azurelinux-security · azurelinux-security · Jul 29, 2025 · Aug 1, 2025
diff --git a/SPECS/iputils/CVE-2025-48964.patch b/SPECS/iputils/CVE-2025-48964.patch
@@ -0,0 +1,126 @@
+From 3d304a13b105ee1772a81e5bbe2a9013c1dd5ad8 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Tue, 29 Jul 2025 06:55:51 +0000
+Subject: [PATCH] Fix CVE CVE-2025-48964 in iputils
+
+Upstream Patch Reference: https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c.patch
+---
+ iputils_common.h   |  2 ++
+ ping/ping.h        |  2 +-
+ ping/ping_common.c | 45 +++++++++++++++++++++++++++++++--------------
+ 3 files changed, 34 insertions(+), 15 deletions(-)
+
+diff --git a/iputils_common.h b/iputils_common.h
+index 49e790d..d3ba1d9 100644
+--- a/iputils_common.h
++++ b/iputils_common.h
+@@ -10,6 +10,8 @@
+ 	  !!__builtin_types_compatible_p(__typeof__(arr), \
+ 					 __typeof__(&arr[0]))])) * 0)
+
++#define TV_SEC_MAX_VAL (INT32_MAX/1000001)
++
+ #ifdef __GNUC__
+ # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m)))
+ #else
+diff --git a/ping/ping.h b/ping/ping.h
+index a40c8f8..f5a5bb8 100644
+--- a/ping/ping.h
++++ b/ping/ping.h
+@@ -191,7 +191,7 @@ struct ping_rts {
+ 	long tmax;			/* maximum round trip time */
+ 	double tsum;			/* sum of all times, for doing average */
+ 	double tsum2;
+-	int rtt;
++	uint64_t rtt;                   /* Exponential weight moving average calculated in fixed point */
+ 	int rtt_addend;
+ 	uint16_t acked;
+ 	int pipesize;
+diff --git a/ping/ping_common.c b/ping/ping_common.c
+index 73da26c..0756c3e 100644
+--- a/ping/ping_common.c
++++ b/ping/ping_common.c
+@@ -282,7 +282,7 @@ int __schedule_exit(int next)
+
+ static inline void update_interval(struct ping_rts *rts)
+ {
+-	int est = rts->rtt ? rts->rtt / 8 : rts->interval * 1000;
++	int est = rts->rtt ? (int)(rts->rtt / 8) : rts->interval * 1000;
+
+ 	rts->interval = (est + rts->rtt_addend + 500) / 1000;
+ 	if (rts->uid && rts->interval < MIN_USER_INTERVAL_MS)
+@@ -744,16 +744,33 @@ int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen,
+
+ restamp:
+ 		tvsub(tv, &tmp_tv);
+-		triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+-		if (triptime < 0) {
+-			error(0, 0, _("Warning: time of day goes back (%ldus), taking countermeasures"), triptime);
+-			triptime = 0;
+-			if (!rts->opt_latency) {
+-				gettimeofday(tv, NULL);
+-				rts->opt_latency = 1;
+-				goto restamp;
+-			}
+-		}
++
++		if (tv->tv_usec >= 1000000) {
++                        error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec);
++                        tv->tv_usec = 999999;
++                }
++
++                if (tv->tv_usec < 0) {
++                        error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec);
++                        tv->tv_usec = 0;
++                }
++
++                if (tv->tv_sec > TV_SEC_MAX_VAL) {
++                        error(0, 0, _("Warning: invalid tv_sec %ld s"), tv->tv_sec);
++                        triptime = 0;
++                } else if (tv->tv_sec < 0) {
++                        error(0, 0, _("Warning: time of day goes back (%ld s), taking countermeasures"), tv->tv_sec);
++                        triptime = 0;
++                        if (!rts->opt_latency) {
++                                gettimeofday(tv, NULL);
++                                rts->opt_latency = 1;
++                                goto restamp;
++                        }
++                } else {
++                        triptime = tv->tv_sec * 1000000 + tv->tv_usec;
++                }
++
++
+ 		if (!csfailed) {
+ 			rts->tsum += triptime;
+ 			rts->tsum2 += (double)((long long)triptime * (long long)triptime);
+@@ -762,7 +779,7 @@ restamp:
+ 			if (triptime > rts->tmax)
+ 				rts->tmax = triptime;
+ 			if (!rts->rtt)
+-				rts->rtt = triptime * 8;
++				rts->rtt = ((uint64_t)triptime) * 8;
+ 			else
+ 				rts->rtt += triptime - rts->rtt / 8;
+ 			if (rts->opt_adaptive)
+@@ -932,7 +949,7 @@ int finish(struct ping_rts *rts)
+ 		int ipg = (1000000 * (long long)tv.tv_sec + tv.tv_nsec / 1000) / (rts->ntransmitted - 1);
+
+ 		printf(_("%sipg/ewma %d.%03d/%d.%03d ms"),
+-		       comma, ipg / 1000, ipg % 1000, rts->rtt / 8000, (rts->rtt / 8) % 1000);
++		       comma, ipg / 1000, ipg % 1000, (int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000));
+ 	}
+ 	putchar('\n');
+ 	return (!rts->nreceived || (rts->deadline && rts->nreceived < rts->npackets));
+@@ -957,7 +974,7 @@ void status(struct ping_rts *rts)
+ 		fprintf(stderr, _(", min/avg/ewma/max = %ld.%03ld/%lu.%03ld/%d.%03d/%ld.%03ld ms"),
+ 			(long)rts->tmin / 1000, (long)rts->tmin % 1000,
+ 			tavg / 1000, tavg % 1000,
+-			rts->rtt / 8000, (rts->rtt / 8) % 1000, (long)rts->tmax / 1000, (long)rts->tmax % 1000);
++			(int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000), (long)rts->tmax / 1000, (long)rts->tmax % 1000);
+ 	}
+ 	fprintf(stderr, "\n");
+ }
+-- 
+2.45.2
+
diff --git a/SPECS/iputils/iputils.spec b/SPECS/iputils/iputils.spec
@@ -1,14 +1,15 @@
 Summary:        Programs for basic networking
 Name:           iputils
 Version:        20240117
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD-3 AND GPLv2+ AND Rdisc
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Applications/Communications
 URL:            https://github.com/iputils/iputils
 Source0:        https://github.com/iputils/iputils/archive/20240117.tar.gz#/%{name}-%{version}.tar.gz
 Patch0:         ping_test_ipv6_localhost.patch
+Patch1:         CVE-2025-48964.patch
 BuildRequires:  iproute
 BuildRequires:  libcap-devel
 BuildRequires:  libgcrypt-devel
@@ -64,6 +65,9 @@ mv -f RELNOTES.tmp RELNOTES.old
 %exclude %{_datadir}/locale/
 
 %changelog
+* Tue Jul 29 2025 Azure Linux Security Servicing Account <[email protected]> - 20240117-2
+- Patch for CVE-2025-48964
+
 * Thu Feb 01 2024 Suresh Thelkar <[email protected]> - 20240117-1
 - Upgrade to 20240117