[AutoPR- Security] Patch netavark for CVE-2026-25541 [MEDIUM] (#15824)

azurelinux-security · archana25-ms · web-flow · commit bac998d76236 · 2026-03-09T14:07:03.000+05:30
Co-authored-by: Archana Shettigar &lt;v-shettigara@microsoft.com&gt;
diff --git a/SPECS/netavark/CVE-2026-25541.patch b/SPECS/netavark/CVE-2026-25541.patch
@@ -0,0 +1,118 @@
+From eac0ec6e37e65707bf5c171206d880e206c5dad3 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Thu, 12 Feb 2026 18:27:10 +0000
+Subject: [PATCH] vendor/bytes: check overflow in new_cap + offset and add test
+
+- Add miri.sh run with wrapping overflow
+- Always check overflow in new_cap + offset during reserve and use computed value
+- Update debug asserts and pointer math to use existing offset
+- Add test to repro integer overflow in reserve
+
+Signed-off-by: AllSpark <allspark@microsoft.com>
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: AI Backport of https://github.com/tokio-rs/bytes/commit/d0293b0e35838123c51ca5dfdf468ecafee4398f.patch
+
+---
+ vendor/bytes/.cargo-checksum.json |  2 +-
+ vendor/bytes/ci/miri.sh           |  3 +++
+ vendor/bytes/src/bytes_mut.rs     | 22 +++++++++++++++--------
+ vendor/bytes/tests/test_bytes.rs  | 13 +++++++++++++
+ 4 files changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/vendor/bytes/.cargo-checksum.json b/vendor/bytes/.cargo-checksum.json
+index 68aa59e..14d2c55 100644
+--- a/vendor/bytes/.cargo-checksum.json
++++ b/vendor/bytes/.cargo-checksum.json
+@@ -1 +1 @@
+-{"files":{"CHANGELOG.md":"acf98bf37a6f854e120b17b0117de8d11e31ceeffd06e69f5a8a50559a5c7822","Cargo.toml":"5e3195d94510bb4d78c001af60576812491a0d2d2f72a9411e9d8ab54ccd3927","LICENSE":"45f522cacecb1023856e46df79ca625dfc550c94910078bd8aec6e02880b3d42","README.md":"c1b2b54999d4829f9f64fb41cbdf05a72d565be0dd078a8633d34631147498a1","benches/buf.rs":"72e6b6120b52d568da068f17c66a793d65602e400c595778581b63092e41d8dc","benches/bytes.rs":"f8cc255be7e8afedf6ade95cd529d105c537c5ec51110d46d470a26b497afa05","benches/bytes_mut.rs":"1326fe6224b26826228e02b4133151e756f38152c2d9cfe66adf83af76c3ec98","ci/miri.sh":"1ee54575b55a0e495e52ca1a934beed674bc8f375f03c4cfc3e81d221ec4fe98","ci/test-stable.sh":"57dd709bc25a20103ee85e24965566900817b2e603f067fb1251a5c03e4b1d93","ci/tsan.sh":"466b86b19225dd26c756cf2252cb1973f87a145642c99364b462ed7ceb55c7dd","clippy.toml":"8522f448dfa3b33ac334ce47d233ebb6b58e8ae115e45107a64fc1b4510fe560","src/buf/buf_impl.rs":"68e493fbf585af6e30990be73ac7fda133f626665ac0a49470426ca824f41254","src/buf/buf_mut.rs":"f167024c569fa47d6b413d68ddb6a6d07b72a0297e0f40f7dc4bbfe2b33048b9","src/buf/chain.rs":"46ec16a7cc370374218c2621ad738df77d95b25216099900ad9195a08a234375","src/buf/iter.rs":"6b44b0b397112f6bcb892103c02a24113963fd8da110c0e0adb91201bf5b3caa","src/buf/limit.rs":"e005ba140b70f68654877c96b981a220477e415ff5c92438c1b0cb9bc866d872","src/buf/mod.rs":"19ff6fb7e19cba3884bc3f1a50ef20117dbc807f6d146ed355f42344a74fdf44","src/buf/reader.rs":"856c1e7129a1eceaa3c8f9ed4da8c3b5e1cc267eeffa99fa8f7c56c5ca7834d1","src/buf/take.rs":"a897e79bf579391227816973b2aa1f1d63614bd48bc029d9371f61607dcfa23f","src/buf/uninit_slice.rs":"54756e79617685f3e805ae1dd51e5b8197791161169a18ee1d96e3158dc748fa","src/buf/vec_deque.rs":"8d552c26ac6ce28a471f74c388e4749432e86b1d8f5a9759b9fc32a2549d395f","src/buf/writer.rs":"c92b5f8b9b42e2e784de474c987fe4ac50af4b5c51ac9548d19a54e8ac9ff521","src/bytes.rs":"0207c4d88e3a91022548d11b2ac5a80f6f9662e6acb2142ca1a00d9b3b9dd9c9","src/bytes_mut.rs":"a4d4c5f8b8502cd3650f938433365b7a7989d8bc4f60b436d21a37f1ed13ffa1","src/fmt/debug.rs":"97b23cfa1d2701fa187005421302eeb260e635cd4f9a9e02b044ff89fcc8b8ad","src/fmt/hex.rs":"13755ec6f1b79923e1f1a05c51b179a38c03c40bb8ed2db0210e8901812e61e7","src/fmt/mod.rs":"176da4e359da99b8e5cf16e480cb7b978f574876827f1b9bb9c08da4d74ac0f5","src/lib.rs":"7d64ad302f99d982b39ea59ea84f9ab1c872935e5f5a8390b29ed08890d5dd61","src/loom.rs":"eb3f577d8cce39a84155c241c4dc308f024631f02085833f7fe9f0ea817bcea9","src/serde.rs":"3ecd7e828cd4c2b7db93c807cb1548fad209e674df493edf7cda69a7b04d405d","tests/test_buf.rs":"a7be350258f0433cfb9ba9e4583d6bb356c964ac34a781f586fd78fbd2c4bb02","tests/test_buf_mut.rs":"5589ce30cb35f8bb4163870d6de14aa67c2209bbd6ba547222d6008297e04a99","tests/test_bytes.rs":"b2fc06ab0f03372972e2b87c6e5d5a6ca91eb8886edbe2a0169ae689ec1be863","tests/test_bytes_odd_alloc.rs":"aeb7a86bf8b31f67b6f453399f3649e0d3878247debc1325d98e66201b1da15f","tests/test_bytes_vec_alloc.rs":"dd7e3c3a71abcfdcad7e3b2f52a6bd106ad6ea0d4bc634372e81dae097233cf0","tests/test_chain.rs":"e9f094539bb42b3135f50033c44122a6b44cf0f953e51e8b488f43243f1e7f10","tests/test_debug.rs":"13299107172809e8cbbd823964ac9450cd0d6b6de79f2e6a2e0f44b9225a0593","tests/test_iter.rs":"c1f46823df26a90139645fd8728a03138edd95b2849dfec830452a80ddd9726d","tests/test_reader.rs":"bf83669d4e0960dad6aa47b46a9a454814fab626eb83572aba914c3d71618f43","tests/test_serde.rs":"2691f891796ba259de0ecf926de05c514f4912cc5fcd3e6a1591efbcd23ed4d0","tests/test_take.rs":"db01bf6855097f318336e90d12c0725a92cee426d330e477a6bd1d32dac34a27"},"package":"a2bd12c1caf447e69cd4528f47f94d203fd2582878ecb9e9465484c4148a8223"}
+\ No newline at end of file
++{"files":{"CHANGELOG.md":"acf98bf37a6f854e120b17b0117de8d11e31ceeffd06e69f5a8a50559a5c7822","Cargo.toml":"5e3195d94510bb4d78c001af60576812491a0d2d2f72a9411e9d8ab54ccd3927","LICENSE":"45f522cacecb1023856e46df79ca625dfc550c94910078bd8aec6e02880b3d42","README.md":"c1b2b54999d4829f9f64fb41cbdf05a72d565be0dd078a8633d34631147498a1","benches/buf.rs":"72e6b6120b52d568da068f17c66a793d65602e400c595778581b63092e41d8dc","benches/bytes.rs":"f8cc255be7e8afedf6ade95cd529d105c537c5ec51110d46d470a26b497afa05","benches/bytes_mut.rs":"1326fe6224b26826228e02b4133151e756f38152c2d9cfe66adf83af76c3ec98","ci/miri.sh":"b74d80448f1631b76521be77553eff3eba70d516c218fd6994e201034d7fe175","ci/test-stable.sh":"57dd709bc25a20103ee85e24965566900817b2e603f067fb1251a5c03e4b1d93","ci/tsan.sh":"466b86b19225dd26c756cf2252cb1973f87a145642c99364b462ed7ceb55c7dd","clippy.toml":"8522f448dfa3b33ac334ce47d233ebb6b58e8ae115e45107a64fc1b4510fe560","src/buf/buf_impl.rs":"68e493fbf585af6e30990be73ac7fda133f626665ac0a49470426ca824f41254","src/buf/buf_mut.rs":"f167024c569fa47d6b413d68ddb6a6d07b72a0297e0f40f7dc4bbfe2b33048b9","src/buf/chain.rs":"46ec16a7cc370374218c2621ad738df77d95b25216099900ad9195a08a234375","src/buf/iter.rs":"6b44b0b397112f6bcb892103c02a24113963fd8da110c0e0adb91201bf5b3caa","src/buf/limit.rs":"e005ba140b70f68654877c96b981a220477e415ff5c92438c1b0cb9bc866d872","src/buf/mod.rs":"19ff6fb7e19cba3884bc3f1a50ef20117dbc807f6d146ed355f42344a74fdf44","src/buf/reader.rs":"856c1e7129a1eceaa3c8f9ed4da8c3b5e1cc267eeffa99fa8f7c56c5ca7834d1","src/buf/take.rs":"a897e79bf579391227816973b2aa1f1d63614bd48bc029d9371f61607dcfa23f","src/buf/uninit_slice.rs":"54756e79617685f3e805ae1dd51e5b8197791161169a18ee1d96e3158dc748fa","src/buf/vec_deque.rs":"8d552c26ac6ce28a471f74c388e4749432e86b1d8f5a9759b9fc32a2549d395f","src/buf/writer.rs":"c92b5f8b9b42e2e784de474c987fe4ac50af4b5c51ac9548d19a54e8ac9ff521","src/bytes.rs":"0207c4d88e3a91022548d11b2ac5a80f6f9662e6acb2142ca1a00d9b3b9dd9c9","src/bytes_mut.rs":"f05460b43bfca126812c3b26fa68847106f8ce8f52875dc6164c7fcced699ade","src/fmt/debug.rs":"97b23cfa1d2701fa187005421302eeb260e635cd4f9a9e02b044ff89fcc8b8ad","src/fmt/hex.rs":"13755ec6f1b79923e1f1a05c51b179a38c03c40bb8ed2db0210e8901812e61e7","src/fmt/mod.rs":"176da4e359da99b8e5cf16e480cb7b978f574876827f1b9bb9c08da4d74ac0f5","src/lib.rs":"7d64ad302f99d982b39ea59ea84f9ab1c872935e5f5a8390b29ed08890d5dd61","src/loom.rs":"eb3f577d8cce39a84155c241c4dc308f024631f02085833f7fe9f0ea817bcea9","src/serde.rs":"3ecd7e828cd4c2b7db93c807cb1548fad209e674df493edf7cda69a7b04d405d","tests/test_buf.rs":"a7be350258f0433cfb9ba9e4583d6bb356c964ac34a781f586fd78fbd2c4bb02","tests/test_buf_mut.rs":"5589ce30cb35f8bb4163870d6de14aa67c2209bbd6ba547222d6008297e04a99","tests/test_bytes.rs":"17106a375d6a54f9b5911f6da15bb5c86488d0a9594a38db0a434b62fafb0488","tests/test_bytes_odd_alloc.rs":"aeb7a86bf8b31f67b6f453399f3649e0d3878247debc1325d98e66201b1da15f","tests/test_bytes_vec_alloc.rs":"dd7e3c3a71abcfdcad7e3b2f52a6bd106ad6ea0d4bc634372e81dae097233cf0","tests/test_chain.rs":"e9f094539bb42b3135f50033c44122a6b44cf0f953e51e8b488f43243f1e7f10","tests/test_debug.rs":"13299107172809e8cbbd823964ac9450cd0d6b6de79f2e6a2e0f44b9225a0593","tests/test_iter.rs":"c1f46823df26a90139645fd8728a03138edd95b2849dfec830452a80ddd9726d","tests/test_reader.rs":"bf83669d4e0960dad6aa47b46a9a454814fab626eb83572aba914c3d71618f43","tests/test_serde.rs":"2691f891796ba259de0ecf926de05c514f4912cc5fcd3e6a1591efbcd23ed4d0","tests/test_take.rs":"db01bf6855097f318336e90d12c0725a92cee426d330e477a6bd1d32dac34a27"},"package":"a2bd12c1caf447e69cd4528f47f94d203fd2582878ecb9e9465484c4148a8223"}
+diff --git a/vendor/bytes/ci/miri.sh b/vendor/bytes/ci/miri.sh
+index 0158756..161d581 100755
+--- a/vendor/bytes/ci/miri.sh
++++ b/vendor/bytes/ci/miri.sh
+@@ -9,3 +9,6 @@ export MIRIFLAGS="-Zmiri-strict-provenance"
+ 
+ cargo miri test
+ cargo miri test --target mips64-unknown-linux-gnuabi64
++
++# run with wrapping integer overflow instead of panic
++cargo miri test --release
+diff --git a/vendor/bytes/src/bytes_mut.rs b/vendor/bytes/src/bytes_mut.rs
+index c5c2e52..1de43ae 100644
+--- a/vendor/bytes/src/bytes_mut.rs
++++ b/vendor/bytes/src/bytes_mut.rs
+@@ -668,9 +668,14 @@ impl BytesMut {
+ 
+                 let offset = offset_from(self.ptr.as_ptr(), ptr);
+ 
++                let new_cap_plus_offset = match new_cap.checked_add(offset) {
++                    Some(new_cap_plus_offset) => new_cap_plus_offset,
++                    None => panic!("overflow"),
++                };
++
+                 // Compare the condition in the `kind == KIND_VEC` case above
+                 // for more details.
+-                if v_capacity >= new_cap + offset {
++                if v_capacity >= new_cap_plus_offset {
+                     self.cap = new_cap;
+                     // no copy is necessary
+                 } else if v_capacity >= new_cap && offset >= len {
+@@ -683,14 +689,12 @@ impl BytesMut {
+                     self.ptr = vptr(ptr);
+                     self.cap = v.capacity();
+                 } else {
+-                    // calculate offset
+-                    let off = (self.ptr.as_ptr() as usize) - (v.as_ptr() as usize);
+ 
+                     // new_cap is calculated in terms of `BytesMut`, not the underlying
+                     // `Vec`, so it does not take the offset into account.
+                     //
+                     // Thus we have to manually add it here.
+-                    new_cap = new_cap.checked_add(off).expect("overflow");
++                    new_cap = new_cap_plus_offset;
+ 
+                     // The vector capacity is not sufficient. The reserve request is
+                     // asking for more than the initial buffer capacity. Allocate more
+@@ -712,13 +719,13 @@ impl BytesMut {
+                     // the unused capacity of the vector is copied over to the new
+                     // allocation, so we need to ensure that we don't have any data we
+                     // care about in the unused capacity before calling `reserve`.
+-                    debug_assert!(off + len <= v.capacity());
+-                    v.set_len(off + len);
++                    debug_assert!(offset + len <= v.capacity());
++                    v.set_len(offset + len);
+                     v.reserve(new_cap - v.len());
+ 
+                     // Update the info
+-                    self.ptr = vptr(v.as_mut_ptr().add(off));
+-                    self.cap = v.capacity() - off;
++                    self.ptr = vptr(v.as_mut_ptr().add(offset));
++                    self.cap = v.capacity() - offset;
+                 }
+ 
+                 return;
+diff --git a/vendor/bytes/tests/test_bytes.rs b/vendor/bytes/tests/test_bytes.rs
+index 5ec60a5..5f81ea3 100644
+--- a/vendor/bytes/tests/test_bytes.rs
++++ b/vendor/bytes/tests/test_bytes.rs
+@@ -1208,3 +1208,16 @@ fn test_bytes_capacity_len() {
+         }
+     }
+ }
++
++#[test]
++#[should_panic]
++fn bytes_mut_reserve_overflow() {
++    let mut a = BytesMut::from(&b"hello world"[..]);
++    let mut b = a.split_off(5);
++    // Ensure b becomes the unique owner of the backing storage
++    drop(a);
++    // Trigger overflow in new_cap + offset inside reserve
++    b.reserve(usize::MAX - 6);
++    // This call relies on the corrupted cap and may cause UB & HBO
++    b.put_u8(b'h');
++}
+-- 
+2.45.4
+
diff --git a/SPECS/netavark/netavark.spec b/SPECS/netavark/netavark.spec
@@ -11,14 +11,15 @@
 
 Name:          netavark
 Version:       1.10.3
-Release:       5%{?dist}
+Release:       6%{?dist}
 Summary:       OCI network stack
 License:       ASL 2.0 and BSD and MIT
 Vendor:        Microsoft Corporation
 Distribution:   Azure Linux
 URL:           https://github.com/containers/%{name}
 Source0:       %{url}/archive/%{built_tag}/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:       %{url}/releases/download/%{built_tag}/%{name}-%{built_tag}-vendor.tar.gz
+Patch0:        CVE-2026-25541.patch
 BuildRequires: cargo < 1.85.0
 BuildRequires: make
 BuildRequires: protobuf-c
@@ -193,8 +194,7 @@ Its features include:
 * Support for container DNS resolution via aardvark-dns.
 
 %prep
-%autosetup -Sgit -n %{name}-%{built_tag_strip}
-tar fx %{SOURCE1}
+%autosetup -p1 -n %{name}-%{built_tag_strip} -a 1
 mkdir -p .cargo
 
 cat >.cargo/config << EOF
@@ -225,6 +225,9 @@ popd
 %{_unitdir}/%{name}-firewalld-reload.service
 
 %changelog
+* Thu Feb 12 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.10.3-6
+- Patch for CVE-2026-25541
+
 * Mon Feb 02 2026 Archana Shettigar <v-shettigara@microsoft.com> - 1.10.3-5
 - Bump release to rebuild with rust
 
