Add support for GPG subkeys

apply debranding

SOURCES/0096-CVE-2025-12744.patch

@@ -0,0 +1,46 @@
+From c74aec7aaf4b674cb36ccda3d43207bd9ee8c049 Mon Sep 17 00:00:00 2001
+From: Michal Srb <michal@redhat.com>
+Date: Tue, 18 Nov 2025 06:42:19 +0100
+Subject: [PATCH] a-a-save-container-data: validate input
+
+Check that the Container ID contains only alphanumeric characters.
+
+Resolves: CVE-2025-12744
+
+Signed-off-by: Michal Srb <michal@redhat.com>
+---
+ src/daemon/abrt-action-save-container-data.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/daemon/abrt-action-save-container-data.c b/src/daemon/abrt-action-save-container-data.c
+index 9a5bfa4..ee452b2 100644
+--- a/src/daemon/abrt-action-save-container-data.c
++++ b/src/daemon/abrt-action-save-container-data.c
+@@ -101,6 +101,24 @@ void dump_docker_info(struct dump_dir *dd, const char *root_dir)
+             continue;
+         }
+ 
++        /* Check that the Container ID contains only alphanumeric characters */
++        bool valid_id = true;
++        for (int i = 0; i < 12; i++)
++        {
++            if (!g_ascii_isalnum(container_id[i]))
++            {
++                valid_id = false;
++                break;
++            }
++        }
++        if (!valid_id)
++        {
++            log_debug("Container ID contains invalid characters: '%s'", container_id);
++            g_free(container_id);
++            container_id = NULL;
++            continue;
++        }
++
+         char *docker_inspect_cmdline = NULL;
+         if (root_dir != NULL)
+             docker_inspect_cmdline = xasprintf("chroot %s /bin/sh -c \"docker inspect %s\"", root_dir, container_id);
+-- 
+2.51.1
+

SPECS/abrt.spec

@@ -55,7 +55,7 @@
 Summary: Automatic bug detection and reporting tool
 Name: abrt
 Version: 2.10.9
-Release: 24%{?dist}.alma
+Release: 25%{?dist}.alma.1
 License: GPLv2+
 URL: https://abrt.readthedocs.org/
 Source: https://github.com/abrt/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
@@ -162,11 +162,13 @@ Patch0090: 0090-skip-journal-reporting.patch
 Patch0091: 0091-plugins-Update-sosreport-event.patch
 # git format-patch -1 a58e1fb2 --start-number=92
 Patch0092: 0092-abrt-dump-oops-Fix-vmcore-call-trace-parsing.patch
+# CVE-2025-12744
+Patch0096: 0096-CVE-2025-12744.patch
 
 # autogen.sh is need to regenerate all the Makefile files
 Patch1000: 1000-Add-autogen.sh.patch
 
-# AlmaLinux: add support for GPG subkeys
+# AlmaLinux Patch
 Patch9100: 9100-add_gpg_subkeys_support.patch
 
 BuildRequires: %{dbus_devel}
@@ -1373,12 +1375,20 @@ killall abrt-dbus >/dev/null 2>&1 || :
 %config(noreplace) %{_sysconfdir}/profile.d/abrt-console-notification.sh
 
 %changelog
-* Tue May 16 2023 Andrei Lukoshko <alukoshko@almalinux.org> - 2.10.9-24.alma
+* Wed Dec 10 2025 Andrei Lukoshko <alukoshko@almalinux.org> - 2.10.9-25.alma.1
 - Add support for GPG subkeys
 
+* Wed Dec 10 2025 Sergey Fokin <sfokin@cloudlinux.com> - 2.10.9-25.alma.1
+- apply debranding
+
+* Tue Nov 18 2025 Michal Srb <michal@redhat.com> - 2.10.9-25
+- a-a-save-container-data: validate input
+- Resolves: CVE-2025-12744
+
 * Thu Feb 16 2023 Matěj Grabovský <mgrabovs@redhat.com> - 2.10.9-24
 - Revert part of patch for rhbz#2137499
 - Resolves: rhbz#2137499
+
 * Fri Feb 3 2023 Michal Fabík <mfabik@redhat.com> - 2.10.9-23
 - Fix vmcore call trace parsing in kernel versions >=4.10
 - Resolves: rhbz#1993225
@@ -1425,9 +1435,6 @@ killall abrt-dbus >/dev/null 2>&1 || :
 * Wed Mar 11 2020 Ernestas Kulik <ekulik@redhat.com> - 2.10.9-12
 - Fix #1798494, #1805728, #1809949
 
-* Mon Dec 23 2019 Sergey Fokin <sfokin@cloudlinux.com> - 2.10.9-11.cloudlinux
-- apply debranding
-
 * Tue Jul 16 2019 Michal Fabik <mfabik@redhat.com> - 2.10.9-11
 - a-a-list-dsos: Fix decoding of strings from rpm
 Resolves: rhbz#1694970