[AutoPR- Security] Patch keda for CVE-2025-11065, CVE-2025-58190, CVE-2025-47911 [MEDIUM]

SPECS/keda/CVE-2025-11065.patch

@@ -0,0 +1,285 @@
+From 1f7531d5b811fc9c9d5acf9f6e6b30b77814a4f1 Mon Sep 17 00:00:00 2001
+From: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
+Date: Sat, 12 Jul 2025 07:25:50 +0200
+Subject: [PATCH] fix: error message leaks
+
+Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
+
+Upstream Patch reference: https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c.patch
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c.patch
+---
+ .../mitchellh/mapstructure/decode_hooks.go    |  12 +-
+ .../mitchellh/mapstructure/error.go           | 156 ++++++++++++++++++
+ .../mitchellh/mapstructure/mapstructure.go    |  10 +-
+ 3 files changed, 169 insertions(+), 9 deletions(-)
+
+diff --git a/vendor/github.com/mitchellh/mapstructure/decode_hooks.go b/vendor/github.com/mitchellh/mapstructure/decode_hooks.go
+index 3a754ca7..4dfab7d3 100644
+--- a/vendor/github.com/mitchellh/mapstructure/decode_hooks.go
++++ b/vendor/github.com/mitchellh/mapstructure/decode_hooks.go
+@@ -134,7 +134,9 @@ func StringToTimeDurationHookFunc() DecodeHookFunc {
+ 		}
+
+ 		// Convert it by parsing
+-		return time.ParseDuration(data.(string))
++		d, err := time.ParseDuration(data.(string))
++
++		return d, wrapTimeParseDurationError(err)
+ 	}
+ }
+
+@@ -155,7 +157,7 @@ func StringToIPHookFunc() DecodeHookFunc {
+ 		// Convert it by parsing
+ 		ip := net.ParseIP(data.(string))
+ 		if ip == nil {
+-			return net.IP{}, fmt.Errorf("failed parsing ip %v", data)
++			return net.IP{}, fmt.Errorf("failed parsing ip")
+ 		}
+
+ 		return ip, nil
+@@ -178,7 +180,7 @@ func StringToIPNetHookFunc() DecodeHookFunc {
+
+ 		// Convert it by parsing
+ 		_, net, err := net.ParseCIDR(data.(string))
+-		return net, err
++		return net, wrapNetParseError(err)
+ 	}
+ }
+
+@@ -197,7 +199,9 @@ func StringToTimeHookFunc(layout string) DecodeHookFunc {
+ 		}
+
+ 		// Convert it by parsing
+-		return time.Parse(layout, data.(string))
++		ti, err := time.Parse(layout, data.(string))
++
++		return ti, wrapTimeParseError(err)
+ 	}
+ }
+
+diff --git a/vendor/github.com/mitchellh/mapstructure/error.go b/vendor/github.com/mitchellh/mapstructure/error.go
+index 47a99e5a..8c3b0786 100644
+--- a/vendor/github.com/mitchellh/mapstructure/error.go
++++ b/vendor/github.com/mitchellh/mapstructure/error.go
+@@ -3,8 +3,12 @@ package mapstructure
+ import (
+ 	"errors"
+ 	"fmt"
++	"net"
++	"net/url"
+ 	"sort"
++	"strconv"
+ 	"strings"
++	"time"
+ )
+
+ // Error implements the error interface and can represents multiple
+@@ -48,3 +52,155 @@ func appendErrors(errors []string, err error) []string {
+ 		return append(errors, e.Error())
+ 	}
+ }
++
++func wrapStrconvNumError(err error) error {
++	if err == nil {
++		return nil
++	}
++
++	if err, ok := err.(*strconv.NumError); ok {
++		return &strconvNumError{Err: err}
++	}
++
++	return err
++}
++
++type strconvNumError struct {
++	Err *strconv.NumError
++}
++
++func (e *strconvNumError) Error() string {
++	return "strconv." + e.Err.Func + ": " + e.Err.Err.Error()
++}
++
++func (e *strconvNumError) Unwrap() error { return e.Err }
++
++func wrapUrlError(err error) error {
++	if err == nil {
++		return nil
++	}
++
++	if err, ok := err.(*url.Error); ok {
++		return &urlError{Err: err}
++	}
++
++	return err
++}
++
++type urlError struct {
++	Err *url.Error
++}
++
++func (e *urlError) Error() string {
++	return fmt.Sprintf("%s", e.Err.Err)
++}
++
++func (e *urlError) Unwrap() error { return e.Err }
++
++func wrapNetParseError(err error) error {
++	if err == nil {
++		return nil
++	}
++
++	if err, ok := err.(*net.ParseError); ok {
++		return &netParseError{Err: err}
++	}
++
++	return err
++}
++
++type netParseError struct {
++	Err *net.ParseError
++}
++
++func (e *netParseError) Error() string {
++	return "invalid " + e.Err.Type
++}
++
++func (e *netParseError) Unwrap() error { return e.Err }
++
++func wrapTimeParseError(err error) error {
++	if err == nil {
++		return nil
++	}
++
++	if err, ok := err.(*time.ParseError); ok {
++		return &timeParseError{Err: err}
++	}
++
++	return err
++}
++
++type timeParseError struct {
++	Err *time.ParseError
++}
++
++func (e *timeParseError) Error() string {
++	if e.Err.Message == "" {
++		return fmt.Sprintf("parsing time as %q: cannot parse as %q", e.Err.Layout, e.Err.LayoutElem)
++	}
++
++	return "parsing time " + e.Err.Message
++}
++
++func (e *timeParseError) Unwrap() error { return e.Err }
++
++func wrapNetIPParseAddrError(err error) error {
++	if err == nil {
++		return nil
++	}
++
++	if errMsg := err.Error(); strings.HasPrefix(errMsg, "ParseAddr") {
++		errPieces := strings.Split(errMsg, ": ")
++
++		return fmt.Errorf("ParseAddr: %s", errPieces[len(errPieces)-1])
++	}
++
++	return err
++}
++
++func wrapNetIPParseAddrPortError(err error) error {
++	if err == nil {
++		return nil
++	}
++
++	errMsg := err.Error()
++	if strings.HasPrefix(errMsg, "invalid port ") {
++		return errors.New("invalid port")
++	} else if strings.HasPrefix(errMsg, "invalid ip:port ") {
++		return errors.New("invalid ip:port")
++	}
++
++	return err
++}
++
++func wrapNetIPParsePrefixError(err error) error {
++	if err == nil {
++		return nil
++	}
++
++	if errMsg := err.Error(); strings.HasPrefix(errMsg, "netip.ParsePrefix") {
++		errPieces := strings.Split(errMsg, ": ")
++
++		return fmt.Errorf("netip.ParsePrefix: %s", errPieces[len(errPieces)-1])
++	}
++
++	return err
++}
++
++func wrapTimeParseDurationError(err error) error {
++	if err == nil {
++		return nil
++	}
++
++	errMsg := err.Error()
++	if strings.HasPrefix(errMsg, "time: unknown unit ") {
++		return errors.New("time: unknown unit")
++	} else if strings.HasPrefix(errMsg, "time: ") {
++		idx := strings.LastIndex(errMsg, " ")
++
++		return errors.New(errMsg[:idx])
++	}
++
++	return err
++}
+diff --git a/vendor/github.com/mitchellh/mapstructure/mapstructure.go b/vendor/github.com/mitchellh/mapstructure/mapstructure.go
+index 1efb22ac..f7717619 100644
+--- a/vendor/github.com/mitchellh/mapstructure/mapstructure.go
++++ b/vendor/github.com/mitchellh/mapstructure/mapstructure.go
+@@ -642,7 +642,7 @@ func (d *Decoder) decodeInt(name string, data interface{}, val reflect.Value) er
+ 		if err == nil {
+ 			val.SetInt(i)
+ 		} else {
+-			return fmt.Errorf("cannot parse '%s' as int: %s", name, err)
++			return fmt.Errorf("cannot parse '%s' as int: %s", name, wrapStrconvNumError(err))
+ 		}
+ 	case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
+ 		jn := data.(json.Number)
+@@ -699,14 +699,14 @@ func (d *Decoder) decodeUint(name string, data interface{}, val reflect.Value) e
+ 		if err == nil {
+ 			val.SetUint(i)
+ 		} else {
+-			return fmt.Errorf("cannot parse '%s' as uint: %s", name, err)
++			return fmt.Errorf("cannot parse '%s' as uint: %s", name, wrapStrconvNumError(err))
+ 		}
+ 	case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
+ 		jn := data.(json.Number)
+ 		i, err := strconv.ParseUint(string(jn), 0, 64)
+ 		if err != nil {
+ 			return fmt.Errorf(
+-				"error decoding json.Number into %s: %s", name, err)
++				"error decoding json.Number into %s: %s", name, wrapStrconvNumError(err))
+ 		}
+ 		val.SetUint(i)
+ 	default:
+@@ -738,7 +738,7 @@ func (d *Decoder) decodeBool(name string, data interface{}, val reflect.Value) e
+ 		} else if dataVal.String() == "" {
+ 			val.SetBool(false)
+ 		} else {
+-			return fmt.Errorf("cannot parse '%s' as bool: %s", name, err)
++			return fmt.Errorf("cannot parse '%s' as bool: %s", name, wrapStrconvNumError(err))
+ 		}
+ 	default:
+ 		return fmt.Errorf(
+@@ -777,7 +777,7 @@ func (d *Decoder) decodeFloat(name string, data interface{}, val reflect.Value)
+ 		if err == nil {
+ 			val.SetFloat(f)
+ 		} else {
+-			return fmt.Errorf("cannot parse '%s' as float: %s", name, err)
++			return fmt.Errorf("cannot parse '%s' as float: %s", name, wrapStrconvNumError(err))
+ 		}
+ 	case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
+ 		jn := data.(json.Number)
+-- 
+2.45.4
+

SPECS/keda/CVE-2025-47911.patch

@@ -0,0 +1,100 @@
+From f5ece1ed4d14f40acdda14acd48fe2a83f25b487 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 29 Sep 2025 16:33:18 -0700
+Subject: [PATCH] html: impose open element stack size limit
+
+The HTML specification contains a number of algorithms which are
+quadratic in complexity by design. Instead of adding complicated
+workarounds to prevent these cases from becoming extremely expensive in
+pathological cases, we impose a limit of 512 to the size of the stack of
+open elements. It is extremely unlikely that non-adversarial HTML
+documents will ever hit this limit (but if we see cases of this, we may
+want to make the limit configurable via a ParseOption).
+
+Thanks to Guido Vranken and Jakub Ciolek for both independently
+reporting this issue.
+
+Fixes CVE-2025-47911
+Fixes golang/go#75682
+
+Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
+Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d.patch
+---
+ vendor/golang.org/x/net/html/escape.go |  2 +-
+ vendor/golang.org/x/net/html/parse.go  | 21 +++++++++++++++++----
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go
+index 04c6bec2..12f22737 100644
+--- a/vendor/golang.org/x/net/html/escape.go
++++ b/vendor/golang.org/x/net/html/escape.go
+@@ -299,7 +299,7 @@ func escape(w writer, s string) error {
+ 		case '\r':
+ 			esc = "&#13;"
+ 		default:
+-			panic("unrecognized escape character")
++			panic("html: unrecognized escape character")
+ 		}
+ 		s = s[i+1:]
+ 		if _, err := w.WriteString(esc); err != nil {
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 979ef17e..4d12a1c1 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
+ 	}
+
+ 	if n.Type == ElementNode {
+-		p.oe = append(p.oe, n)
++		p.insertOpenElement(n)
++	}
++}
++
++func (p *parser) insertOpenElement(n *Node) {
++	p.oe = append(p.oe, n)
++	if len(p.oe) > 512 {
++		panic("html: open stack of elements exceeds 512 nodes")
+ 	}
+ }
+
+@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool {
+ 			p.im = inFramesetIM
+ 			return true
+ 		case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
+-			p.oe = append(p.oe, p.head)
++			p.insertOpenElement(p.head)
+ 			defer p.oe.remove(p.head)
+ 			return inHeadIM(p)
+ 		case a.Head:
+@@ -2320,9 +2327,13 @@ func (p *parser) parseCurrentToken() {
+ 	}
+ }
+
+-func (p *parser) parse() error {
++func (p *parser) parse() (err error) {
++	defer func() {
++		if panicErr := recover(); panicErr != nil {
++			err = fmt.Errorf("%s", panicErr)
++		}
++	}()
+ 	// Iterate until EOF. Any other error will cause an early return.
+-	var err error
+ 	for err != io.EOF {
+ 		// CDATA sections are allowed only in foreign content.
+ 		n := p.oe.top()
+@@ -2351,6 +2362,8 @@ func (p *parser) parse() error {
+ // <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped,
+ // with no corresponding node in the resulting tree.
+ //
++// Parse will reject HTML that is nested deeper than 512 elements.
++//
+ // The input is assumed to be UTF-8 encoded.
+ func Parse(r io.Reader) (*Node, error) {
+ 	return ParseWithOptions(r)
+-- 
+2.45.4
+