diff --git a/SPECS/fluent-bit/CVE-2025-54126.patch b/SPECS/fluent-bit/CVE-2025-54126.patch new file mode 100644 index 00000000000..9707850f231 --- /dev/null +++ b/SPECS/fluent-bit/CVE-2025-54126.patch @@ -0,0 +1,80 @@ +From fa5362648e63fea8fa85d89cfec012721e6c873f Mon Sep 17 00:00:00 2001 +From: "liang.he" +Date: Sun, 27 Jul 2025 14:38:56 +0800 +Subject: [PATCH] Merge commit from fork + +If `--addr-pool=1.2.3.4`, the runtime will return an error. +The value must be in the form of ADDRESS/MASK. + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/bytecodealliance/wasm-micro-runtime/commit/121232a9957a069bbb04ebda053bdc72ab409e7a.patch +--- + .../core/iwasm/common/wasm_runtime_common.c | 10 +++++++++- + lib/wasm-micro-runtime-WAMR-1.3.0/doc/socket_api.md | 3 ++- + .../product-mini/platforms/common/libc_wasi.c | 2 +- + .../samples/socket-api/CMakeLists.txt | 1 + + 4 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/common/wasm_runtime_common.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/common/wasm_runtime_common.c +index 567e77b..976842d 100644 +--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/common/wasm_runtime_common.c ++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/common/wasm_runtime_common.c +@@ -3125,7 +3125,15 @@ wasm_runtime_init_wasi(WASMModuleInstanceCommon *module_inst, + address = strtok(cp, "/"); + mask = strtok(NULL, "/"); + +- ret = addr_pool_insert(apool, address, (uint8)(mask ? atoi(mask) : 0)); ++ if (!mask) { ++ snprintf(error_buf, error_buf_size, ++ "Invalid address pool entry: %s, must be in the format of " ++ "ADDRESS/MASK", ++ addr_pool[i]); ++ goto fail; ++ } ++ ++ ret = addr_pool_insert(apool, address, (uint8)atoi(mask)); + wasm_runtime_free(cp); + if (!ret) { + set_error_buf(error_buf, error_buf_size, +diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/doc/socket_api.md b/lib/wasm-micro-runtime-WAMR-1.3.0/doc/socket_api.md +index eff9376..7cab555 100644 +--- a/lib/wasm-micro-runtime-WAMR-1.3.0/doc/socket_api.md ++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/doc/socket_api.md +@@ -58,7 +58,8 @@ enabled. + + _iwasm_ accepts address ranges via an option, `--addr-pool`, to implement + the capability control. All IP address the WebAssembly application may need to `bind()` or `connect()` +-should be announced first. Every IP address should be in CIDR notation. ++should be announced first. Every IP address should be in CIDR notation. If not, _iwasm_ will return ++an error. + + ```bash + $ iwasm --addr-pool=1.2.3.4/15,2.3.4.6/16 socket_example.wasm +diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/product-mini/platforms/common/libc_wasi.c b/lib/wasm-micro-runtime-WAMR-1.3.0/product-mini/platforms/common/libc_wasi.c +index 84e133b..1e595b3 100644 +--- a/lib/wasm-micro-runtime-WAMR-1.3.0/product-mini/platforms/common/libc_wasi.c ++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/product-mini/platforms/common/libc_wasi.c +@@ -45,7 +45,7 @@ libc_wasi_print_help() + "path, for example:\n"); + printf(" --map-dir= " + "--map-dir=\n"); +- printf(" --addr-pool= Grant wasi access to the given network " ++ printf(" --addr-pool= Grant wasi access to the given network " + "addresses in\n"); + printf(" CIDR notation to the program, seperated " + "with ',',\n"); +diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/samples/socket-api/CMakeLists.txt b/lib/wasm-micro-runtime-WAMR-1.3.0/samples/socket-api/CMakeLists.txt +index e68a63e..a68d0ca 100644 +--- a/lib/wasm-micro-runtime-WAMR-1.3.0/samples/socket-api/CMakeLists.txt ++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/samples/socket-api/CMakeLists.txt +@@ -171,6 +171,7 @@ set(WAMR_BUILD_JIT 0) + set(WAMR_BUILD_LIBC_BUILTIN 1) + set(WAMR_BUILD_LIBC_WASI 1) + set(WAMR_BUILD_LIB_PTHREAD 1) ++set(WAMR_BUILD_REF_TYPES 1) + + # compiling and linking flags + if (NOT (CMAKE_C_COMPILER MATCHES ".*clang.*" OR CMAKE_C_COMPILER_ID MATCHES ".*Clang")) +-- +2.45.4 + diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec index 751539766a9..29481a3ef1c 100644 --- a/SPECS/fluent-bit/fluent-bit.spec +++ b/SPECS/fluent-bit/fluent-bit.spec @@ -1,7 +1,7 @@ Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX Name: fluent-bit Version: 3.0.6 -Release: 2%{?dist} +Release: 3%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -14,6 +14,7 @@ Patch3: CVE-2024-25431.patch Patch4: CVE-2024-27532.patch Patch5: CVE-2024-50608.patch Patch6: CVE-2024-50609.patch +Patch7: CVE-2025-54126.patch BuildRequires: bison BuildRequires: cmake BuildRequires: cyrus-sasl-devel @@ -88,6 +89,9 @@ Development files for %{name} %{_libdir}/fluent-bit/*.so %changelog +* Wed Aug 06 2025 Azure Linux Security Servicing Account - 3.0.6-3 +- Patch for CVE-2025-54126 + * Thu Feb 27 2025 Kshitiz Godara - 3.0.6-2 - Address CVE-2024-50608 and CVE-2024-50609