[AutoPR- Security] Patch rabbitmq-server for CVE-2025-50200 [MEDIUM] (microsoft#14950)

Author: azurelinux-security

SPECS/rabbitmq-server/CVE-2025-50200.patch

@@ -0,0 +1,177 @@
+From e893d6bdaabfcb98472b115213c1af0522be7517 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Wed, 29 Oct 2025 05:28:18 +0000
+Subject: [PATCH] Fix Cowboy crashes caused by double reply: set_resp_not_found
+ helper and adjust resource_exists in mgmt WM modules
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/rabbitmq/rabbitmq-server/pull/13612.patch
+---
+ .../src/rabbit_mgmt_util.erl                  | 17 +++++++++++++
+ .../src/rabbit_mgmt_wm_exchange_publish.erl   | 25 ++++++-------------
+ .../src/rabbit_mgmt_wm_queue_actions.erl      | 24 ++++++------------
+ .../src/rabbit_mgmt_wm_queue_get.erl          | 24 ++++++------------
+ 4 files changed, 41 insertions(+), 49 deletions(-)
+
+diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_util.erl b/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
+index 99a8436..9c4c65d 100644
+--- a/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
++++ b/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
+@@ -51,6 +51,8 @@
+ 
+ -export([disable_stats/1, enable_queue_totals/1]).
+ 
++-export([set_resp_not_found/2]).
++
+ -import(rabbit_misc, [pget/2]).
+ 
+ -include("rabbit_mgmt.hrl").
+@@ -1145,3 +1147,18 @@ catch_no_such_user_or_vhost(Fun, Replacement) ->
+ %% error is thrown when the request is out of range
+ sublist(List, S, L) when is_integer(L), L >= 0 ->
+     lists:sublist(lists:nthtail(S-1, List), L).
++
++-spec set_resp_not_found(binary(), cowboy_req:req()) -> cowboy_req:req().
++set_resp_not_found(NotFoundBin, ReqData) ->
++    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
++        not_found ->
++            <<"vhost_not_found">>;
++        _ ->
++            NotFoundBin
++    end,
++    ReqData1 = cowboy_req:set_resp_header(
++        <<"content-type">>, <<"application/json">>, ReqData),
++    cowboy_req:set_resp_body(rabbit_json:encode(#{
++        <<"error">> => <<"not_found">>,
++        <<"reason">> => ErrorMessage
++    }), ReqData1).
+diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_wm_exchange_publish.erl b/deps/rabbitmq_management/src/rabbit_mgmt_wm_exchange_publish.erl
+index 5a2dc27..381482a 100644
+--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_exchange_publish.erl
++++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_exchange_publish.erl
+@@ -29,11 +29,14 @@ allowed_methods(ReqData, Context) ->
+ content_types_provided(ReqData, Context) ->
+    {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.
+ 
+-resource_exists(ReqData, Context) ->
+-    {case rabbit_mgmt_wm_exchange:exchange(ReqData) of
+-         not_found -> raise_not_found(ReqData, Context);
+-         _         -> true
+-     end, ReqData, Context}.
++resource_exists(ReqData0, Context) ->
++    case rabbit_mgmt_wm_exchange:exchange(ReqData0) of
++        not_found ->
++            ReqData1 = rabbit_mgmt_util:set_resp_not_found(<<"exchange_not_found">>, ReqData0),
++            {false, ReqData1, Context};
++        _ ->
++            {true, ReqData0, Context}
++    end.
+ 
+ allow_missing_post(ReqData, Context) ->
+     {false, ReqData, Context}.
+@@ -104,18 +107,6 @@ bad({{coordinator_unavailable, _}, _}, ReqData, Context) ->
+ is_authorized(ReqData, Context) ->
+     rabbit_mgmt_util:is_authorized_vhost(ReqData, Context).
+ 
+-raise_not_found(ReqData, Context) ->
+-    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
+-        not_found -> 
+-            "vhost_not_found";
+-        _ ->
+-            "exchange_not_found"
+-    end,
+-    rabbit_mgmt_util:not_found(
+-        rabbit_data_coercion:to_binary(ErrorMessage),
+-        ReqData,
+-        Context).
+-
+ %%--------------------------------------------------------------------
+ 
+ decode(Payload, <<"string">>) -> Payload;
+diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_actions.erl b/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_actions.erl
+index f11d2fd..eb41b8d 100644
+--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_actions.erl
++++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_actions.erl
+@@ -26,11 +26,14 @@ variances(Req, Context) ->
+ allowed_methods(ReqData, Context) ->
+     {[<<"POST">>, <<"OPTIONS">>], ReqData, Context}.
+ 
+-resource_exists(ReqData, Context) ->
+-    {case rabbit_mgmt_wm_queue:queue(ReqData) of
+-         not_found -> raise_not_found(ReqData, Context);
+-         _         -> true
+-     end, ReqData, Context}.
++resource_exists(ReqData0, Context) ->
++    case rabbit_mgmt_wm_queue:queue(ReqData0) of
++        not_found ->
++            ReqData1 = rabbit_mgmt_util:set_resp_not_found(<<"queue_not_found">>, ReqData0),
++            {false, ReqData1, Context};
++        _ ->
++            {true, ReqData0, Context}
++    end.
+ 
+ allow_missing_post(ReqData, Context) ->
+     {false, ReqData, Context}.
+@@ -55,17 +58,6 @@ do_it(ReqData0, Context) ->
+ is_authorized(ReqData, Context) ->
+     rabbit_mgmt_util:is_authorized_admin(ReqData, Context).
+ 
+-raise_not_found(ReqData, Context) ->
+-    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
+-        not_found -> 
+-            "vhost_not_found";
+-        _ ->
+-            "queue_not_found"
+-    end,
+-    rabbit_mgmt_util:not_found(
+-        rabbit_data_coercion:to_binary(ErrorMessage),
+-        ReqData,
+-        Context).
+ %%--------------------------------------------------------------------
+ 
+ action(<<"sync">>, Q, ReqData, Context) when ?is_amqqueue(Q) ->
+diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl b/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl
+index d08439b..31d32c1 100644
+--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl
++++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl
+@@ -29,11 +29,14 @@ allowed_methods(ReqData, Context) ->
+ content_types_provided(ReqData, Context) ->
+    {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.
+ 
+-resource_exists(ReqData, Context) ->
+-    {case rabbit_mgmt_wm_queue:queue(ReqData) of
+-         not_found -> raise_not_found(ReqData, Context);
+-         _         -> true
+-     end, ReqData, Context}.
++resource_exists(ReqData0, Context) ->
++    case rabbit_mgmt_wm_queue:queue(ReqData0) of
++        not_found ->
++            ReqData1 = rabbit_mgmt_util:set_resp_not_found(<<"queue_not_found">>, ReqData0),
++            {false, ReqData1, Context};
++        _ ->
++            {true, ReqData0, Context}
++    end.
+ 
+ allow_missing_post(ReqData, Context) ->
+     {false, ReqData, Context}.
+@@ -152,17 +155,6 @@ basic_get(Ch, Q, AckMode, Enc, Trunc) ->
+ is_authorized(ReqData, Context) ->
+     rabbit_mgmt_util:is_authorized_vhost(ReqData, Context).
+ 
+-raise_not_found(ReqData, Context) ->
+-    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
+-        not_found -> 
+-            "vhost_not_found";
+-        _ ->
+-            "queue_not_found"
+-    end,
+-    rabbit_mgmt_util:not_found(
+-        rabbit_data_coercion:to_binary(ErrorMessage),
+-        ReqData,
+-        Context).
+ %%--------------------------------------------------------------------
+ 
+ maybe_truncate(Payload, none)                         -> Payload;
+-- 
+2.45.4
+

SPECS/rabbitmq-server/rabbitmq-server.spec

@@ -2,14 +2,15 @@
 Summary:        rabbitmq-server
 Name:           rabbitmq-server
 Version:        3.13.7
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        Apache-2.0 and MPL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Development/Languages
 URL:            https://rabbitmq.com
 Source0:        https://github.com/rabbitmq/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
 Patch0:			CVE-2025-30219.patch
+Patch1:			CVE-2025-50200.patch
 
 BuildRequires:  elixir
 BuildRequires:  erlang
@@ -66,6 +67,9 @@ done
 %{_libdir}/rabbitmq/lib/rabbitmq_server-%{version}/*
 
 %changelog
+* Wed Oct 29 2025 Azure Linux Security Servicing Account <[email protected]> - 3.13.7-3
+- Patch for CVE-2025-50200
+
 * Mon Mar 31 2025 Ankita Pareek <[email protected]> - 3.13.7-2
 - Address CVE-2025-30219 with a patch