binary.BigEndian.Uint32(constraints[1:5])
+ constraints = constraints[5:]
+ case agentConstrainConfirm:
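Review bot: The Makefile hunk carried inside this patch (`sed -e 's;@@PODMAN@@;$(BINDIR)/podman;g'` → `/usr/bin/podman`) is not part of the upstream x/crypto change f91f7a7c that the header cites, and it does not belong in a patch named for CVE-2025-47914; it hardcodes `/usr/bin` where the spec's `%prep` already rewrites `$(BINDIR)` to `%{_bindir}`, and once `$(BINDIR)` is gone from the Makefile that `sed -i 's;@@PODMAN@@\;$(BINDIR);…' Makefile` line in the podman.spec hunk below becomes a silent no-op. Drop the Makefile hunk and its `Makefile | 2 +-` diffstat line so the patch carries only the `server.go` guard, or move the path change into the spec where it can be expressed with `%{_bindir}`. The `if len(constraints) < 5` check itself matches the fixed 5-byte lifetime constraint it guards; the other `case` arms of parseConstraints lie outside the hunk, so whether they need equivalent length checks cannot be confirmed from here.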
diff --git a/podman-5.6.1-CVE-2025-58181.patch b/podman-5.6.1-CVE-2025-58181.patch
new file mode 100644
index 0000000000000000000000000000000000000000..302979eed0a382181fcc6778f68f50a4e7419494
--- /dev/null
+++ b/podman-5.6.1-CVE-2025-58181.patch
@@ -0,0 +1,57 @@
+From e79546e28b85ea53dd37afe1c4102746ef553b9c Mon Sep 17 00:00:00 2001
+From: Neal Patel
+Date: Wed, 19 Nov 2025 13:35:12 -0500
+Subject: [PATCH] ssh: curb GSSAPI DoS risk by limiting number of specified
+ OIDs
+
+Previously, an attacker could specify an integer up to 0xFFFFFFFF
+that would directly allocate memory despite the observability of
+the rest of the payload. This change places a hard cap on the
+amount of mechanisms that can be specified and encoded in the
+payload. Additionally, it performs a small sanity check to deny
+payloads whose stated size is contradictory to the observed payload.
+
+Thank you to Jakub Ciolek for reporting this issue.
+
+Fixes CVE-2025-58181
+Fixes golang/go#76363
+
+Change-Id: I0307ab3e906a3f2ae763b5f9f0310f7073f84485
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721961
+Auto-Submit: Roland Shoemaker
+Reviewed-by: Damien Neil
+LUCI-TryBot-Result: Go LUCI
+
+Adapted-by: PkgAgent (modified to adapt to opencloudos-stream)
+
+---
+ vendor/golang.org/x/crypto/ssh/ssh_gss.go | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
+index 24bd7c8..a6249a1 100644
+--- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go
++++ b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
+@@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
+ if !ok {
+ return nil, errors.New("parse uint32 failed")
+ }
++ // Each ASN.1 encoded OID must have a minimum
++ // of 2 bytes; 64 maximum mechanisms is an
++ // arbitrary, but reasonable ceiling.
++ const maxMechs = 64
++ if n > maxMechs || int(n)*2 > len(rest) {
++ return nil, errors.New("invalid mechanism count")
++ }
+ s := &userAuthRequestGSSAPI{
+ N: n,
+ OIDS: make([]asn1.ObjectIdentifier, n),
+@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
+ if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil {
+ return nil, err
+ }
+-
+ }
+ return s, nil
+ }
+
diff --git a/podman.spec b/podman.spec
index 7612b2912faac0a8dbbb1fc032b681f2a6576a5a..7647819587d0a195ac3f89bd3818c8aa8fbd6424 100644
--- a/podman.spec
+++ b/podman.spec
@@ -17,13 +17,17 @@ Summary: Manage Pods, Containers and Container Images
 Name: podman
 Version: 5.6.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0
 URL: https://%{name}.io/
 Source0: https://%{import_path}/archive/refs/tags/v%{version}.tar.gz #/%{name}-%{version}.tar.gz
 Source1: %{git_plugins}/archive/%{commit_plugins}/%{repo_plugins}-%{commit_plugins}.tar.gz
 Source2: loongarch-patches.tar.gz
+# CVE-2025-58181: golang.org/x/crypto/ssh: parseGSSAPIPayload lacks bounds checks
+Patch0001: podman-5.6.1-CVE-2025-58181.patch
+Patch0002: podman-5.6.1-CVE-2025-47914.patch
+
 BuildRequires: gcc make autoconf automake pkgconfig libtool
 BuildRequires: glib2-devel glibc-devel glibc-static git-core
 BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel
@@ -112,7 +116,7 @@ It is a symlink to %{_bindir}/%{name} and execs into the `%{name}sh` container
 when `%{_bindir}/%{name}sh` is set as a login shell or set as os.Args[0].
 %prep
-%autosetup -Sgit -n %{name}-%{version}
+%autosetup -Sgit -p1 -n %{name}-%{version}
 sed -i 's;@@PODMAN@@\;$(BINDIR);@@PODMAN@@\;%{_bindir};' Makefile
 tar zxf %{SOURCE1}
 tar zxf %{SOURCE2}
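Review bot: The fix lands only in the vendored copy of `ssh_gss.go` (the diffstat lists that single file), so the `golang.org/x/crypto` version recorded in `go.mod` and `vendor/modules.txt` presumably stays at the vulnerable release; version-based vulnerability scanners will keep reporting CVE-2025-58181 (and CVE-2025-47914 from the sibling patch) against this build, and nothing in the patch header or the spec records that the fixes are carried as source patches against the vendored tree. Add a line to the patch header such as `Backport note: applied to the vendored copy; go.mod/vendor/modules.txt version is unchanged` so the discrepancy is explained where auditors look. The guard `if n > maxMechs || int(n)*2 > len(rest)` is sound as written, since `n > maxMechs` short-circuits before `int(n)*2` could overflow on 32-bit targets. The per-OID read loop between the two hunks is outside the patch.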
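Review bot: The comment above the patch list documents only CVE-2025-58181, while `Patch0002: podman-5.6.1-CVE-2025-47914.patch` is added with no description of what it fixes; add a matching line such as `# CVE-2025-47914: golang.org/x/crypto/ssh/agent: parseConstraints panics on a malformed lifetime constraint` so the spec records both backports. The added `-p1` on `%autosetup` is needed because both patch files use `a/`/`b/` path prefixes, and it is worth a brief comment since the line previously applied no patches at all.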
@@ -269,6 +273,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_bindir}/%{name}sh
 %changelog
+* Thu Apr 02 2026 PkgAgent Robot - 5.6.1-6
+- [Type] security
+- [DESC] Fix CVE-2025-58181, CVE-2025-47914
+
 * Tue Feb 3 2026 clarehkli - 5.6.1-5
 - [Type] security
 - [DESC] rebuilt with golang 1.24.11-1 to fix CVE-2025-58183、CVE-2025-58189、