Merge pull request #3271 from flatcar/buildbot/weekly-portage-stable-package-updates-2025-09-15

Weekly portage-stable package updates 2025-09-15

Author: krnowak

changelog/security/2025-09-16-weekly-updates.md

@@ -0,0 +1,3 @@
+- libpcre2 ([CVE-2025-58050](https://www.cve.org/CVERecord?id=CVE-2025-58050))
+- libxslt ([CVE-2025-7424](https://www.cve.org/CVERecord?id=CVE-2025-7424), [CVE-2025-7425](https://www.cve.org/CVERecord?id=CVE-2025-7425))
+- net-tools ([CVE-2025-46836](https://www.cve.org/CVERecord?id=CVE-2025-46836))

changelog/updates/2025-09-16-weekly-updates.md

@@ -0,0 +1,12 @@
+- SDK: azure-core ([1.16.1](https://github.com/Azure/azure-sdk-for-cpp/releases/tag/azure-core_1.16.1))
+- SDK: azure-identity ([1.13.1](https://github.com/Azure/azure-sdk-for-cpp/releases/tag/azure-identity_1.13.1))
+- base, dev: coreutils ([9.7](https://lists.gnu.org/archive/html/info-gnu/2025-04/msg00006.html) (includes [9.6](https://savannah.gnu.org/news/?id=10715)))
+- base, dev: libffi ([3.5.2](https://github.com/libffi/libffi/releases/tag/v3.5.2))
+- base, dev: libnftnl ([1.3.0](https://lwn.net/Articles/1032725/))
+- base, dev: libxml2 ([2.13.9](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.9))
+- base, dev: ncurses ([6.5_p20250802](https://invisible-island.net/ncurses/NEWS.html#t20250802))
+- base, dev: nftables ([1.1.4](https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.4.txt))
+- dev, sysext-incus: squashfs-tools ([4.7.2](https://github.com/plougher/squashfs-tools/releases/tag/4.7.2) (includes [4.7.1](https://github.com/plougher/squashfs-tools/releases/tag/4.7.1)))
+- sysext-podman: gpgme ([2.0.0](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=blob_plain;f=NEWS;h=cd0e093bf83fe47b6773fb478fced07d8409fbe0;hb=e17ba578861905857da0a514b4fc9b88a57f7346))
+- sysext-python: charset-normalizer ([3.4.3](https://github.com/jawah/charset_normalizer/releases/tag/3.4.3))
+- sysext-python: pip ([25.2](https://raw.githubusercontent.com/pypa/pip/refs/tags/25.2/NEWS.rst))

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/dev-libs/libxslt/CVE-2025-7424.patch

@@ -0,0 +1,99 @@
+From 345d6826d0eae6f0a962456b8ed6f6a1bad0877d Mon Sep 17 00:00:00 2001
+From: David Kilzer <[email protected]>
+Date: Sat, 24 May 2025 15:06:42 -0700
+Subject: [PATCH] libxslt: Type confusion in xmlNode.psvi between stylesheet
+ and source nodes
+
+* libxslt/functions.c:
+(xsltDocumentFunctionLoadDocument):
+- Implement fix suggested by Ivan Fratric.  This copies the xmlDoc,
+  calls xsltCleanupSourceDoc() to remove pvsi fields, then adds the
+  xmlDoc to tctxt->docList.
+- Add error handling for functions that may return NULL.
+* libxslt/transform.c:
+- Remove static keyword so this can be called from
+  xsltDocumentFunctionLoadDocument().
+* libxslt/transformInternals.h: Add.
+(xsltCleanupSourceDoc): Add declaration.
+
+Fixes #139.
+---
+ libxslt/functions.c          | 16 +++++++++++++++-
+ libxslt/transform.c          |  3 ++-
+ libxslt/transformInternals.h |  9 +++++++++
+ 3 files changed, 26 insertions(+), 2 deletions(-)
+ create mode 100644 libxslt/transformInternals.h
+
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index 72a58dc4..11ec039f 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -34,6 +34,7 @@
+ #include "numbersInternals.h"
+ #include "keys.h"
+ #include "documents.h"
++#include "transformInternals.h"
+ 
+ #ifdef WITH_XSLT_DEBUG
+ #define WITH_XSLT_DEBUG_FUNCTION
+@@ -125,7 +126,20 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt,
+ 	    /*
+ 	    * This selects the stylesheet's doc itself.
+ 	    */
+-	    doc = tctxt->style->doc;
++	    doc = xmlCopyDoc(tctxt->style->doc, 1);
++	    if (doc == NULL) {
++		xsltTransformError(tctxt, NULL, NULL,
++		    "document() : failed to copy style doc\n");
++		goto out_fragment;
++	    }
++	    xsltCleanupSourceDoc(doc); /* Remove psvi fields. */
++	    idoc = xsltNewDocument(tctxt, doc);
++	    if (idoc == NULL) {
++		xsltTransformError(tctxt, NULL, NULL,
++		    "document() : failed to create xsltDocument\n");
++		xmlFreeDoc(doc);
++		goto out_fragment;
++	    }
+ 	} else {
+             goto out_fragment;
+ 	}
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 54ef821b..38c2dce6 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -43,6 +43,7 @@
+ #include "xsltlocale.h"
+ #include "pattern.h"
+ #include "transform.h"
++#include "transformInternals.h"
+ #include "variables.h"
+ #include "numbersInternals.h"
+ #include "namespaces.h"
+@@ -5757,7 +5758,7 @@ xsltCountKeys(xsltTransformContextPtr ctxt)
+  *
+  * Resets source node flags and ids stored in 'psvi' member.
+  */
+-static void
++void
+ xsltCleanupSourceDoc(xmlDocPtr doc) {
+     xmlNodePtr cur = (xmlNodePtr) doc;
+     void **psviPtr;
+diff --git a/libxslt/transformInternals.h b/libxslt/transformInternals.h
+new file mode 100644
+index 00000000..d0f42823
+--- /dev/null
++++ b/libxslt/transformInternals.h
+@@ -0,0 +1,9 @@
++/*
++ * Summary: set of internal interfaces for the XSLT engine transformation part.
++ *
++ * Copy: See Copyright for the status of this software.
++ *
++ * Author: David Kilzer <[email protected]>
++ */
++
++void xsltCleanupSourceDoc(xmlDocPtr doc);
+-- 
+2.39.5 (Apple Git-154)
+

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/dev-libs/libxslt/README.md

@@ -0,0 +1,2 @@
+The libxslt project in unmaintained, so we will need to carry the
+patch indefinitely.

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/net-tools/0001-CVE-2025-46836.patch

@@ -0,0 +1,87 @@
+From 7a8f42fb20013a1493d8cae1c43436f85e656f2d Mon Sep 17 00:00:00 2001
+From: Zephkeks <[email protected]>
+Date: Tue, 13 May 2025 11:04:17 +0200
+Subject: [PATCH] CVE-2025-46836: interface.c: Stack-based Buffer Overflow in
+ get_name()
+
+Coordinated as GHSA-pfwf-h6m3-63wf
+---
+ lib/interface.c | 63 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 24 deletions(-)
+
+diff --git a/lib/interface.c b/lib/interface.c
+index 71d4163..a054f12 100644
+--- a/lib/interface.c
++++ b/lib/interface.c
+@@ -211,32 +211,47 @@ static int if_readconf(void)
+ }
+ 
+ static const char *get_name(char *name, const char *p)
++/* Safe version — guarantees at most IFNAMSIZ‑1 bytes are copied
++   and the destination buffer is always NUL‑terminated.             */
+ {
+-    while (isspace(*p))
+-	p++;
+-    while (*p) {
+-	if (isspace(*p))
+-	    break;
+-	if (*p == ':') {	/* could be an alias */
+-		const char *dot = p++;
+- 		while (*p && isdigit(*p)) p++;
+-		if (*p == ':') {
+-			/* Yes it is, backup and copy it. */
+-			p = dot;
+-			*name++ = *p++;
+-			while (*p && isdigit(*p)) {
+-				*name++ = *p++;
+-			}
+-		} else {
+-			/* No, it isn't */
+-			p = dot;
+-	    }
+-	    p++;
+-	    break;
+-	}
+-	*name++ = *p++;
++    char       *dst = name;                 /* current write ptr          */
++    const char *end = name + IFNAMSIZ - 1;  /* last byte we may write     */
++
++    /* Skip leading white‑space. */
++    while (isspace((unsigned char)*p))
++        ++p;
++
++    /* Copy until white‑space, end of string, or buffer full. */
++    while (*p && !isspace((unsigned char)*p) && dst < end) {
++        if (*p == ':') {                    /* possible alias veth0:123:  */
++            const char *dot = p;            /* remember the colon         */
++            ++p;
++            while (*p && isdigit((unsigned char)*p))
++                ++p;
++
++            if (*p == ':') {                /* confirmed alias            */
++                p = dot;                    /* rewind and copy it all     */
++
++                /* copy the colon */
++                if (dst < end)
++                    *dst++ = *p++;
++
++                /* copy the digits */
++                while (*p && isdigit((unsigned char)*p) && dst < end)
++                    *dst++ = *p++;
++
++                if (*p == ':')              /* consume trailing colon     */
++                    ++p;
++            } else {              /* if so treat as normal */
++                p = dot;
++            }
++            break;                          /* interface name ends here   */
++        }
++
++        *dst++ = *p++;                      /* ordinary character copy    */
+     }
+-    *name++ = '\0';
++
++    *dst = '\0';                            /* always NUL‑terminate       */
+     return p;
+ }
+ 

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/net-tools/0002-fix-for-CVE-2025-46836.patch

@@ -0,0 +1,28 @@
+From ddb0e375fb9ca95bb69335540b85bbdaa2714348 Mon Sep 17 00:00:00 2001
+From: Bernd Eckenfels <[email protected]>
+Date: Sat, 17 May 2025 21:53:23 +0200
+Subject: [PATCH] Interface statistic regression after 7a8f42fb2
+
+---
+ lib/interface.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/lib/interface.c b/lib/interface.c
+index a054f12..ca4adf1 100644
+--- a/lib/interface.c
++++ b/lib/interface.c
+@@ -239,12 +239,11 @@ static const char *get_name(char *name, const char *p)
+                 /* copy the digits */
+                 while (*p && isdigit((unsigned char)*p) && dst < end)
+                     *dst++ = *p++;
+-
+-                if (*p == ':')              /* consume trailing colon     */
+-                    ++p;
+             } else {              /* if so treat as normal */
+                 p = dot;
+             }
++            if (*p == ':')                  /* consume trailing colon */
++                ++p;
+             break;                          /* interface name ends here   */
+         }
+ 

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/net-tools/README.md

@@ -0,0 +1,2 @@
+Drop the CVE-2025-46836.patch when updating to a release >2.10, if
+that ever happens.

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -60,6 +60,11 @@ dev-cpp/azure-security-keyvault-keys
 
 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =dev-libs/jose-12 **
+
+# CVE-2025-58050
+=dev-libs/libpcre2-10.46 ~amd64 ~arm64
+
+# The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =dev-libs/luksmeta-9-r1 **
 
 # Keep versions on both arches in sync.
@@ -85,21 +90,12 @@ dev-cpp/azure-security-keyvault-keys
 =net-libs/libnetfilter_cthelper-1.0.1-r1 ~arm64
 =net-libs/libnetfilter_cttimeout-1.0.1 ~arm64
 
-# CVE-2025-54349, CVE-2025-54350, CVE-2025-54351
-=net-misc/iperf-3.19.1 ~amd64 ~arm64
-
-# Keep versions on both arches in sync.
-=net-misc/ntp-4.2.8_p18-r1 ~arm64
-=net-nds/rpcbind-1.2.8 ~arm64
-
 # Packages are in Gentoo but not expected to be used outside Flatcar, so they
 # are generally never stabilised. Thus an unusual form is used to pick up the
 # latest version of the package with the unstable keywords.
 sys-apps/azure-vm-utils
 
 # Keep versions on both arches in sync.
-=sys-apps/iproute2-6.16.0 ~arm64
-=sys-apps/portage-3.0.68 ~arm64
 =sys-apps/zram-generator-1.2.1 ~arm64
 =sys-auth/sssd-2.9.7 ~arm64
 =sys-boot/mokutil-0.7.2 **

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use

@@ -167,10 +167,6 @@ sys-firmware/intel-microcode -split-ucode
 net-dns/bind       gssapi
 net-dns/bind-tools gssapi
 
-# Flatcar can't benefit from this performance boost for several reasons, the
-# main one being the use of binary packages.
-sys-kernel/dracut -dracut-cpio
-
 # Avoid initrd bloat by using OpenSSL instead of gcrypt in systemd.
 # systemd-journal's FSS feature requires gcrypt, but Flatcar doesn't need it.
 sys-apps/systemd -gcrypt

sdk_container/src/third_party/portage-stable/app-arch/pixz/pixz-1.0.7-r1.ebuild

@@ -1,7 +1,7 @@
 # Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
 inherit flag-o-matic