Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch fluent-bit for CVE-2025-63657 [HIGH] - branch 3.0-dev" #16778

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Aditya Singh <v-aditysing@microsoft.com>

Author: 3 people

SPECS/fluent-bit/CVE-2025-63657.patch

@@ -0,0 +1,97 @@
+From f9d883c5792fc1b3f9cd29dd8ff255c6c99944a2 Mon Sep 17 00:00:00 2001
+From: Eduardo Silva <eduardo@chronosphere.io>
+Date: Thu, 9 Apr 2026 12:11:57 -0600
+Subject: [PATCH] server: parser: harden boundary checks
+
+Tighten parser and helper validation around explicit lengths and
+buffer boundaries.
+
+Require exact header literal matches, validate chunk length tokens,
+and guard helper routines that previously trusted inconsistent
+pointer or length state.
+
+Verified by rebuilding with cmake --build build and replaying the
+reported malformed request fixtures against build/bin/monkey.
+
+Signed-off-by: Eduardo Silva <eduardo@chronosphere.io>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/monkey/monkey/commit/ffe0d0ed1b074ea6f3965c37bb754e9f19130a82.patch
+---
+ lib/monkey/include/monkey/mk_http_parser.h |  6 +++++-
+ lib/monkey/mk_server/mk_http_parser.c      | 10 ++++++++++
+ lib/monkey/mk_server/mk_mimetype.c         |  7 ++++++-
+ lib/monkey/mk_server/mk_user.c             |  2 +-
+ 4 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/lib/monkey/include/monkey/mk_http_parser.h b/lib/monkey/include/monkey/mk_http_parser.h
+index 6d45c39..5ae5c60 100644
+--- a/lib/monkey/include/monkey/mk_http_parser.h
++++ b/lib/monkey/include/monkey/mk_http_parser.h
+@@ -335,7 +335,11 @@ static inline void mk_http_parser_init(struct mk_http_parser *p)
+ 
+ static inline int mk_http_parser_more(struct mk_http_parser *p, int len)
+ {
+-    if (abs(len - p->i) - 1 > 0) {
++    if (len <= 0 || p->i < 0) {
++        return MK_FALSE;
++    }
++
++    if ((p->i + 1) < len) {
+         return MK_TRUE;
+     }
+ 
+diff --git a/lib/monkey/mk_server/mk_http_parser.c b/lib/monkey/mk_server/mk_http_parser.c
+index 4e7aa31..898df31 100644
+--- a/lib/monkey/mk_server/mk_http_parser.c
++++ b/lib/monkey/mk_server/mk_http_parser.c
+@@ -172,6 +172,16 @@ static inline void request_set(mk_ptr_t *ptr, struct mk_http_parser *p, char *bu
+ static inline int header_cmp(const char *expected, char *value, int len)
+ {
+     int i = 0;
++    size_t expected_len;
++
++    if (len < 0) {
++        return -1;
++    }
++
++    expected_len = strlen(expected);
++    if ((size_t) len != expected_len) {
++        return -1;
++    }
+ 
+     if (len >= 8) {
+         if (expected[0] != tolower(value[0])) return -1;
+diff --git a/lib/monkey/mk_server/mk_mimetype.c b/lib/monkey/mk_server/mk_mimetype.c
+index b86b4ef..5462ea5 100644
+--- a/lib/monkey/mk_server/mk_mimetype.c
++++ b/lib/monkey/mk_server/mk_mimetype.c
+@@ -197,7 +197,12 @@ struct mk_mimetype *mk_mimetype_find(struct mk_server *server, mk_ptr_t *filenam
+ {
+     int j, len;
+ 
+-    j = len = filename->len;
++    if (!filename->data || filename->len <= 0) {
++        return NULL;
++    }
++
++    len = filename->len;
++    j = len - 1;
+ 
+     /* looking for extension */
+     while (j >= 0 && filename->data[j] != '.') {
+diff --git a/lib/monkey/mk_server/mk_user.c b/lib/monkey/mk_server/mk_user.c
+index 7200ff0..716331a 100644
+--- a/lib/monkey/mk_server/mk_user.c
++++ b/lib/monkey/mk_server/mk_user.c
+@@ -46,7 +46,7 @@ int mk_user_init(struct mk_http_session *cs, struct mk_http_request *sr,
+     }
+ 
+     limit = mk_string_char_search(sr->uri_processed.data + offset, '/',
+-                                  sr->uri_processed.len);
++                                  sr->uri_processed.len - offset);
+ 
+     if (limit == -1) {
+         limit = (sr->uri_processed.len) - offset;
+-- 
+2.45.4
+

SPECS/fluent-bit/fluent-bit.spec

@@ -1,7 +1,7 @@
 Summary:        Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
 Name:           fluent-bit
 Version:        3.1.10
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -19,6 +19,7 @@ Patch8:         CVE-2025-12970.patch
 Patch9:         CVE-2025-12977.patch
 Patch10:        CVE-2025-12969.patch
 Patch11:        CVE-2025-62408.patch
+Patch12:        CVE-2025-63657.patch
 BuildRequires:  bison
 BuildRequires:  cmake
 BuildRequires:  cyrus-sasl-devel
@@ -93,6 +94,9 @@ Development files for %{name}
 %{_libdir}/fluent-bit/*.so
 
 %changelog
+* Mon Apr 20 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.1.10-5
+- Patch for CVE-2025-63649, CVE-2025-63656 and CVE-2025-63657
+
 * Wed Dec 17 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.1.10-4
 - Patch for CVE-2025-62408
 
@@ -120,7 +124,7 @@ Development files for %{name}
 * Tue Dec 10 2024 Sudipta Pandit <sudpandit@microsoft.com> - 3.1.9-2
 - Backport fixes for CVE-2024-27532
 
-* Tue Nov 23 2024 Paul Meyer <paul.meyer@microsoft.com> - 3.1.9-1
+* Sat Nov 23 2024 Paul Meyer <paul.meyer@microsoft.com> - 3.1.9-1
 - Update to 3.1.9 to enable Lua filter plugin using system luajit library.
 - Remove patches for CVE-2024-25629 and CVE-2024-28182 as they are fixed in 3.1.9.
 - [Jon Slobodzian] Reconciled with Fasttrack/3.0 on 11/23, updated Changelog date from 11/5.