From 9f4ae25536bd4a393b3dd7f4108a533704876c3c Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Wed, 6 Aug 2025 14:21:11 +0000 Subject: [PATCH 1/3] Patch iputils for CVE-2025-48964, CVE-2025-47268 --- SPECS/iputils/CVE-2025-47268.patch | 137 +++++++++++++++++++++++++++++ SPECS/iputils/CVE-2025-48964.patch | 100 +++++++++++++++++++++ SPECS/iputils/iputils.spec | 7 +- 3 files changed, 243 insertions(+), 1 deletion(-) create mode 100644 SPECS/iputils/CVE-2025-47268.patch create mode 100644 SPECS/iputils/CVE-2025-48964.patch diff --git a/SPECS/iputils/CVE-2025-47268.patch b/SPECS/iputils/CVE-2025-47268.patch new file mode 100644 index 00000000000..949444bf49d --- /dev/null +++ b/SPECS/iputils/CVE-2025-47268.patch @@ -0,0 +1,137 @@ +From 33ebd21ac99d3e6ab2d51b6581cbec7e9fba17b6 Mon Sep 17 00:00:00 2001 +From: Petr Vorel +Date: Mon, 5 May 2025 23:55:57 +0200 +Subject: [PATCH] ping: Fix signed 64-bit integer overflow in RTT calculation + +Crafted ICMP Echo Reply packet can cause signed integer overflow in + +1) triptime calculation: +triptime = tv->tv_sec * 1000000 + tv->tv_usec; + +2) tsum2 increment which uses triptime +rts->tsum2 += (double)((long long)triptime * (long long)triptime); + +3) final tmvar: +tmvar = (rts->tsum2 / total) - (tmavg * tmavg) + + $ export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer" + $ export LDFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer" + $ meson setup .. -Db_sanitize=address,undefined + $ ninja + $ ./ping/ping -c2 127.0.0.1 + + PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. + 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.061 ms + ../ping/ping_common.c:757:25: runtime error: signed integer overflow: -2513732689199106 * 1000000 cannot be represented in type 'long int' + ../ping/ping_common.c:757:12: runtime error: signed integer overflow: -4975495174606980224 + -6510615555425289427 cannot be represented in type 'long int' + ../ping/ping_common.c:769:47: runtime error: signed integer overflow: 6960633343677281965 * 6960633343677281965 cannot be represented in type 'long int' + 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated) + ./ping/ping: Warning: time of day goes back (-7256972569576721377us), taking countermeasures + ./ping/ping: Warning: time of day goes back (-7256972569576721232us), taking countermeasures + 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated) + ../ping/ping_common.c:265:16: runtime error: signed integer overflow: 6960633343677281965 * 2 cannot be represented in type 'long int' + 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.565 ms + + --- 127.0.0.1 ping statistics --- + 2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1002ms + ../ping/ping_common.c:940:42: runtime error: signed integer overflow: 1740158335919320832 * 1740158335919320832 cannot be represented in type 'long int' + rtt min/avg/max/mdev = 0.000/1740158335919320.832/6960633343677281.965/-1623514645242292.-224 ms + +To fix the overflow check allowed ranges of struct timeval members: +* tv_sec <0, LONG_MAX/1000000> +* tv_usec <0, 999999> + +Fix includes 2 new error messages (needs translation). +Also existing message "time of day goes back ..." needed to be modified +as it now prints tv->tv_sec which is a second (needs translation update). + +After fix: + + $ ./ping/ping -c2 127.0.0.1 + 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.057 ms + ./ping/ping: Warning: invalid tv_usec -6510615555424928611 us + ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures + ./ping/ping: Warning: invalid tv_usec -6510615555424928461 us + ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures + 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated) + ./ping/ping: Warning: invalid tv_usec -6510615555425884541 us + ./ping/ping: Warning: time of day goes back (-4243165695442945 s), taking countermeasures + 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated) + 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.111 ms + + --- 127.0.0.1 ping statistics --- + 2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 101ms + rtt min/avg/max/mdev = 0.000/0.042/0.111/0.046 ms + +Fixes: https://github.com/iputils/iputils/issues/584 +Fixes: CVE-2025-472 +Link: https://github.com/Zephkek/ping-rtt-overflow/ +Co-developed-by: Cyril Hrubis +Reported-by: Mohamed Maatallah +Reviewed-by: Mohamed Maatallah +Reviewed-by: Cyril Hrubis +Signed-off-by: Petr Vorel +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/iputils/iputils/pull/585/commits/b41e4a10ab1f749a9bd149c608213c9704c3147f.patch +--- + iputils_common.h | 3 +++ + ping/ping_common.c | 22 +++++++++++++++++++--- + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/iputils_common.h b/iputils_common.h +index 49e790d..829a749 100644 +--- a/iputils_common.h ++++ b/iputils_common.h +@@ -10,6 +10,9 @@ + !!__builtin_types_compatible_p(__typeof__(arr), \ + __typeof__(&arr[0]))])) * 0) + ++/* 1000001 = 1000000 tv_sec + 1 tv_usec */ ++#define TV_SEC_MAX_VAL (LONG_MAX/1000001) ++ + #ifdef __GNUC__ + # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m))) + #else +diff --git a/ping/ping_common.c b/ping/ping_common.c +index 73da26c..f44b2c0 100644 +--- a/ping/ping_common.c ++++ b/ping/ping_common.c +@@ -744,16 +744,32 @@ int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen, + + restamp: + tvsub(tv, &tmp_tv); +- triptime = tv->tv_sec * 1000000 + tv->tv_usec; +- if (triptime < 0) { +- error(0, 0, _("Warning: time of day goes back (%ldus), taking countermeasures"), triptime); ++ ++ if (tv->tv_usec >= 1000000) { ++ error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec); ++ tv->tv_usec = 999999; ++ } ++ ++ if (tv->tv_usec < 0) { ++ error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec); ++ tv->tv_usec = 0; ++ } ++ ++ if (tv->tv_sec > TV_SEC_MAX_VAL) { ++ error(0, 0, _("Warning: invalid tv_sec %ld s"), tv->tv_sec); ++ triptime = 0; ++ } else if (tv->tv_sec < 0) { ++ error(0, 0, _("Warning: time of day goes back (%ld s), taking countermeasures"), tv->tv_sec); + triptime = 0; + if (!rts->opt_latency) { + gettimeofday(tv, NULL); + rts->opt_latency = 1; + goto restamp; + } ++ } else { ++ triptime = tv->tv_sec * 1000000 + tv->tv_usec; + } ++ + if (!csfailed) { + rts->tsum += triptime; + rts->tsum2 += (double)((long long)triptime * (long long)triptime); +-- +2.45.4 + diff --git a/SPECS/iputils/CVE-2025-48964.patch b/SPECS/iputils/CVE-2025-48964.patch new file mode 100644 index 00000000000..c553479c760 --- /dev/null +++ b/SPECS/iputils/CVE-2025-48964.patch @@ -0,0 +1,100 @@ +From 339a67ae9f589b2e42c9b932066208b34f272d97 Mon Sep 17 00:00:00 2001 +From: Cyril Hrubis +Date: Fri, 16 May 2025 17:57:10 +0200 +Subject: [PATCH] ping: Fix moving average rtt calculation + +The rts->rtt counts an exponential weight moving average in a fixed +point, that means that even if we limit the triptime to fit into a 32bit +number the average will overflow because because fixed point needs eight +more bits. + +We also have to limit the triptime to 32bit number because otherwise the +moving average may stil overflow if we manage to produce a large enough +triptime. + +Fixes: CVE-2025-48964 +Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1243772 +Closes: https://github.com/iputils/iputils-ghsa-25fr-jw29-74f9/pull/1 +Reported-by: Mohamed Maatallah +Reviewed-by: Petr Vorel +Tested-by: Petr Vorel +Reviewed-by: Michal Kubecek +Reviewed-by: Mohamed Maatallah +Signed-off-by: Cyril Hrubis +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c.patch +--- + iputils_common.h | 2 +- + ping/ping.h | 2 +- + ping/ping_common.c | 8 ++++---- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/iputils_common.h b/iputils_common.h +index 829a749..1296905 100644 +--- a/iputils_common.h ++++ b/iputils_common.h +@@ -11,7 +11,7 @@ + __typeof__(&arr[0]))])) * 0) + + /* 1000001 = 1000000 tv_sec + 1 tv_usec */ +-#define TV_SEC_MAX_VAL (LONG_MAX/1000001) ++#define TV_SEC_MAX_VAL (INT32_MAX/1000001) + + #ifdef __GNUC__ + # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m))) +diff --git a/ping/ping.h b/ping/ping.h +index a40c8f8..f5a5bb8 100644 +--- a/ping/ping.h ++++ b/ping/ping.h +@@ -191,7 +191,7 @@ struct ping_rts { + long tmax; /* maximum round trip time */ + double tsum; /* sum of all times, for doing average */ + double tsum2; +- int rtt; ++ uint64_t rtt; /* Exponential weight moving average calculated in fixed point */ + int rtt_addend; + uint16_t acked; + int pipesize; +diff --git a/ping/ping_common.c b/ping/ping_common.c +index f44b2c0..013a007 100644 +--- a/ping/ping_common.c ++++ b/ping/ping_common.c +@@ -282,7 +282,7 @@ int __schedule_exit(int next) + + static inline void update_interval(struct ping_rts *rts) + { +- int est = rts->rtt ? rts->rtt / 8 : rts->interval * 1000; ++ int est = rts->rtt ? (int)(rts->rtt / 8) : rts->interval * 1000; + + rts->interval = (est + rts->rtt_addend + 500) / 1000; + if (rts->uid && rts->interval < MIN_USER_INTERVAL_MS) +@@ -778,7 +778,7 @@ restamp: + if (triptime > rts->tmax) + rts->tmax = triptime; + if (!rts->rtt) +- rts->rtt = triptime * 8; ++ rts->rtt = ((uint64_t)triptime) * 8; + else + rts->rtt += triptime - rts->rtt / 8; + if (rts->opt_adaptive) +@@ -948,7 +948,7 @@ int finish(struct ping_rts *rts) + int ipg = (1000000 * (long long)tv.tv_sec + tv.tv_nsec / 1000) / (rts->ntransmitted - 1); + + printf(_("%sipg/ewma %d.%03d/%d.%03d ms"), +- comma, ipg / 1000, ipg % 1000, rts->rtt / 8000, (rts->rtt / 8) % 1000); ++ comma, ipg / 1000, ipg % 1000, (int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000)); + } + putchar('\n'); + return (!rts->nreceived || (rts->deadline && rts->nreceived < rts->npackets)); +@@ -973,7 +973,7 @@ void status(struct ping_rts *rts) + fprintf(stderr, _(", min/avg/ewma/max = %ld.%03ld/%lu.%03ld/%d.%03d/%ld.%03ld ms"), + (long)rts->tmin / 1000, (long)rts->tmin % 1000, + tavg / 1000, tavg % 1000, +- rts->rtt / 8000, (rts->rtt / 8) % 1000, (long)rts->tmax / 1000, (long)rts->tmax % 1000); ++ (int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000), (long)rts->tmax / 1000, (long)rts->tmax % 1000); + } + fprintf(stderr, "\n"); + } +-- +2.45.4 + diff --git a/SPECS/iputils/iputils.spec b/SPECS/iputils/iputils.spec index a0b4d8de6a8..7191daeab33 100644 --- a/SPECS/iputils/iputils.spec +++ b/SPECS/iputils/iputils.spec @@ -1,7 +1,7 @@ Summary: Programs for basic networking Name: iputils Version: 20240117 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD-3 AND GPLv2+ AND Rdisc Vendor: Microsoft Corporation Distribution: Azure Linux @@ -9,6 +9,8 @@ Group: Applications/Communications URL: https://github.com/iputils/iputils Source0: https://github.com/iputils/iputils/archive/20240117.tar.gz#/%{name}-%{version}.tar.gz Patch0: ping_test_ipv6_localhost.patch +Patch1: CVE-2025-47268.patch +Patch2: CVE-2025-48964.patch BuildRequires: iproute BuildRequires: libcap-devel BuildRequires: libgcrypt-devel @@ -64,6 +66,9 @@ mv -f RELNOTES.tmp RELNOTES.old %exclude %{_datadir}/locale/ %changelog +* Wed Aug 06 2025 Azure Linux Security Servicing Account - 20240117-2 +- Patch for CVE-2025-48964, CVE-2025-47268 + * Thu Feb 01 2024 Suresh Thelkar - 20240117-1 - Upgrade to 20240117 From 994dc5bdda94c435df07ec0de913471b23a64e4a Mon Sep 17 00:00:00 2001 From: kgodara912 Date: Wed, 6 Aug 2025 20:13:56 +0530 Subject: [PATCH 2/3] Update iputils.spec Adding test failure change from PR 14049 --- SPECS/iputils/iputils.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SPECS/iputils/iputils.spec b/SPECS/iputils/iputils.spec index 7191daeab33..874a41b4951 100644 --- a/SPECS/iputils/iputils.spec +++ b/SPECS/iputils/iputils.spec @@ -8,9 +8,9 @@ Distribution: Azure Linux Group: Applications/Communications URL: https://github.com/iputils/iputils Source0: https://github.com/iputils/iputils/archive/20240117.tar.gz#/%{name}-%{version}.tar.gz -Patch0: ping_test_ipv6_localhost.patch -Patch1: CVE-2025-47268.patch -Patch2: CVE-2025-48964.patch + +Patch0: CVE-2025-47268.patch +Patch1: CVE-2025-48964.patch BuildRequires: iproute BuildRequires: libcap-devel BuildRequires: libgcrypt-devel From fd14c9ccb5e45f27444d4f1dde2ca78081d6a00e Mon Sep 17 00:00:00 2001 From: Kanishk Bansal Date: Thu, 7 Aug 2025 14:17:04 +0000 Subject: [PATCH 3/3] Remove patch for ping_test_ipv6_localhost as it causes test failure Signed-off-by: Kanishk Bansal --- SPECS/iputils/iputils.spec | 1 + SPECS/iputils/ping_test_ipv6_localhost.patch | 26 -------------------- 2 files changed, 1 insertion(+), 26 deletions(-) delete mode 100644 SPECS/iputils/ping_test_ipv6_localhost.patch diff --git a/SPECS/iputils/iputils.spec b/SPECS/iputils/iputils.spec index 874a41b4951..291e7c7cd81 100644 --- a/SPECS/iputils/iputils.spec +++ b/SPECS/iputils/iputils.spec @@ -68,6 +68,7 @@ mv -f RELNOTES.tmp RELNOTES.old %changelog * Wed Aug 06 2025 Azure Linux Security Servicing Account - 20240117-2 - Patch for CVE-2025-48964, CVE-2025-47268 +- Remove patch for ping_test_ipv6_localhost as it causes test failure * Thu Feb 01 2024 Suresh Thelkar - 20240117-1 - Upgrade to 20240117 diff --git a/SPECS/iputils/ping_test_ipv6_localhost.patch b/SPECS/iputils/ping_test_ipv6_localhost.patch deleted file mode 100644 index a857688c6c7..00000000000 --- a/SPECS/iputils/ping_test_ipv6_localhost.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 503d6e54847974d0b0d63f2354919c64cbda611d Mon Sep 17 00:00:00 2001 -From: Rachel Menge -Date: Fri, 18 Feb 2022 12:13:21 -0800 -Subject: [PATCH] Mark ping6 for localhost as expected failure - -Azure Linux does not map 'localhost' for ipv6 addresses ---- - test/ping/meson.build | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/test/ping/meson.build b/test/ping/meson.build -index 11f15f5..7198369 100644 ---- a/test/ping/meson.build -+++ b/test/ping/meson.build -@@ -37,7 +37,7 @@ foreach dst : [ 'localhost', '127.0.0.1' ] + ipv6_dst - - if switch != '' - args = [switch] + args -- if (switch == '-4' and dst == '::1') or (switch == '-6' and dst == '127.0.0.1') -+ if (switch == '-4' and dst == '::1') or (switch == '-6' and dst == '127.0.0.1') or (switch == '-6' and dst == 'localhost') - should_fail = true - endif - endif --- -2.17.1 -