Skip to content

[AutoPR- Security] Patch rook for CVE-2025-11065 [MEDIUM] #15632

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
azurelinux-security wants to merge 1 commit into from
Closed

[AutoPR- Security] Patch rook for CVE-2025-11065 [MEDIUM] #15632

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
263 changes: 263 additions & 0 deletions SPECS/rook/CVE-2025-11065.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,263 @@
From fa0f73bd6bb3e82c6c3d2a8a37f1669ab0dd6f0b Mon Sep 17 00:00:00 2001
From: AllSpark <allspark@microsoft.com>
Date: Fri, 30 Jan 2026 09:40:50 +0000
Subject: [PATCH] fix: error message leaks

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: AI Backport of https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c.patch
---
.../mitchellh/mapstructure/decode_hooks.go | 34 ++++-
.../mitchellh/mapstructure/errors_helpers.go | 124 ++++++++++++++++++
.../mitchellh/mapstructure/mapstructure.go | 8 +-
3 files changed, 158 insertions(+), 8 deletions(-)
create mode 100644 vendor/github.com/mitchellh/mapstructure/errors_helpers.go

diff --git a/vendor/github.com/mitchellh/mapstructure/decode_hooks.go b/vendor/github.com/mitchellh/mapstructure/decode_hooks.go
index 1f0abc6..07e1332 100644
--- a/vendor/github.com/mitchellh/mapstructure/decode_hooks.go
+++ b/vendor/github.com/mitchellh/mapstructure/decode_hooks.go
@@ -4,6 +4,7 @@ import (
"errors"
"fmt"
"net"
+ "net/url"
"reflect"
"strconv"
"strings"
@@ -113,10 +114,33 @@ func StringToTimeDurationHookFunc() DecodeHookFunc {
}

// Convert it by parsing
- return time.ParseDuration(data.(string))
+ d, err := time.ParseDuration(data.(string))
+
+ return d, wrapTimeParseDurationError(err)
+ }
+}
+
+// StringToURLHookFunc returns a DecodeHookFunc that converts strings to url.URL
+func StringToURLHookFunc() DecodeHookFunc {
+ return func(
+ f reflect.Type,
+ t reflect.Type,
+ data interface{}) (interface{}, error) {
+ if f.Kind() != reflect.String {
+ return data, nil
+ }
+ if t != reflect.TypeOf(url.URL{}) {
+ return data, nil
+ }
+
+ // Convert it by parsing
+ u, err := url.Parse(data.(string))
+
+ return u, wrapUrlError(err)
}
}

+
// StringToIPHookFunc returns a DecodeHookFunc that converts
// strings to net.IP
func StringToIPHookFunc() DecodeHookFunc {
@@ -134,7 +158,7 @@ func StringToIPHookFunc() DecodeHookFunc {
// Convert it by parsing
ip := net.ParseIP(data.(string))
if ip == nil {
- return net.IP{}, fmt.Errorf("failed parsing ip %v", data)
+ return net.IP{}, fmt.Errorf("failed parsing ip")
}

return ip, nil
@@ -157,7 +181,7 @@ func StringToIPNetHookFunc() DecodeHookFunc {

// Convert it by parsing
_, net, err := net.ParseCIDR(data.(string))
- return net, err
+ return net, wrapNetParseError(err)
}
}

@@ -176,7 +200,9 @@ func StringToTimeHookFunc(layout string) DecodeHookFunc {
}

// Convert it by parsing
- return time.Parse(layout, data.(string))
+ ti, err := time.Parse(layout, data.(string))
+
+ return ti, wrapTimeParseError(err)
}
}

diff --git a/vendor/github.com/mitchellh/mapstructure/errors_helpers.go b/vendor/github.com/mitchellh/mapstructure/errors_helpers.go
new file mode 100644
index 0000000..d1f3ffd
--- /dev/null
+++ b/vendor/github.com/mitchellh/mapstructure/errors_helpers.go
@@ -0,0 +1,124 @@
+package mapstructure
+
+import (
+ "errors"
+ "fmt"
+ "net"
+ "net/url"
+ "strconv"
+ "strings"
+ "time"
+)
+
+// The following helpers wrap various standard library errors to avoid leaking
+// sensitive input data in error messages. They preserve the original error via
+// Unwrap for introspection while presenting sanitized messages.
+
+func wrapStrconvNumError(err error) error {
+ if err == nil {
+ return nil
+ }
+
+ if err, ok := err.(*strconv.NumError); ok {
+ return &strconvNumError{Err: err}
+ }
+
+ return err
+}
+
+type strconvNumError struct {
+ Err *strconv.NumError
+}
+
+func (e *strconvNumError) Error() string {
+ return "strconv." + e.Err.Func + ": " + e.Err.Err.Error()
+}
+
+func (e *strconvNumError) Unwrap() error { return e.Err }
+
+func wrapUrlError(err error) error { // nolint:revive,stylecheck // keep name for compatibility
+ if err == nil {
+ return nil
+ }
+
+ if err, ok := err.(*url.Error); ok {
+ return &urlError{Err: err}
+ }
+
+ return err
+}
+
+type urlError struct {
+ Err *url.Error
+}
+
+func (e *urlError) Error() string {
+ return fmt.Sprintf("%s", e.Err.Err)
+}
+
+func (e *urlError) Unwrap() error { return e.Err }
+
+func wrapNetParseError(err error) error {
+ if err == nil {
+ return nil
+ }
+
+ if err, ok := err.(*net.ParseError); ok {
+ return &netParseError{Err: err}
+ }
+
+ return err
+}
+
+type netParseError struct {
+ Err *net.ParseError
+}
+
+func (e *netParseError) Error() string {
+ return "invalid " + e.Err.Type
+}
+
+func (e *netParseError) Unwrap() error { return e.Err }
+
+func wrapTimeParseError(err error) error {
+ if err == nil {
+ return nil
+ }
+
+ if err, ok := err.(*time.ParseError); ok {
+ return &timeParseError{Err: err}
+ }
+
+ return err
+}
+
+type timeParseError struct {
+ Err *time.ParseError
+}
+
+func (e *timeParseError) Error() string {
+ if e.Err.Message == "" {
+ return fmt.Sprintf("parsing time as %q: cannot parse as %q", e.Err.Layout, e.Err.LayoutElem)
+ }
+
+ return "parsing time " + e.Err.Message
+}
+
+func (e *timeParseError) Unwrap() error { return e.Err }
+
+func wrapTimeParseDurationError(err error) error {
+ if err == nil {
+ return nil
+ }
+
+ errMsg := err.Error()
+ if strings.HasPrefix(errMsg, "time: unknown unit ") {
+ return errors.New("time: unknown unit")
+ } else if strings.HasPrefix(errMsg, "time: ") {
+ idx := strings.LastIndex(errMsg, " ")
+
+ return errors.New(errMsg[:idx])
+ }
+
+ return err
+}
diff --git a/vendor/github.com/mitchellh/mapstructure/mapstructure.go b/vendor/github.com/mitchellh/mapstructure/mapstructure.go
index b384d9d..b27d924 100644
--- a/vendor/github.com/mitchellh/mapstructure/mapstructure.go
+++ b/vendor/github.com/mitchellh/mapstructure/mapstructure.go
@@ -592,7 +592,7 @@ func (d *Decoder) decodeInt(name string, data interface{}, val reflect.Value) er
if err == nil {
val.SetInt(i)
} else {
- return fmt.Errorf("cannot parse '%s' as int: %s", name, err)
+ return fmt.Errorf("cannot parse '%s' as int: %s", name, wrapStrconvNumError(err))
}
case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
jn := data.(json.Number)
@@ -644,7 +644,7 @@ func (d *Decoder) decodeUint(name string, data interface{}, val reflect.Value) e
if err == nil {
val.SetUint(i)
} else {
- return fmt.Errorf("cannot parse '%s' as uint: %s", name, err)
+ return fmt.Errorf("cannot parse '%s' as uint: %s", name, wrapStrconvNumError(err))
}
case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
jn := data.(json.Number)
@@ -687,7 +687,7 @@ func (d *Decoder) decodeBool(name string, data interface{}, val reflect.Value) e
} else if dataVal.String() == "" {
val.SetBool(false)
} else {
- return fmt.Errorf("cannot parse '%s' as bool: %s", name, err)
+ return fmt.Errorf("cannot parse '%s' as bool: %s", name, wrapStrconvNumError(err))
}
default:
return fmt.Errorf(
@@ -721,7 +721,7 @@ func (d *Decoder) decodeFloat(name string, data interface{}, val reflect.Value)
if err == nil {
val.SetFloat(f)
} else {
- return fmt.Errorf("cannot parse '%s' as float: %s", name, err)
+ return fmt.Errorf("cannot parse '%s' as float: %s", name, wrapStrconvNumError(err))
}
case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
jn := data.(json.Number)
--
2.45.4

6 changes: 5 additions & 1 deletion SPECS/rook/rook.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
Summary: Orchestrator for distributed storage systems in cloud-native environments
Name: rook
Version: 1.6.2
Release: 27%{?dist}
Release: 28%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Expand Down Expand Up @@ -62,6 +62,7 @@ Patch5: CVE-2024-28180.patch
Patch6: CVE-2022-3162.patch
Patch7: CVE-2025-27144.patch
Patch8: CVE-2024-51744.patch
Patch9: CVE-2025-11065.patch
# Ceph version is needed to set correct container tag in manifests
BuildRequires: ceph
# Rook requirements
Expand Down Expand Up @@ -260,6 +261,9 @@ sed -i -e "s|\(.*tag: \)VERSION|\1%{helm_appVersion}|" %{values_yaml}
# bother adding docs or changelog or anything

%changelog
* Fri Jan 30 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.6.2-28
- Patch for CVE-2025-11065

* Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 1.6.2-27
- Bump release to rebuild with golang

Expand Down
Loading