diff --git a/SPECS/telegraf/CVE-2025-29923.patch b/SPECS/telegraf/CVE-2025-29923.patch
new file mode 100644
index 00000000000..03937ae48a9
--- /dev/null
+++ b/SPECS/telegraf/CVE-2025-29923.patch
@@ -0,0 +1,285 @@ +From d236865b0cfa1b752ea4b7da666b1fdcd0acebb6 Mon Sep 17 00:00:00 2001 +From: Nedyalko Dyakov +Date: Wed, 19 Mar 2025 19:02:36 +0200 +Subject: [PATCH] fix: handle network error on SETINFO (#3295) (CVE-2025-29923) + +* fix: handle network error on SETINFO + +This fix addresses potential out of order responses as described in `CVE-2025-29923` + +* fix: deprecate DisableIndentity and introduce DisableIdentity + +Both options will work before V10. In v10 DisableIndentity will be dropped. The preferred flag to use is `DisableIdentity`. + +Upstream Patch Link: https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6.patch +--- + vendor/github.com/redis/go-redis/v9/README.md | 8 ++++--- + .../github.com/redis/go-redis/v9/options.go | 11 +++++++++- + .../redis/go-redis/v9/osscluster.go | 18 +++++++++++++--- + vendor/github.com/redis/go-redis/v9/redis.go | 8 +++++-- + vendor/github.com/redis/go-redis/v9/ring.go | 14 ++++++++++++- + .../github.com/redis/go-redis/v9/sentinel.go | 21 +++++++++++++++++-- + .../github.com/redis/go-redis/v9/universal.go | 21 +++++++++++++++---- + 7 files changed, 85 insertions(+), 16 deletions(-) + +diff --git a/vendor/github.com/redis/go-redis/v9/README.md b/vendor/github.com/redis/go-redis/v9/README.md +index 043d3f0e..9adc7f12 100644 +--- a/vendor/github.com/redis/go-redis/v9/README.md ++++ b/vendor/github.com/redis/go-redis/v9/README.md +@@ -172,16 +172,18 @@ By default, go-redis automatically sends the client library name and version dur + + #### Disabling Identity Verification + +-When connection identity verification is not required or needs to be explicitly disabled, a `DisableIndentity` configuration option exists. In V10 of this library, `DisableIndentity` will become `DisableIdentity` in order to fix the associated typo. ++When connection identity verification is not required or needs to be explicitly disabled, a `DisableIdentity` configuration option exists. 
++Initially there was a typo and the option was named `DisableIndentity` instead of `DisableIdentity`. The misspelled option is marked as Deprecated and will be removed in V10 of this library. ++Although both options will work at the moment, the correct option is `DisableIdentity`. The deprecated option will be removed in V10 of this library, so please use the correct option name to avoid any issues. + +-To disable verification, set the `DisableIndentity` option to `true` in the Redis client options: ++To disable verification, set the `DisableIdentity` option to `true` in the Redis client options: + + ```go + rdb := redis.NewClient(&redis.Options{ + Addr: "localhost:6379", + Password: "", + DB: 0, +- DisableIndentity: true, // Disable set-info on connect ++ DisableIdentity: true, // Disable set-info on connect + }) + ``` + +diff --git a/vendor/github.com/redis/go-redis/v9/options.go b/vendor/github.com/redis/go-redis/v9/options.go +index dff52ae8..da9a5f99 100644 +--- a/vendor/github.com/redis/go-redis/v9/options.go ++++ b/vendor/github.com/redis/go-redis/v9/options.go +@@ -142,9 +142,18 @@ type Options struct { + // Enables read only queries on slave/follower nodes. + readOnly bool + +- // Disable set-lib on connect. Default is false. ++ // DisableIndentity - Disable set-lib on connect. ++ // ++ // default: false ++ // ++ // Deprecated: Use DisableIdentity instead. + DisableIndentity bool + ++ // DisableIdentity is used to disable CLIENT SETINFO command on connect. ++ // ++ // default: false ++ DisableIdentity bool ++ + // Add suffix to client name. Default is empty. 
+ IdentitySuffix string + } +diff --git a/vendor/github.com/redis/go-redis/v9/osscluster.go b/vendor/github.com/redis/go-redis/v9/osscluster.go +index 17f98d9d..3d490ec1 100644 +--- a/vendor/github.com/redis/go-redis/v9/osscluster.go ++++ b/vendor/github.com/redis/go-redis/v9/osscluster.go +@@ -85,8 +85,19 @@ type ClusterOptions struct { + ConnMaxIdleTime time.Duration + ConnMaxLifetime time.Duration + +- TLSConfig *tls.Config +- DisableIndentity bool // Disable set-lib on connect. Default is false. ++ TLSConfig *tls.Config ++ ++ // DisableIndentity - Disable set-lib on connect. ++ // ++ // default: false ++ // ++ // Deprecated: Use DisableIdentity instead. ++ DisableIndentity bool ++ ++ // DisableIdentity is used to disable CLIENT SETINFO command on connect. ++ // ++ // default: false ++ DisableIdentity bool + + IdentitySuffix string // Add suffix to client name. Default is empty. + } +@@ -294,7 +305,8 @@ func (opt *ClusterOptions) clientOptions() *Options { + MaxActiveConns: opt.MaxActiveConns, + ConnMaxIdleTime: opt.ConnMaxIdleTime, + ConnMaxLifetime: opt.ConnMaxLifetime, +- DisableIndentity: opt.DisableIndentity, ++ DisableIdentity: opt.DisableIdentity, ++ DisableIndentity: opt.DisableIdentity, + IdentitySuffix: opt.IdentitySuffix, + TLSConfig: opt.TLSConfig, + // If ClusterSlots is populated, then we probably have an artificial +diff --git a/vendor/github.com/redis/go-redis/v9/redis.go b/vendor/github.com/redis/go-redis/v9/redis.go +index d25a0d31..6d38ceb6 100644 +--- a/vendor/github.com/redis/go-redis/v9/redis.go ++++ b/vendor/github.com/redis/go-redis/v9/redis.go +@@ -340,7 +340,7 @@ func (c *baseClient) initConn(ctx context.Context, cn *pool.Conn) error { + return err + } + +- if !c.opt.DisableIndentity { ++ if !c.opt.DisableIdentity && !c.opt.DisableIndentity { + libName := "" + libVer := Version() + if c.opt.IdentitySuffix != "" { +@@ -349,7 +349,11 @@ func (c *baseClient) initConn(ctx context.Context, cn *pool.Conn) error { + p := conn.Pipeline() + 
p.ClientSetInfo(ctx, WithLibraryName(libName)) + p.ClientSetInfo(ctx, WithLibraryVersion(libVer)) +- _, _ = p.Exec(ctx) ++ // Handle network errors (e.g. timeouts) in CLIENT SETINFO to avoid ++ // out of order responses later on. ++ if _, err = p.Exec(ctx); err != nil && !isRedisError(err) { ++ return err ++ } + } + + if c.opt.OnConnect != nil { +diff --git a/vendor/github.com/redis/go-redis/v9/ring.go b/vendor/github.com/redis/go-redis/v9/ring.go +index 4ae00542..e9bd6595 100644 +--- a/vendor/github.com/redis/go-redis/v9/ring.go ++++ b/vendor/github.com/redis/go-redis/v9/ring.go +@@ -98,8 +98,18 @@ type RingOptions struct { + TLSConfig *tls.Config + Limiter Limiter + ++ // DisableIndentity - Disable set-lib on connect. ++ // ++ // default: false ++ // ++ // Deprecated: Use DisableIdentity instead. + DisableIndentity bool +- IdentitySuffix string ++ ++ // DisableIdentity is used to disable CLIENT SETINFO command on connect. ++ // ++ // default: false ++ DisableIdentity bool ++ IdentitySuffix string + } + + func (opt *RingOptions) init() { +@@ -166,7 +176,9 @@ func (opt *RingOptions) clientOptions() *Options { + TLSConfig: opt.TLSConfig, + Limiter: opt.Limiter, + ++ DisableIdentity: opt.DisableIdentity, + DisableIndentity: opt.DisableIndentity, ++ + IdentitySuffix: opt.IdentitySuffix, + } + } +diff --git a/vendor/github.com/redis/go-redis/v9/sentinel.go b/vendor/github.com/redis/go-redis/v9/sentinel.go +index 188f8849..72dc265a 100644 +--- a/vendor/github.com/redis/go-redis/v9/sentinel.go ++++ b/vendor/github.com/redis/go-redis/v9/sentinel.go +@@ -80,8 +80,19 @@ type FailoverOptions struct { + + TLSConfig *tls.Config + ++ // DisableIndentity - Disable set-lib on connect. ++ // ++ // default: false ++ // ++ // Deprecated: Use DisableIdentity instead. + DisableIndentity bool +- IdentitySuffix string ++ ++ // DisableIdentity is used to disable CLIENT SETINFO command on connect. 
++ // ++ // default: false ++ DisableIdentity bool ++ ++ IdentitySuffix string + } + + func (opt *FailoverOptions) clientOptions() *Options { +@@ -117,7 +128,9 @@ func (opt *FailoverOptions) clientOptions() *Options { + + TLSConfig: opt.TLSConfig, + ++ DisableIdentity: opt.DisableIdentity, + DisableIndentity: opt.DisableIndentity, ++ + IdentitySuffix: opt.IdentitySuffix, + } + } +@@ -154,7 +167,9 @@ func (opt *FailoverOptions) sentinelOptions(addr string) *Options { + + TLSConfig: opt.TLSConfig, + ++ DisableIdentity: opt.DisableIdentity, + DisableIndentity: opt.DisableIndentity, ++ + IdentitySuffix: opt.IdentitySuffix, + } + } +@@ -194,8 +209,10 @@ func (opt *FailoverOptions) clusterOptions() *ClusterOptions { + + TLSConfig: opt.TLSConfig, + ++ DisableIdentity: opt.DisableIdentity, + DisableIndentity: opt.DisableIndentity, +- IdentitySuffix: opt.IdentitySuffix, ++ ++ IdentitySuffix: opt.IdentitySuffix, + } + } + +diff --git a/vendor/github.com/redis/go-redis/v9/universal.go b/vendor/github.com/redis/go-redis/v9/universal.go +index 275bef3d..30aae0bc 100644 +--- a/vendor/github.com/redis/go-redis/v9/universal.go ++++ b/vendor/github.com/redis/go-redis/v9/universal.go +@@ -61,13 +61,23 @@ type UniversalOptions struct { + RouteByLatency bool + RouteRandomly bool + +- // The sentinel master name. +- // Only failover clients. +- ++ // MasterName is the sentinel master name. ++ // Only for failover clients. + MasterName string + ++ // DisableIndentity - Disable set-lib on connect. ++ // ++ // default: false ++ // ++ // Deprecated: Use DisableIdentity instead. + DisableIndentity bool +- IdentitySuffix string ++ ++ // DisableIdentity is used to disable CLIENT SETINFO command on connect. ++ // ++ // default: false ++ DisableIdentity bool ++ ++ IdentitySuffix string + } + + // Cluster returns cluster options created from the universal options. 
+@@ -112,6 +122,7 @@ func (o *UniversalOptions) Cluster() *ClusterOptions {
+
+ TLSConfig: o.TLSConfig,
+
++ DisableIdentity: o.DisableIdentity,
+ DisableIndentity: o.DisableIndentity,
+ IdentitySuffix: o.IdentitySuffix,
+ }
+@@ -158,6 +169,7 @@ func (o *UniversalOptions) Failover() *FailoverOptions {
+
+ TLSConfig: o.TLSConfig,
+
++ DisableIdentity: o.DisableIdentity,
+ DisableIndentity: o.DisableIndentity,
+ IdentitySuffix: o.IdentitySuffix,
+ }
+@@ -201,6 +213,7 @@ func (o *UniversalOptions) Simple() *Options {
+
+ TLSConfig: o.TLSConfig,
+
++ DisableIdentity: o.DisableIdentity,
+ DisableIndentity: o.DisableIndentity,
+ IdentitySuffix: o.IdentitySuffix,
+ }
+--
+2.34.1
diff --git a/SPECS/telegraf/CVE-2025-46327.patch b/SPECS/telegraf/CVE-2025-46327.patch
new file mode 100644
index 00000000000..827b7465711
--- /dev/null
+++ b/SPECS/telegraf/CVE-2025-46327.patch
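Review bot: In the osscluster.go hunk `@@ -294,7 +305,8 @@ func (opt *ClusterOptions) clientOptions()` the deprecated field is forwarded from the wrong source, `DisableIndentity: opt.DisableIdentity,` — a ClusterOptions caller that still sets only the deprecated `DisableIndentity` ends up with both Options fields false, so initConn's new `!c.opt.DisableIdentity && !c.opt.DisableIndentity` test still sends CLIENT SETINFO, contradicting the patch description that both options keep working before V10. The ring.go, sentinel.go and universal.go hunks forward each field from its namesake, so the cluster line should read `DisableIndentity: opt.DisableIndentity,`. This sits inside the vendored upstream patch, so it is presumably an upstream defect carried into the backport; whether telegraf's own code sets the deprecated cluster field cannot be told from this diff. The redis.go change that actually addresses CVE-2025-29923 (returning non-Redis errors from the SETINFO pipeline Exec instead of discarding them) looks correct as written.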
@@ -0,0 +1,175 @@ +From ba94a4800e23621eff558ef18ce4b96ec5489ff0 Mon Sep 17 00:00:00 2001 +From: Piotr Fus +Date: Mon, 28 Apr 2025 15:15:00 +0200 +Subject: [PATCH] SNOW-1155452 Fix race condition on perm checking for easy + logging (#1382) +CVE-2025-46327 (GHSA-6jgm-j7h2-2fqg): TOCTOU race condition on the +Easy Logging configuration file. The old code performs + os.ReadFile(path); validateCfgPerm(path); +which re-stats the path after reading its contents, allowing a local +attacker to swap the file (via a symlink or directory-write) between +the read and the permission check. + +Upstream fix (snowflakedb/gosnowflake@ba94a48, released in v1.13.3) +opens the file once with O_NOFOLLOW, then validates group/other +write bits and the file owner on that file descriptor, then reads +from the same fd. Its Easy-Logging changes depend on a large +`os_specific_posix.go` / `os_specific_windows.go` / secure-storage- +manager refactor chain that is unrelated to this CVE. + +This minimal backport keeps the fix strictly scoped to the vulnerable +Easy-Logging path: + + * vendor/.../client_configuration.go + Replace the vulnerable os.ReadFile + validateCfgPerm sequence + with a single call to a new getFileContents helper that + performs all checks on one file descriptor. The now-unused + validateCfgPerm function and its `runtime` import are also + removed. + + (Note: gosnowflake's own permissions_test.go references + validateCfgPerm, but Azure Linux ships gosnowflake via + `go mod vendor` which strips all *_test.go files, so nothing + to update on the packaging side. Upstream v1.13.3 rewires + the same test to the new helper.) + + * vendor/.../os_specific_posix.go (new) + Self-contained getFileContents for linux/darwin: opens with + syscall.O_RDONLY|syscall.O_NOFOLLOW, checks that group/other + write bits are clear on the fd, checks that the fd is owned + by the current uid, then reads. 
+ + * vendor/.../os_specific_windows.go (new) + Windows stub that simply calls os.ReadFile (permission model + differs; upstream does the same). + +Unrelated refactors from upstream (secure_storage_manager / +credential-cache hardening) are intentionally NOT backported. + +Upstream-reference: AI Backport of + https://github.com/snowflakedb/gosnowflake/commit/ba94a4800e23621eff558ef18ce4b96ec5489ff0.patch +--- + .../gosnowflake/client_configuration.go | 24 +++------- + .../gosnowflake/os_specific_posix.go | 43 ++++++++++++++++++ + .../gosnowflake/os_specific_windows.go | 11 +++++ + 3 files changed, 57 insertions(+), 21 deletions(-) + create mode 100644 vendor/github.com/snowflakedb/gosnowflake/os_specific_posix.go + create mode 100644 vendor/github.com/snowflakedb/gosnowflake/os_specific_windows.go + +diff --git a/vendor/github.com/snowflakedb/gosnowflake/client_configuration.go b/vendor/github.com/snowflakedb/gosnowflake/client_configuration.go +index 2eada70b..0f1b7c1a 100644 +--- a/vendor/github.com/snowflakedb/gosnowflake/client_configuration.go ++++ b/vendor/github.com/snowflakedb/gosnowflake/client_configuration.go +@@ -9,7 +9,6 @@ import ( + "os" + "path" + "path/filepath" +- "runtime" + "strings" + ) + +@@ -116,11 +115,10 @@ func parseClientConfiguration(filePath string) (*ClientConfig, error) { + if filePath == "" { + return nil, nil + } +- fileContents, err := os.ReadFile(filePath) +- if err != nil { +- return nil, parsingClientConfigError(err) +- } +- err = validateCfgPerm(filePath) ++ // CVE-2025-46327: open once with O_NOFOLLOW then check perms+owner ++ // on the resulting fd to avoid a TOCTOU race against the read. 
++ expectedPerm := os.FileMode(1<<4 | 1<<1) // group-write | other-write ++ fileContents, err := getFileContents(filePath, expectedPerm) + if err != nil { + return nil, parsingClientConfigError(err) + } +@@ -186,22 +184,6 @@ func validateLogLevel(clientConfig ClientConfig) error { + } + return nil + } +- +-func validateCfgPerm(filePath string) error { +- if runtime.GOOS == "windows" { +- return nil +- } +- stat, err := os.Stat(filePath) +- if err != nil { +- return err +- } +- perm := stat.Mode() +- // Check if group (5th LSB) or others (2nd LSB) have a write permission to the file +- if perm&(1<<4) != 0 || perm&(1<<1) != 0 { +- return fmt.Errorf("configuration file: %s can be modified by group or others", filePath) +- } +- return nil +-} + + func toLogLevel(logLevelString string) (string, error) { + var logLevel = strings.ToUpper(logLevelString) +diff --git a/vendor/github.com/snowflakedb/gosnowflake/os_specific_posix.go b/vendor/github.com/snowflakedb/gosnowflake/os_specific_posix.go +new file mode 100644 +index 00000000..1a2b3c4d +--- /dev/null ++++ b/vendor/github.com/snowflakedb/gosnowflake/os_specific_posix.go +@@ -0,0 +1,43 @@ ++//go:build linux || darwin ++ ++// Added for CVE-2025-46327 minimal backport. Provides a race-free ++// helper that opens a file with O_NOFOLLOW, verifies its permissions ++// and owner via the resulting file descriptor, and returns its ++// contents. Upstream introduces the same helper in gosnowflake ++// v1.13.3 (commit ba94a48). 
++
++package gosnowflake
++
++import (
++ "fmt"
++ "io"
++ "os"
++ "syscall"
++)
++
++func getFileContents(filePath string, expectedPerm os.FileMode) ([]byte, error) {
++ file, err := os.OpenFile(filePath, syscall.O_RDONLY|syscall.O_NOFOLLOW, 0)
++ if err != nil {
++ return nil, err
++ }
++ defer file.Close()
++
++ info, err := file.Stat()
++ if err != nil {
++ return nil, err
++ }
++ if info.Mode()&expectedPerm != 0 {
++ return nil, fmt.Errorf("incorrect permissions of %s", file.Name())
++ }
++
++ nativeStat, ok := info.Sys().(*syscall.Stat_t)
++ if !ok {
++ return nil, fmt.Errorf("cannot cast file info for %v to *syscall.Stat_t", file.Name())
++ }
++ if nativeStat.Uid != uint32(os.Getuid()) {
++ return nil, fmt.Errorf(
++ "configuration file %v is not owned by the current user", file.Name())
++ }
++
++ return io.ReadAll(file)
++}
+diff --git a/vendor/github.com/snowflakedb/gosnowflake/os_specific_windows.go b/vendor/github.com/snowflakedb/gosnowflake/os_specific_windows.go
+new file mode 100644
+index 00000000..5e6f7a8b
+--- /dev/null
++++ b/vendor/github.com/snowflakedb/gosnowflake/os_specific_windows.go
+@@ -0,0 +1,11 @@
++//go:build windows
++
++// Added for CVE-2025-46327 minimal backport. Windows lacks POSIX
++// permission semantics; mirror upstream v1.13.3 by falling back to
++// a plain os.ReadFile.
++
++package gosnowflake
++
++import "os"
++
++func getFileContents(filePath string, _ os.FileMode) ([]byte, error) { return os.ReadFile(filePath) }
diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec
index c50196d110e..2fb805a016a 100644
--- a/SPECS/telegraf/telegraf.spec
+++ b/SPECS/telegraf/telegraf.spec
@@ -1,7 +1,7 @@
 Summary: agent for collecting, processing, aggregating, and writing metrics.
 Name: telegraf
 Version: 1.31.0
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
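Review bot: getFileContents in the new os_specific_posix.go verifies mode bits and owner on the opened descriptor but never checks that the path is a regular file, so a non-regular file at the configuration path (a FIFO, for instance) passes both checks and io.ReadAll may block instead of failing cleanly; after the file.Stat() error check add `if !info.Mode().IsRegular() { return nil, fmt.Errorf("configuration file %v is not a regular file", file.Name()) }`. The build constraints `//go:build linux || darwin` and `//go:build windows` also leave getFileContents undefined on every other GOOS, where the removed runtime.GOOS check used to compile; presumably harmless for this package, which appears to build for Azure Linux only, but worth one sentence in the patch header so a future rebase does not trip over it. The caller's `os.FileMode(1<<4 | 1<<1)` in client_configuration.go is the same value as `0o022`, and the octal form reads as the familiar group/other write mask; since `expectedPerm` is really a forbidden-bits mask, a comment above the helper such as `// expectedPerm holds the mode bits that must be clear (group/other write).` would spare the next reader the inversion.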
@@ -58,6 +58,8 @@ Patch41: CVE-2026-39828.patch
 Patch43: CVE-2026-39835.patch
 Patch44: CVE-2026-42502.patch
 Patch45: CVE-2026-46598.patch
+Patch46: CVE-2025-29923.patch
+Patch47: CVE-2025-46327.patch
 
 BuildRequires: golang
 BuildRequires: systemd-devel
@@ -122,6 +124,10 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Thu Jun 04 2026 Jyoti kanase - 1.31.0-24
+- Patch CVE-2025-29923
+- Patch CVE-2025-46327
+
 * Tue Jun 02 2026 Azure Linux Security Servicing Account - 1.31.0-23
 - Patch for CVE-2026-46598, CVE-2026-42502, CVE-2026-39835, CVE-2026-39828, CVE-2026-39827, CVE-2026-25681, CVE-2026-25680