[AUTO-CHERRYPICK] [AutoPR- Security] Patch kubevirt for CVE-2025-47913 [HIGH] - branch 3.0-dev (#15134)

CBL-Mariner-Bot · azurelinux-security · jslobodzian · web-flow · commit 1855b5bf9bfc · 2025-11-25T10:59:50.000-05:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/kubevirt/CVE-2025-47913.patch b/SPECS/kubevirt/CVE-2025-47913.patch
@@ -0,0 +1,50 @@
+From 7d6da779448c01f323cf73e38a18850660c95d2d Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Tue, 18 Nov 2025 16:23:38 +0000
+Subject: [PATCH] ssh/agent: return an error for unexpected message types
+
+Previously, receiving an unexpected message type in response to a key
+listing or a signing request could cause a panic due to a failed type
+assertion.
+
+This change adds a default case to the type switch in order to detect
+and explicitly handle unknown or invalid message types, returning a
+descriptive error instead of crashing.
+
+Fixes golang/go#75178
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/golang/crypto/commit/559e062ce8bfd6a39925294620b50906ca2a6f95.patch
+---
+ vendor/golang.org/x/crypto/ssh/agent/client.go | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
+index 106708d..410e21b 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/client.go
++++ b/vendor/golang.org/x/crypto/ssh/agent/client.go
+@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
+ 		return keys, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to list keys")
++	default:
++		return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+ 
+ // Sign has the agent sign the data using a protocol 2 key as defined
+@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
+ 		return &sig, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to sign challenge")
++	default:
++		return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+ 
+ // unmarshal parses an agent message in packet, returning the parsed
+-- 
+2.45.4
+
diff --git a/SPECS/kubevirt/kubevirt.spec b/SPECS/kubevirt/kubevirt.spec
@@ -30,8 +30,7 @@ Source0:        https://github.com/kubevirt/kubevirt/archive/refs/tags/v%{versio
 # The containers_meta packages and associated files are not required for the Mariner build
 # Nexus team needs these to-be-upstreamed patches for the operator Edge to work
 # correctly.
-
-Patch0:         CVE-2025-22872.patch
+Patch0:         CVE-2025-47913.patch
 
 %global debug_package %{nil}
 BuildRequires:  swtpm-tools
@@ -269,12 +268,15 @@ install -p -m 0644 cmd/virt-launcher/qemu.conf %{buildroot}%{_datadir}/kube-virt
 %{_bindir}/virt-tests
 
 %changelog
-* Tue Nov 11 2025 Andrew Phelps <anphel@microsoft.com> - 1.5.3-2
+* Mon Nov 24 2025 Andrew Phelps <anphel@microsoft.com> - 1.5.3-2
 - Bump to rebuild with updated glibc
 
-* Mon Nov 10 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.5.3-1
+* Mon Nov 24 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.5.3-1
 - Auto-upgrade to 1.5.3 - for CVE-2025-64437, CVE-2025-64433, CVE-2025-64434, CVE-2025-64432
 
+* Tue Nov 18 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.5.0-6
+- Patch for CVE-2025-47913
+
 * Thu Oct 23 2025 Kanishk Bansal <kanbansal@microsoft.com> - 1.5.0-5
 - Bump to rebuild with updated glibc
 
