
[Low] Patch telegraf for CVE-2025-29923, CVE-2025-46327 #14747

Open
jykanase wants to merge 5 commits into microsoft:3.0-dev from jykanase:topic_telegraph-3.0

Conversation


@jykanase jykanase commented Sep 30, 2025

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary
  • [Low] Patch telegraf for GHSA-92cp-5422-2mw7
  • [Low] Patch telegraf for GHSA-6jgm-j7h2-2fqg
    Required backporting four patches so that the actual patch would apply. Any patches that were changed beyond adding the patch link to the commit message have been re-written such that I am listed as the author, and the main changes made were simply omitting changes to files that we do not ship.
Change Log
  • [Low] Patch telegraf for GHSA-92cp-5422-2mw7
    Patch did not apply cleanly, I had to remove all references to UnstableResp3 as that symbol is not present in the version we ship.
    Upstream Patch Link: https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6.patch
    Patch was found via astrolabe

  • [Low] Patch telegraf for GHSA-6jgm-j7h2-2fqg
    Required backporting four patches so that the actual patch would apply. Any patches that were changed beyond adding the patch link to the commit message have been re-written such that I am listed as the author, and the main changes made were simply omitting changes to files that we do not ship.
    Initial patch was found via astrolabe, backported supporting patches were found via git blame.

Does this affect the toolchain?

NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • Local build
Screenshot 2025-09-30 180920
  • Patch applied cleanly:
Screenshot 2025-09-30 180833

@jykanase jykanase requested a review from a team as a code owner September 30, 2025 12:39
@microsoft-github-policy-service microsoft-github-policy-service Bot added the Packaging and 3.0-dev (PRs Destined for AzureLinux 3.0) labels Sep 30, 2025
@Kanishk-Bansal


Buddy Build

@jykanase jykanase changed the title [Low] patch telegraph for CVE-2025-29923, CVE-2025-46327 [Low] Patch telegraf for CVE-2025-29923, CVE-2025-46327 Oct 1, 2025

jykanase commented Oct 1, 2025


Buddy Build

Buddy Build is successful.

@jykanase jykanase force-pushed the topic_telegraph-3.0 branch from d69000a to 1403f5b Compare December 25, 2025 14:51
@Kanishk-Bansal


Buddy Build

@v-aaditya v-aaditya force-pushed the topic_telegraph-3.0 branch from 1403f5b to 079f50f Compare January 9, 2026 08:50
@jykanase jykanase force-pushed the topic_telegraph-3.0 branch from 079f50f to 20c15ca Compare June 2, 2026 06:57

@mfrw mfrw left a comment


can we please rebase this to the latest 3.0-dev

@jykanase jykanase force-pushed the topic_telegraph-3.0 branch from 20c15ca to d45e935 Compare June 5, 2026 04:34
@Kanishk-Bansal Kanishk-Bansal requested a review from mfrw June 5, 2026 11:02

@mfrw mfrw left a comment


LGTM ✅

Did a thorough check on this CVE patch series:

  • Spec Release bumped 23 → 24, and Patch46/47/48 declared in correct order.
  • %prep uses %autosetup -a1 -p1 — so the new PatchN declarations get applied automatically; no manual %patchN line needed.
  • All three patches apply cleanly w.r.t the vendored sources in v1.31.0/vendor.
  • Cross-checked every backport against its upstream commit (see per-patch notes below).
  • ADO Test Build green — buildId 1133197.

Per-patch verification

CVE-2025-29923.patch (go-redis CLIENT SETINFO panic)

  • Backport of upstream d236865 (PR #3295).
  • The dropped UnstableResp3 refs are expected — that symbol doesn't exist in the older vendored copy shipped in this telegraf release.
  • The DisableIndentity → DisableIdentity deprecation rename is preserved exactly as upstream.
  • Patch looks good w.r.t upstream ✅.

CVE-2025-46327-prereqs.patch (4-commit prereq stack on snowflakedb/gosnowflake)

CVE-2025-46327.patch (snowflake easy-logging perm-check TOCTOU race)

  • Backport of upstream ba94a48 (PR #1382).
  • The replacement of the racy os.Stat → os.ReadFile pair with getFileContents(filePath, expectedPerm) (single Open + fstat on the same fd) is exactly the upstream approach.
  • Patch looks good w.r.t upstream ✅.

Test Build

Test Build: 1133197 — ✅ succeeded (34 min)

Stage AMD64 ARM64
build
postbuild
test_install

Only warnings on the run are pre-existing Component Governance alerts that fire on every buddy build — not caused by this PR.

Signed-Off By: @mfrw
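The check-then-read race that the review above describes, as an added illustration rather than code from this PR or from gosnowflake: readConfigRacy is the os.Stat-then-os.ReadFile pattern, and getFileContents (only the name and signature come from the review comment; the body is written here) opens the file once and checks the permission bits through the same descriptor it then reads from.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
)

// ErrUnexpectedPerm is returned when the file's permission bits differ from what the caller requires.
var ErrUnexpectedPerm = errors.New("unexpected file permissions")

// readConfigRacy is the racy check-then-use shape: the path is inspected with os.Stat and then
// re-resolved by os.ReadFile, so a different file can be swapped in between the two lookups.
func readConfigRacy(path string, expectedPerm fs.FileMode) ([]byte, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if p := info.Mode().Perm(); p != expectedPerm {
		return nil, fmt.Errorf("%w: %s has %o, want %o", ErrUnexpectedPerm, path, p, expectedPerm)
	}
	return os.ReadFile(path) // second lookup by path: this gap is the TOCTOU window
}

// getFileContents opens once and both checks permissions and reads through the same descriptor,
// so the check and the read refer to the same inode. Name from the review; body is this example's own.
func getFileContents(path string, expectedPerm fs.FileMode) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	info, err := f.Stat() // fstat on the open descriptor, not a fresh path lookup
	if err != nil {
		return nil, err
	}
	if !info.Mode().IsRegular() {
		return nil, fmt.Errorf("%s is not a regular file", path)
	}
	if p := info.Mode().Perm(); p != expectedPerm {
		return nil, fmt.Errorf("%w: %s has %o, want %o", ErrUnexpectedPerm, path, p, expectedPerm)
	}
	return io.ReadAll(f) // read from the very descriptor whose mode was just checked
}

func main() {
	_, err := getFileContents("easy_logging.json", 0o600) // constructed path; absent on most hosts
	fmt.Println("easy_logging.json:", err)
}
```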

@Kanishk-Bansal Kanishk-Bansal added the ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review label Jun 6, 2026

@kgodara912 kgodara912 left a comment


The patch is too big for low CVE. Is there any better approach to backport the change?

@Kanishk-Bansal Kanishk-Bansal requested a review from kgodara912 July 3, 2026 10:31
@jykanase jykanase force-pushed the topic_telegraph-3.0 branch from a2eedf7 to d1be704 Compare July 3, 2026 11:31
@kgodara912


Buddy build
