From 394394960b37c3f78f6a01ddd5c892bb602a1e13 Mon Sep 17 00:00:00 2001
From: Kanishk Bansal
Date: Fri, 31 Jan 2025 12:55:58 +0000
Subject: [PATCH 1/2] Address CVE-2024-28180 for packer

---
 SPECS/packer/CVE-2024-28180.patch | 88 +++++++++++++++++++++++++++++++
 SPECS/packer/packer.spec | 7 ++-
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/packer/CVE-2024-28180.patch

diff --git a/SPECS/packer/CVE-2024-28180.patch b/SPECS/packer/CVE-2024-28180.patch
new file mode 100644
index 00000000000..957f169ac23
--- /dev/null
+++ b/SPECS/packer/CVE-2024-28180.patch
@@ -0,0 +1,88 @@
+From 93135333edad88bda698e252c9d30c1f699a1bbe Mon Sep 17 00:00:00 2001
+From: Kanishk Bansal
+Date: Fri, 31 Jan 2025 12:50:41 +0000
+Subject: [PATCH] Address CVE-2024-28180 for packer
+
+---
+ gopkg.in/square/go-jose.v2/crypter.go | 6 ++++++
+ gopkg.in/square/go-jose.v2/encoding.go | 20 ++++++++++++++++----
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/gopkg.in/square/go-jose.v2/crypter.go b/gopkg.in/square/go-jose.v2/crypter.go
+index be7433e..763eae0 100644
+--- a/gopkg.in/square/go-jose.v2/crypter.go
++++ b/gopkg.in/square/go-jose.v2/crypter.go
+@@ -406,6 +406,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
+ // Decrypt and validate the object and return the plaintext. Note that this
+ // function does not support multi-recipient, if you desire multi-recipient
+ // decryption use DecryptMulti instead.
++//
++// Automatically decompresses plaintext, but returns an error if the decompressed
++// data would be >250kB or >10x the size of the compressed data, whichever is larger.
+ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
+ headers := obj.mergedHeaders(nil)
+ 
+@@ -470,6 +473,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
+ // with support for multiple recipients. It returns the index of the recipient
+ // for which the decryption was successful, the merged headers for that recipient,
+ // and the plaintext.
++//
++// Automatically decompresses plaintext, but returns an error if the decompressed
++// data would be >250kB or >3x the size of the compressed data, whichever is larger.
+ func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
+ globalHeaders := obj.mergedHeaders(nil)
+ 
+diff --git a/gopkg.in/square/go-jose.v2/encoding.go b/gopkg.in/square/go-jose.v2/encoding.go
+index 70f7385..2b92116 100644
+--- a/gopkg.in/square/go-jose.v2/encoding.go
++++ b/gopkg.in/square/go-jose.v2/encoding.go
+@@ -21,6 +21,7 @@ import (
+ "compress/flate"
+ "encoding/base64"
+ "encoding/binary"
++ "fmt"
+ "io"
+ "math/big"
+ "strings"
+@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+ }
+ }
+ 
+-// Compress with DEFLATE
++// deflate compresses the input.
+ func deflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+ 
+@@ -97,15 +98,26 @@ func deflate(input []byte) ([]byte, error) {
+ return output.Bytes(), err
+ }
+ 
+-// Decompress with DEFLATE
++// inflate decompresses the input.
++//
++// Errors if the decompressed data would be >250kB or >10x the size of the
++// compressed data, whichever is larger.
+ func inflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+ reader := flate.NewReader(bytes.NewBuffer(input))
+ 
+- _, err := io.Copy(output, reader)
+- if err != nil {
++ maxCompressedSize := 10 * int64(len(input))
++ if maxCompressedSize < 250000 {
++ maxCompressedSize = 250000
++ }
++ limit := maxCompressedSize + 1
++ n, err := io.CopyN(output, reader, limit)
++ if err != nil && err != io.EOF {
+ return nil, err
+ }
++ if n == limit {
++ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
++ }
+ 
+ err = reader.Close()
+ return output.Bytes(), err
+--
+2.43.0
+
diff --git a/SPECS/packer/packer.spec b/SPECS/packer/packer.spec
index 5223e14d85e..34bcb197c2d 100644
--- a/SPECS/packer/packer.spec
+++ b/SPECS/packer/packer.spec
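Review bot: The doc comment this patch adds to DecryptMulti in crypter.go states the bound as `>3x the size of the compressed data`, while the comment added to Decrypt and the check added to inflate in encoding.go both use 10x (`maxCompressedSize := 10 * int64(len(input))`); since inflate is presumably the single decompression path for both, the DecryptMulti line should read `// data would be >250kB or >10x the size of the compressed data, whichever is larger.`. In inflate the variable `maxCompressedSize` actually bounds the decompressed output, as the error text `uncompressed data would be too large` says; naming it `maxDecompressedSize` would avoid readers taking it for a bound on the input. The limiting itself looks right: copying `limit = cap+1` bytes with `io.CopyN` makes `n == limit` an unambiguous overflow signal, and `io.EOF` from a short copy is correctly tolerated before `reader.Close()` is still called.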
@@ -4,7 +4,7 @@
 Summary: Tool for creating identical machine images for multiple platforms from a single source configuration.
 Name: packer
 Version: 1.9.5
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: MPLv2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -35,6 +35,7 @@ Patch0: CVE-2022-3064.patch
 Patch1: CVE-2024-6104.patch
 Patch2: CVE-2024-24786.patch
 Patch3: CVE-2025-21613.patch
+Patch4 : CVE-2024-28180.patch
 BuildRequires: golang >= 1.21
 BuildRequires: kernel-headers
 BuildRequires: glibc-devel
@@ -68,6 +69,10 @@ go test -mod=vendor
 %{_bindir}/packer
 
 %changelog
+
+* Fri Jan 31 2025 Kanishk Bansal - 1.9.5-6
+- Fix CVE-2024-28180 with an upstream patch
+
 * Thu Jan 09 2025 Sudipta Pandit - 1.9.5-5
 - Add patch for CVE-2025-21613 and CVE-2025-21614
 - Remove patch for CVE-2023-45288, CVE-2023-49569, CVE-2024-45337

From 53e972d2a2f4580639c491df2612d48e86601e88 Mon Sep 17 00:00:00 2001
From: Kanishk Bansal
Date: Fri, 31 Jan 2025 13:15:45 +0000
Subject: [PATCH 2/2] Patch Fix

---
 SPECS/packer/CVE-2024-28180.patch | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/SPECS/packer/CVE-2024-28180.patch b/SPECS/packer/CVE-2024-28180.patch
index 957f169ac23..a2207db7693 100644
--- a/SPECS/packer/CVE-2024-28180.patch
+++ b/SPECS/packer/CVE-2024-28180.patch
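Review bot: The added `Patch4 : CVE-2024-28180.patch` has a space before the colon, unlike `Patch3: CVE-2025-21613.patch` directly above it; whether or not rpmbuild tolerates the extra whitespace, the tag should be written `Patch4: CVE-2024-28180.patch` so it matches the other Patch lines and simple `grep '^Patch[0-9]*:'` audits. The %prep section is outside these hunks, so it cannot be seen here whether Patch4 is actually applied (for example by %autosetup or an explicit %patch line); that should be confirmed before release. The changelog line `- Fix CVE-2024-28180 with an upstream patch` also reads as if the patch is a verbatim upstream commit, but the added patch file is authored by the same committer on the same day; if it is a hand-ported backport of the upstream fix, noting that origin in the changelog would help future audits of the vendored go-jose copy.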
@@ -4,14 +4,14 @@ Date: Fri, 31 Jan 2025 12:50:41 +0000
 Subject: [PATCH] Address CVE-2024-28180 for packer
 
 ---
- gopkg.in/square/go-jose.v2/crypter.go | 6 ++++++
- gopkg.in/square/go-jose.v2/encoding.go | 20 ++++++++++++++++----
+ vendor/gopkg.in/square/go-jose.v2/crypter.go | 6 ++++++
+ vendor/gopkg.in/square/go-jose.v2/encoding.go | 20 ++++++++++++++++----
  2 files changed, 22 insertions(+), 4 deletions(-)
 
-diff --git a/gopkg.in/square/go-jose.v2/crypter.go b/gopkg.in/square/go-jose.v2/crypter.go
+diff --git a/vendor/gopkg.in/square/go-jose.v2/crypter.go b/vendor/gopkg.in/square/go-jose.v2/crypter.go
 index be7433e..763eae0 100644
---- a/gopkg.in/square/go-jose.v2/crypter.go
-+++ b/gopkg.in/square/go-jose.v2/crypter.go
+--- a/vendor/gopkg.in/square/go-jose.v2/crypter.go
++++ b/vendor/gopkg.in/square/go-jose.v2/crypter.go
 @@ -406,6 +406,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
  // Decrypt and validate the object and return the plaintext. Note that this
  // function does not support multi-recipient, if you desire multi-recipient
@@ -32,10 +32,10 @@ index be7433e..763eae0 100644
  func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
  globalHeaders := obj.mergedHeaders(nil)
  
-diff --git a/gopkg.in/square/go-jose.v2/encoding.go b/gopkg.in/square/go-jose.v2/encoding.go
+diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go
 index 70f7385..2b92116 100644
---- a/gopkg.in/square/go-jose.v2/encoding.go
-+++ b/gopkg.in/square/go-jose.v2/encoding.go
+--- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
++++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go
 @@ -21,6 +21,7 @@ import (
  "compress/flate"
  "encoding/base64"