Import from CS git

2025-12-10 09:41:43 +00:00 · 2025-12-10 09:41:43 +00:00 · 8e41b3cd33
commit 8e41b3cd33
parent 62d582b535
2 changed files with 53 additions and 1 deletions
--- a/SOURCES/0096-CVE-2025-12744.patch
+++ b/SOURCES/0096-CVE-2025-12744.patch
@ -0,0 +1,46 @@
+From c74aec7aaf4b674cb36ccda3d43207bd9ee8c049 Mon Sep 17 00:00:00 2001
+From: Michal Srb <michal@redhat.com>
+Date: Tue, 18 Nov 2025 06:42:19 +0100
+Subject: [PATCH] a-a-save-container-data: validate input
+
+Check that the Container ID contains only alphanumeric characters.
+
+Resolves: CVE-2025-12744
+
+Signed-off-by: Michal Srb <michal@redhat.com>
+---
+ src/daemon/abrt-action-save-container-data.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/daemon/abrt-action-save-container-data.c b/src/daemon/abrt-action-save-container-data.c
+index 9a5bfa4..ee452b2 100644
+--- a/src/daemon/abrt-action-save-container-data.c
+++ b/src/daemon/abrt-action-save-container-data.c
+@@ -101,6 +101,24 @@ void dump_docker_info(struct dump_dir *dd, const char *root_dir)
+             continue;
+         }
+ 
+        /* Check that the Container ID contains only alphanumeric characters */
+        bool valid_id = true;
+        for (int i = 0; i < 12; i++)
+        {
+            if (!g_ascii_isalnum(container_id[i]))
+            {
+                valid_id = false;
+                break;
+            }
+        }
+        if (!valid_id)
+        {
+            log_debug("Container ID contains invalid characters: '%s'", container_id);
+            g_free(container_id);
+            container_id = NULL;
+            continue;
+        }
+
+         char *docker_inspect_cmdline = NULL;
+         if (root_dir != NULL)
+             docker_inspect_cmdline = xasprintf("chroot %s /bin/sh -c \"docker inspect %s\"", root_dir, container_id);
+-- 
+2.51.1
+
--- a/SPECS/abrt.spec
+++ b/SPECS/abrt.spec
@ -55,7 +55,7 @@
 Summary: Automatic bug detection and reporting tool
 Name: abrt
 Version: 2.10.9
-Release: 24%{?dist}
+Release: 25%{?dist}
 License: GPLv2+
 URL: https://abrt.readthedocs.org/
 Source: https://github.com/abrt/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
@ -162,6 +162,8 @@ Patch0090: 0090-skip-journal-reporting.patch
 Patch0091: 0091-plugins-Update-sosreport-event.patch
 # git format-patch -1 a58e1fb2 --start-number=92
 Patch0092: 0092-abrt-dump-oops-Fix-vmcore-call-trace-parsing.patch
+# CVE-2025-12744
+Patch0096: 0096-CVE-2025-12744.patch

 # autogen.sh is need to regenerate all the Makefile files
 Patch1000: 1000-Add-autogen.sh.patch
@ -1380,6 +1382,10 @@ killall abrt-dbus >/dev/null 2>&1 || :
 %config(noreplace) %{_sysconfdir}/profile.d/abrt-console-notification.sh

 %changelog
+* Tue Nov 18 2025 Michal Srb <michal@redhat.com> - 2.10.9-25
+- a-a-save-container-data: validate input
+- Resolves: CVE-2025-12744
+
 * Thu Feb 16 2023 Matěj Grabovský <mgrabovs@redhat.com> - 2.10.9-24
 - Revert part of patch for rhbz#2137499
 - Resolves: rhbz#2137499