Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package coredns-for-k8s1.35 for
openSUSE:Factory checked in at 2025-12-19 16:45:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/coredns-for-k8s1.35 (Old)
and /work/SRC/openSUSE:Factory/.coredns-for-k8s1.35.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "coredns-for-k8s1.35"
Fri Dec 19 16:45:36 2025 rev:2 rq:1323635 version:1.13.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/coredns-for-k8s1.35/coredns-for-k8s1.35.changes
2025-12-18 18:36:00.273087493 +0100
+++
/work/SRC/openSUSE:Factory/.coredns-for-k8s1.35.new.1928/coredns-for-k8s1.35.changes
2025-12-19 16:48:54.269546179 +0100
@@ -1,0 +2,8 @@
+Fri Dec 19 08:47:02 UTC 2025 - Priyanka Saggu <[email protected]>
+
+- add new patch: CVE-2025-68156-limit-recursion-depth.patch, bsc#1255332
+ * Patch to fix CVE-2025-68156 (fix(builtin): limit recursion depth)
+ * Ref:
https://patch-diff.githubusercontent.com/raw/expr-lang/expr/pull/870.patch
+ * Ref:
https://github.com/expr-lang/expr/security/advisories/GHSA-cfpf-hrx2-8rv6
+
+-------------------------------------------------------------------
New:
----
CVE-2025-68156-limit-recursion-depth.patch
----------(New B)----------
New:
- add new patch: CVE-2025-68156-limit-recursion-depth.patch, bsc#1255332
* Patch to fix CVE-2025-68156 (fix(builtin): limit recursion depth)
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ coredns-for-k8s1.35.spec ++++++
--- /var/tmp/diff_new_pack.LzZX1p/_old 2025-12-19 16:48:58.001702252 +0100
+++ /var/tmp/diff_new_pack.LzZX1p/_new 2025-12-19 16:48:58.017702921 +0100
@@ -29,6 +29,10 @@
Source1: vendor.tar.gz
Source10: Corefile
Source11: coredns.service
+# Patch to fix CVE-2025-68156 (fix(builtin): limit recursion depth)
+# Ref:
https://patch-diff.githubusercontent.com/raw/expr-lang/expr/pull/870.patch
+# Ref:
https://github.com/expr-lang/expr/security/advisories/GHSA-cfpf-hrx2-8rv6
+Patch2: CVE-2025-68156-limit-recursion-depth.patch
BuildRequires: fdupes
BuildRequires: golang(API) >= 1.25
Conflicts: coredns
@@ -59,6 +63,7 @@
%prep
%setup -q -a1 -n coredns-%{version}
+%patch -P 2 -p1
%build
++++++ CVE-2025-68156-limit-recursion-depth.patch ++++++
>From 2a07330648d2f827f92a95b4c9976d0c4f971ee6 Mon Sep 17 00:00:00 2001
From: Ville Vesilehto <[email protected]>
Date: Wed, 3 Dec 2025 14:29:38 +0200
Subject: [PATCH] fix(builtin): limit recursion depth
Add builtin.MaxDepth (default 10k) to prevent stack overflows when
processing deeply nested or cyclic structures in builtin functions.
The functions flatten, min, max, mean, and median now return a
"recursion depth exceeded" error instead of crashing the runtime.
Signed-off-by: Ville Vesilehto <[email protected]>
---
builtin/builtin.go | 18 +++++---
builtin/builtin_test.go | 97 +++++++++++++++++++++++++++++++++++++++++
builtin/lib.go | 33 ++++++++++----
3 files changed, 134 insertions(+), 14 deletions(-)
Index: coredns-1.13.1/vendor/github.com/expr-lang/expr/builtin/builtin.go
===================================================================
--- coredns-1.13.1.orig/vendor/github.com/expr-lang/expr/builtin/builtin.go
+++ coredns-1.13.1/vendor/github.com/expr-lang/expr/builtin/builtin.go
@@ -3,6 +3,7 @@ package builtin
import (
"encoding/base64"
"encoding/json"
+ "errors"
"fmt"
"reflect"
"sort"
@@ -16,6 +17,10 @@ import (
var (
Index map[string]int
Names []string
+
+ // MaxDepth limits the recursion depth for nested structures.
+ MaxDepth = 10000
+ ErrorMaxDepth = errors.New("recursion depth exceeded")
)
func init() {
@@ -377,7 +382,7 @@ var Builtins = []*Function{
{
Name: "max",
Func: func(args ...any) (any, error) {
- return minMax("max", runtime.Less, args...)
+ return minMax("max", runtime.Less, 0, args...)
},
Validate: func(args []reflect.Type) (reflect.Type, error) {
return validateAggregateFunc("max", args)
@@ -386,7 +391,7 @@ var Builtins = []*Function{
{
Name: "min",
Func: func(args ...any) (any, error) {
- return minMax("min", runtime.More, args...)
+ return minMax("min", runtime.More, 0, args...)
},
Validate: func(args []reflect.Type) (reflect.Type, error) {
return validateAggregateFunc("min", args)
@@ -395,7 +400,7 @@ var Builtins = []*Function{
{
Name: "mean",
Func: func(args ...any) (any, error) {
- count, sum, err := mean(args...)
+ count, sum, err := mean(0, args...)
if err != nil {
return nil, err
}
@@ -411,7 +416,7 @@ var Builtins = []*Function{
{
Name: "median",
Func: func(args ...any) (any, error) {
- values, err := median(args...)
+ values, err := median(0, args...)
if err != nil {
return nil, err
}
@@ -940,7 +945,10 @@ var Builtins = []*Function{
if v.Kind() != reflect.Array && v.Kind() !=
reflect.Slice {
return nil, size, fmt.Errorf("cannot flatten
%s", v.Kind())
}
- ret := flatten(v)
+ ret, err := flatten(v, 0)
+ if err != nil {
+ return nil, 0, err
+ }
size = uint(len(ret))
return ret, size, nil
},
Index: coredns-1.13.1/vendor/github.com/expr-lang/expr/builtin/lib.go
===================================================================
--- coredns-1.13.1.orig/vendor/github.com/expr-lang/expr/builtin/lib.go
+++ coredns-1.13.1/vendor/github.com/expr-lang/expr/builtin/lib.go
@@ -253,7 +253,10 @@ func String(arg any) any {
return fmt.Sprintf("%v", arg)
}
-func minMax(name string, fn func(any, any) bool, args ...any) (any, error) {
+func minMax(name string, fn func(any, any) bool, depth int, args ...any) (any,
error) {
+ if depth > MaxDepth {
+ return nil, ErrorMaxDepth
+ }
var val any
for _, arg := range args {
rv := reflect.ValueOf(arg)
@@ -261,7 +264,7 @@ func minMax(name string, fn func(any, an
case reflect.Array, reflect.Slice:
size := rv.Len()
for i := 0; i < size; i++ {
- elemVal, err := minMax(name, fn,
rv.Index(i).Interface())
+ elemVal, err := minMax(name, fn, depth+1,
rv.Index(i).Interface())
if err != nil {
return nil, err
}
@@ -294,7 +297,10 @@ func minMax(name string, fn func(any, an
return val, nil
}
-func mean(args ...any) (int, float64, error) {
+func mean(depth int, args ...any) (int, float64, error) {
+ if depth > MaxDepth {
+ return 0, 0, ErrorMaxDepth
+ }
var total float64
var count int
@@ -304,7 +310,7 @@ func mean(args ...any) (int, float64, er
case reflect.Array, reflect.Slice:
size := rv.Len()
for i := 0; i < size; i++ {
- elemCount, elemSum, err :=
mean(rv.Index(i).Interface())
+ elemCount, elemSum, err := mean(depth+1,
rv.Index(i).Interface())
if err != nil {
return 0, 0, err
}
@@ -327,7 +333,10 @@ func mean(args ...any) (int, float64, er
return count, total, nil
}
-func median(args ...any) ([]float64, error) {
+func median(depth int, args ...any) ([]float64, error) {
+ if depth > MaxDepth {
+ return nil, ErrorMaxDepth
+ }
var values []float64
for _, arg := range args {
@@ -336,7 +345,7 @@ func median(args ...any) ([]float64, err
case reflect.Array, reflect.Slice:
size := rv.Len()
for i := 0; i < size; i++ {
- elems, err := median(rv.Index(i).Interface())
+ elems, err := median(depth+1,
rv.Index(i).Interface())
if err != nil {
return nil, err
}
@@ -355,18 +364,24 @@ func median(args ...any) ([]float64, err
return values, nil
}
-func flatten(arg reflect.Value) []any {
+func flatten(arg reflect.Value, depth int) ([]any, error) {
+ if depth > MaxDepth {
+ return nil, ErrorMaxDepth
+ }
ret := []any{}
for i := 0; i < arg.Len(); i++ {
v := deref.Value(arg.Index(i))
if v.Kind() == reflect.Array || v.Kind() == reflect.Slice {
- x := flatten(v)
+ x, err := flatten(v, depth+1)
+ if err != nil {
+ return nil, err
+ }
ret = append(ret, x...)
} else {
ret = append(ret, v.Interface())
}
}
- return ret
+ return ret, nil
}
func get(params ...any) (out any, err error) {
