Closed
39 changes: 39 additions & 0 deletions SPECS/mtr/CVE-2025-49809.patch
@@ -0,0 +1,39 @@
From 2ea17da13083f5621327084d9229c48dd5160ac5 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
<[email protected]>
Date: Tue, 15 Jul 2025 19:58:45 +0000
Subject: [PATCH] Fix CVE CVE-2025-49809 in mtr

Upstream Patch Reference: https://github.com/traviscross/mtr/commit/5226f105f087c29d3cfad9f28000e7536af91ac6.patch
---
ui/cmdpipe.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/ui/cmdpipe.c b/ui/cmdpipe.c
index d22b236..1a66293 100644
--- a/ui/cmdpipe.c
+++ b/ui/cmdpipe.c
@@ -220,10 +220,17 @@ void execute_packet_child(
the path to the mtr-packet executable. This is necessary
for debugging changes for mtr-packet.
*/
- char *mtr_packet_path = getenv("MTR_PACKET");
- if (mtr_packet_path == NULL) {
+ char * mtr_packet_path = NULL;
+
+ // In the rare case that mtr-packet is not setuid-root,
+ // and a select group of users has sudo privileges to run
+ // mtr and not much else, THEN create /etc/mtr.is.run.under.sudo
+ // to prevent a privilege escalation when one of those accounts
+ // is compromised. CVE-2025-49809
+ if (access ("/etc/mtr.is.run.under.sudo", F_OK) != 0)
+ mtr_packet_path = getenv("MTR_PACKET");
+ if (mtr_packet_path == NULL)
mtr_packet_path = "mtr-packet";
- }

/*
First, try to execute mtr-packet from PATH
--
2.45.3
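Review bot: the new `access ("/etc/mtr.is.run.under.sudo", F_OK) != 0` guard in execute_packet_child makes the fix opt-in: when that file is absent, `getenv("MTR_PACKET")` is still called and the environment still selects the mtr-packet executable, as it did before the patch. Nothing in this PR's mtr.spec changes creates or documents the marker file, so a default install keeps the old behaviour. Please confirm that this matches how mtr is expected to be run on Azure Linux, and if sudo use is expected, ship the marker file or document the step. The braces dropped from `if (mtr_packet_path == NULL)` would also be worth keeping, since two unbraced `if` statements now sit back to back.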

6 changes: 5 additions & 1 deletion SPECS/mtr/mtr.spec
Expand Up @@ -3,7 +3,7 @@
Summary: Network diagnostic tool combining 'traceroute' and 'ping'
Name: mtr
Version: 0.95
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -12,6 +12,7 @@ Source0: https://github.com/traviscross/mtr/archive/v%{version}/%{name}-%{versio
Source1: net-x%{name}.desktop
Source2: mtr-gtk-pkexec-wrapper.sh
Source3: org.fedoraproject.mtr.policy
Patch0:CVE-2025-49809.patch

BuildRequires: ncurses-devel
BuildRequires: autoconf automake libtool git
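Review bot: `Patch0:CVE-2025-49809.patch` is registered in this hunk, but the PR shows no change to %prep, so the patch is applied only if the existing %prep already uses %autosetup or a matching %patch line. Please confirm that, and add the apply step if it is missing. A space or tab after `Patch0:` would also match the alignment of the Source1 to Source3 tags above it.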
Expand Down Expand Up @@ -61,6 +62,9 @@ install -D -p -m 0755 mtr %{buildroot}%{_sbindir}/mtr
%{_datadir}/bash-completion/completions/%{name}

%changelog
* Tue Jul 15 2025 Azure Linux Security Servicing Account <[email protected]> - 0.95-3
- Patch for CVE-2025-49809

* Mon Jul 22 2024 Aditya Dubey <[email protected]> - 0.95-2
- Promoting package from SPECS-EXTENDED to SPECS
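Review bot: the 0.95-3 entry `- Patch for CVE-2025-49809` does not say that the patched ui/cmdpipe.c ignores MTR_PACKET only when /etc/mtr.is.run.under.sudo exists. Suggest extending the entry (or the package documentation) to name that file, so administrators who grant sudo access to mtr know the extra step is required.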
