microsoft · CBL-Mariner-Bot · Dec 3, 2025 · Dec 3, 2025
@@ -0,0 +1,122 @@
+From a05dd812ec2de46ece35a11ab4b46c9d283d1505 Mon Sep 17 00:00:00 2001
+From: Vijay Sarvepalli <vssarvepalli@cert.org>
+Date: Thu, 6 Nov 2025 22:05:19 -0500
+Subject: [PATCH] Fix for vulnerbaility CVE-2025-12816
+
+Upstream Patch Reference: https://app.codecov.io/gh/digitalbazaar/forge/commit/a5ce91d03df4dcfc025b74a5b7f50389942d49c9?dropdown=coverage&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=digitalbazaar
+PR link: https://github.com/digitalbazaar/forge/pull/1124
+---
+ src/ui/node_modules/node-forge/lib/asn1.js   | 72 ++++++++++++++++----
+ src/ui/node_modules/node-forge/lib/pkcs12.js |  3 +
+ 2 files changed, 61 insertions(+), 14 deletions(-)
+
+diff --git a/src/ui/node_modules/node-forge/lib/asn1.js b/src/ui/node_modules/node-forge/lib/asn1.js
+index e0fea0e0..53c77050 100644
+--- a/src/ui/node_modules/node-forge/lib/asn1.js
++++ b/src/ui/node_modules/node-forge/lib/asn1.js
+@@ -1148,22 +1148,65 @@ asn1.validate = function(obj, v, capture, errors) {
+       if(v.value && forge.util.isArray(v.value)) {
+         var j = 0;
+         for(var i = 0; rval && i < v.value.length; ++i) {
+-          rval = v.value[i].optional || false;
+-          if(obj.value[j]) {
+-            rval = asn1.validate(obj.value[j], v.value[i], capture, errors);
+-            if(rval) {
+-              ++j;
+-            } else if(v.value[i].optional) {
++          var schemaItem = v.value[i];
++          rval = !!schemaItem.optional;
++
++          // current child in the object
++          var objChild = obj.value[j];
++
++          // if there is no child left to match
++          if(!objChild) {
++            // if optional, ok (rval already true), else fail below
++            if(!schemaItem.optional) {
++              rval = false;
++              if(errors) {
++                errors.push('[' + v.name + '] ' +
++                  'Missing required element. Expected tag class "' +
++                  schemaItem.tagClass + '", type "' + schemaItem.type + '"');
++              }
++            }
++            continue;
++          }
++
++          // If schema explicitly specifies tagClass/type, do a quick structural check
++          // to avoid unnecessary recursion/side-effects when tags clearly don't match.
++          var schemaHasTag = (typeof schemaItem.tagClass !== 'undefined' &&
++            typeof schemaItem.type !== 'undefined');
++
++          if(schemaHasTag &&
++            (objChild.tagClass !== schemaItem.tagClass || objChild.type !== schemaItem.type)) {
++            // Tags do not match.
++            if(schemaItem.optional) {
++              // Skip this schema element (don't consume objChild; don't call recursive validate).
+               rval = true;
++              continue;
++            } else {
++              // Required schema item mismatched - fail.
++              rval = false;
++              if(errors) {
++                errors.push('[' + v.name + '] ' +
++                  'Tag mismatch. Expected (' +
++                  schemaItem.tagClass + ',' + schemaItem.type + '), got (' +
++                  objChild.tagClass + ',' + objChild.type + ')');
++              }
++              break;
+             }
+           }
+-          if(!rval && errors) {
+-            errors.push(
+-              '[' + v.name + '] ' +
+-              'Tag class "' + v.tagClass + '", type "' +
+-              v.type + '" expected value length "' +
+-              v.value.length + '", got "' +
+-              obj.value.length + '"');
++
++          // Tags are compatible (or schema did not declare tags) - dive into recursive validate.
++          var childRval = asn1.validate(objChild, schemaItem, capture, errors);
++          if(childRval) {
++            // consume this child
++            ++j;
++            rval = true;
++          } else if(schemaItem.optional) {
++            // validation failed but element is optional => skip schema item (don't consume child)
++            rval = true;
++          } else {
++            // required item failed
++            rval = false;
++            // errors should already be populated by recursive call; keep failing
++            break;
+           }
+         }
+       }
+@@ -1209,7 +1252,8 @@ asn1.validate = function(obj, v, capture, errors) {
+     if(obj.type !== v.type) {
+       errors.push(
+         '[' + v.name + '] ' +
+-        'Expected type "' + v.type + '", got "' + obj.type + '"');
++        'Expected type "' + v.type + '", got "' +
++        obj.type + '"');
+     }
+   }
+   return rval;
+diff --git a/src/ui/node_modules/node-forge/lib/pkcs12.js b/src/ui/node_modules/node-forge/lib/pkcs12.js
+index cd06c494..dee8b36a 100644
+--- a/src/ui/node_modules/node-forge/lib/pkcs12.js
++++ b/src/ui/node_modules/node-forge/lib/pkcs12.js
+@@ -474,6 +474,9 @@ p12.pkcs12FromAsn1 = function(obj, strict, password) {
+     if(macValue.getBytes() !== capture.macDigest) {
+       throw new Error('PKCS#12 MAC could not be verified. Invalid password?');
+     }
++  } else if(Array.isArray(obj.value) && obj.value.length > 2) {
++    /* This is pfx data that should have mac and verify macDigest */
++    throw new Error('Invalid PKCS#12. macData field present but MAC was not validated.');
+   }
+
+   _decodeAuthenticatedSafe(pfx, data.value, strict, password);
+-- 
+2.43.0
+
@@ -0,0 +1,47 @@
+From 3e0c35ace169cfca529a3e547a7848dc7bf57fdb Mon Sep 17 00:00:00 2001
+From: "David I. Lehn" <dlehn@digitalbazaar.com>
+Date: Mon, 24 Nov 2025 23:16:22 -0500
+Subject: [PATCH] Fix "ASN.1 OID Integer Truncation" advisory.
+
+- [asn1] Improve OID handling.
+  - Error on parsed OID values larger than `2**32 - 1`.
+  - Error on DER OID values larger than `2**53 - 1 `.
+
+Upstream Patch Reference: https://github.com/digitalbazaar/forge/commit/3e0c35ace169cfca529a3e547a7848dc7bf57fdb.patch
+---
+ src/ui/node_modules/node-forge/lib/asn1.js | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/ui/node_modules/node-forge/lib/asn1.js b/src/ui/node_modules/node-forge/lib/asn1.js
+index f424f84b..f90c831b 100644
+--- a/src/ui/node_modules/node-forge/lib/asn1.js
++++ b/src/ui/node_modules/node-forge/lib/asn1.js
+@@ -770,6 +770,10 @@ asn1.oidToDer = function(oid) {
+     last = true;
+     valueBytes = [];
+     value = parseInt(values[i], 10);
++    // TODO: Change bitwise logic to allow larger values.
++    if(value > 0xffffffff) {
++      throw new Error('OID value too large; max is 32-bits.');
++    }
+     do {
+       b = value & 0x7F;
+       value = value >>> 7;
+@@ -815,8 +819,13 @@ asn1.derToOid = function(bytes) {
+   // the last byte for each value
+   var value = 0;
+   while(bytes.length() > 0) {
++    // error if 7b shift would exceed Number.MAX_SAFE_INTEGER
++    // (Number.MAX_SAFE_INTEGER / 128)
++    if(value > 0x3fffffffffff) {
++      throw new Error('OID value too large; max is 53-bits.');
++    }
+     b = bytes.getByte();
+-    value = value << 7;
++    value = value * 128;
+     // not the last byte for the value
+     if(b & 0x80) {
+       value += b & 0x7F;
+-- 
+2.43.0
+
@@ -0,0 +1,52 @@
+From 260425c6167a38aae038697132483b5517b26451 Mon Sep 17 00:00:00 2001
+From: wodzen <wodzen@proton.me>
+Date: Sat, 22 Nov 2025 10:35:50 -0800
+Subject: [PATCH] Add ASN.1 recursion depth limit
+
+Upstream Patch Reference: https://github.com/digitalbazaar/forge/commit/260425c6167a38aae038697132483b5517b26451.patch
+---
+ src/ui/node_modules/node-forge/lib/asn1.js | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/ui/node_modules/node-forge/lib/asn1.js b/src/ui/node_modules/node-forge/lib/asn1.js
+index 97d1a8a1..c766f7e6 100644
+--- a/src/ui/node_modules/node-forge/lib/asn1.js
++++ b/src/ui/node_modules/node-forge/lib/asn1.js
+@@ -178,6 +178,11 @@ asn1.Type = {
+   BMPSTRING:       30
+ };
+
++/**
++ * Sets the default maximum recursion depth when parsing ASN.1 structures.
++ */
++asn1.maxDepth = 256;
++
+ /**
+  * Creates a new asn1 object.
+  *
+@@ -439,6 +444,9 @@ asn1.fromDer = function(bytes, options) {
+   if(!('decodeBitStrings' in options)) {
+     options.decodeBitStrings = true;
+   }
++  if(!('maxDepth' in options)) {
++    options.maxDepth = asn1.maxDepth;
++  }
+
+   // wrap in buffer if needed
+   if(typeof bytes === 'string') {
+@@ -459,6 +467,12 @@ asn1.fromDer = function(bytes, options) {
+  * @return the parsed asn1 object.
+  */
+ function _fromDer(bytes, remaining, depth, options) {
++
++  // check depth limit
++  if(depth >= options.maxDepth) {
++    throw new Error('ASN.1 parsing error: Max depth exceeded.');
++  }
++
+   // temporary storage for consumption calculations
+   var start;
+
+-- 
+2.43.0
+
@@ -6,7 +6,7 @@
 Summary:        Reaper for cassandra is a tool for running Apache Cassandra repairs against single or multi-site clusters.
 Name:           reaper
 Version:        3.1.1
-Release:        20%{?dist}
+Release:        21%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -53,6 +53,9 @@ Patch17:        CVE-2024-6484.patch
 Patch18:        CVE-2025-48387.patch
 Patch19:        CVE-2018-19827.patch
 Patch20:        CVE-2018-19797.patch
+Patch21:        CVE-2025-12816.patch
+Patch22:        CVE-2025-66031.patch
+Patch23:        CVE-2025-66030.patch
 
 BuildRequires:  git
 BuildRequires:  javapackages-tools
@@ -201,6 +204,9 @@ fi
 %{_unitdir}/cassandra-%{name}.service
 
 %changelog
+* Tue Dec 02 2025 Akhila Guruju <v-guakhila@microsoft.com> - 3.1.1-21
+- Patch CVE-2025-12816, CVE-2025-66031 and CVE-2025-66030
+
 * Fri Nov 28 2025 Akhila Guruju <v-guakhila@microsoft.com> - 3.1.1-20
 - Patch CVE-2018-19827 and CVE-2018-19797