Upgrade libsodium to 1.0.19-FINAL for CVE-2025-69277 [Medium]

[Kanishk-Bansal]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?

• Upgrade libsodium for CVE-2025-69277 (MEDIUM).

Change Log

• CVE-2025-69277

Does this affect the toolchain?

NO

Associated issues

• N/A

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-69277

Test Methodology

• Pipeline build id: Buddy Build URL

[Kanishk-Bansal]

Source Publish - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1019879&view=results
Buddy Build - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1020106&view=results
Fix Code is present in 1.0.19-final tag - jedisct1/libsodium@9368c26

[Kanishk-Bansal]

libsodium released 1.0.19-FINAL pointer release which has the CVE fix. This is in their practise to release -stable and -final release for any CVE fixes. The commit jedisct1/libsodium@9368c26 shows that the fix has been taken to 1.0.19-FINAL for which I have uploaded a tarball at blob storage with -final to fix this CVE as a part of upgrade

[mayankfz]

changes looks fine, buddy build passes.

[kgodara912]

Upstream versioning for libsodium is a little different than the normal packages. They don't update version number for the fix as explained in above comment. Buddy build is successful. LGTM.

[kgodara912]

Please change this to same as above with 2%{?dist}

[Kanishk-Bansal]

Buddy Build

[kgodara912]

Buddy build is successful. The upstream libsodium project versioning is different than other general upstream packages. The new source code is fixing the CVE. Also, as per the release notes, it is guaranteed to be compatible with the previous 1.0.19 series releases. LGTM.