[AUTO-CHERRYPICK] Patch cloud-hypervisor for CVE-2025-1744 [Critical] - branch main (#12860)

CBL-Mariner-Bot · Kanishk-Bansal · web-flow · commit 71a030770dab · 2025-03-10T18:59:29.000-04:00
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/cloud-hypervisor/CVE-2025-1744.patch b/SPECS/cloud-hypervisor/CVE-2025-1744.patch
@@ -0,0 +1,31 @@
+From b49d2f0b84d424ec7fbf47138bf6acc6b18e1b0d Mon Sep 17 00:00:00 2001
+From: tabudz <tanb74653@gmail.com>
+Date: Tue, 18 Feb 2025 11:28:15 +0800
+Subject: [PATCH] Fix a bug when getting a gzip header extra field with
+ inflate(). If the extra field was larger than the space the user provided
+ with inflateGetHeader(), and if multiple calls of inflate() delivered the
+ extra header data, then there could be a buffer overflow of the provided
+ space. This commit assures that provided space is not exceeded.
+
+Upstream Reference: https://github.com/radareorg/radare2/pull/23969/commits/b49d2f0b84d424ec7fbf47138bf6acc6b18e1b0d
+---
+ inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index e9ed74cff3279..2ecfb4876d155 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -755,9 +755,10 @@ int ZEXPORT inflate(z_streamp strm, int flush)
+                 copy = state->length;
+                 if (copy > have) copy = have;
+                 if (copy) {
++                    len = state->head->extra_len - state->length;
+                     if (state->head != Z_NULL &&
+-                        state->head->extra != Z_NULL) {
+-                        len = state->head->extra_len - state->length;
++                        state->head->extra != Z_NULL &&
++                        len < state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
diff --git a/SPECS/cloud-hypervisor/cloud-hypervisor.spec b/SPECS/cloud-hypervisor/cloud-hypervisor.spec
@@ -5,7 +5,7 @@
 Summary:        Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of KVM.
 Name:           cloud-hypervisor
 Version:        32.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        ASL 2.0 OR BSD-3-clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -26,6 +26,7 @@ Patch0:         CVE-2023-45853.patch
 Patch1:         CVE-2023-50711-vmm-sys-util.patch
 Patch2:         CVE-2023-50711-vhost.patch
 Patch3:         CVE-2023-50711-versionize.patch
+Patch4:         CVE-2025-1744.patch
 %endif
 
 Conflicts: cloud-hypervisor-cvm
@@ -80,6 +81,7 @@ Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on to
 tar xf %{SOURCE1}
 pushd vendor/libz-sys/src/zlib
 %patch0 -p1
+%patch4 -p1
 popd
 %patch1 -p1
 %patch2 -p1	
@@ -164,6 +166,9 @@ cargo build --release --target=%{rust_musl_target} --package vhost_user_block %{
 %license LICENSE-BSD-3-Clause
 
 %changelog
+* Tue Mar 04 2024 Kanishk Bansal <kanbansal@microsoft.com> - 32.0-4
+- Patch CVE-2025-1744
+
 * Mon May 20 2024 Saul Paredes <saulparedes@microsoft.com> - 32.0-4
 - Add conflicts with cloud-hypervisor-cvm
 
