[Low] Patch cmake for CVE-2025-5916, CVE-2025-5917 & CVE-2025-5918

[durgajagadeesh]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

Patch cmake for CVE-2025-5916 & CVE-2025-5917 & CVE-2025-5918
For CVE-2025-5916
Astrolabe patch reference: libarchive/libarchive#2568
Patch modified: No.
- Only one file available in azure source archive_read_support_format_warc.c
- And non available files in Azure source are Makefile.am, test_read_format_warc.c and test_read_format_warc_incomplete.warc.uu

For CVE-2025-5917
Astrolabe patch reference: libarchive/libarchive#2588
Patch modified: No.
Astroloabe patch reference: libarchive/libarchive#2588

For CVE-2025-5918
Astrolabe patch reference: libarchive/libarchive#2584
Patch modified: yes.
- Added new variable "skip" with data type "int64_t" and assigned with "request;" to match the code with Upstream patch.
- One test file is not available in azure source code: archive_read_open_filename.c

Change Log

• New files: CVE-2025-5916.patch, CVE-2025-5917.patch & CVE-2025-5918.patch
• Modified: cmake.spec
• Bump up the Release

Does this affect the toolchain?

Yes

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-5916
• https://nvd.nist.gov/vuln/detail/CVE-2025-5917
• https://nvd.nist.gov/vuln/detail/CVE-2025-5918

Test Methodology

• Local Build
• Patch applies cleanly.

-Built successfully with tests.

cmake-3.21.4-19.cm2.src.rpm.log
cmake-3.21.4-19.cm2.src.rpm.test.log

[Copilot]

Pull Request Overview

This PR patches cmake to address CVE-2025-5916, CVE-2025-5917, and CVE-2025-5918 by applying upstream fixes from libarchive and updating version numbers accordingly.

• Bump cmake release version and update manifests for x86_64 and aarch64.
• Add three patch files for the corresponding CVEs with modifications in files handling file skip operations and entry name building in libarchive.

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
toolkit/resources/manifests/package/toolchain_x86_64.txt	Bump cmake RPM version for x86_64.
toolkit/resources/manifests/package/toolchain_aarch64.txt	Bump cmake RPM version for aarch64.
SPECS/cmake/cmake.spec	Update Release field and add new patch entries for the three CVEs.
SPECS/cmake/CVE-2025-5916.patch	Patch archive_read_support_format_warc.c to verify _warc_skip return value.
SPECS/cmake/CVE-2025-5917.patch	Adjust constants in archive_write_set_format_pax.c for building entry names.
SPECS/cmake/CVE-2025-5918.patch	Update several libarchive files to add file size checks and improve lseek behavior.

[Kanishk-Bansal]

Patch for CVE-2025-5916, CVE-2025-5917 LGTM to me

[Kanishk-Bansal]

For CVE-2025-5918 how have you validated these changes?

[durgajagadeesh]

Hi @Kanishk-Bansal,
The skip variable in the file_skip_lseek function has been introduced in the latest upstream patch within the if condition. It is initialized with the value of request, which represents the number of bytes the file pointer should move.

Based on This i have initialized the skip in the CVE-2025-5918.patch to align with upstream patch.

This skip addition, This skip prevents seeking beyond the end of the file.

-thanks!