From 488ae791435ecc4c61aec767cd5a7cb7b0b52735 Mon Sep 17 00:00:00 2001
From: xh
Date: Tue, 22 Jul 2025 07:23:10 +0000
Subject: [PATCH] fix CVE-2025-47268
---
 backport-CVE-2025-47268.patch | 139 ++++++++++++++++++++++++++++++++++
 iputils.spec | 10 ++-
 2 files changed, 148 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-47268.patch
diff --git a/backport-CVE-2025-47268.patch b/backport-CVE-2025-47268.patch
new file mode 100644
index 0000000..502eb63
--- /dev/null
+++ b/backport-CVE-2025-47268.patch
@@ -0,0 +1,139 @@
+From 070cfacd7348386173231fb16fad4983d4e6ae40 Mon Sep 17 00:00:00 2001
+From: Petr Vorel
+Date: Mon, 5 May 2025 23:55:57 +0200
+Subject: [PATCH] ping: Fix signed 64-bit integer overflow in RTT calculation
+
+Crafted ICMP Echo Reply packet can cause signed integer overflow in
+
+1) triptime calculation:
+triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+
+2) tsum2 increment which uses triptime
+rts->tsum2 += (double)((long long)triptime * (long long)triptime);
+
+3) final tmvar:
+tmvar = (rts->tsum2 / total) - (tmavg * tmavg)
+
+ $ export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
+ $ export LDFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer"
+ $ meson setup .. -Db_sanitize=address,undefined
+ $ ninja
+ $ ./ping/ping -c2 127.0.0.1
+
+ PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
+ 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.061 ms
+ ../ping/ping_common.c:757:25: runtime error: signed integer overflow: -2513732689199106 * 1000000 cannot be represented in type 'long int'
+ ../ping/ping_common.c:757:12: runtime error: signed integer overflow: -4975495174606980224 + -6510615555425289427 cannot be represented in type 'long int'
+ ../ping/ping_common.c:769:47: runtime error: signed integer overflow: 6960633343677281965 * 6960633343677281965 cannot be represented in type 'long int'
+ 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+ ./ping/ping: Warning: time of day goes back (-7256972569576721377us), taking countermeasures
+ ./ping/ping: Warning: time of day goes back (-7256972569576721232us), taking countermeasures
+ 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+ ../ping/ping_common.c:265:16: runtime error: signed integer overflow: 6960633343677281965 * 2 cannot be represented in type 'long int'
+ 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.565 ms
+
+ --- 127.0.0.1 ping statistics ---
+ 2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1002ms
+ ../ping/ping_common.c:940:42: runtime error: signed integer overflow: 1740158335919320832 * 1740158335919320832 cannot be represented in type 'long int'
+ rtt min/avg/max/mdev = 0.000/1740158335919320.832/6960633343677281.965/-1623514645242292.-224 ms
+
+To fix the overflow check allowed ranges of struct timeval members:
+* tv_sec <0, LONG_MAX/1000000>
+* tv_usec <0, 999999>
+
+Fix includes 2 new error messages (needs translation).
+Also existing message "time of day goes back ..." needed to be modified
+as it now prints tv->tv_sec which is a second (needs translation update).
+
+After fix:
+
+ $ ./ping/ping -c2 127.0.0.1
+ 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.057 ms
+ ./ping/ping: Warning: invalid tv_usec -6510615555424928611 us
+ ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures
+ ./ping/ping: Warning: invalid tv_usec -6510615555424928461 us
+ ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures
+ 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+ ./ping/ping: Warning: invalid tv_usec -6510615555425884541 us
+ ./ping/ping: Warning: time of day goes back (-4243165695442945 s), taking countermeasures
+ 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+ 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.111 ms
+
+ --- 127.0.0.1 ping statistics ---
+ 2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 101ms
+ rtt min/avg/max/mdev = 0.000/0.042/0.111/0.046 ms
+
+Fixes: https://github.com/iputils/iputils/issues/584
+Fixes: CVE-2025-47268
+Link: https://github.com/Zephkek/ping-rtt-overflow/
+Co-developed-by: Cyril Hrubis
+Reported-by: Mohamed Maatallah
+Reviewed-by: Mohamed Maatallah
+Reviewed-by: Cyril Hrubis
+Reviewed-by: Noah Meyerhans
+Signed-off-by: Petr Vorel
+
+Conflict: context adapt and ping/ping_common.c -> ping_common.c
+Reference: https://github.com/iputils/iputils/commit/070cfacd7348386173231fb16fad4983d4e6ae40
+---
+ iputils_common.h | 3 +++
+ ping_common.c | 22 +++++++++++++++++++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/iputils_common.h b/iputils_common.h
+index 97f9572..afca2d3 100644
+--- a/iputils_common.h
++++ b/iputils_common.h
+@@ -9,6 +9,9 @@
+ !!__builtin_types_compatible_p(__typeof__(arr), \
+ __typeof__(&arr[0]))])) * 0)
+
++/* 1000001 = 1000000 tv_sec + 1 tv_usec */
++#define TV_SEC_MAX_VAL (LONG_MAX/1000001)
++
+ #if defined(USE_IDN) || defined(ENABLE_NLS)
+# include
+ #endif
+diff --git a/ping_common.c b/ping_common.c
+index 466e3fa..9d1cb38 100644
+--- a/ping_common.c
++++ b/ping_common.c
+@@ -801,16 +801,32 @@ int gather_statistics(uint8_t *icmph, int icmplen,
+
+ restamp:
+ tvsub(tv, &tmp_tv);
+- triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+- if (triptime < 0) {
+- error(0, 0, _("Warning: time of day goes back (%ldus), taking countermeasures"), triptime);
++
++ if (tv->tv_usec >= 1000000) {
++ error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec);
++ tv->tv_usec = 999999;
++ }
++
++ if (tv->tv_usec < 0) {
++ error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec);
++ tv->tv_usec = 0;
++ }
++
++ if (tv->tv_sec > TV_SEC_MAX_VAL) {
++ error(0, 0, _("Warning: invalid tv_sec %ld s"), tv->tv_sec);
++ triptime = 0;
++ } else if (tv->tv_sec < 0) {
++ error(0, 0, _("Warning: time of day goes back (%ld s), taking countermeasures"), tv->tv_sec);
+ triptime = 0;
+ if (!(options & F_LATENCY)) {
+ gettimeofday(tv, NULL);
+ options |= F_LATENCY;
+ goto restamp;
+ }
++ } else {
++ triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+ }
++
+ if (!csfailed) {
+ tsum += triptime;
+ tsum2 += (long long)triptime *(long long)triptime;
+--
+2.33.0
+
diff --git a/iputils.spec b/iputils.spec
index 4d3239f..e961d70 100644
--- a/iputils.spec
+++ b/iputils.spec
@@ -1,6 +1,6 @@
 Name: iputils
 Version: 20190709
-Release: 9
+Release: 10
 Summary: Network monitoring tools including ping
 License: BSD and GPLv2+
 URL: https://github.com/iputils/iputils
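Review bot: The new TV_SEC_MAX_VAL bound in iputils_common.h keeps `triptime` itself within a long, but the unchanged `tsum2 += (long long)triptime *(long long)triptime;` at the end of the ping_common.c hunk still squares it in signed 64-bit, which overflows for any triptime above roughly 3.0e9 µs, so the second overflow the commit message lists (the tsum2 increment) is not closed by this backport; a tighter cap on the accepted tv_sec, or computing the square in double, would be needed. The macro also assumes a 64-bit long: `#define TV_SEC_MAX_VAL (LONG_MAX/1000001)` admits tv_sec = 2147 where long is 32-bit, and 2147 * 1000000 + 999999 exceeds LONG_MAX there, whereas `#define TV_SEC_MAX_VAL ((LONG_MAX - 999999) / 1000000)` is the exact bound on every width. The comment above the macro would then read `/* largest tv_sec for which tv_sec * 1000000 + 999999 still fits in a long */`. gather_statistics begins and ends outside the hunk.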
@@ -21,6 +21,7 @@ Patch6003: bugfix-rdisc-remove-PrivateUsers=yes-from-systemd-service-file.
 Patch6004: backport-fix-ARP-protocol-field-for-AX.25-and-NETROM.patch
 Patch6005: backport-ping-Fix-ping6-binding-to-VRF-and-address.patch
 Patch6006: backport-ping6-Avoid-binding-to-non-VRF.patch
+Patch6007: backport-CVE-2025-47268.patch
 Patch9000: bugfix-fix-ping-dead-loop.patch
 Patch9001: bugfix-arping-w-does-not-take-effect.patch
@@ -55,6 +56,7 @@ cp %{SOURCE4} %{SOURCE5} .
 %patch6004 -p1
 %patch6005 -p1
 %patch6006 -p1
+%patch6007 -p1
 %patch9000 -p1
 %patch9001 -p1
 %patch9002 -p1
@@ -113,6 +115,12 @@ install -cp ifenslave.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
 %{_mandir}/man8/*.8.gz
 %changelog
+* Tue Jul 22 2025 xinghe - 20190709-10
+- Type:cves
+- CVE:CVE-2025-47268
+- SUG:NA
+- DESC:fix CVE-2025-47268
+
 * Sat May 14 2022 yanglu - 20190709-9
 - Type:bugfix
 - Id:NA
-- Gitee