diff --git a/SPECS/keda/CVE-2025-11065.patch b/SPECS/keda/CVE-2025-11065.patch new file mode 100644 index 00000000000..9097ed9e219 --- /dev/null +++ b/SPECS/keda/CVE-2025-11065.patch @@ -0,0 +1,285 @@ +From 1f7531d5b811fc9c9d5acf9f6e6b30b77814a4f1 Mon Sep 17 00:00:00 2001 +From: Mark Sagi-Kazar +Date: Sat, 12 Jul 2025 07:25:50 +0200 +Subject: [PATCH] fix: error message leaks + +Signed-off-by: Mark Sagi-Kazar + +Upstream Patch reference: https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c.patch + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c.patch +--- + .../mitchellh/mapstructure/decode_hooks.go | 12 +- + .../mitchellh/mapstructure/error.go | 156 ++++++++++++++++++ + .../mitchellh/mapstructure/mapstructure.go | 10 +- + 3 files changed, 169 insertions(+), 9 deletions(-) + +diff --git a/vendor/github.com/mitchellh/mapstructure/decode_hooks.go b/vendor/github.com/mitchellh/mapstructure/decode_hooks.go +index 3a754ca7..4dfab7d3 100644 +--- a/vendor/github.com/mitchellh/mapstructure/decode_hooks.go ++++ b/vendor/github.com/mitchellh/mapstructure/decode_hooks.go +@@ -134,7 +134,9 @@ func StringToTimeDurationHookFunc() DecodeHookFunc { + } + + // Convert it by parsing +- return time.ParseDuration(data.(string)) ++ d, err := time.ParseDuration(data.(string)) ++ ++ return d, wrapTimeParseDurationError(err) + } + } + +@@ -155,7 +157,7 @@ func StringToIPHookFunc() DecodeHookFunc { + // Convert it by parsing + ip := net.ParseIP(data.(string)) + if ip == nil { +- return net.IP{}, fmt.Errorf("failed parsing ip %v", data) ++ return net.IP{}, fmt.Errorf("failed parsing ip") + } + + return ip, nil +@@ -178,7 +180,7 @@ func StringToIPNetHookFunc() DecodeHookFunc { + + // Convert it by parsing + _, net, err := net.ParseCIDR(data.(string)) +- return net, err ++ return net, wrapNetParseError(err) + } + } + +@@ -197,7 +199,9 @@ func StringToTimeHookFunc(layout string) DecodeHookFunc { + } + + // Convert it by parsing +- return time.Parse(layout, data.(string)) ++ ti, err := time.Parse(layout, data.(string)) ++ ++ return ti, wrapTimeParseError(err) + } + } + +diff --git a/vendor/github.com/mitchellh/mapstructure/error.go b/vendor/github.com/mitchellh/mapstructure/error.go +index 47a99e5a..8c3b0786 100644 +--- a/vendor/github.com/mitchellh/mapstructure/error.go ++++ b/vendor/github.com/mitchellh/mapstructure/error.go +@@ -3,8 +3,12 @@ package mapstructure + import ( + "errors" + "fmt" ++ "net" ++ "net/url" + "sort" ++ "strconv" + "strings" ++ "time" + ) + + // Error implements the error interface and can represents multiple +@@ -48,3 +52,155 @@ func appendErrors(errors []string, err error) []string { + return append(errors, e.Error()) + } + } ++ ++func wrapStrconvNumError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if err, ok := err.(*strconv.NumError); ok { ++ return &strconvNumError{Err: err} ++ } ++ ++ return err ++} ++ ++type strconvNumError struct { ++ Err *strconv.NumError ++} ++ ++func (e *strconvNumError) Error() string { ++ return "strconv." + e.Err.Func + ": " + e.Err.Err.Error() ++} ++ ++func (e *strconvNumError) Unwrap() error { return e.Err } ++ ++func wrapUrlError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if err, ok := err.(*url.Error); ok { ++ return &urlError{Err: err} ++ } ++ ++ return err ++} ++ ++type urlError struct { ++ Err *url.Error ++} ++ ++func (e *urlError) Error() string { ++ return fmt.Sprintf("%s", e.Err.Err) ++} ++ ++func (e *urlError) Unwrap() error { return e.Err } ++ ++func wrapNetParseError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if err, ok := err.(*net.ParseError); ok { ++ return &netParseError{Err: err} ++ } ++ ++ return err ++} ++ ++type netParseError struct { ++ Err *net.ParseError ++} ++ ++func (e *netParseError) Error() string { ++ return "invalid " + e.Err.Type ++} ++ ++func (e *netParseError) Unwrap() error { return e.Err } ++ ++func wrapTimeParseError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if err, ok := err.(*time.ParseError); ok { ++ return &timeParseError{Err: err} ++ } ++ ++ return err ++} ++ ++type timeParseError struct { ++ Err *time.ParseError ++} ++ ++func (e *timeParseError) Error() string { ++ if e.Err.Message == "" { ++ return fmt.Sprintf("parsing time as %q: cannot parse as %q", e.Err.Layout, e.Err.LayoutElem) ++ } ++ ++ return "parsing time " + e.Err.Message ++} ++ ++func (e *timeParseError) Unwrap() error { return e.Err } ++ ++func wrapNetIPParseAddrError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if errMsg := err.Error(); strings.HasPrefix(errMsg, "ParseAddr") { ++ errPieces := strings.Split(errMsg, ": ") ++ ++ return fmt.Errorf("ParseAddr: %s", errPieces[len(errPieces)-1]) ++ } ++ ++ return err ++} ++ ++func wrapNetIPParseAddrPortError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ errMsg := err.Error() ++ if strings.HasPrefix(errMsg, "invalid port ") { ++ return errors.New("invalid port") ++ } else if strings.HasPrefix(errMsg, "invalid ip:port ") { ++ return errors.New("invalid ip:port") ++ } ++ ++ return err ++} ++ ++func wrapNetIPParsePrefixError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if errMsg := err.Error(); strings.HasPrefix(errMsg, "netip.ParsePrefix") { ++ errPieces := strings.Split(errMsg, ": ") ++ ++ return fmt.Errorf("netip.ParsePrefix: %s", errPieces[len(errPieces)-1]) ++ } ++ ++ return err ++} ++ ++func wrapTimeParseDurationError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ errMsg := err.Error() ++ if strings.HasPrefix(errMsg, "time: unknown unit ") { ++ return errors.New("time: unknown unit") ++ } else if strings.HasPrefix(errMsg, "time: ") { ++ idx := strings.LastIndex(errMsg, " ") ++ ++ return errors.New(errMsg[:idx]) ++ } ++ ++ return err ++} +diff --git a/vendor/github.com/mitchellh/mapstructure/mapstructure.go b/vendor/github.com/mitchellh/mapstructure/mapstructure.go +index 1efb22ac..f7717619 100644 +--- a/vendor/github.com/mitchellh/mapstructure/mapstructure.go ++++ b/vendor/github.com/mitchellh/mapstructure/mapstructure.go +@@ -642,7 +642,7 @@ func (d *Decoder) decodeInt(name string, data interface{}, val reflect.Value) er + if err == nil { + val.SetInt(i) + } else { +- return fmt.Errorf("cannot parse '%s' as int: %s", name, err) ++ return fmt.Errorf("cannot parse '%s' as int: %s", name, wrapStrconvNumError(err)) + } + case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number": + jn := data.(json.Number) +@@ -699,14 +699,14 @@ func (d *Decoder) decodeUint(name string, data interface{}, val reflect.Value) e + if err == nil { + val.SetUint(i) + } else { +- return fmt.Errorf("cannot parse '%s' as uint: %s", name, err) ++ return fmt.Errorf("cannot parse '%s' as uint: %s", name, wrapStrconvNumError(err)) + } + case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number": + jn := data.(json.Number) + i, err := strconv.ParseUint(string(jn), 0, 64) + if err != nil { + return fmt.Errorf( +- "error decoding json.Number into %s: %s", name, err) ++ "error decoding json.Number into %s: %s", name, wrapStrconvNumError(err)) + } + val.SetUint(i) + default: +@@ -738,7 +738,7 @@ func (d *Decoder) decodeBool(name string, data interface{}, val reflect.Value) e + } else if dataVal.String() == "" { + val.SetBool(false) + } else { +- return fmt.Errorf("cannot parse '%s' as bool: %s", name, err) ++ return fmt.Errorf("cannot parse '%s' as bool: %s", name, wrapStrconvNumError(err)) + } + default: + return fmt.Errorf( +@@ -777,7 +777,7 @@ func (d *Decoder) decodeFloat(name string, data interface{}, val reflect.Value) + if err == nil { + val.SetFloat(f) + } else { +- return fmt.Errorf("cannot parse '%s' as float: %s", name, err) ++ return fmt.Errorf("cannot parse '%s' as float: %s", name, wrapStrconvNumError(err)) + } + case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number": + jn := data.(json.Number) +-- +2.45.4 + diff --git a/SPECS/keda/CVE-2025-47911.patch b/SPECS/keda/CVE-2025-47911.patch new file mode 100644 index 00000000000..c2918aa982e --- /dev/null +++ b/SPECS/keda/CVE-2025-47911.patch @@ -0,0 +1,100 @@ +From f5ece1ed4d14f40acdda14acd48fe2a83f25b487 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Mon, 29 Sep 2025 16:33:18 -0700 +Subject: [PATCH] html: impose open element stack size limit + +The HTML specification contains a number of algorithms which are +quadratic in complexity by design. Instead of adding complicated +workarounds to prevent these cases from becoming extremely expensive in +pathological cases, we impose a limit of 512 to the size of the stack of +open elements. It is extremely unlikely that non-adversarial HTML +documents will ever hit this limit (but if we see cases of this, we may +want to make the limit configurable via a ParseOption). + +Thanks to Guido Vranken and Jakub Ciolek for both independently +reporting this issue. + +Fixes CVE-2025-47911 +Fixes golang/go#75682 + +Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad +Reviewed-on: https://go-review.googlesource.com/c/net/+/709876 +Reviewed-by: Damien Neil +LUCI-TryBot-Result: Go LUCI +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d.patch +--- + vendor/golang.org/x/net/html/escape.go | 2 +- + vendor/golang.org/x/net/html/parse.go | 21 +++++++++++++++++---- + 2 files changed, 18 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go +index 04c6bec2..12f22737 100644 +--- a/vendor/golang.org/x/net/html/escape.go ++++ b/vendor/golang.org/x/net/html/escape.go +@@ -299,7 +299,7 @@ func escape(w writer, s string) error { + case '\r': + esc = " " + default: +- panic("unrecognized escape character") ++ panic("html: unrecognized escape character") + } + s = s[i+1:] + if _, err := w.WriteString(esc); err != nil { +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 979ef17e..4d12a1c1 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) { + } + + if n.Type == ElementNode { +- p.oe = append(p.oe, n) ++ p.insertOpenElement(n) ++ } ++} ++ ++func (p *parser) insertOpenElement(n *Node) { ++ p.oe = append(p.oe, n) ++ if len(p.oe) > 512 { ++ panic("html: open stack of elements exceeds 512 nodes") + } + } + +@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool { + p.im = inFramesetIM + return true + case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title: +- p.oe = append(p.oe, p.head) ++ p.insertOpenElement(p.head) + defer p.oe.remove(p.head) + return inHeadIM(p) + case a.Head: +@@ -2320,9 +2327,13 @@ func (p *parser) parseCurrentToken() { + } + } + +-func (p *parser) parse() error { ++func (p *parser) parse() (err error) { ++ defer func() { ++ if panicErr := recover(); panicErr != nil { ++ err = fmt.Errorf("%s", panicErr) ++ } ++ }() + // Iterate until EOF. Any other error will cause an early return. +- var err error + for err != io.EOF { + // CDATA sections are allowed only in foreign content. + n := p.oe.top() +@@ -2351,6 +2362,8 @@ func (p *parser) parse() error { + // s. Conversely, explicit s in r's data can be silently dropped, + // with no corresponding node in the resulting tree. + // ++// Parse will reject HTML that is nested deeper than 512 elements. ++// + // The input is assumed to be UTF-8 encoded. + func Parse(r io.Reader) (*Node, error) { + return ParseWithOptions(r) +-- +2.45.4 + diff --git a/SPECS/keda/CVE-2025-58190.patch b/SPECS/keda/CVE-2025-58190.patch new file mode 100644 index 00000000000..914ff8e1b1f --- /dev/null +++ b/SPECS/keda/CVE-2025-58190.patch @@ -0,0 +1,126 @@ +From 85cfdf6c6d7c2894727ad2258e58f001501d7978 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Mon, 29 Sep 2025 19:38:24 -0700 +Subject: [PATCH] html: align in row insertion mode with spec + +Update inRowIM to match the HTML specification. This fixes an issue +where a specific HTML document could cause the parser to enter an +infinite loop when trying to parse a and implied next to +each other. + +Fixes CVE-2025-58190 +Fixes golang/go#70179 + +Change-Id: Idcb133c87c7d475cc8c7eb1f1550ea21d8bdddea +Reviewed-on: https://go-review.googlesource.com/c/net/+/709875 +LUCI-TryBot-Result: Go LUCI +Reviewed-by: Damien Neil +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/golang/net/commit/6ec8895aa5f6594da7356da7d341b98133629009.patch +--- + vendor/golang.org/x/net/html/parse.go | 36 ++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 12 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 5b8374bf..979ef17e 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -136,7 +136,7 @@ func (p *parser) indexOfElementInScope(s scope, matchTags ...a.Atom) int { + return -1 + } + default: +- panic("unreachable") ++ panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s)) + } + } + switch s { +@@ -179,7 +179,7 @@ func (p *parser) clearStackToContext(s scope) { + return + } + default: +- panic("unreachable") ++ panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s)) + } + } + } +@@ -1674,7 +1674,7 @@ func inTableBodyIM(p *parser) bool { + return inTableIM(p) + } + +-// Section 12.2.6.4.14. ++// Section 13.2.6.4.14. + func inRowIM(p *parser) bool { + switch p.tok.Type { + case StartTagToken: +@@ -1686,7 +1686,9 @@ func inRowIM(p *parser) bool { + p.im = inCellIM + return true + case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr: +- if p.popUntil(tableScope, a.Tr) { ++ if p.elementInScope(tableScope, a.Tr) { ++ p.clearStackToContext(tableRowScope) ++ p.oe.pop() + p.im = inTableBodyIM + return false + } +@@ -1696,22 +1698,28 @@ func inRowIM(p *parser) bool { + case EndTagToken: + switch p.tok.DataAtom { + case a.Tr: +- if p.popUntil(tableScope, a.Tr) { ++ if p.elementInScope(tableScope, a.Tr) { ++ p.clearStackToContext(tableRowScope) ++ p.oe.pop() + p.im = inTableBodyIM + return true + } + // Ignore the token. + return true + case a.Table: +- if p.popUntil(tableScope, a.Tr) { ++ if p.elementInScope(tableScope, a.Tr) { ++ p.clearStackToContext(tableRowScope) ++ p.oe.pop() + p.im = inTableBodyIM + return false + } + // Ignore the token. + return true + case a.Tbody, a.Tfoot, a.Thead: +- if p.elementInScope(tableScope, p.tok.DataAtom) { +- p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String()) ++ if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) { ++ p.clearStackToContext(tableRowScope) ++ p.oe.pop() ++ p.im = inTableBodyIM + return false + } + // Ignore the token. +@@ -2218,16 +2226,20 @@ func parseForeignContent(p *parser) bool { + p.acknowledgeSelfClosingTag() + } + case EndTagToken: ++ if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) { ++ p.oe = p.oe[:len(p.oe)-1] ++ return true ++ } + for i := len(p.oe) - 1; i >= 0; i-- { +- if p.oe[i].Namespace == "" { +- return p.im(p) +- } + if strings.EqualFold(p.oe[i].Data, p.tok.Data) { + p.oe = p.oe[:i] ++ return true ++ } ++ if i > 0 && p.oe[i-1].Namespace == "" { + break + } + } +- return true ++ return p.im(p) + default: + // Ignore the token. + } +-- +2.45.4 + diff --git a/SPECS/keda/keda.spec b/SPECS/keda/keda.spec index b4bc280b5df..0a99541b37f 100644 --- a/SPECS/keda/keda.spec +++ b/SPECS/keda/keda.spec @@ -1,7 +1,7 @@ Summary: Kubernetes-based Event Driven Autoscaling Name: keda Version: 2.14.1 -Release: 9%{?dist} +Release: 10%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -34,6 +34,9 @@ Patch8: CVE-2024-51744.patch Patch9: CVE-2025-22872.patch Patch10: CVE-2025-68156.patch Patch11: CVE-2025-68476.patch +Patch12: CVE-2025-11065.patch +Patch13: CVE-2025-47911.patch +Patch14: CVE-2025-58190.patch BuildRequires: golang >= 1.15 %description @@ -69,6 +72,10 @@ cp ./bin/keda-admission-webhooks %{buildroot}%{_bindir} %{_bindir}/%{name}-admission-webhooks %changelog +* Tue Feb 10 2026 Azure Linux Security Servicing Account - 2.14.1-10 +- Patch for CVE-2025-11065 +- Patch for CVE-2025-58190, CVE-2025-47911 + * Fri Jan 02 2026 Azure Linux Security Servicing Account - 2.14.1-9 - Patch for CVE-2025-68476