Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package coredns-for-k8s1.34 for
openSUSE:Factory checked in at 2025-12-18 18:37:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/coredns-for-k8s1.34 (Old)
and /work/SRC/openSUSE:Factory/.coredns-for-k8s1.34.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "coredns-for-k8s1.34"
Thu Dec 18 18:37:14 2025 rev:2 rq:1323530 version:1.12.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/coredns-for-k8s1.34/coredns-for-k8s1.34.changes
2025-09-19 15:33:56.568701767 +0200
+++
/work/SRC/openSUSE:Factory/.coredns-for-k8s1.34.new.1928/coredns-for-k8s1.34.changes
2025-12-18 18:37:54.997907037 +0100
@@ -1,0 +2,8 @@
+Thu Dec 18 13:23:20 UTC 2025 - Priyanka Saggu <[email protected]>
+
+- add new patch: CVE-2025-68156-limit-recursion-depth.patch, bsc#1255332
+ * Patch to fix CVE-2025-68156 (fix(builtin): limit recursion depth)
+ * Ref:
https://patch-diff.githubusercontent.com/raw/expr-lang/expr/pull/870.patch
+ * Ref:
https://github.com/expr-lang/expr/security/advisories/GHSA-cfpf-hrx2-8rv6
+
+-------------------------------------------------------------------
New:
----
CVE-2025-68156-limit-recursion-depth.patch
----------(New B)----------
New:
- add new patch: CVE-2025-68156-limit-recursion-depth.patch, bsc#1255332
* Patch to fix CVE-2025-68156 (fix(builtin): limit recursion depth)
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ coredns-for-k8s1.34.spec ++++++
--- /var/tmp/diff_new_pack.YG3gpU/_old 2025-12-18 18:37:55.757938968 +0100
+++ /var/tmp/diff_new_pack.YG3gpU/_new 2025-12-18 18:37:55.757938968 +0100
@@ -29,6 +29,10 @@
Source1: vendor.tar.gz
Source10: Corefile
Source11: coredns.service
+# Patch to fix CVE-2025-68156 (fix(builtin): limit recursion depth)
+# Ref:
https://patch-diff.githubusercontent.com/raw/expr-lang/expr/pull/870.patch
+# Ref:
https://github.com/expr-lang/expr/security/advisories/GHSA-cfpf-hrx2-8rv6
+Patch2: CVE-2025-68156-limit-recursion-depth.patch
BuildRequires: fdupes
BuildRequires: golang(API) >= 1.23
Conflicts: coredns
@@ -59,6 +63,7 @@
%prep
%setup -q -a1 -n coredns-%{version}
+%patch -P 2 -p1
%build
++++++ CVE-2025-68156-limit-recursion-depth.patch ++++++
>From 2a07330648d2f827f92a95b4c9976d0c4f971ee6 Mon Sep 17 00:00:00 2001
From: Ville Vesilehto <[email protected]>
Date: Wed, 3 Dec 2025 14:29:38 +0200
Subject: [PATCH] fix(builtin): limit recursion depth
Add builtin.MaxDepth (default 10k) to prevent stack overflows when
processing deeply nested or cyclic structures in builtin functions.
The functions flatten, min, max, mean, and median now return a
"recursion depth exceeded" error instead of crashing the runtime.
Signed-off-by: Ville Vesilehto <[email protected]>
---
builtin/builtin.go | 18 +++++---
builtin/builtin_test.go | 97 +++++++++++++++++++++++++++++++++++++++++
builtin/lib.go | 33 ++++++++++----
3 files changed, 134 insertions(+), 14 deletions(-)
Index: coredns-1.12.1/vendor/github.com/expr-lang/expr/builtin/builtin.go
===================================================================
--- coredns-1.12.1.orig/vendor/github.com/expr-lang/expr/builtin/builtin.go
+++ coredns-1.12.1/vendor/github.com/expr-lang/expr/builtin/builtin.go
@@ -3,6 +3,7 @@ package builtin
import (
"encoding/base64"
"encoding/json"
+ "errors"
"fmt"
"reflect"
"sort"
@@ -16,6 +17,10 @@ import (
var (
Index map[string]int
Names []string
+
+ // MaxDepth limits the recursion depth for nested structures.
+ MaxDepth = 10000
+ ErrorMaxDepth = errors.New("recursion depth exceeded")
)
func init() {
@@ -377,7 +382,7 @@ var Builtins = []*Function{
{
Name: "max",
Func: func(args ...any) (any, error) {
- return minMax("max", runtime.Less, args...)
+ return minMax("max", runtime.Less, 0, args...)
},
Validate: func(args []reflect.Type) (reflect.Type, error) {
return validateAggregateFunc("max", args)
@@ -386,7 +391,7 @@ var Builtins = []*Function{
{
Name: "min",
Func: func(args ...any) (any, error) {
- return minMax("min", runtime.More, args...)
+ return minMax("min", runtime.More, 0, args...)
},
Validate: func(args []reflect.Type) (reflect.Type, error) {
return validateAggregateFunc("min", args)
@@ -395,7 +400,7 @@ var Builtins = []*Function{
{
Name: "mean",
Func: func(args ...any) (any, error) {
- count, sum, err := mean(args...)
+ count, sum, err := mean(0, args...)
if err != nil {
return nil, err
}
@@ -411,7 +416,7 @@ var Builtins = []*Function{
{
Name: "median",
Func: func(args ...any) (any, error) {
- values, err := median(args...)
+ values, err := median(0, args...)
if err != nil {
return nil, err
}
@@ -940,7 +945,10 @@ var Builtins = []*Function{
if v.Kind() != reflect.Array && v.Kind() !=
reflect.Slice {
return nil, size, fmt.Errorf("cannot flatten
%s", v.Kind())
}
- ret := flatten(v)
+ ret, err := flatten(v, 0)
+ if err != nil {
+ return nil, 0, err
+ }
size = uint(len(ret))
return ret, size, nil
},
Index: coredns-1.12.1/vendor/github.com/expr-lang/expr/builtin/lib.go
===================================================================
--- coredns-1.12.1.orig/vendor/github.com/expr-lang/expr/builtin/lib.go
+++ coredns-1.12.1/vendor/github.com/expr-lang/expr/builtin/lib.go
@@ -253,7 +253,10 @@ func String(arg any) any {
return fmt.Sprintf("%v", arg)
}
-func minMax(name string, fn func(any, any) bool, args ...any) (any, error) {
+func minMax(name string, fn func(any, any) bool, depth int, args ...any) (any,
error) {
+ if depth > MaxDepth {
+ return nil, ErrorMaxDepth
+ }
var val any
for _, arg := range args {
rv := reflect.ValueOf(arg)
@@ -261,7 +264,7 @@ func minMax(name string, fn func(any, an
case reflect.Array, reflect.Slice:
size := rv.Len()
for i := 0; i < size; i++ {
- elemVal, err := minMax(name, fn,
rv.Index(i).Interface())
+ elemVal, err := minMax(name, fn, depth+1,
rv.Index(i).Interface())
if err != nil {
return nil, err
}
@@ -294,7 +297,10 @@ func minMax(name string, fn func(any, an
return val, nil
}
-func mean(args ...any) (int, float64, error) {
+func mean(depth int, args ...any) (int, float64, error) {
+ if depth > MaxDepth {
+ return 0, 0, ErrorMaxDepth
+ }
var total float64
var count int
@@ -304,7 +310,7 @@ func mean(args ...any) (int, float64, er
case reflect.Array, reflect.Slice:
size := rv.Len()
for i := 0; i < size; i++ {
- elemCount, elemSum, err :=
mean(rv.Index(i).Interface())
+ elemCount, elemSum, err := mean(depth+1,
rv.Index(i).Interface())
if err != nil {
return 0, 0, err
}
@@ -327,7 +333,10 @@ func mean(args ...any) (int, float64, er
return count, total, nil
}
-func median(args ...any) ([]float64, error) {
+func median(depth int, args ...any) ([]float64, error) {
+ if depth > MaxDepth {
+ return nil, ErrorMaxDepth
+ }
var values []float64
for _, arg := range args {
@@ -336,7 +345,7 @@ func median(args ...any) ([]float64, err
case reflect.Array, reflect.Slice:
size := rv.Len()
for i := 0; i < size; i++ {
- elems, err := median(rv.Index(i).Interface())
+ elems, err := median(depth+1,
rv.Index(i).Interface())
if err != nil {
return nil, err
}
@@ -355,18 +364,24 @@ func median(args ...any) ([]float64, err
return values, nil
}
-func flatten(arg reflect.Value) []any {
+func flatten(arg reflect.Value, depth int) ([]any, error) {
+ if depth > MaxDepth {
+ return nil, ErrorMaxDepth
+ }
ret := []any{}
for i := 0; i < arg.Len(); i++ {
v := deref.Value(arg.Index(i))
if v.Kind() == reflect.Array || v.Kind() == reflect.Slice {
- x := flatten(v)
+ x, err := flatten(v, depth+1)
+ if err != nil {
+ return nil, err
+ }
ret = append(ret, x...)
} else {
ret = append(ret, v.Interface())
}
}
- return ret
+ return ret, nil
}
func get(params ...any) (out any, err error) {
@@ -374,6 +389,10 @@ func get(params ...any) (out any, err er
i := params[1]
v := reflect.ValueOf(from)
+ if from == nil {
+ return nil, nil
+ }
+
if v.Kind() == reflect.Invalid {
panic(fmt.Sprintf("cannot fetch %v from %T", i, from))
}
@@ -417,10 +436,14 @@ func get(params ...any) (out any, err er
fieldName := i.(string)
value := v.FieldByNameFunc(func(name string) bool {
field, _ := v.Type().FieldByName(name)
- if field.Tag.Get("expr") == fieldName {
+ switch field.Tag.Get("expr") {
+ case "-":
+ return false
+ case fieldName:
return true
+ default:
+ return name == fieldName
}
- return name == fieldName
})
if value.IsValid() {
return value.Interface(), nil
