[Low] Patch cmake for CVE-2025-5916, CVE-2025-5917 & CVE-2025-5918 (microsoft#14052)

Author: durgajagadeesh

SPECS/cmake/CVE-2025-5916.patch

@@ -0,0 +1,39 @@
+From cb083a8451e8bb463512d7cd18d4698bf27c6fcf Mon Sep 17 00:00:00 2001
+From: dj_palli <[email protected]>
+Date: Thu, 19 Jun 2025 12:55:15 +0000
+Subject: [PATCH] Address CVE-2025-5916
+
+Upstream patch reference:https://github.com/libarchive/libarchive/pull/2568
+
+---
+ Utilities/cmlibarchive/libarchive/archive_read_support_format_warc.c          | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/Utilities/cmlibarchive/libarchive/archive_read_support_format_warc.c b/Utilities/cmlibarchive/libarchive/archive_read_support_format_warc.c
+index 72977b8e..0f3ee8d1 100644
+--- a/Utilities/cmlibarchive/libarchive/archive_read_support_format_warc.c
++++ b/Utilities/cmlibarchive/libarchive/archive_read_support_format_warc.c
+@@ -363,7 +363,8 @@ start_over:
+ 		/* FALLTHROUGH */
+ 	default:
+ 		/* consume the content and start over */
+-		_warc_skip(a);
++		if (_warc_skip(a) < 0)
++			return (ARCHIVE_FATAL);
+ 		goto start_over;
+ 	}
+ 	return (ARCHIVE_OK);
+@@ -416,7 +417,9 @@ _warc_skip(struct archive_read *a)
+ {
+ 	struct warc_s *w = a->format->data;
+ 
+-	__archive_read_consume(a, w->cntlen + 4U/*\r\n\r\n separator*/);
++	if (__archive_read_consume(a, w->cntlen) < 0 ||
++	    __archive_read_consume(a, 4U/*\r\n\r\n separator*/) < 0)
++		return (ARCHIVE_FATAL);
+ 	w->cntlen = 0U;
+ 	w->cntoff = 0U;
+ 	return (ARCHIVE_OK);
+-- 
+2.45.2
+

SPECS/cmake/CVE-2025-5917.patch

@@ -0,0 +1,36 @@
+From b211326905f20a8c9611911ebfef8a40c84757eb Mon Sep 17 00:00:00 2001
+From: dj_palli <[email protected]>
+Date: Thu, 19 Jun 2025 13:36:28 +0000
+Subject: [PATCH] Address CVE-2025-5917
+
+Upstream patch reference:https://github.com/libarchive/libarchive/pull/2588
+
+---
+ Utilities/cmlibarchive/libarchive/archive_write_set_format_pax.c    | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Utilities/cmlibarchive/libarchive/archive_write_set_format_pax.c b/Utilities/cmlibarchive/libarchive/archive_write_set_format_pax.c
+index a2b27107..0e0c71eb 100644
+--- a/Utilities/cmlibarchive/libarchive/archive_write_set_format_pax.c
++++ b/Utilities/cmlibarchive/libarchive/archive_write_set_format_pax.c
+@@ -1542,7 +1542,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length,
+ 	const char *filename, *filename_end;
+ 	char *p;
+ 	int need_slash = 0; /* Was there a trailing slash? */
+-	size_t suffix_length = 99;
++	size_t suffix_length = 98; /* 99 - 1 for trailing slash */
+ 	size_t insert_length;
+ 
+ 	/* Length of additional dir element to be added. */
+@@ -1594,7 +1594,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length,
+ 	/* Step 2: Locate the "prefix" section of the dirname, including
+ 	 * trailing '/'. */
+ 	prefix = src;
+-	prefix_end = prefix + 155;
++	prefix_end = prefix + 154 /* 155 - 1 for trailing / */;
+ 	if (prefix_end > filename)
+ 		prefix_end = filename;
+ 	while (prefix_end > prefix && *prefix_end != '/')
+-- 
+2.45.2
+

SPECS/cmake/CVE-2025-5918.patch

@@ -0,0 +1,194 @@
+From 8a0cc2ca12fc939ac7390776ae12de627372650d Mon Sep 17 00:00:00 2001
+From: Durga Jagadeesh Palli <[email protected]>
+Date: Tue, 9 Sep 2025 00:32:16 +0000
+Subject: [PATCH] Address CVE-2025-5918 and fix the FILE skip regression.
+
+Upstream Patch Reference: https://github.com/libarchive/libarchive/pull/2584
+Upstream Patch Reference for fix FILE_skip regression: https://github.com/libarchive/libarchive/pull/2642
+
+---
+ Utilities/cmlibarchive/libarchive/archive_read_open_fd.c         | 13 +++++--
+ Utilities/cmlibarchive/libarchive/archive_read_open_file.c       | 36 ++++++++++++++-----
+ Utilities/cmlibarchive/libarchive/archive_read_open_filename.c   | 30 ++++++++++++----
+ 3 files changed, 62 insertions(+), 17 deletions(-)
+
+diff --git a/Utilities/cmlibarchive/libarchive/archive_read_open_fd.c b/Utilities/cmlibarchive/libarchive/archive_read_open_fd.c
+index f59cd07f..f8c5d0a1 100644
+--- a/Utilities/cmlibarchive/libarchive/archive_read_open_fd.c
++++ b/Utilities/cmlibarchive/libarchive/archive_read_open_fd.c
+@@ -53,6 +53,7 @@ __FBSDID("$FreeBSD: head/lib/libarchive/archive_read_open_fd.c 201103 2009-12-28
+ struct read_fd_data {
+ 	int	 fd;
+ 	size_t	 block_size;
++	int64_t size;
+ 	char	 use_lseek;
+ 	void	*buffer;
+ };
+@@ -96,6 +97,7 @@ archive_read_open_fd(struct archive *a, int fd, size_t block_size)
+ 	if (S_ISREG(st.st_mode)) {
+ 		archive_read_extract_set_skip_file(a, st.st_dev, st.st_ino);
+ 		mine->use_lseek = 1;
++		mine->size = st.st_size;
+ 	}
+ #if defined(__CYGWIN__) || defined(_WIN32)
+ 	setmode(mine->fd, O_BINARY);
+@@ -152,9 +154,14 @@ file_skip(struct archive *a, void *client_data, int64_t request)
+ 	if (request == 0)
+ 		return (0);
+ 
+-	if (((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) &&
+-	    ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0))
+-		return (new_offset - old_offset);
++	if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) {
++		if (old_offset >= mine->size ||
++			skip > mine->size - old_offset) {
++			/* Do not seek past end of file. */
++			errno = ESPIPE;
++		} else if ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0)
++			return (new_offset - old_offset);
++	}
+ 
+ 	/* If seek failed once, it will probably fail again. */
+ 	mine->use_lseek = 0;
+diff --git a/Utilities/cmlibarchive/libarchive/archive_read_open_file.c b/Utilities/cmlibarchive/libarchive/archive_read_open_file.c
+index 101dae6c..de77e74f 100644
+--- a/Utilities/cmlibarchive/libarchive/archive_read_open_file.c
++++ b/Utilities/cmlibarchive/libarchive/archive_read_open_file.c
+@@ -53,6 +53,7 @@ __FBSDID("$FreeBSD: head/lib/libarchive/archive_read_open_file.c 201093 2009-12-
+ struct read_FILE_data {
+ 	FILE    *f;
+ 	size_t	 block_size;
++	int64_t  size;
+ 	void	*buffer;
+ 	char	 can_skip;
+ };
+@@ -91,6 +92,7 @@ archive_read_open_FILE(struct archive *a, FILE *f)
+ 		archive_read_extract_set_skip_file(a, st.st_dev, st.st_ino);
+ 		/* Enable the seek optimization only for regular files. */
+ 		mine->can_skip = 1;
++		mine->size = st.st_size;
+ 	} else
+ 		mine->can_skip = 0;
+ 
+@@ -130,6 +132,7 @@ file_skip(struct archive *a, void *client_data, int64_t request)
+ #else
+ 	long skip = (long)request;
+ #endif
++    int64_t old_offset, new_offset = -1;
+ 	int skip_bits = sizeof(skip) * 8 - 1;
+ 
+ 	(void)a; /* UNUSED */
+@@ -153,19 +156,36 @@ file_skip(struct archive *a, void *client_data, int64_t request)
+ 
+ #ifdef __ANDROID__
+         /* fileno() isn't safe on all platforms ... see above. */
+-	if (lseek(fileno(mine->f), skip, SEEK_CUR) < 0)
++	old_offset = lseek(fileno(mine->f), 0, SEEK_CUR);
+ #elif HAVE_FSEEKO
+-	if (fseeko(mine->f, skip, SEEK_CUR) != 0)
++	old_offset = ftello(mine->f);
+ #elif HAVE__FSEEKI64
+-	if (_fseeki64(mine->f, skip, SEEK_CUR) != 0)
++	old_offset = _ftelli64(mine->f);
+ #else
+-	if (fseek(mine->f, skip, SEEK_CUR) != 0)
++	old_offset = ftell(mine->f);
+ #endif
+-	{
+-		mine->can_skip = 0;
+-		return (0);
++	if (old_offset >= 0) {
++		if (old_offset < mine->size &&
++		    skip <= mine->size - old_offset) {
++#ifdef __ANDROID__
++			new_offset = lseek(fileno(mine->f), skip, SEEK_CUR);
++#elif HAVE__FSEEKI64
++			if (_fseeki64(mine->f, skip, SEEK_CUR) == 0)
++				new_offset = _ftelli64(mine->f);
++#elif HAVE_FSEEKO
++			if (fseeko(mine->f, skip, SEEK_CUR) == 0)
++				new_offset = ftello(mine->f);
++#else
++			if (fseek(mine->f, skip, SEEK_CUR) == 0)
++				new_offset = ftell(mine->f);
++#endif
++			if (new_offset >= 0)
++				return (new_offset - old_offset);
++		}
+ 	}
+-	return (request);
++
++	mine->can_skip = 0;
++	return (0);
+ }
+ 
+ static int
+diff --git a/Utilities/cmlibarchive/libarchive/archive_read_open_filename.c b/Utilities/cmlibarchive/libarchive/archive_read_open_filename.c
+index 86635e21..84556a15 100644
+--- a/Utilities/cmlibarchive/libarchive/archive_read_open_filename.c
++++ b/Utilities/cmlibarchive/libarchive/archive_read_open_filename.c
+@@ -75,6 +75,7 @@ struct read_file_data {
+ 	size_t	 block_size;
+ 	void	*buffer;
+ 	mode_t	 st_mode;  /* Mode bits for opened file. */
++	int64_t size;
+ 	char	 use_lseek;
+ 	enum fnt_e { FNT_STDIN, FNT_MBS, FNT_WCS } filename_type;
+ 	union {
+@@ -366,8 +367,10 @@ file_open(struct archive *a, void *client_data)
+ 	mine->st_mode = st.st_mode;
+ 
+ 	/* Disk-like inputs can use lseek(). */
+-	if (is_disk_like)
++	if (is_disk_like) {
+ 		mine->use_lseek = 1;
++		mine->size = st.st_size;
++	}
+ 
+ 	return (ARCHIVE_OK);
+ fail:
+@@ -445,21 +448,36 @@ file_skip_lseek(struct archive *a, void *client_data, int64_t request)
+ 	struct read_file_data *mine = (struct read_file_data *)client_data;
+ #if defined(_WIN32) && !defined(__CYGWIN__)
+ 	/* We use _lseeki64() on Windows. */
+-	int64_t old_offset, new_offset;
++	int64_t old_offset, new_offset, skip = request;;
+ #else
+-	off_t old_offset, new_offset;
++	off_t old_offset, new_offset, skip = (off_t)request;
+ #endif
++    int skip_bits = sizeof(skip) * 8 - 1;
+ 
+ 	/* We use off_t here because lseek() is declared that way. */
+ 
++	/* Reduce a request that would overflow the 'skip' variable. */
++	if (sizeof(request) > sizeof(skip)) {
++		const int64_t max_skip =
++		    (((int64_t)1 << (skip_bits - 1)) - 1) * 2 + 1;
++		if (request > max_skip)
++			skip = max_skip;
++	}
++
+ 	/* TODO: Deal with case where off_t isn't 64 bits.
+ 	 * This shouldn't be a problem on Linux or other POSIX
+ 	 * systems, since the configuration logic for libarchive
+ 	 * tries to obtain a 64-bit off_t.
+ 	 */
+-	if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0 &&
+-	    (new_offset = lseek(mine->fd, request, SEEK_CUR)) >= 0)
+-		return (new_offset - old_offset);
++
++	if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) {
++		if (old_offset >= mine->size ||
++		    skip > mine->size - old_offset) {
++			/* Do not seek past end of file. */
++			errno = ESPIPE;
++		} else if ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0)
++			return (new_offset - old_offset);
++	}
+ 
+ 	/* If lseek() fails, don't bother trying again. */
+ 	mine->use_lseek = 0;
+-- 
+2.45.4
+

SPECS/cmake/cmake.spec

@@ -2,7 +2,7 @@
 Summary:        Cmake
 Name:           cmake
 Version:        3.21.4
-Release:        19%{?dist}
+Release:        20%{?dist}
 License:        BSD AND LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -34,9 +34,13 @@ Patch19:        CVE-2024-28182.patch
 Patch20:        CVE-2024-7264.patch
 Patch21:        CVE-2024-11053.patch
 Patch22:        CVE-2024-9681.patch
-Patch23:	CVE-2024-48615.patch
-Patch24:	CVE-2024-8096.patch
-Patch25:	CVE-2025-9301.patch
+Patch23:        CVE-2024-48615.patch
+Patch24:        CVE-2024-8096.patch
+Patch25:        CVE-2025-9301.patch
+Patch26:        CVE-2025-5916.patch
+Patch27:        CVE-2025-5917.patch
+Patch28:        CVE-2025-5918.patch
+
 BuildRequires:  bzip2
 BuildRequires:  bzip2-devel
 BuildRequires:  curl
@@ -102,6 +106,10 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
 %{_prefix}/doc/%{name}-*/*
 
 %changelog
+* Wed Sep 24 2025 Durga Jagadeesh Palli <[email protected]> - 3.21.4-20
+- Patch CVE-2025-5916, CVE-2025-5917 & CVE-2025-5918
+- Fix FILE skip regression in CVE-2025-5918 patch.
+
 * Fri Aug 22 2025 Azure Linux Security Servicing Account <[email protected]> - 3.21.4-19
 - Patch for CVE-2025-9301
 

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -30,8 +30,8 @@ check-debuginfo-0.15.2-1.cm2.aarch64.rpm
 chkconfig-1.20-4.cm2.aarch64.rpm
 chkconfig-debuginfo-1.20-4.cm2.aarch64.rpm
 chkconfig-lang-1.20-4.cm2.aarch64.rpm
-cmake-3.21.4-19.cm2.aarch64.rpm
-cmake-debuginfo-3.21.4-19.cm2.aarch64.rpm
+cmake-3.21.4-20.cm2.aarch64.rpm
+cmake-debuginfo-3.21.4-20.cm2.aarch64.rpm
 coreutils-8.32-7.cm2.aarch64.rpm
 coreutils-debuginfo-8.32-7.cm2.aarch64.rpm
 coreutils-lang-8.32-7.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -31,8 +31,8 @@ check-debuginfo-0.15.2-1.cm2.x86_64.rpm
 chkconfig-1.20-4.cm2.x86_64.rpm
 chkconfig-debuginfo-1.20-4.cm2.x86_64.rpm
 chkconfig-lang-1.20-4.cm2.x86_64.rpm
-cmake-3.21.4-19.cm2.x86_64.rpm
-cmake-debuginfo-3.21.4-19.cm2.x86_64.rpm
+cmake-3.21.4-20.cm2.x86_64.rpm
+cmake-debuginfo-3.21.4-20.cm2.x86_64.rpm
 coreutils-8.32-7.cm2.x86_64.rpm
 coreutils-debuginfo-8.32-7.cm2.x86_64.rpm
 coreutils-lang-8.32-7.cm2.x86_64.rpm