[AutoPR- Security] Patch fluent-bit for CVE-2025-54126 [MEDIUM] (#14446)

Author: azurelinux-security

SPECS/fluent-bit/CVE-2025-54126.patch

@@ -0,0 +1,80 @@
+From fa5362648e63fea8fa85d89cfec012721e6c873f Mon Sep 17 00:00:00 2001
+From: "liang.he" <[email protected]>
+Date: Sun, 27 Jul 2025 14:38:56 +0800
+Subject: [PATCH] Merge commit from fork
+
+If `--addr-pool=1.2.3.4`, the runtime will return an error.
+The value must be in the form of ADDRESS/MASK.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/bytecodealliance/wasm-micro-runtime/commit/121232a9957a069bbb04ebda053bdc72ab409e7a.patch
+---
+ .../core/iwasm/common/wasm_runtime_common.c            | 10 +++++++++-
+ lib/wasm-micro-runtime-WAMR-1.3.0/doc/socket_api.md    |  3 ++-
+ .../product-mini/platforms/common/libc_wasi.c          |  2 +-
+ .../samples/socket-api/CMakeLists.txt                  |  1 +
+ 4 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/common/wasm_runtime_common.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/common/wasm_runtime_common.c
+index 567e77b..976842d 100644
+--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/common/wasm_runtime_common.c
++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/common/wasm_runtime_common.c
+@@ -3125,7 +3125,15 @@ wasm_runtime_init_wasi(WASMModuleInstanceCommon *module_inst,
+         address = strtok(cp, "/");
+         mask = strtok(NULL, "/");
+ 
+-        ret = addr_pool_insert(apool, address, (uint8)(mask ? atoi(mask) : 0));
++        if (!mask) {
++            snprintf(error_buf, error_buf_size,
++                     "Invalid address pool entry: %s, must be in the format of "
++                     "ADDRESS/MASK",
++                     addr_pool[i]);
++            goto fail;
++        }
++
++        ret = addr_pool_insert(apool, address, (uint8)atoi(mask));
+         wasm_runtime_free(cp);
+         if (!ret) {
+             set_error_buf(error_buf, error_buf_size,
+diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/doc/socket_api.md b/lib/wasm-micro-runtime-WAMR-1.3.0/doc/socket_api.md
+index eff9376..7cab555 100644
+--- a/lib/wasm-micro-runtime-WAMR-1.3.0/doc/socket_api.md
++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/doc/socket_api.md
+@@ -58,7 +58,8 @@ enabled.
+ 
+ _iwasm_ accepts address ranges via an option, `--addr-pool`, to implement
+ the capability control. All IP address the WebAssembly application may need to `bind()` or `connect()`
+-should be announced first. Every IP address should be in CIDR notation.
++should be announced first. Every IP address should be in CIDR notation. If not, _iwasm_ will return
++an error.
+ 
+ ```bash
+ $ iwasm --addr-pool=1.2.3.4/15,2.3.4.6/16 socket_example.wasm
+diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/product-mini/platforms/common/libc_wasi.c b/lib/wasm-micro-runtime-WAMR-1.3.0/product-mini/platforms/common/libc_wasi.c
+index 84e133b..1e595b3 100644
+--- a/lib/wasm-micro-runtime-WAMR-1.3.0/product-mini/platforms/common/libc_wasi.c
++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/product-mini/platforms/common/libc_wasi.c
+@@ -45,7 +45,7 @@ libc_wasi_print_help()
+            "path, for example:\n");
+     printf("                             --map-dir=<guest-path1::host-path1> "
+            "--map-dir=<guest-path2::host-path2>\n");
+-    printf("  --addr-pool=<addrs>      Grant wasi access to the given network "
++    printf("  --addr-pool=<addr/mask>  Grant wasi access to the given network "
+            "addresses in\n");
+     printf("                           CIDR notation to the program, seperated "
+            "with ',',\n");
+diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/samples/socket-api/CMakeLists.txt b/lib/wasm-micro-runtime-WAMR-1.3.0/samples/socket-api/CMakeLists.txt
+index e68a63e..a68d0ca 100644
+--- a/lib/wasm-micro-runtime-WAMR-1.3.0/samples/socket-api/CMakeLists.txt
++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/samples/socket-api/CMakeLists.txt
+@@ -171,6 +171,7 @@ set(WAMR_BUILD_JIT 0)
+ set(WAMR_BUILD_LIBC_BUILTIN 1)
+ set(WAMR_BUILD_LIBC_WASI 1)
+ set(WAMR_BUILD_LIB_PTHREAD 1)
++set(WAMR_BUILD_REF_TYPES 1)
+ 
+ # compiling and linking flags
+ if (NOT (CMAKE_C_COMPILER MATCHES ".*clang.*" OR CMAKE_C_COMPILER_ID MATCHES ".*Clang"))
+-- 
+2.45.4
+

SPECS/fluent-bit/fluent-bit.spec

@@ -1,7 +1,7 @@
 Summary:        Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
 Name:           fluent-bit
 Version:        3.0.6
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -14,6 +14,7 @@ Patch3:         CVE-2024-25431.patch
 Patch4:         CVE-2024-27532.patch
 Patch5:         CVE-2024-50608.patch
 Patch6:         CVE-2024-50609.patch
+Patch7:         CVE-2025-54126.patch
 BuildRequires:  bison
 BuildRequires:  cmake
 BuildRequires:  cyrus-sasl-devel
@@ -88,6 +89,9 @@ Development files for %{name}
 %{_libdir}/fluent-bit/*.so
 
 %changelog
+* Wed Aug 06 2025 Azure Linux Security Servicing Account <[email protected]> - 3.0.6-3
+- Patch for CVE-2025-54126
+
 * Thu Feb 27 2025 Kshitiz Godara <[email protected]> - 3.0.6-2
 - Address CVE-2024-50608 and CVE-2024-50609