diff --git a/SPECS/reaper/CVE-2025-12816.patch b/SPECS/reaper/CVE-2025-12816.patch
new file mode 100644
index 00000000000..5c2e962193c
--- /dev/null
+++ b/SPECS/reaper/CVE-2025-12816.patch
@@ -0,0 +1,122 @@
+From a05dd812ec2de46ece35a11ab4b46c9d283d1505 Mon Sep 17 00:00:00 2001
+From: Vijay Sarvepalli
+Date: Thu, 6 Nov 2025 22:05:19 -0500
+Subject: [PATCH] Fix for vulnerbaility CVE-2025-12816
+
+Upstream Patch Reference: https://app.codecov.io/gh/digitalbazaar/forge/commit/a5ce91d03df4dcfc025b74a5b7f50389942d49c9?dropdown=coverage&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=digitalbazaar
+PR link: https://github.com/digitalbazaar/forge/pull/1124
+---
+ src/ui/node_modules/node-forge/lib/asn1.js | 72 ++++++++++++++++----
+ src/ui/node_modules/node-forge/lib/pkcs12.js | 3 +
+ 2 files changed, 61 insertions(+), 14 deletions(-)
+
+diff --git a/src/ui/node_modules/node-forge/lib/asn1.js b/src/ui/node_modules/node-forge/lib/asn1.js
+index e0fea0e0..53c77050 100644
+--- a/src/ui/node_modules/node-forge/lib/asn1.js
++++ b/src/ui/node_modules/node-forge/lib/asn1.js
+@@ -1148,22 +1148,65 @@ asn1.validate = function(obj, v, capture, errors) {
+ if(v.value && forge.util.isArray(v.value)) {
+ var j = 0;
+ for(var i = 0; rval && i < v.value.length; ++i) {
+- rval = v.value[i].optional || false;
+- if(obj.value[j]) {
+- rval = asn1.validate(obj.value[j], v.value[i], capture, errors);
+- if(rval) {
+- ++j;
+- } else if(v.value[i].optional) {
++ var schemaItem = v.value[i];
++ rval = !!schemaItem.optional;
++
++ // current child in the object
++ var objChild = obj.value[j];
++
++ // if there is no child left to match
++ if(!objChild) {
++ // if optional, ok (rval already true), else fail below
++ if(!schemaItem.optional) {
++ rval = false;
++ if(errors) {
++ errors.push('[' + v.name + '] ' +
++ 'Missing required element. Expected tag class "' +
++ schemaItem.tagClass + '", type "' + schemaItem.type + '"');
++ }
++ }
++ continue;
++ }
++
++ // If schema explicitly specifies tagClass/type, do a quick structural check
++ // to avoid unnecessary recursion/side-effects when tags clearly don't match.
++ var schemaHasTag = (typeof schemaItem.tagClass !== 'undefined' &&
++ typeof schemaItem.type !== 'undefined');
++
++ if(schemaHasTag &&
++ (objChild.tagClass !== schemaItem.tagClass || objChild.type !== schemaItem.type)) {
++ // Tags do not match.
++ if(schemaItem.optional) {
++ // Skip this schema element (don't consume objChild; don't call recursive validate).
+ rval = true;
++ continue;
++ } else {
++ // Required schema item mismatched - fail.
++ rval = false;
++ if(errors) {
++ errors.push('[' + v.name + '] ' +
++ 'Tag mismatch. Expected (' +
++ schemaItem.tagClass + ',' + schemaItem.type + '), got (' +
++ objChild.tagClass + ',' + objChild.type + ')');
++ }
++ break;
+ }
+ }
+- if(!rval && errors) {
+- errors.push(
+- '[' + v.name + '] ' +
+- 'Tag class "' + v.tagClass + '", type "' +
+- v.type + '" expected value length "' +
+- v.value.length + '", got "' +
+- obj.value.length + '"');
++
++ // Tags are compatible (or schema did not declare tags) - dive into recursive validate.
++ var childRval = asn1.validate(objChild, schemaItem, capture, errors);
++ if(childRval) {
++ // consume this child
++ ++j;
++ rval = true;
++ } else if(schemaItem.optional) {
++ // validation failed but element is optional => skip schema item (don't consume child)
++ rval = true;
++ } else {
++ // required item failed
++ rval = false;
++ // errors should already be populated by recursive call; keep failing
++ break;
+ }
+ }
+ }
+@@ -1209,7 +1252,8 @@ asn1.validate = function(obj, v, capture, errors) {
+ if(obj.type !== v.type) {
+ errors.push(
+ '[' + v.name + '] ' +
+- 'Expected type "' + v.type + '", got "' + obj.type + '"');
++ 'Expected type "' + v.type + '", got "' +
++ obj.type + '"');
+ }
+ }
+ return rval;
+diff --git a/src/ui/node_modules/node-forge/lib/pkcs12.js b/src/ui/node_modules/node-forge/lib/pkcs12.js
+index cd06c494..dee8b36a 100644
+--- a/src/ui/node_modules/node-forge/lib/pkcs12.js
++++ b/src/ui/node_modules/node-forge/lib/pkcs12.js
+@@ -474,6 +474,9 @@ p12.pkcs12FromAsn1 = function(obj, strict, password) {
+ if(macValue.getBytes() !== capture.macDigest) {
+ throw new Error('PKCS#12 MAC could not be verified. Invalid password?');
+ }
++ } else if(Array.isArray(obj.value) && obj.value.length > 2) {
++ /* This is pfx data that should have mac and verify macDigest */
++ throw new Error('Invalid PKCS#12. macData field present but MAC was not validated.');
+ }
+
+ _decodeAuthenticatedSafe(pfx, data.value, strict, password);
+--
+2.43.0
+
diff --git a/SPECS/reaper/CVE-2025-66030.patch b/SPECS/reaper/CVE-2025-66030.patch
new file mode 100644
index 00000000000..98eed67ceea
--- /dev/null
+++ b/SPECS/reaper/CVE-2025-66030.patch
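Review bot: In the rewritten `asn1.validate` loop, the `else if(schemaItem.optional)` branch skips a schema item only after the recursive call has already run against the shared `capture` and `errors` objects, so whatever that call wrote before failing is kept even though the element is then treated as absent. The patch's own comment says the tag pre-check exists to avoid side effects, but that covers only a tag mismatch; an optional element whose tags match and whose nested content fails can presumably still leave nested captures behind (the capture-writing code is outside this hunk, so this should be confirmed against the full function). Since `pkcs12FromAsn1` reads captured keys such as `capture.macDigest`, I would at least document it above the recursive call: `// NOTE: a failed optional match may leave nested entries in capture; callers must not read a captured key as proof that its enclosing element validated`. Separately, the `From` hash `a05dd812…` does not match the commit `a5ce91d0…` named in the codecov-hosted, utm-tagged "Upstream Patch Reference", unlike the other two patches, so a plain link to the upstream commit would make this backport easier to verify.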
@@ -0,0 +1,47 @@
+From 3e0c35ace169cfca529a3e547a7848dc7bf57fdb Mon Sep 17 00:00:00 2001
+From: "David I. Lehn"
+Date: Mon, 24 Nov 2025 23:16:22 -0500
+Subject: [PATCH] Fix "ASN.1 OID Integer Truncation" advisory.
+
+- [asn1] Improve OID handling.
+ - Error on parsed OID values larger than `2**32 - 1`.
+ - Error on DER OID values larger than `2**53 - 1 `.
+
+Upstream Patch Reference: https://github.com/digitalbazaar/forge/commit/3e0c35ace169cfca529a3e547a7848dc7bf57fdb.patch
+---
+ src/ui/node_modules/node-forge/lib/asn1.js | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/ui/node_modules/node-forge/lib/asn1.js b/src/ui/node_modules/node-forge/lib/asn1.js
+index f424f84b..f90c831b 100644
+--- a/src/ui/node_modules/node-forge/lib/asn1.js
++++ b/src/ui/node_modules/node-forge/lib/asn1.js
+@@ -770,6 +770,10 @@ asn1.oidToDer = function(oid) {
+ last = true;
+ valueBytes = [];
+ value = parseInt(values[i], 10);
++ // TODO: Change bitwise logic to allow larger values.
++ if(value > 0xffffffff) {
++ throw new Error('OID value too large; max is 32-bits.');
++ }
+ do {
+ b = value & 0x7F;
+ value = value >>> 7;
+@@ -815,8 +819,13 @@ asn1.derToOid = function(bytes) {
+ // the last byte for each value
+ var value = 0;
+ while(bytes.length() > 0) {
++ // error if 7b shift would exceed Number.MAX_SAFE_INTEGER
++ // (Number.MAX_SAFE_INTEGER / 128)
++ if(value > 0x3fffffffffff) {
++ throw new Error('OID value too large; max is 53-bits.');
++ }
+ b = bytes.getByte();
+- value = value << 7;
++ value = value * 128;
+ // not the last byte for the value
+ if(b & 0x80) {
+ value += b & 0x7F;
+--
+2.43.0
+
diff --git a/SPECS/reaper/CVE-2025-66031.patch b/SPECS/reaper/CVE-2025-66031.patch
new file mode 100644
index 00000000000..28ec1ada744
--- /dev/null
+++ b/SPECS/reaper/CVE-2025-66031.patch
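Review bot: The new guard in `asn1.oidToDer`, `if(value > 0xffffffff)`, does not reject a non-numeric or negative arc: `parseInt` returns `NaN` for a component with no leading digits, `NaN > 0xffffffff` is false, and the `value & 0x7F` / `value >>> 7` lines that follow coerce `NaN` to 0, so a malformed component is encoded as 0 instead of raising an error. Writing the check as `if(!(value >= 0 && value <= 0xffffffff)) {` would make it fail closed for `NaN` and negative input as well, though the error text would then need to be more general. The hunk also covers only the arcs handled inside this loop; whether the first two arcs are range-checked is decided outside the visible lines. Both `oidToDer` and `derToOid` start and end outside their hunks.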
@@ -0,0 +1,52 @@
+From 260425c6167a38aae038697132483b5517b26451 Mon Sep 17 00:00:00 2001
+From: wodzen
+Date: Sat, 22 Nov 2025 10:35:50 -0800
+Subject: [PATCH] Add ASN.1 recursion depth limit
+
+Upstream Patch Reference: https://github.com/digitalbazaar/forge/commit/260425c6167a38aae038697132483b5517b26451.patch
+---
+ src/ui/node_modules/node-forge/lib/asn1.js | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/ui/node_modules/node-forge/lib/asn1.js b/src/ui/node_modules/node-forge/lib/asn1.js
+index 97d1a8a1..c766f7e6 100644
+--- a/src/ui/node_modules/node-forge/lib/asn1.js
++++ b/src/ui/node_modules/node-forge/lib/asn1.js
+@@ -178,6 +178,11 @@ asn1.Type = {
+ BMPSTRING: 30
+ };
+
++/**
++ * Sets the default maximum recursion depth when parsing ASN.1 structures.
++ */
++asn1.maxDepth = 256;
++
+ /**
+ * Creates a new asn1 object.
+ *
+@@ -439,6 +444,9 @@ asn1.fromDer = function(bytes, options) {
+ if(!('decodeBitStrings' in options)) {
+ options.decodeBitStrings = true;
+ }
++ if(!('maxDepth' in options)) {
++ options.maxDepth = asn1.maxDepth;
++ }
+
+ // wrap in buffer if needed
+ if(typeof bytes === 'string') {
+@@ -459,6 +467,12 @@ asn1.fromDer = function(bytes, options) {
+ * @return the parsed asn1 object.
+ */
+ function _fromDer(bytes, remaining, depth, options) {
++
++ // check depth limit
++ if(depth >= options.maxDepth) {
++ throw new Error('ASN.1 parsing error: Max depth exceeded.');
++ }
++
+ // temporary storage for consumption calculations
+ var start;
+
+--
+2.43.0
+
diff --git a/SPECS/reaper/reaper.spec b/SPECS/reaper/reaper.spec
index 13a64b45169..14546cd4161 100755
--- a/SPECS/reaper/reaper.spec
+++ b/SPECS/reaper/reaper.spec
@@ -6,7 +6,7 @@
 Summary: Reaper for cassandra is a tool for running Apache Cassandra repairs against single or multi-site clusters.
 Name: reaper
 Version: 3.1.1
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
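Review bot: The depth guard in `_fromDer` trusts `options.maxDepth` as given, and the default in `asn1.fromDer` is applied only when the key is absent (`'maxDepth' in options`), so a caller passing `{maxDepth: undefined}` or `NaN` makes `depth >= options.maxDepth` false at every level and silently turns the limit off. Defaulting on the value rather than the key, e.g. `if(!(options.maxDepth >= 0)) { options.maxDepth = asn1.maxDepth; }`, keeps the bound in place for those inputs. The new option is also not described in any doc comment visible in these hunks; a line such as `[maxDepth] override asn1.maxDepth recursion limit.` in the `fromDer` options documentation would help, if it is not already there outside the hunk. `fromDer` and `_fromDer` both continue beyond the visible lines.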
@@ -53,6 +53,9 @@ Patch17: CVE-2024-6484.patch Patch18: CVE-2025-48387.patch Patch19: CVE-2018-19827.patch Patch20: CVE-2018-19797.patch +Patch21: CVE-2025-12816.patch +Patch22: CVE-2025-66031.patch +Patch23: CVE-2025-66030.patch BuildRequires: git BuildRequires: javapackages-tools @@ -201,6 +204,9 @@ fi %{_unitdir}/cassandra-%{name}.service %changelog +* Tue Dec 02 2025 Akhila Guruju - 3.1.1-21 +- Patch CVE-2025-12816, CVE-2025-66031 and CVE-2025-66030 + * Fri Nov 28 2025 Akhila Guruju - 3.1.1-20 - Patch CVE-2018-19827 and CVE-2018-19797