[Low] Patch telegraf for CVE-2025-29923, CVE-2025-46327#14747
Conversation
|
Buddy Build is successful. |
d69000a to
1403f5b
Compare
1403f5b to
079f50f
Compare
079f50f to
20c15ca
Compare
mfrw
left a comment
There was a problem hiding this comment.
can we please rebase this to the latest 3.0-dev
20c15ca to
d45e935
Compare
mfrw
left a comment
There was a problem hiding this comment.
LGTM ✅
Did a thorough check on this CVE patch series:
- Spec
Releasebumped23 → 24, andPatch46/47/48declared in correct order. -
%prepuses%autosetup -a1 -p1— so the newPatchNdeclarations get applied automatically; no manual%patchNline needed. - All three patches apply cleanly w.r.t the vendored sources in
v1.31.0/vendor. - Cross-checked every backport against its upstream commit (see per-patch notes below).
- ADO Test Build green — buildId 1133197.
Per-patch verification
CVE-2025-29923.patch (go-redis CLIENT SETINFO panic)
- Backport of upstream
d236865(PR #3295). - The dropped
UnstableResp3refs are expected — that symbol doesn't exist in the older vendored copy shipped in this telegraf release. - The
DisableIndentity → DisableIdentitydeprecation rename is preserved exactly as upstream. - Patch looks good w.r.t upstream ✅.
CVE-2025-46327-prereqs.patch (4-commit prereq stack on snowflakedb/gosnowflake)
- 1/4 →
e926883 - 2/4 →
d8df82e - 3/4 →
61b822d - 4/4 →
40e4f5c - All four match upstream exactly. Patch looks good w.r.t upstream ✅.
CVE-2025-46327.patch (snowflake easy-logging perm-check TOCTOU race)
- Backport of upstream
ba94a48(PR #1382). - The replacement of the racy
os.Stat → os.ReadFilepair withgetFileContents(filePath, expectedPerm)(singleOpen+fstaton the same fd) is exactly the upstream approach. - Patch looks good w.r.t upstream ✅.
Test Build
Test Build: 1133197 — ✅ succeeded (34 min)
| Stage | AMD64 | ARM64 |
|---|---|---|
| build | ✅ | ✅ |
| postbuild | ✅ | ✅ |
| test_install | ✅ | ✅ |
Only warnings on the run are pre-existing Component Governance alerts that fire on every buddy build — not caused by this PR.
Signed-Off By: @mfrw
kgodara912
left a comment
There was a problem hiding this comment.
The patch is too big for low CVE. Is there any better approach to backport the change?
a2eedf7 to
d1be704
Compare
kgodara912
left a comment
There was a problem hiding this comment.
Both the patches are backported with one only very minor change and other one backported with AI with functionality adopted to the current version of telegraf. Buddy build is successful. LGTM.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
Required backporting four patches so that the actual patch would apply. Any patches that were changed beyond adding the patch link to the commit message have been re-written such that I am listed as the author, and the main changes made were simply omitting changes to files that we do not ship.
Change Log
[Low] Patch telegraf for GHSA-92cp-5422-2mw7
Patch did not apply cleanly, I had to remove all references to UnstableResp3 as that symbol is not present in the version we ship.
Upstream Patch Link: https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6.patch
Patch was found via astrolabe
[Low] Patch telegraf for GHSA-6jgm-j7h2-2fqg
Required backporting four patches so that the actual patch would apply. Any patches that were changed beyond adding the patch link to the commit message have been re-written such that I am listed as the author, and the main changes made were simply omitting changes to files that we do not ship.
Initial patch was found via astrolabe, backported supporting patches were found via git blame.
Does this affect the toolchain?
NO
Associated issues
Links to CVEs
Test Methodology