[AutoPR- Security] Patch docker-cli for CVE-2025-11065 [MEDIUM] #15680

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

azurelinux-security wants to merge 2 commits into microsoft:3.0-dev from azurelinux-security:azure-autosec/docker-cli/3.0/1042057

+291 −3

SPECS/docker-cli/CVE-2025-11065.patch

-Original file line number
+Diff line change
@@ -0,0 +1,285 @@
+    From 87323f38f4073be7ab9dcc66603598d0c7d827fe Mon Sep 17 00:00:00 2001
+    From: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
+    Date: Sat, 12 Jul 2025 07:25:50 +0200
+    Subject: [PATCH] fix: error message leaks
+    Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
+    Upstream Patch reference: https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c.patch
+    Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+    Upstream-reference: https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c.patch
+    ---
+     .../mitchellh/mapstructure/decode_hooks.go    |  12 +-
+     .../mitchellh/mapstructure/error.go           | 156 ++++++++++++++++++
+     .../mitchellh/mapstructure/mapstructure.go    |  10 +-
+files changed, 169 insertions(+), 9 deletions(-)
+    diff --git a/vendor/github.com/mitchellh/mapstructure/decode_hooks.go b/vendor/github.com/mitchellh/mapstructure/decode_hooks.go
+    index 3a754ca..4dfab7d 100644
+    --- a/vendor/github.com/mitchellh/mapstructure/decode_hooks.go
+    +++ b/vendor/github.com/mitchellh/mapstructure/decode_hooks.go
+    @@ -134,7 +134,9 @@ func StringToTimeDurationHookFunc() DecodeHookFunc {
+     		}
+     		// Convert it by parsing
+    -		return time.ParseDuration(data.(string))
+    +		d, err := time.ParseDuration(data.(string))
+    +
+    +		return d, wrapTimeParseDurationError(err)
+     	}
+     }
+    @@ -155,7 +157,7 @@ func StringToIPHookFunc() DecodeHookFunc {
+     		// Convert it by parsing
+     		ip := net.ParseIP(data.(string))
+     		if ip == nil {
+    -			return net.IP{}, fmt.Errorf("failed parsing ip %v", data)
+    +			return net.IP{}, fmt.Errorf("failed parsing ip")
+     		}
+     		return ip, nil
+    @@ -178,7 +180,7 @@ func StringToIPNetHookFunc() DecodeHookFunc {
+     		// Convert it by parsing
+     		_, net, err := net.ParseCIDR(data.(string))
+    -		return net, err
+    +		return net, wrapNetParseError(err)
+     	}
+     }
+    @@ -197,7 +199,9 @@ func StringToTimeHookFunc(layout string) DecodeHookFunc {
+     		}
+     		// Convert it by parsing
+    -		return time.Parse(layout, data.(string))
+    +		ti, err := time.Parse(layout, data.(string))
+    +
+    +		return ti, wrapTimeParseError(err)
+     	}
+     }
+    diff --git a/vendor/github.com/mitchellh/mapstructure/error.go b/vendor/github.com/mitchellh/mapstructure/error.go
+    index 47a99e5..8c3b078 100644
+    --- a/vendor/github.com/mitchellh/mapstructure/error.go
+    +++ b/vendor/github.com/mitchellh/mapstructure/error.go
+    @@ -3,8 +3,12 @@ package mapstructure
+     import (
+     	"errors"
+     	"fmt"
+    +	"net"
+    +	"net/url"
+     	"sort"
+    +	"strconv"
+     	"strings"
+    +	"time"
+     )
+     // Error implements the error interface and can represents multiple
+    @@ -48,3 +52,155 @@ func appendErrors(errors []string, err error) []string {
+     		return append(errors, e.Error())
+     	}
+     }
+    +
+    +func wrapStrconvNumError(err error) error {
+    +	if err == nil {
+    +		return nil
+    +	}
+    +
+    +	if err, ok := err.(*strconv.NumError); ok {
+    +		return &strconvNumError{Err: err}
+    +	}
+    +
+    +	return err
+    +}
+    +
+    +type strconvNumError struct {
+    +	Err *strconv.NumError
+    +}
+    +
+    +func (e *strconvNumError) Error() string {
+    +	return "strconv." + e.Err.Func + ": " + e.Err.Err.Error()
+    +}
+    +
+    +func (e *strconvNumError) Unwrap() error { return e.Err }
+    +
+    +func wrapUrlError(err error) error {
+    +	if err == nil {
+    +		return nil
+    +	}
+    +
+    +	if err, ok := err.(*url.Error); ok {
+    +		return &urlError{Err: err}
+    +	}
+    +
+    +	return err
+    +}
+    +
+    +type urlError struct {
+    +	Err *url.Error
+    +}
+    +
+    +func (e *urlError) Error() string {
+    +	return fmt.Sprintf("%s", e.Err.Err)
+    +}
+    +
+    +func (e *urlError) Unwrap() error { return e.Err }
+    +
+    +func wrapNetParseError(err error) error {
+    +	if err == nil {
+    +		return nil
+    +	}
+    +
+    +	if err, ok := err.(*net.ParseError); ok {
+    +		return &netParseError{Err: err}
+    +	}
+    +
+    +	return err
+    +}
+    +
+    +type netParseError struct {
+    +	Err *net.ParseError
+    +}
+    +
+    +func (e *netParseError) Error() string {
+    +	return "invalid " + e.Err.Type
+    +}
+    +
+    +func (e *netParseError) Unwrap() error { return e.Err }
+    +
+    +func wrapTimeParseError(err error) error {
+    +	if err == nil {
+    +		return nil
+    +	}
+    +
+    +	if err, ok := err.(*time.ParseError); ok {
+    +		return &timeParseError{Err: err}
+    +	}
+    +
+    +	return err
+    +}
+    +
+    +type timeParseError struct {
+    +	Err *time.ParseError
+    +}
+    +
+    +func (e *timeParseError) Error() string {
+    +	if e.Err.Message == "" {
+    +		return fmt.Sprintf("parsing time as %q: cannot parse as %q", e.Err.Layout, e.Err.LayoutElem)
+    +	}
+    +
+    +	return "parsing time " + e.Err.Message
+    +}
+    +
+    +func (e *timeParseError) Unwrap() error { return e.Err }
+    +
+    +func wrapNetIPParseAddrError(err error) error {
+    +	if err == nil {
+    +		return nil
+    +	}
+    +
+    +	if errMsg := err.Error(); strings.HasPrefix(errMsg, "ParseAddr") {
+    +		errPieces := strings.Split(errMsg, ": ")
+    +
+    +		return fmt.Errorf("ParseAddr: %s", errPieces[len(errPieces)-1])
+    +	}
+    +
+    +	return err
+    +}
+    +
+    +func wrapNetIPParseAddrPortError(err error) error {
+    +	if err == nil {
+    +		return nil
+    +	}
+    +
+    +	errMsg := err.Error()
+    +	if strings.HasPrefix(errMsg, "invalid port ") {
+    +		return errors.New("invalid port")
+    +	} else if strings.HasPrefix(errMsg, "invalid ip:port ") {
+    +		return errors.New("invalid ip:port")
+    +	}
+    +
+    +	return err
+    +}
+    +
+    +func wrapNetIPParsePrefixError(err error) error {
+    +	if err == nil {
+    +		return nil
+    +	}
+    +
+    +	if errMsg := err.Error(); strings.HasPrefix(errMsg, "netip.ParsePrefix") {
+    +		errPieces := strings.Split(errMsg, ": ")
+    +
+    +		return fmt.Errorf("netip.ParsePrefix: %s", errPieces[len(errPieces)-1])
+    +	}
+    +
+    +	return err
+    +}
+    +
+    +func wrapTimeParseDurationError(err error) error {
+    +	if err == nil {
+    +		return nil
+    +	}
+    +
+    +	errMsg := err.Error()
+    +	if strings.HasPrefix(errMsg, "time: unknown unit ") {
+    +		return errors.New("time: unknown unit")
+    +	} else if strings.HasPrefix(errMsg, "time: ") {
+    +		idx := strings.LastIndex(errMsg, " ")
+    +
+    +		return errors.New(errMsg[:idx])
+    +	}
+    +
+    +	return err
+    +}
+    diff --git a/vendor/github.com/mitchellh/mapstructure/mapstructure.go b/vendor/github.com/mitchellh/mapstructure/mapstructure.go
+    index 1efb22a..f771761 100644
+    --- a/vendor/github.com/mitchellh/mapstructure/mapstructure.go
+    +++ b/vendor/github.com/mitchellh/mapstructure/mapstructure.go
+    @@ -642,7 +642,7 @@ func (d *Decoder) decodeInt(name string, data interface{}, val reflect.Value) er
+     		if err == nil {
+     			val.SetInt(i)
+     		} else {
+    -			return fmt.Errorf("cannot parse '%s' as int: %s", name, err)
+    +			return fmt.Errorf("cannot parse '%s' as int: %s", name, wrapStrconvNumError(err))
+     		}
+     	case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
+     		jn := data.(json.Number)
+    @@ -699,14 +699,14 @@ func (d *Decoder) decodeUint(name string, data interface{}, val reflect.Value) e
+     		if err == nil {
+     			val.SetUint(i)
+     		} else {
+    -			return fmt.Errorf("cannot parse '%s' as uint: %s", name, err)
+    +			return fmt.Errorf("cannot parse '%s' as uint: %s", name, wrapStrconvNumError(err))
+     		}
+     	case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
+     		jn := data.(json.Number)
+     		i, err := strconv.ParseUint(string(jn), 0, 64)
+     		if err != nil {
+     			return fmt.Errorf(
+    -				"error decoding json.Number into %s: %s", name, err)
+    +				"error decoding json.Number into %s: %s", name, wrapStrconvNumError(err))
+     		}
+     		val.SetUint(i)
+     	default:
+    @@ -738,7 +738,7 @@ func (d *Decoder) decodeBool(name string, data interface{}, val reflect.Value) e
+     		} else if dataVal.String() == "" {
+     			val.SetBool(false)
+     		} else {
+    -			return fmt.Errorf("cannot parse '%s' as bool: %s", name, err)
+    +			return fmt.Errorf("cannot parse '%s' as bool: %s", name, wrapStrconvNumError(err))
+     		}
+     	default:
+     		return fmt.Errorf(
+    @@ -777,7 +777,7 @@ func (d *Decoder) decodeFloat(name string, data interface{}, val reflect.Value)
+     		if err == nil {
+     			val.SetFloat(f)
+     		} else {
+    -			return fmt.Errorf("cannot parse '%s' as float: %s", name, err)
+    +			return fmt.Errorf("cannot parse '%s' as float: %s", name, wrapStrconvNumError(err))
+     		}
+     	case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
+     		jn := data.(json.Number)
+    --
+.45.4

SPECS/docker-cli/docker-cli.spec

-Original file line number
+Diff line change
@@ Expand Up / @@ -3,7 +3,7 @@ @@
     Summary:        The open-source application container engine client.
     Name:           docker-cli
     Version:        25.0.7
-    Release:        1%{?dist}
+    Release:        2%{?dist}
     License:        ASL 2.0
     Vendor:         Microsoft Corporation
     Distribution:   Azure Linux
@@ Expand All @@
     Source1:        %{name}-%{version}-govendor-v1.tar.gz
     Patch0:         disable_manpage_vendor.patch
     Patch1:         CVE-2024-24786.patch
+    Patch2:         CVE-2025-11065.patch
     BuildRequires:  git
     BuildRequires:  go-md2man
     BuildRequires:  golang
@@ Expand All / @@ -28,8 +29,7 @@ Obsoletes: moby-cli < %{version}-%{release} @@
     %{summary}
     %prep
-    %autosetup -p1 -n cli-%{version}
-    %setup -q -n cli-%{version} -T -D -a 1
+    %autosetup -n cli-%{version} -a 1 -p1
     mkdir -p %{OUR_GOPATH}/src/github.com/docker
     ln -sfT %{_builddir}/cli-%{version} %{OUR_GOPATH}/src/github.com/docker/cli
@@ Expand Down Expand Up @@
     %{_datadir}/fish/vendor_completions.d/docker.fish
     %changelog
+    * Tue Feb 03 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 25.0.7-2
+    - Patch for CVE-2025-11065
     * Sat Feb 15 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 25.0.7-1
     - Auto-upgrade to 25.0.7 - to fix CVE-2023-45288 [High]
     - Remove patch for CVE-2024-36623
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[AutoPR- Security] Patch docker-cli for CVE-2025-11065 [MEDIUM] #15680

Diff view

Diff view

There are no files selected for viewing

Uh oh!

[AutoPR- Security] Patch docker-cli for CVE-2025-11065 [MEDIUM] #15680

Are you sure you want to change the base?

[AutoPR- Security] Patch docker-cli for CVE-2025-11065 [MEDIUM] #15680

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!