[AutoPR- Security] Patch lz4 for CVE-2025-62813 [MEDIUM] (microsoft#14912)

Co-authored-by: Kanishk Bansal <[email protected]>

Author: azurelinux-security

SPECS/lz4/CVE-2025-62813.patch

@@ -0,0 +1,71 @@
+From e2441290577968c02ff745c8002c5ef080540717 Mon Sep 17 00:00:00 2001
+From: louislafosse <[email protected]>
+Date: Mon, 31 Mar 2025 20:48:52 +0200
+Subject: [PATCH] fix(null) : improve error handlings when passing a null
+ pointer to some functions from lz4frame
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/lz4/lz4/pull/1593.patch
+---
+ lib/lz4frame.c    | 15 +++++++++++++--
+ tests/frametest.c |  9 ++++++---
+ 2 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/lib/lz4frame.c b/lib/lz4frame.c
+index 174f9ae..cc6ed6f 100644
+--- a/lib/lz4frame.c
++++ b/lib/lz4frame.c
+@@ -530,9 +530,16 @@ LZ4F_CDict*
+ LZ4F_createCDict_advanced(LZ4F_CustomMem cmem, const void* dictBuffer, size_t dictSize)
+ {
+     const char* dictStart = (const char*)dictBuffer;
+-    LZ4F_CDict* const cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
++    LZ4F_CDict* cdict = NULL;
++
+     DEBUGLOG(4, "LZ4F_createCDict_advanced");
+-    if (!cdict) return NULL;
++
++    if (!dictStart)
++        return NULL;
++    cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
++    if (!cdict)
++        return NULL;
++
+     cdict->cmem = cmem;
+     if (dictSize > 64 KB) {
+         dictStart += dictSize - 64 KB;
+@@ -1429,6 +1436,10 @@ LZ4F_errorCode_t LZ4F_getFrameInfo(LZ4F_dctx* dctx,
+                                    LZ4F_frameInfo_t* frameInfoPtr,
+                              const void* srcBuffer, size_t* srcSizePtr)
+ {
++    assert(dctx != NULL);
++    RETURN_ERROR_IF(frameInfoPtr == NULL, parameter_null);
++    RETURN_ERROR_IF(srcSizePtr == NULL, parameter_null);
++
+     LZ4F_STATIC_ASSERT(dstage_getFrameHeader < dstage_storeFrameHeader);
+     if (dctx->dStage > dstage_storeFrameHeader) {
+         /* frameInfo already decoded */
+diff --git a/tests/frametest.c b/tests/frametest.c
+index 3301955..523e35d 100644
+--- a/tests/frametest.c
++++ b/tests/frametest.c
+@@ -589,10 +589,13 @@ int basicTests(U32 seed, double compressibility)
+         size_t const srcSize = 65 KB; /* must be > 64 KB to avoid short-size optimizations */
+         size_t const dstCapacity = LZ4F_compressFrameBound(srcSize, NULL);
+         size_t cSizeNoDict, cSizeWithDict;
+-        LZ4F_CDict* const cdict = LZ4F_createCDict(CNBuffer, dictSize);
+-        if (cdict == NULL) goto _output_error;
+-        CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
++        LZ4F_CDict* cdict = NULL;
+ 
++        CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
++        cdict = LZ4F_createCDict(CNBuffer, dictSize);
++        if (cdict == NULL)
++            goto _output_error;
++        
+         DISPLAYLEVEL(3, "Testing LZ4F_createCDict_advanced : ");
+         {   LZ4F_CDict* const cda = LZ4F_createCDict_advanced(lz4f_cmem_test, CNBuffer, dictSize);
+             if (cda == NULL) goto _output_error;
+-- 
+2.45.4
+

SPECS/lz4/lz4.spec

@@ -1,7 +1,7 @@
 Summary:        Extremely fast compression.
 Name:           lz4
 Version:        1.9.4
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD 2-Clause and GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -14,7 +14,8 @@ Source0:        https://github.com/lz4/lz4/archive/v%{version}/%{name}-%{version
 # *** NOTE: Leave this patch definition because the CVE Scan tool will flag the
 # CVE due to the above version format change.
 # CVE-2014-4715 applies to versions r* before r119.
-Patch0:         CVE-2014-4715.nopatch
+# Patch0:       CVE-2014-4715.nopatch
+Patch1:         CVE-2025-62813.patch
 
 %description
 LZ4 is lossless compression algorithm, providing compression speed at 400 MB/s per core, scalable with multi-cores CPU.
@@ -28,7 +29,7 @@ Requires:   %{name} = %{version}-%{release}
 Static libraries and header files for the support library for lz4.
 
 %prep
-%setup -q
+%autosetup -p1
 
 %build
 make %{?_smp_mflags} all
@@ -56,6 +57,9 @@ make install DESTDIR=%{buildroot} LIBDIR=%{_libdir} PREFIX=%{_prefix}
 %{_includedir}/*
 
 %changelog
+* Thu Oct 23 2025 Azure Linux Security Servicing Account <[email protected]> - 1.9.4-2
+- Patch for CVE-2025-62813
+
 * Tue Nov 21 2023 CBL-Mariner Servicing Account <[email protected]> - 1.9.4-1
 - Auto-upgrade to 1.9.4 - Azure Linux 3.0 - package upgrades
 
@@ -66,7 +70,7 @@ make install DESTDIR=%{buildroot} LIBDIR=%{_libdir} PREFIX=%{_prefix}
 *   Fri Jun 12 2020 Eric Li <[email protected]> 1.9.2-2
 -   Mark CVE-2014-4715 as not applicable due to version format change
 
-*   Tue May 18 2020 Andrew Phelps <[email protected]> 1.9.2-1
+*   Mon May 18 2020 Andrew Phelps <[email protected]> 1.9.2-1
 -   Update to version 1.9.2
 
 *   Sat May 09 2020 Nick Samson <[email protected]> 1.8.2-3

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -255,9 +255,9 @@ lua-libs-5.4.6-1.azl3.aarch64.rpm
 lua-rpm-macros-1-6.azl3.noarch.rpm
 lua-srpm-macros-1-6.azl3.noarch.rpm
 lua-static-5.4.6-1.azl3.aarch64.rpm
-lz4-1.9.4-1.azl3.aarch64.rpm
-lz4-debuginfo-1.9.4-1.azl3.aarch64.rpm
-lz4-devel-1.9.4-1.azl3.aarch64.rpm
+lz4-1.9.4-2.azl3.aarch64.rpm
+lz4-debuginfo-1.9.4-2.azl3.aarch64.rpm
+lz4-devel-1.9.4-2.azl3.aarch64.rpm
 m4-1.4.19-2.azl3.aarch64.rpm
 m4-debuginfo-1.4.19-2.azl3.aarch64.rpm
 make-4.4.1-2.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -263,9 +263,9 @@ lua-libs-5.4.6-1.azl3.x86_64.rpm
 lua-rpm-macros-1-6.azl3.noarch.rpm
 lua-srpm-macros-1-6.azl3.noarch.rpm
 lua-static-5.4.6-1.azl3.x86_64.rpm
-lz4-1.9.4-1.azl3.x86_64.rpm
-lz4-debuginfo-1.9.4-1.azl3.x86_64.rpm
-lz4-devel-1.9.4-1.azl3.x86_64.rpm
+lz4-1.9.4-2.azl3.x86_64.rpm
+lz4-debuginfo-1.9.4-2.azl3.x86_64.rpm
+lz4-devel-1.9.4-2.azl3.x86_64.rpm
 m4-1.4.19-2.azl3.x86_64.rpm
 m4-debuginfo-1.4.19-2.azl3.x86_64.rpm
 make-4.4.1-2.azl3.x86_64.rpm