[AutoPR- Security] Patch alsa-lib for CVE-2026-25068 [MEDIUM] (#15758)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: Aditya Singh <v-aditysing@microsoft.com>

Author: 3 people

SPECS/alsa-lib/CVE-2026-25068.patch

@@ -0,0 +1,36 @@
+From a5eb94d680ffae07cf1ea0068883f9276d3bce1a Mon Sep 17 00:00:00 2001
+From: Jaroslav Kysela <perex@perex.cz>
+Date: Thu, 29 Jan 2026 16:51:09 +0100
+Subject: [PATCH] topology: decoder - add boundary check for channel mixer
+ count
+
+Malicious binary topology file may cause heap corruption.
+
+CVE: CVE-2026-25068
+
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40.patch
+---
+ src/topology/ctl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/topology/ctl.c b/src/topology/ctl.c
+index dd05424..311dd05 100644
+--- a/src/topology/ctl.c
++++ b/src/topology/ctl.c
+@@ -1246,6 +1246,11 @@ int tplg_decode_control_mixer1(snd_tplg_t *tplg,
+ 	if (mc->num_channels > 0) {
+ 		map = tplg_calloc(heap, sizeof(*map));
+ 		map->num_channels = mc->num_channels;
++		if (map->num_channels > SND_TPLG_MAX_CHAN ||
++		    map->num_channels > SND_SOC_TPLG_MAX_CHAN) {
++		        SNDERR("mixer: unexpected channel count %d", map->num_channels);
++			return -EINVAL;
++		}
+ 		for (i = 0; i < map->num_channels; i++) {
+ 			map->channel[i].reg = mc->channel[i].reg;
+ 			map->channel[i].shift = mc->channel[i].shift;
+-- 
+2.45.4
+

SPECS/alsa-lib/alsa-lib.spec

@@ -1,13 +1,14 @@
 Summary:        ALSA library
 Name:           alsa-lib
 Version:        1.2.6.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Applications/Internet
 URL:            https://alsa-project.org
 Source0:        https://www.alsa-project.org/files/pub/lib/%{name}-%{version}.tar.bz2
+Patch0:         CVE-2026-25068.patch
 BuildRequires:  python3-devel
 BuildRequires:  python3-libs
 Requires:       python3
@@ -24,7 +25,7 @@ Requires:       %{name} = %{version}
 It contains the libraries and header files to create applications
 
 %prep
-%setup -q
+%autosetup -p1
 
 %build
 %configure
@@ -46,6 +47,9 @@ make DESTDIR=%{buildroot} install
 %{_includedir}/*
 
 %changelog
+* Mon Feb 09 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.2.6.1-3
+- Patch for CVE-2026-25068
+
 * Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 1.2.6.1-2
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)