Skip to content

[AUTO-CHERRYPICK] Fix : patch application of CVE-2025-4802 in glibc (re-apply: #14582) - branch 3.0-dev #14755

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

[AUTO-CHERRYPICK] Fix : patch application of CVE-2025-4802 in glibc (re-apply: #14582) - branch 3.0-dev #14755

wants to merge 1 commit into from

Conversation

@aaruag
Copy link
Contributor

@aaruag aaruag commented Oct 1, 2025

This is an auto-generated pull request to cherry-pick commit d3975f8 to 3.0-dev. Original PR: #14669

@PawelWMS @Kanishk-Bansal @CBL-Mariner-Bot
Fix : patch application of CVE-2025-4802 in glibc (re-apply: #14582) (
0dfc726 
#14669)

Signed-off-by: Kanishk Bansal <[email protected]>
Co-authored-by: Kanishk Bansal <[email protected]>
Co-authored-by: Kanishk Bansal <[email protected]>
(cherry picked from commit d3975f8)
@aaruag aaruag added the Auto Fast-track Cherry-pick Automatic cherry-pick from fast-track branch label Oct 1, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added Packaging specs-extended PR to fix SPECS-EXTENDED 3.0-dev PRs Destined for AzureLinux 3.0 labels Oct 1, 2025
@CBL-Mariner-Bot
Copy link
Collaborator

🚨 PR Check Failed - Critical Issues Found

Found 2 critical/error issue(s) that must be fixed.

🔍 Critical Issues Detected:

  1. Missing Patch File (ERROR)
    • Patch file 'CVE-2022-2990.patch' is referenced in the spec but not found in the directory
    • 💡 Fix: Add the missing patch file or update the Patch reference
  2. Missing Patch File (ERROR)
    • Patch file 'CVE-2022-2989.patch' is referenced in the spec but not found in the directory
    • 💡 Fix: Add the missing patch file or update the Patch reference

🤖 AI Analysis Summary:

Brief Analysis: The spec file is in a conflicted merge state showing two divergent histories – one branch uses version 1.41.4 with a “0001-Run-selective-tests.patch” while the other branch (commit d3975f8) switches to version 1.18.0 and references a CVE patch (“CVE-2022-2990.patch”). This discrepancy creates inconsistency in versioning and patch application.

Critical Issues Found:
• Merge conflict markers remain in the spec file.
• The CVE-2022-2990.patch reference is declared but the file is missing.
• Version numbers and changelog entries are inconsistent.

Recommended Actions:
• Resolve the merge conflict and choose one consistent version and patch set.
• Either provide the missing CVE-2022-2990.patch file or update the spec to keep the correct, available patch.
• Update the changelog to clearly document any CVE fix with proper CVE IDs and ensure all patch references use sequential numbering and proper %patch/%autopatch directives.

📋 For detailed analysis and recommendations, check the Azure DevOps pipeline logs.

@PawelWMS PawelWMS closed this Oct 2, 2025
@PawelWMS PawelWMS deleted the cblmargh/cherry-pick-pr-14669-to-3.0-dev branch October 2, 2025 17:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

3.0-dev PRs Destined for AzureLinux 3.0 Auto Fast-track Cherry-pick Automatic cherry-pick from fast-track branch Packaging specs-extended PR to fix SPECS-EXTENDED

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@aaruag @CBL-Mariner-Bot @PawelWMS