From f1eb14de33bf1e18941162e16fcb86f6e8259fd3 Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Tue, 3 Feb 2026 08:48:11 +0000 Subject: [PATCH] Patch telegraf for CVE-2025-11065 --- SPECS/telegraf/CVE-2025-11065.patch | 285 ++++++++++++++++++++++++++++ SPECS/telegraf/telegraf.spec | 6 +- 2 files changed, 290 insertions(+), 1 deletion(-) create mode 100644 SPECS/telegraf/CVE-2025-11065.patch diff --git a/SPECS/telegraf/CVE-2025-11065.patch b/SPECS/telegraf/CVE-2025-11065.patch new file mode 100644 index 00000000000..e2d9087a7c1 --- /dev/null +++ b/SPECS/telegraf/CVE-2025-11065.patch @@ -0,0 +1,285 @@ +From 354f89e02e3256f28c4f542989b41ec855b2d79b Mon Sep 17 00:00:00 2001 +From: Mark Sagi-Kazar +Date: Sat, 12 Jul 2025 07:25:50 +0200 +Subject: [PATCH] fix: error message leaks + +Signed-off-by: Mark Sagi-Kazar + +Upstream Patch reference: https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c.patch + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c.patch +--- + .../mitchellh/mapstructure/decode_hooks.go | 12 +- + .../mitchellh/mapstructure/error.go | 156 ++++++++++++++++++ + .../mitchellh/mapstructure/mapstructure.go | 10 +- + 3 files changed, 169 insertions(+), 9 deletions(-) + +diff --git a/vendor/github.com/mitchellh/mapstructure/decode_hooks.go b/vendor/github.com/mitchellh/mapstructure/decode_hooks.go +index 3a754ca7..4dfab7d3 100644 +--- a/vendor/github.com/mitchellh/mapstructure/decode_hooks.go ++++ b/vendor/github.com/mitchellh/mapstructure/decode_hooks.go +@@ -134,7 +134,9 @@ func StringToTimeDurationHookFunc() DecodeHookFunc { + } + + // Convert it by parsing +- return time.ParseDuration(data.(string)) ++ d, err := time.ParseDuration(data.(string)) ++ ++ return d, wrapTimeParseDurationError(err) + } + } + +@@ -155,7 +157,7 @@ func StringToIPHookFunc() DecodeHookFunc { + // Convert it by parsing + ip := net.ParseIP(data.(string)) + if ip == nil { +- return net.IP{}, fmt.Errorf("failed parsing ip %v", data) ++ return net.IP{}, fmt.Errorf("failed parsing ip") + } + + return ip, nil +@@ -178,7 +180,7 @@ func StringToIPNetHookFunc() DecodeHookFunc { + + // Convert it by parsing + _, net, err := net.ParseCIDR(data.(string)) +- return net, err ++ return net, wrapNetParseError(err) + } + } + +@@ -197,7 +199,9 @@ func StringToTimeHookFunc(layout string) DecodeHookFunc { + } + + // Convert it by parsing +- return time.Parse(layout, data.(string)) ++ ti, err := time.Parse(layout, data.(string)) ++ ++ return ti, wrapTimeParseError(err) + } + } + +diff --git a/vendor/github.com/mitchellh/mapstructure/error.go b/vendor/github.com/mitchellh/mapstructure/error.go +index 47a99e5a..8c3b0786 100644 +--- a/vendor/github.com/mitchellh/mapstructure/error.go ++++ b/vendor/github.com/mitchellh/mapstructure/error.go +@@ -3,8 +3,12 @@ package mapstructure + import ( + "errors" + "fmt" ++ "net" ++ "net/url" + "sort" ++ "strconv" + "strings" ++ "time" + ) + + // Error implements the error interface and can represents multiple +@@ -48,3 +52,155 @@ func appendErrors(errors []string, err error) []string { + return append(errors, e.Error()) + } + } ++ ++func wrapStrconvNumError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if err, ok := err.(*strconv.NumError); ok { ++ return &strconvNumError{Err: err} ++ } ++ ++ return err ++} ++ ++type strconvNumError struct { ++ Err *strconv.NumError ++} ++ ++func (e *strconvNumError) Error() string { ++ return "strconv." + e.Err.Func + ": " + e.Err.Err.Error() ++} ++ ++func (e *strconvNumError) Unwrap() error { return e.Err } ++ ++func wrapUrlError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if err, ok := err.(*url.Error); ok { ++ return &urlError{Err: err} ++ } ++ ++ return err ++} ++ ++type urlError struct { ++ Err *url.Error ++} ++ ++func (e *urlError) Error() string { ++ return fmt.Sprintf("%s", e.Err.Err) ++} ++ ++func (e *urlError) Unwrap() error { return e.Err } ++ ++func wrapNetParseError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if err, ok := err.(*net.ParseError); ok { ++ return &netParseError{Err: err} ++ } ++ ++ return err ++} ++ ++type netParseError struct { ++ Err *net.ParseError ++} ++ ++func (e *netParseError) Error() string { ++ return "invalid " + e.Err.Type ++} ++ ++func (e *netParseError) Unwrap() error { return e.Err } ++ ++func wrapTimeParseError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if err, ok := err.(*time.ParseError); ok { ++ return &timeParseError{Err: err} ++ } ++ ++ return err ++} ++ ++type timeParseError struct { ++ Err *time.ParseError ++} ++ ++func (e *timeParseError) Error() string { ++ if e.Err.Message == "" { ++ return fmt.Sprintf("parsing time as %q: cannot parse as %q", e.Err.Layout, e.Err.LayoutElem) ++ } ++ ++ return "parsing time " + e.Err.Message ++} ++ ++func (e *timeParseError) Unwrap() error { return e.Err } ++ ++func wrapNetIPParseAddrError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if errMsg := err.Error(); strings.HasPrefix(errMsg, "ParseAddr") { ++ errPieces := strings.Split(errMsg, ": ") ++ ++ return fmt.Errorf("ParseAddr: %s", errPieces[len(errPieces)-1]) ++ } ++ ++ return err ++} ++ ++func wrapNetIPParseAddrPortError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ errMsg := err.Error() ++ if strings.HasPrefix(errMsg, "invalid port ") { ++ return errors.New("invalid port") ++ } else if strings.HasPrefix(errMsg, "invalid ip:port ") { ++ return errors.New("invalid ip:port") ++ } ++ ++ return err ++} ++ ++func wrapNetIPParsePrefixError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ if errMsg := err.Error(); strings.HasPrefix(errMsg, "netip.ParsePrefix") { ++ errPieces := strings.Split(errMsg, ": ") ++ ++ return fmt.Errorf("netip.ParsePrefix: %s", errPieces[len(errPieces)-1]) ++ } ++ ++ return err ++} ++ ++func wrapTimeParseDurationError(err error) error { ++ if err == nil { ++ return nil ++ } ++ ++ errMsg := err.Error() ++ if strings.HasPrefix(errMsg, "time: unknown unit ") { ++ return errors.New("time: unknown unit") ++ } else if strings.HasPrefix(errMsg, "time: ") { ++ idx := strings.LastIndex(errMsg, " ") ++ ++ return errors.New(errMsg[:idx]) ++ } ++ ++ return err ++} +diff --git a/vendor/github.com/mitchellh/mapstructure/mapstructure.go b/vendor/github.com/mitchellh/mapstructure/mapstructure.go +index 7581806a..4845a28f 100644 +--- a/vendor/github.com/mitchellh/mapstructure/mapstructure.go ++++ b/vendor/github.com/mitchellh/mapstructure/mapstructure.go +@@ -642,7 +642,7 @@ func (d *Decoder) decodeInt(name string, data interface{}, val reflect.Value) er + if err == nil { + val.SetInt(i) + } else { +- return fmt.Errorf("cannot parse '%s' as int: %s", name, err) ++ return fmt.Errorf("cannot parse '%s' as int: %s", name, wrapStrconvNumError(err)) + } + case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number": + jn := data.(json.Number) +@@ -699,14 +699,14 @@ func (d *Decoder) decodeUint(name string, data interface{}, val reflect.Value) e + if err == nil { + val.SetUint(i) + } else { +- return fmt.Errorf("cannot parse '%s' as uint: %s", name, err) ++ return fmt.Errorf("cannot parse '%s' as uint: %s", name, wrapStrconvNumError(err)) + } + case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number": + jn := data.(json.Number) + i, err := strconv.ParseUint(string(jn), 0, 64) + if err != nil { + return fmt.Errorf( +- "error decoding json.Number into %s: %s", name, err) ++ "error decoding json.Number into %s: %s", name, wrapStrconvNumError(err)) + } + val.SetUint(i) + default: +@@ -738,7 +738,7 @@ func (d *Decoder) decodeBool(name string, data interface{}, val reflect.Value) e + } else if dataVal.String() == "" { + val.SetBool(false) + } else { +- return fmt.Errorf("cannot parse '%s' as bool: %s", name, err) ++ return fmt.Errorf("cannot parse '%s' as bool: %s", name, wrapStrconvNumError(err)) + } + default: + return fmt.Errorf( +@@ -777,7 +777,7 @@ func (d *Decoder) decodeFloat(name string, data interface{}, val reflect.Value) + if err == nil { + val.SetFloat(f) + } else { +- return fmt.Errorf("cannot parse '%s' as float: %s", name, err) ++ return fmt.Errorf("cannot parse '%s' as float: %s", name, wrapStrconvNumError(err)) + } + case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number": + jn := data.(json.Number) +-- +2.45.4 + diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec index d9a8e024de2..ce3970452a5 100644 --- a/SPECS/telegraf/telegraf.spec +++ b/SPECS/telegraf/telegraf.spec @@ -1,7 +1,7 @@ Summary: agent for collecting, processing, aggregating, and writing metrics. Name: telegraf Version: 1.31.0 -Release: 12%{?dist} +Release: 13%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -25,6 +25,7 @@ Patch10: CVE-2025-30215.patch Patch11: CVE-2025-22872.patch Patch12: CVE-2025-47913.patch Patch13: CVE-2025-10543.patch +Patch14: CVE-2025-11065.patch BuildRequires: golang BuildRequires: systemd-devel @@ -89,6 +90,9 @@ fi %dir %{_sysconfdir}/%{name}/telegraf.d %changelog +* Tue Feb 03 2026 Azure Linux Security Servicing Account - 1.31.0-13 +- Patch for CVE-2025-11065 + * Mon Dec 08 2025 Azure Linux Security Servicing Account - 1.31.0-12 - Patch for CVE-2025-10543