diff --git a/SPECS/iputils/CVE-2025-48964.patch b/SPECS/iputils/CVE-2025-48964.patch new file mode 100644 index 00000000000..d29aeb4a16f --- /dev/null +++ b/SPECS/iputils/CVE-2025-48964.patch @@ -0,0 +1,126 @@ +From 3d304a13b105ee1772a81e5bbe2a9013c1dd5ad8 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Tue, 29 Jul 2025 06:55:51 +0000 +Subject: [PATCH] Fix CVE CVE-2025-48964 in iputils + +Upstream Patch Reference: https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c.patch +--- + iputils_common.h | 2 ++ + ping/ping.h | 2 +- + ping/ping_common.c | 45 +++++++++++++++++++++++++++++++-------------- + 3 files changed, 34 insertions(+), 15 deletions(-) + +diff --git a/iputils_common.h b/iputils_common.h +index 49e790d..d3ba1d9 100644 +--- a/iputils_common.h ++++ b/iputils_common.h +@@ -10,6 +10,8 @@ + !!__builtin_types_compatible_p(__typeof__(arr), \ + __typeof__(&arr[0]))])) * 0) + ++#define TV_SEC_MAX_VAL (INT32_MAX/1000001) ++ + #ifdef __GNUC__ + # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m))) + #else +diff --git a/ping/ping.h b/ping/ping.h +index a40c8f8..f5a5bb8 100644 +--- a/ping/ping.h ++++ b/ping/ping.h +@@ -191,7 +191,7 @@ struct ping_rts { + long tmax; /* maximum round trip time */ + double tsum; /* sum of all times, for doing average */ + double tsum2; +- int rtt; ++ uint64_t rtt; /* Exponential weight moving average calculated in fixed point */ + int rtt_addend; + uint16_t acked; + int pipesize; +diff --git a/ping/ping_common.c b/ping/ping_common.c +index 73da26c..0756c3e 100644 +--- a/ping/ping_common.c ++++ b/ping/ping_common.c +@@ -282,7 +282,7 @@ int __schedule_exit(int next) + + static inline void update_interval(struct ping_rts *rts) + { +- int est = rts->rtt ? rts->rtt / 8 : rts->interval * 1000; ++ int est = rts->rtt ? (int)(rts->rtt / 8) : rts->interval * 1000; + + rts->interval = (est + rts->rtt_addend + 500) / 1000; + if (rts->uid && rts->interval < MIN_USER_INTERVAL_MS) +@@ -744,16 +744,33 @@ int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen, + + restamp: + tvsub(tv, &tmp_tv); +- triptime = tv->tv_sec * 1000000 + tv->tv_usec; +- if (triptime < 0) { +- error(0, 0, _("Warning: time of day goes back (%ldus), taking countermeasures"), triptime); +- triptime = 0; +- if (!rts->opt_latency) { +- gettimeofday(tv, NULL); +- rts->opt_latency = 1; +- goto restamp; +- } +- } ++ ++ if (tv->tv_usec >= 1000000) { ++ error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec); ++ tv->tv_usec = 999999; ++ } ++ ++ if (tv->tv_usec < 0) { ++ error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec); ++ tv->tv_usec = 0; ++ } ++ ++ if (tv->tv_sec > TV_SEC_MAX_VAL) { ++ error(0, 0, _("Warning: invalid tv_sec %ld s"), tv->tv_sec); ++ triptime = 0; ++ } else if (tv->tv_sec < 0) { ++ error(0, 0, _("Warning: time of day goes back (%ld s), taking countermeasures"), tv->tv_sec); ++ triptime = 0; ++ if (!rts->opt_latency) { ++ gettimeofday(tv, NULL); ++ rts->opt_latency = 1; ++ goto restamp; ++ } ++ } else { ++ triptime = tv->tv_sec * 1000000 + tv->tv_usec; ++ } ++ ++ + if (!csfailed) { + rts->tsum += triptime; + rts->tsum2 += (double)((long long)triptime * (long long)triptime); +@@ -762,7 +779,7 @@ restamp: + if (triptime > rts->tmax) + rts->tmax = triptime; + if (!rts->rtt) +- rts->rtt = triptime * 8; ++ rts->rtt = ((uint64_t)triptime) * 8; + else + rts->rtt += triptime - rts->rtt / 8; + if (rts->opt_adaptive) +@@ -932,7 +949,7 @@ int finish(struct ping_rts *rts) + int ipg = (1000000 * (long long)tv.tv_sec + tv.tv_nsec / 1000) / (rts->ntransmitted - 1); + + printf(_("%sipg/ewma %d.%03d/%d.%03d ms"), +- comma, ipg / 1000, ipg % 1000, rts->rtt / 8000, (rts->rtt / 8) % 1000); ++ comma, ipg / 1000, ipg % 1000, (int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000)); + } + putchar('\n'); + return (!rts->nreceived || (rts->deadline && rts->nreceived < rts->npackets)); +@@ -957,7 +974,7 @@ void status(struct ping_rts *rts) + fprintf(stderr, _(", min/avg/ewma/max = %ld.%03ld/%lu.%03ld/%d.%03d/%ld.%03ld ms"), + (long)rts->tmin / 1000, (long)rts->tmin % 1000, + tavg / 1000, tavg % 1000, +- rts->rtt / 8000, (rts->rtt / 8) % 1000, (long)rts->tmax / 1000, (long)rts->tmax % 1000); ++ (int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000), (long)rts->tmax / 1000, (long)rts->tmax % 1000); + } + fprintf(stderr, "\n"); + } +-- +2.45.2 + diff --git a/SPECS/iputils/iputils.spec b/SPECS/iputils/iputils.spec index a0b4d8de6a8..b11b2949734 100644 --- a/SPECS/iputils/iputils.spec +++ b/SPECS/iputils/iputils.spec @@ -1,7 +1,7 @@ Summary: Programs for basic networking Name: iputils Version: 20240117 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD-3 AND GPLv2+ AND Rdisc Vendor: Microsoft Corporation Distribution: Azure Linux @@ -9,6 +9,7 @@ Group: Applications/Communications URL: https://github.com/iputils/iputils Source0: https://github.com/iputils/iputils/archive/20240117.tar.gz#/%{name}-%{version}.tar.gz Patch0: ping_test_ipv6_localhost.patch +Patch1: CVE-2025-48964.patch BuildRequires: iproute BuildRequires: libcap-devel BuildRequires: libgcrypt-devel @@ -64,6 +65,9 @@ mv -f RELNOTES.tmp RELNOTES.old %exclude %{_datadir}/locale/ %changelog +* Tue Jul 29 2025 Azure Linux Security Servicing Account - 20240117-2 +- Patch for CVE-2025-48964 + * Thu Feb 01 2024 Suresh Thelkar - 20240117-1 - Upgrade to 20240117