[Medium] Patch Fio for CVE-2025-10823 (microsoft#14725)

Author: AkarshHCL

SPECS/fio/CVE-2025-10823.patch

@@ -0,0 +1,35 @@
+From 6a39dfaffdb8a6c2080eec0dc7fb1ee532d54025 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <[email protected]>
+Date: Tue, 23 Sep 2025 11:50:46 -0600
+Subject: [PATCH] options: check for NULL input string and fail
+
+Waste of time busy work.
+
+Link: https://github.com/axboe/fio/issues/1982
+Signed-off-by: Jens Axboe <[email protected]>
+
+Modified patch to apply to AzureLinux
+Modified-by: Akarsh Chaudhary <[email protected]>
+Date: Wed, 24 Sep 2025 
+
+Upstream Patch Reference: https://github.com/axboe/fio/commit/6a39dfaffdb8a6c2080eec0dc7fb1ee532d54025.patch
+---
+ options.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/options.c b/options.c
+index e06d9b6..07ebec0 100644
+--- a/options.c
++++ b/options.c
+@@ -1486,6 +1486,8 @@ static int str_buffer_pattern_cb(void *data, const char *input)
+ {
+ 	struct thread_data *td = cb_data_to_td(data);
+ 	int ret;
++        if (!input)
++		return 1;
+ 
+ 	/* FIXME: for now buffer pattern does not support formats */
+ 	ret = parse_and_fill_pattern(input, strlen(input), td->o.buffer_pattern,
+-- 
+2.45.4
+

SPECS/fio/fio.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "fio-3.30.tar.bz2": "a6f4c0181112588a826b36ee634d5476dd562b7d19ac9c239abd1dabe3dc51e2"
+  "fio-3.30.tar.gz": "305647377527a2827223065582dd8a9269e69866426b341699d55bb4e4d3cc71"
  }
-}
+}

SPECS/fio/fio.spec

@@ -1,12 +1,15 @@
 Summary:        Multithreaded IO generation tool
 Name:           fio
 Version:        3.30
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://git.kernel.dk/?p=fio.git;a=summary
-Source0:        https://brick.kernel.dk/snaps/%{name}-%{version}.tar.bz2
+Source0:        https://github.com/axboe/%{name}/archive/refs/tags/%{name}-%{version}.tar.gz
+
+Patch1:         CVE-2025-10823.patch
+
 BuildRequires:  gcc
 BuildRequires:  gnupg2
 BuildRequires:  libaio-devel
@@ -22,7 +25,7 @@ BuildRequires:  zlib-devel
 BuildRequires:  libpmem-devel
 BuildRequires:  libpmemblk-devel
 %endif
-%if %{with_check}
+%if 0%{?with_check}
 BuildRequires:  CUnit-devel
 %endif
 
@@ -125,7 +128,7 @@ Requires:       %{name} = %{version}-%{release}
 RDMA engine for %{name}.
 
 %prep
-%autosetup -p1
+%autosetup -n %{name}-%{name}-%{version} -p1 
 
 %py3_shebang_fix \
  tools/fio_jsonplus_clat2csv \
@@ -191,6 +194,9 @@ EXTFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS" %make_build
 %{_libdir}/fio/fio-rdma.so
 
 %changelog
+* Wed Sep 24 2025 Akarsh Chaudhary <[email protected]>- 3.30-3
+- Patch CVE-2025-10823
+
 * Wed Sep 20 2023 Jon Slobodzian <[email protected]> - 3.30-2
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 

cgmanifest.json

@@ -3589,7 +3589,7 @@
         "other": {
           "name": "fio",
           "version": "3.30",
-          "downloadUrl": "https://brick.kernel.dk/snaps/fio-3.30.tar.bz2"
+          "downloadUrl": "https://github.com/axboe/fio/archive/refs/tags/fio-3.30.tar.gz"
         }
       }
     },