[AUTO-CHERRYPICK] [AutoPR- Security] Patch mtr for CVE-2025-49809 - branch 3.0-dev (microsoft#14301)

Co-authored-by: Azure Linux Security Servicing Account <[email protected]>
Co-authored-by: Kevin Lockwood <[email protected]>

Author: 3 people

SPECS/mtr/CVE-2025-49809.patch

@@ -0,0 +1,39 @@
+From de4cc71f2bca9ac59bed53ed5697147195d0226c Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Mon, 14 Jul 2025 19:49:55 +0000
+Subject: [PATCH] Fix CVE CVE-2025-49809 in mtr
+
+Upstream Patch Reference: https://github.com/traviscross/mtr/commit/5226f105f087c29d3cfad9f28000e7536af91ac6.patch
+---
+ ui/cmdpipe.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/ui/cmdpipe.c b/ui/cmdpipe.c
+index d22b236..1a66293 100644
+--- a/ui/cmdpipe.c
++++ b/ui/cmdpipe.c
+@@ -220,10 +220,17 @@ void execute_packet_child(
+        the path to the mtr-packet executable.  This is necessary
+        for debugging changes for mtr-packet.
+      */
+-    char *mtr_packet_path = getenv("MTR_PACKET");
+-    if (mtr_packet_path == NULL) {
++    char * mtr_packet_path = NULL; 
++
++    // In the rare case that mtr-packet is not setuid-root, 
++    // and a select group of users has sudo privileges to run 
++    // mtr and not much else, THEN create /etc/mtr.is.run.under.sudo
++    // to prevent a privilege escalation when one of those accounts
++    // is compromised.  CVE-2025-49809
++    if (access ("/etc/mtr.is.run.under.sudo", F_OK) != 0)
++        mtr_packet_path = getenv("MTR_PACKET");
++    if (mtr_packet_path == NULL)
+         mtr_packet_path = "mtr-packet";
+-    }
+ 
+     /*
+        First, try to execute mtr-packet from PATH
+-- 
+2.45.3
+

SPECS/mtr/mtr.spec

@@ -3,7 +3,7 @@
 Summary: Network diagnostic tool combining 'traceroute' and 'ping'
 Name: mtr
 Version: 0.95
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -12,6 +12,7 @@ Source0: https://github.com/traviscross/mtr/archive/v%{version}/%{name}-%{versio
 Source1: net-x%{name}.desktop
 Source2: mtr-gtk-pkexec-wrapper.sh
 Source3: org.fedoraproject.mtr.policy
+Patch0:CVE-2025-49809.patch
 
 BuildRequires: ncurses-devel
 BuildRequires: autoconf automake libtool git
@@ -32,7 +33,7 @@ command line, e.g. for SSH sessions; and a GTK+ interface for X (provided
 in the mtr-gtk package).
 
 %prep
-%autosetup
+%autosetup -p1
 
 %build
 export CFLAGS="%{optflags} -fPIE"
@@ -61,6 +62,9 @@ install -D -p -m 0755 mtr %{buildroot}%{_sbindir}/mtr
 %{_datadir}/bash-completion/completions/%{name}
 
 %changelog
+* Mon Jul 14 2025 Azure Linux Security Servicing Account <[email protected]> - 0.95-3
+- Patch for CVE-2025-49809
+
 * Mon Jul 22 2024 Aditya Dubey <[email protected]> - 0.95-2
 - Promoting package from SPECS-EXTENDED to SPECS