[AutoPR- Security] Patch fio for CVE-2025-10823 [MEDIUM] (microsoft#14723)

Signed-off-by: Kanishk Bansal <[email protected]>
Co-authored-by: Kanishk Bansal <[email protected]>

Author: azurelinux-security

SPECS/fio/CVE-2025-10823.patch

@@ -0,0 +1,32 @@
+From 15bbb219bb05934bf321f750b6aaa8d1d5986566 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <[email protected]>
+Date: Tue, 23 Sep 2025 11:50:46 -0600
+Subject: [PATCH] options: check for NULL input string and fail
+
+Waste of time busy work.
+
+Link: https://github.com/axboe/fio/issues/1982
+Signed-off-by: Jens Axboe <[email protected]>
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/axboe/fio/commit/6a39dfaffdb8a6c2080eec0dc7fb1ee532d54025.patch
+---
+ options.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/options.c b/options.c
+index de935ef..b38441e 100644
+--- a/options.c
++++ b/options.c
+@@ -1535,6 +1535,9 @@ static int str_buffer_pattern_cb(void *data, const char *input)
+ 	struct thread_data *td = cb_data_to_td(data);
+ 	int ret;
+ 
++	if (!input)
++		return 1;
++
+ 	/* FIXME: for now buffer pattern does not support formats */
+ 	ret = parse_and_fill_pattern_alloc(input, strlen(input),
+ 				&td->o.buffer_pattern, NULL, NULL, NULL);
+-- 
+2.45.4
+

SPECS/fio/fio.signatures.json

@@ -1,6 +1,6 @@
 {
  "Signatures": {
-  "fio-3.37.tar.bz2": "88f0fd6549ca07f7387e784a91706ab11e36d5c12ec26540f1b2d33c6f2d8327"
+  "fio-3.37.tar.gz": "b59099d42d5c62a8171974e54466a688c8da6720bf74a7f16bf24fb0e51ff92d"
  }
 }
 

SPECS/fio/fio.spec

@@ -1,12 +1,13 @@
 Summary:        Multithreaded IO generation tool
 Name:           fio
 Version:        3.37
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://git.kernel.dk/?p=fio.git;a=summary
-Source0:        https://brick.kernel.dk/snaps/%{name}-%{version}.tar.bz2
+Source0:        https://github.com/axboe/%{name}/archive/refs/tags/%{name}-%{version}.tar.gz
+Patch0:         CVE-2025-10823.patch
 
 %bcond_without nbd
 %bcond_with rbd
@@ -147,7 +148,7 @@ RDMA engine for %{name}.
 %endif
 
 %prep
-%autosetup -p1
+%autosetup -n %{name}-%{name}-%{version} -p1
 
 %py3_shebang_fix \
  tools/fio_jsonplus_clat2csv \
@@ -220,6 +221,9 @@ EXTFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS" %make_build
 %endif
 
 %changelog
+* Wed Sep 24 2025 Azure Linux Security Servicing Account <[email protected]> - 3.37-3
+- Patch for CVE-2025-10823
+
 * Thu Jun 06 2024 Andrew Phelps <[email protected]> - 3.37-2
 - Update spec based on Fedora 40 package (license: MIT)
 - Disable building rbd and rados subpackages

cgmanifest.json

@@ -3639,7 +3639,7 @@
         "other": {
           "name": "fio",
           "version": "3.37",
-          "downloadUrl": "https://brick.kernel.dk/snaps/fio-3.37.tar.bz2"
+          "downloadUrl": "https://github.com/axboe/fio/archive/refs/tags/fio-3.37.tar.gz"
         }
       }
     },