From 36049c9efdc5a200f5ee7a599f6a21c3d8aa94e4 Mon Sep 17 00:00:00 2001
From: xh <xingheyd@163.com>
Date: Mon, 8 Sep 2025 06:27:14 +0000
Subject: [PATCH] fix CVE-2025-48964

---
 backport-CVE-2025-48964.patch | 109 ++++++++++++++++++++++++++++++++++
 iputils.spec                  |  10 +++-
 2 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-48964.patch

diff --git a/backport-CVE-2025-48964.patch b/backport-CVE-2025-48964.patch
new file mode 100644
index 0000000..9922284
--- /dev/null
+++ b/backport-CVE-2025-48964.patch
@@ -0,0 +1,109 @@
+From afa36390394a6e0cceba03b52b59b6d41710608c Mon Sep 17 00:00:00 2001
+From: Cyril Hrubis <metan@ucw.cz>
+Date: Fri, 16 May 2025 17:57:10 +0200
+Subject: [PATCH] ping: Fix moving average rtt calculation
+
+The rts->rtt counts an exponential weight moving average in a fixed
+point, that means that even if we limit the triptime to fit into a 32bit
+number the average will overflow because because fixed point needs eight
+more bits.
+
+We also have to limit the triptime to 32bit number because otherwise the
+moving average may stil overflow if we manage to produce a large enough
+triptime.
+
+Fixes: CVE-2025-48964
+Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1243772
+Closes: https://github.com/iputils/iputils-ghsa-25fr-jw29-74f9/pull/1
+Reported-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Tested-by: Petr Vorel <pvorel@suse.cz>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Reviewed-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Signed-off-by: Cyril Hrubis <metan@ucw.cz>
+
+Conflict: ping/ping.h -> ping.h, ping/ping_common.c -> ping_common.c, context adapt
+Reference: http://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c
+---
+ iputils_common.h |  2 +-
+ ping.h           |  2 +-
+ ping_common.c    | 10 +++++-----
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/iputils_common.h b/iputils_common.h
+index afca2d3..aa3b429 100644
+--- a/iputils_common.h
++++ b/iputils_common.h
+@@ -10,7 +10,7 @@
+ 					 __typeof__(&arr[0]))])) * 0)
+ 
+ /* 1000001 = 1000000 tv_sec + 1 tv_usec */
+-#define TV_SEC_MAX_VAL (LONG_MAX/1000001)
++#define TV_SEC_MAX_VAL (INT32_MAX/1000001)
+ 
+ #if defined(USE_IDN) || defined(ENABLE_NLS)
+ # include <locale.h>
+diff --git a/ping.h b/ping.h
+index 4195d4c..c377188 100644
+--- a/ping.h
++++ b/ping.h
+@@ -179,7 +179,7 @@ extern long tmin;			/* minimum round trip time */
+ extern long tmax;			/* maximum round trip time */
+ extern double tsum;			/* sum of all times, for doing average */
+ extern double tsum2;
+-extern int rtt;
++extern uint64_t rtt;
+ extern uint16_t acked;
+ extern int pipesize;
+ 
+diff --git a/ping_common.c b/ping_common.c
+index 9d1cb38..054cc6e 100644
+--- a/ping_common.c
++++ b/ping_common.c
+@@ -41,7 +41,7 @@ int options;
+ int mark;
+ int sndbuf;
+ int ttl;
+-int rtt;
++uint64_t rtt;
+ int rtt_addend;
+ uint16_t acked;
+ 
+@@ -328,7 +328,7 @@ int __schedule_exit(int next)
+ 
+ static inline void update_interval(void)
+ {
+-	int est = rtt ? rtt / 8 : interval * 1000;
++	int est = rtt ? (int)(rtt / 8) : interval * 1000;
+ 
+ 	interval = (est + rtt_addend + 500) / 1000;
+ 	if (uid && interval < MINUSERINTERVAL)
+@@ -835,7 +835,7 @@ restamp:
+ 			if (triptime > tmax)
+ 				tmax = triptime;
+ 			if (!rtt)
+-				rtt = triptime * 8;
++				rtt = ((uint64_t)triptime) * 8;
+ 			else
+ 				rtt += triptime - rtt / 8;
+ 			if (options & F_ADAPTIVE)
+@@ -999,7 +999,7 @@ void finish(void)
+ 		int ipg = (1000000 * (long long)tv.tv_sec + tv.tv_usec) / (ntransmitted - 1);
+ 
+ 		printf(_("%sipg/ewma %d.%03d/%d.%03d ms"),
+-		       comma, ipg / 1000, ipg % 1000, rtt / 8000, (rtt / 8) % 1000);
++		       comma, ipg / 1000, ipg % 1000, (int)(rtt / 8000), (int)((rtt / 8) % 1000));
+ 	}
+ 	putchar('\n');
+ 	exit(!nreceived || (deadline && nreceived < npackets));
+@@ -1024,7 +1024,7 @@ void status(void)
+ 		fprintf(stderr, _(", min/avg/ewma/max = %ld.%03ld/%lu.%03ld/%d.%03d/%ld.%03ld ms"),
+ 			(long)tmin / 1000, (long)tmin % 1000,
+ 			tavg / 1000, tavg % 1000,
+-			rtt / 8000, (rtt / 8) % 1000, (long)tmax / 1000, (long)tmax % 1000);
++			(int)(rtt / 8000), (int)((rtt / 8) % 1000), (long)tmax / 1000, (long)tmax % 1000);
+ 	}
+ 	fprintf(stderr, "\n");
+ }
+-- 
+2.27.0
diff --git a/iputils.spec b/iputils.spec
index e961d70..d239ac7 100644
--- a/iputils.spec
+++ b/iputils.spec
@@ -1,6 +1,6 @@
 Name:            iputils
 Version:         20190709
-Release:         10
+Release:         11
 Summary:         Network monitoring tools including ping
 License:         BSD and GPLv2+
 URL:             https://github.com/iputils/iputils
@@ -22,6 +22,7 @@ Patch6004:       backport-fix-ARP-protocol-field-for-AX.25-and-NETROM.patch
 Patch6005:       backport-ping-Fix-ping6-binding-to-VRF-and-address.patch
 Patch6006:       backport-ping6-Avoid-binding-to-non-VRF.patch
 Patch6007:       backport-CVE-2025-47268.patch
+Patch6008:       backport-CVE-2025-48964.patch
 
 Patch9000:       bugfix-fix-ping-dead-loop.patch
 Patch9001:       bugfix-arping-w-does-not-take-effect.patch
@@ -57,6 +58,7 @@ cp %{SOURCE4} %{SOURCE5} .
 %patch6005 -p1
 %patch6006 -p1
 %patch6007 -p1
+%patch6008 -p1
 %patch9000 -p1
 %patch9001 -p1
 %patch9002 -p1
@@ -115,6 +117,12 @@ install -cp ifenslave.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
 %{_mandir}/man8/*.8.gz
 
 %changelog
+* Mon Sep 08 2025 xinghe <xinghe2@h-partners.com> - 20190709-11
+- Type:cves
+- CVE:CVE-2025-48964
+- SUG:NA
+- DESC:fix CVE-2025-48964
+
 * Tue Jul 22 2025 xinghe <xinghe2@h-partners.com> - 20190709-10
 - Type:cves
 - CVE:CVE-2025-47268
-- 
Gitee