From 0d9b46e4c1dd964809760ff5c4d94ce845aaf7fa Mon Sep 17 00:00:00 2001
From: "Unniche, BasavarajX"
Date: Fri, 9 Jan 2026 21:04:30 +0530
Subject: [PATCH] CVE Fix for x-crypto component in caddy - Applied suggested patch from NVD database for - CVE-2025-58181.
Signed-off-by: Unniche, BasavarajX
---
 SPECS/caddy/CVE-2025-58181.patch | 53 ++++++++++++++++++++++++++++++++
 SPECS/caddy/caddy.spec | 6 +++-
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/caddy/CVE-2025-58181.patch
diff --git a/SPECS/caddy/CVE-2025-58181.patch b/SPECS/caddy/CVE-2025-58181.patch
new file mode 100644
index 000000000..76b17efad
--- /dev/null
+++ b/SPECS/caddy/CVE-2025-58181.patch
@@ -0,0 +1,53 @@
+From e79546e28b85ea53dd37afe1c4102746ef553b9c Mon Sep 17 00:00:00 2001
+From: Neal Patel
+Date: Wed, 19 Nov 2025 13:35:12 -0500
+Subject: [PATCH] ssh: curb GSSAPI DoS risk by limiting number of specified
+ OIDs
+
+Previously, an attacker could specify an integer up to 0xFFFFFFFF
+that would directly allocate memory despite the observability of
+the rest of the payload. This change places a hard cap on the
+amount of mechanisms that can be specified and encoded in the
+payload. Additionally, it performs a small sanity check to deny
+payloads whose stated size is contradictory to the observed payload.
+
+Thank you to Jakub Ciolek for reporting this issue.
+
+Fixes CVE-2025-58181
+Fixes golang/go#76363
+
+Change-Id: I0307ab3e906a3f2ae763b5f9f0310f7073f84485
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721961
+Auto-Submit: Roland Shoemaker
+Reviewed-by: Damien Neil
+LUCI-TryBot-Result: Go LUCI
+---
+ vendor/golang.org/x/crypto/ssh/ssh_gss.go | 8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/golang.org/x/crypto//ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
+index 24bd7c8e83..a6249a1227 100644
+--- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go
++++ b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
+@@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
+ if !ok {
+ return nil, errors.New("parse uint32 failed")
+ }
++ // Each ASN.1 encoded OID must have a minimum
++ // of 2 bytes; 64 maximum mechanisms is an
++ // arbitrary, but reasonable ceiling.
++ const maxMechs = 64
++ if n > maxMechs || int(n)*2 > len(rest) {
++ return nil, errors.New("invalid mechanism count")
++ }
+ s := &userAuthRequestGSSAPI{
+ N: n,
+ OIDS: make([]asn1.ObjectIdentifier, n),
+@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
+ if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil {
+ return nil, err
+ }
+-
+ }
+ return s, nil
+ }
diff --git a/SPECS/caddy/caddy.spec b/SPECS/caddy/caddy.spec
index c3f9cad3e..b10ed1b18 100644
--- a/SPECS/caddy/caddy.spec
+++ b/SPECS/caddy/caddy.spec
@@ -3,7 +3,7 @@
 Summary: Web server with automatic HTTPS
 Name: caddy
 Version: 2.9.1
-Release: 13%{?dist}
+Release: 15%{?dist}
 Distribution: Edge Microvisor Toolkit
 Vendor: Intel Corporation
 # main source code is Apache-2.0
@@ -30,6 +30,7 @@ Patch1: 0001-Disable-commands-that-can-alter-the-binary.patch
 Patch2: CVE-2025-22869.patch
 Patch3: CVE-2024-45339.patch
 Patch4: CVE-2025-22872.patch
+Patch5: CVE-2025-58181.patch
 BuildRequires: go-rpm-macros
 # https://github.com/caddyserver/caddy/commit/2028da4e74cd41f0f7f94222c6599da1a371d4b8
 BuildRequires: golang >= 1.24.4
@@ -453,6 +454,9 @@ fi
 %{_datadir}/fish/vendor_completions.d/caddy.fish
 %changelog
+* Fri Jan 09 2026 Basavarajx unniche - 2.9.1-15
+- Include patch for CVE-2025-58181.
+
 * Tue DEc 16 2025 Andy - 2.9.1-14
 - Update go version to use below 1.25
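Review bot: The embedded `diff --git` header in the new patch file names the old side as `a/vendor/golang.org/x/crypto//ssh/ssh_gss.go` (doubled slash) while the `---`/`+++` lines use the normal `vendor/golang.org/x/crypto/ssh/ssh_gss.go`; `patch -p1` should still apply it because it takes the filenames from the `---`/`+++` lines, but the stray slash looks like a hand-edit slip when the upstream `ssh/ssh_gss.go` paths were rewritten to the vendored layout. Suggest tidying it to `+diff --git a/vendor/golang.org/x/crypto/ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go` so that tools keying on the git header see consistent names. The inner Go hunks themselves match the upstream fix (cap of 64 mechanisms, `int(n)*2 > len(rest)` sanity check); the enclosing `parseGSSAPIPayload` body is only partially visible between the two inner hunks.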
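Review bot: `+Patch5: CVE-2025-58181.patch` only declares the patch; whether it is applied depends on the %prep section, which is not in this diff. If the spec uses `%autosetup -p1` the new tag is picked up automatically, but if patches are applied one by one (`%patch -P 4` style) a matching `%patch -P 5` is needed, otherwise the build quietly ships the unfixed `vendor/golang.org/x/crypto/ssh/ssh_gss.go`. Worth confirming in %prep, and that the patch's `vendor/...` paths match how the source and vendor tarballs unpack, as they presumably do for the earlier CVE-2025-22869 and CVE-2025-22872 patches. The Release bump and changelog hunks are fine as written; the changelog hunk runs past the end of the visible diff.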