Merge branch '2.0' into fasttrack/2.0

Author: jslobodzian

SPECS/atop/CVE-2025-31160.patch

@@ -2,7 +2,7 @@
 Summary:        An advanced interactive monitor to view the load on system and process level
 Name:           atop
 Version:        2.6.0
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -13,6 +13,7 @@ Patch0:         nvme_support.patch
 Patch1:         atop-sysconfig.patch
 Patch2:         atop-2.3.0-newer-gcc.patch
 Patch3:         9cb119713b5e6be43671fe1856fb4bd49ff91fa7.patch
+Patch4:         CVE-2025-31160.patch
 BuildRequires:  gcc
 BuildRequires:  make
 BuildRequires:  ncurses-devel
@@ -45,6 +46,7 @@ http://www.atcomputing.nl/Tools/atop/kernpatch.html
 %patch1  -b .sysconfig
 %patch2 -p1 -b .newer-gcc
 %patch3 -p1 -b .service
+%patch4 -p1
 
 # Correct unit file path
 sed -i "s|%{_sysconfdir}/default/atop|%{_sysconfdir}/sysconfig/atop|g" atop.service
@@ -93,6 +95,9 @@ install -Dp -m 0644 atop-rotate.* %{buildroot}%{_unitdir}/
 %{_sbindir}/atopacctd
 
 %changelog
+* Mon 10 Nov 2025 Aditya Singh <v-aditysing@microsoft.com> - 2.6.0-10
+- Added Patch for CVE-2025-31160
+
 * Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 2.6.0-9
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 

SPECS/atop/atop.spec

@@ -0,0 +1,33 @@
+From 9d2825f03bb094836052de8c35666e7a720c1f28 Mon Sep 17 00:00:00 2001
+From: Suyash Dongre <suyashd999@gmail.com>
+Date: Wed, 20 Aug 2025 23:22:41 +0530
+Subject: [PATCH] Check if `HTTP_X_AMZ_COPY_SOURCE` header is empty
+
+The issue was that the `HTTP_X_AMZ_COPY_SOURCE` header could be present but empty (i.e., an empty string rather than NULL). The  code only checked if the pointer was not NULL, but didn't verify that the string had content. When an empty string was passed to RGWCopyObj::parse_copy_location(), it would eventually try to access name_str[0] on an empty string, causing a crash.
+
+Fixes: https://tracker.ceph.com/issues/72669
+
+Signed-off-by: Suyash Dongre <suyashd999@gmail.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://patch-diff.githubusercontent.com/raw/ceph/ceph/pull/65159.patch
+---
+ src/rgw/rgw_op.cc | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
+index 655f057..0287e67 100644
+--- a/src/rgw/rgw_op.cc
++++ b/src/rgw/rgw_op.cc
+@@ -4977,6 +4977,9 @@ bool RGWCopyObj::parse_copy_location(const std::string_view& url_src,
+     params_str = url_src.substr(pos + 1);
+   }
+ 
++  if (name_str.empty()) {
++    return false;
++  }
+   if (name_str[0] == '/') // trim leading slash
+     name_str.remove_prefix(1);
+ 
+-- 
+2.45.4
+

SPECS/ceph/CVE-2024-47866.patch

@@ -5,7 +5,7 @@
 Summary:        User space components of the Ceph file system
 Name:           ceph
 Version:        16.2.10
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT and Public Domain and GPLv3 and ASL-2.0
 URL:            https://ceph.io/
 Vendor:         Microsoft Corporation
@@ -21,6 +21,7 @@ Patch6:		CVE-2025-1744.patch
 Patch7:         CVE-2025-52939.patch
 Patch8:         CVE-2024-48916.patch
 Patch9:         CVE-2025-9648.patch
+Patch10:        CVE-2024-47866.patch
 # 
 # Copyright (C) 2004-2019 The Ceph Project Developers. See COPYING file
 # at the top-level directory of this distribution and at
@@ -1814,6 +1815,9 @@ exit 0
 %config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml
 
 %changelog
+* Fri Nov 14 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 16.2.10-11
+- Patch for CVE-2024-47866
+
 * Fri Oct 03 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 16.2.10-10
 - Patch for CVE-2025-9648
 

SPECS/ceph/ceph.spec

@@ -0,0 +1,39 @@
+From cb083a8451e8bb463512d7cd18d4698bf27c6fcf Mon Sep 17 00:00:00 2001
+From: dj_palli <v-dpalli@microsoft.com>
+Date: Thu, 19 Jun 2025 12:55:15 +0000
+Subject: [PATCH] Address CVE-2025-5916
+
+Upstream patch reference:https://github.com/libarchive/libarchive/pull/2568
+
+---
+ Utilities/cmlibarchive/libarchive/archive_read_support_format_warc.c          | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/Utilities/cmlibarchive/libarchive/archive_read_support_format_warc.c b/Utilities/cmlibarchive/libarchive/archive_read_support_format_warc.c
+index 72977b8e..0f3ee8d1 100644
+--- a/Utilities/cmlibarchive/libarchive/archive_read_support_format_warc.c
++++ b/Utilities/cmlibarchive/libarchive/archive_read_support_format_warc.c
+@@ -363,7 +363,8 @@ start_over:
+ 		/* FALLTHROUGH */
+ 	default:
+ 		/* consume the content and start over */
+-		_warc_skip(a);
++		if (_warc_skip(a) < 0)
++			return (ARCHIVE_FATAL);
+ 		goto start_over;
+ 	}
+ 	return (ARCHIVE_OK);
+@@ -416,7 +417,9 @@ _warc_skip(struct archive_read *a)
+ {
+ 	struct warc_s *w = a->format->data;
+ 
+-	__archive_read_consume(a, w->cntlen + 4U/*\r\n\r\n separator*/);
++	if (__archive_read_consume(a, w->cntlen) < 0 ||
++	    __archive_read_consume(a, 4U/*\r\n\r\n separator*/) < 0)
++		return (ARCHIVE_FATAL);
+ 	w->cntlen = 0U;
+ 	w->cntoff = 0U;
+ 	return (ARCHIVE_OK);
+-- 
+2.45.2
+

SPECS/cmake/CVE-2025-5916.patch

@@ -0,0 +1,36 @@
+From b211326905f20a8c9611911ebfef8a40c84757eb Mon Sep 17 00:00:00 2001
+From: dj_palli <v-dpalli@microsoft.com>
+Date: Thu, 19 Jun 2025 13:36:28 +0000
+Subject: [PATCH] Address CVE-2025-5917
+
+Upstream patch reference:https://github.com/libarchive/libarchive/pull/2588
+
+---
+ Utilities/cmlibarchive/libarchive/archive_write_set_format_pax.c    | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Utilities/cmlibarchive/libarchive/archive_write_set_format_pax.c b/Utilities/cmlibarchive/libarchive/archive_write_set_format_pax.c
+index a2b27107..0e0c71eb 100644
+--- a/Utilities/cmlibarchive/libarchive/archive_write_set_format_pax.c
++++ b/Utilities/cmlibarchive/libarchive/archive_write_set_format_pax.c
+@@ -1542,7 +1542,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length,
+ 	const char *filename, *filename_end;
+ 	char *p;
+ 	int need_slash = 0; /* Was there a trailing slash? */
+-	size_t suffix_length = 99;
++	size_t suffix_length = 98; /* 99 - 1 for trailing slash */
+ 	size_t insert_length;
+ 
+ 	/* Length of additional dir element to be added. */
+@@ -1594,7 +1594,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length,
+ 	/* Step 2: Locate the "prefix" section of the dirname, including
+ 	 * trailing '/'. */
+ 	prefix = src;
+-	prefix_end = prefix + 155;
++	prefix_end = prefix + 154 /* 155 - 1 for trailing / */;
+ 	if (prefix_end > filename)
+ 		prefix_end = filename;
+ 	while (prefix_end > prefix && *prefix_end != '/')
+-- 
+2.45.2
+

SPECS/cmake/CVE-2025-5917.patch

@@ -0,0 +1,194 @@
+From 8a0cc2ca12fc939ac7390776ae12de627372650d Mon Sep 17 00:00:00 2001
+From: Durga Jagadeesh Palli <v-dpalli@microsoft.com>
+Date: Tue, 9 Sep 2025 00:32:16 +0000
+Subject: [PATCH] Address CVE-2025-5918 and fix the FILE skip regression.
+
+Upstream Patch Reference: https://github.com/libarchive/libarchive/pull/2584
+Upstream Patch Reference for fix FILE_skip regression: https://github.com/libarchive/libarchive/pull/2642
+
+---
+ Utilities/cmlibarchive/libarchive/archive_read_open_fd.c         | 13 +++++--
+ Utilities/cmlibarchive/libarchive/archive_read_open_file.c       | 36 ++++++++++++++-----
+ Utilities/cmlibarchive/libarchive/archive_read_open_filename.c   | 30 ++++++++++++----
+ 3 files changed, 62 insertions(+), 17 deletions(-)
+
+diff --git a/Utilities/cmlibarchive/libarchive/archive_read_open_fd.c b/Utilities/cmlibarchive/libarchive/archive_read_open_fd.c
+index f59cd07f..f8c5d0a1 100644
+--- a/Utilities/cmlibarchive/libarchive/archive_read_open_fd.c
++++ b/Utilities/cmlibarchive/libarchive/archive_read_open_fd.c
+@@ -53,6 +53,7 @@ __FBSDID("$FreeBSD: head/lib/libarchive/archive_read_open_fd.c 201103 2009-12-28
+ struct read_fd_data {
+ 	int	 fd;
+ 	size_t	 block_size;
++	int64_t size;
+ 	char	 use_lseek;
+ 	void	*buffer;
+ };
+@@ -96,6 +97,7 @@ archive_read_open_fd(struct archive *a, int fd, size_t block_size)
+ 	if (S_ISREG(st.st_mode)) {
+ 		archive_read_extract_set_skip_file(a, st.st_dev, st.st_ino);
+ 		mine->use_lseek = 1;
++		mine->size = st.st_size;
+ 	}
+ #if defined(__CYGWIN__) || defined(_WIN32)
+ 	setmode(mine->fd, O_BINARY);
+@@ -152,9 +154,14 @@ file_skip(struct archive *a, void *client_data, int64_t request)
+ 	if (request == 0)
+ 		return (0);
+ 
+-	if (((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) &&
+-	    ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0))
+-		return (new_offset - old_offset);
++	if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) {
++		if (old_offset >= mine->size ||
++			skip > mine->size - old_offset) {
++			/* Do not seek past end of file. */
++			errno = ESPIPE;
++		} else if ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0)
++			return (new_offset - old_offset);
++	}
+ 
+ 	/* If seek failed once, it will probably fail again. */
+ 	mine->use_lseek = 0;
+diff --git a/Utilities/cmlibarchive/libarchive/archive_read_open_file.c b/Utilities/cmlibarchive/libarchive/archive_read_open_file.c
+index 101dae6c..de77e74f 100644
+--- a/Utilities/cmlibarchive/libarchive/archive_read_open_file.c
++++ b/Utilities/cmlibarchive/libarchive/archive_read_open_file.c
+@@ -53,6 +53,7 @@ __FBSDID("$FreeBSD: head/lib/libarchive/archive_read_open_file.c 201093 2009-12-
+ struct read_FILE_data {
+ 	FILE    *f;
+ 	size_t	 block_size;
++	int64_t  size;
+ 	void	*buffer;
+ 	char	 can_skip;
+ };
+@@ -91,6 +92,7 @@ archive_read_open_FILE(struct archive *a, FILE *f)
+ 		archive_read_extract_set_skip_file(a, st.st_dev, st.st_ino);
+ 		/* Enable the seek optimization only for regular files. */
+ 		mine->can_skip = 1;
++		mine->size = st.st_size;
+ 	} else
+ 		mine->can_skip = 0;
+ 
+@@ -130,6 +132,7 @@ file_skip(struct archive *a, void *client_data, int64_t request)
+ #else
+ 	long skip = (long)request;
+ #endif
++    int64_t old_offset, new_offset = -1;
+ 	int skip_bits = sizeof(skip) * 8 - 1;
+ 
+ 	(void)a; /* UNUSED */
+@@ -153,19 +156,36 @@ file_skip(struct archive *a, void *client_data, int64_t request)
+ 
+ #ifdef __ANDROID__
+         /* fileno() isn't safe on all platforms ... see above. */
+-	if (lseek(fileno(mine->f), skip, SEEK_CUR) < 0)
++	old_offset = lseek(fileno(mine->f), 0, SEEK_CUR);
+ #elif HAVE_FSEEKO
+-	if (fseeko(mine->f, skip, SEEK_CUR) != 0)
++	old_offset = ftello(mine->f);
+ #elif HAVE__FSEEKI64
+-	if (_fseeki64(mine->f, skip, SEEK_CUR) != 0)
++	old_offset = _ftelli64(mine->f);
+ #else
+-	if (fseek(mine->f, skip, SEEK_CUR) != 0)
++	old_offset = ftell(mine->f);
+ #endif
+-	{
+-		mine->can_skip = 0;
+-		return (0);
++	if (old_offset >= 0) {
++		if (old_offset < mine->size &&
++		    skip <= mine->size - old_offset) {
++#ifdef __ANDROID__
++			new_offset = lseek(fileno(mine->f), skip, SEEK_CUR);
++#elif HAVE__FSEEKI64
++			if (_fseeki64(mine->f, skip, SEEK_CUR) == 0)
++				new_offset = _ftelli64(mine->f);
++#elif HAVE_FSEEKO
++			if (fseeko(mine->f, skip, SEEK_CUR) == 0)
++				new_offset = ftello(mine->f);
++#else
++			if (fseek(mine->f, skip, SEEK_CUR) == 0)
++				new_offset = ftell(mine->f);
++#endif
++			if (new_offset >= 0)
++				return (new_offset - old_offset);
++		}
+ 	}
+-	return (request);
++
++	mine->can_skip = 0;
++	return (0);
+ }
+ 
+ static int
+diff --git a/Utilities/cmlibarchive/libarchive/archive_read_open_filename.c b/Utilities/cmlibarchive/libarchive/archive_read_open_filename.c
+index 86635e21..84556a15 100644
+--- a/Utilities/cmlibarchive/libarchive/archive_read_open_filename.c
++++ b/Utilities/cmlibarchive/libarchive/archive_read_open_filename.c
+@@ -75,6 +75,7 @@ struct read_file_data {
+ 	size_t	 block_size;
+ 	void	*buffer;
+ 	mode_t	 st_mode;  /* Mode bits for opened file. */
++	int64_t size;
+ 	char	 use_lseek;
+ 	enum fnt_e { FNT_STDIN, FNT_MBS, FNT_WCS } filename_type;
+ 	union {
+@@ -366,8 +367,10 @@ file_open(struct archive *a, void *client_data)
+ 	mine->st_mode = st.st_mode;
+ 
+ 	/* Disk-like inputs can use lseek(). */
+-	if (is_disk_like)
++	if (is_disk_like) {
+ 		mine->use_lseek = 1;
++		mine->size = st.st_size;
++	}
+ 
+ 	return (ARCHIVE_OK);
+ fail:
+@@ -445,21 +448,36 @@ file_skip_lseek(struct archive *a, void *client_data, int64_t request)
+ 	struct read_file_data *mine = (struct read_file_data *)client_data;
+ #if defined(_WIN32) && !defined(__CYGWIN__)
+ 	/* We use _lseeki64() on Windows. */
+-	int64_t old_offset, new_offset;
++	int64_t old_offset, new_offset, skip = request;;
+ #else
+-	off_t old_offset, new_offset;
++	off_t old_offset, new_offset, skip = (off_t)request;
+ #endif
++    int skip_bits = sizeof(skip) * 8 - 1;
+ 
+ 	/* We use off_t here because lseek() is declared that way. */
+ 
++	/* Reduce a request that would overflow the 'skip' variable. */
++	if (sizeof(request) > sizeof(skip)) {
++		const int64_t max_skip =
++		    (((int64_t)1 << (skip_bits - 1)) - 1) * 2 + 1;
++		if (request > max_skip)
++			skip = max_skip;
++	}
++
+ 	/* TODO: Deal with case where off_t isn't 64 bits.
+ 	 * This shouldn't be a problem on Linux or other POSIX
+ 	 * systems, since the configuration logic for libarchive
+ 	 * tries to obtain a 64-bit off_t.
+ 	 */
+-	if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0 &&
+-	    (new_offset = lseek(mine->fd, request, SEEK_CUR)) >= 0)
+-		return (new_offset - old_offset);
++
++	if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) {
++		if (old_offset >= mine->size ||
++		    skip > mine->size - old_offset) {
++			/* Do not seek past end of file. */
++			errno = ESPIPE;
++		} else if ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0)
++			return (new_offset - old_offset);
++	}
+ 
+ 	/* If lseek() fails, don't bother trying again. */
+ 	mine->use_lseek = 0;
+-- 
+2.45.4
+