From 8c1c450ccfa6853f9e03914da841e51ff4bd9cf7 Mon Sep 17 00:00:00 2001
From: wubijie
Date: Wed, 6 Aug 2025 19:41:29 +0800
Subject: [PATCH] fix CVE-2025-8283

---
 backport-CVE-2025-8283.patch | 84 ++++++++++++++++++++++++++++++++++++
 netavark.spec | 7 ++-
 2 files changed, 89 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2025-8283.patch

diff --git a/backport-CVE-2025-8283.patch b/backport-CVE-2025-8283.patch
new file mode 100644
index 0000000..02e9c7e
--- /dev/null
+++ b/backport-CVE-2025-8283.patch
@@ -0,0 +1,84 @@
+From 03f12695a696c7fe407eefebd7d5ad3cf2e934fe Mon Sep 17 00:00:00 2001
+From: Paul Holzinger
+Date: Tue, 27 May 2025 14:57:54 +0200
+Subject: [PATCH] Revert "remove search domain from response"
+
+This reverts commit 9035c677338a62a21ab58698527e9756ce1de842.
+The commit broke the name lookup for podman containers when other host
+search domains are defined that respond to the same name.
+
+Fixes: containers/podman#26198
+
+Signed-off-by: Paul Holzinger
+---
+ src/network/bridge.rs | 7 ++++++-
+ test/100-bridge-iptables.bats | 2 --
+ test/200-bridge-firewalld.bats | 2 --
+ test/250-bridge-nftables.bats | 2 --
+ 4 files changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/src/network/bridge.rs b/src/network/bridge.rs
+index 01a9a3999..63fa0f5f1 100644
+--- a/src/network/bridge.rs
++++ b/src/network/bridge.rs
+@@ -17,7 +17,7 @@ use crate::{
+ iptables::MAX_HASH_SIZE,
+ state::{remove_fw_config, write_fw_config},
+ },
+- network::{core_utils::disable_ipv6_autoconf, types},
++ network::{constants, core_utils::disable_ipv6_autoconf, types},
+ };
+
+ use super::{
+@@ -227,6 +227,11 @@ impl driver::NetworkDriver for Bridge<'_> {
+ let _ = response
+ .dns_server_ips
+ .insert(data.ipam.nameservers.clone());
++ // Note: this is being added so podman setup is backward compatible with the design
++ // which we had with dnsname/dnsmasq.
++ let _ = response
++ .dns_search_domains
++ .insert(vec![constants::PODMAN_DEFAULT_SEARCH_DOMAIN.to_string()]);
+
+ let mut ipv4 = Vec::new();
+ let mut ipv6 = Vec::new();
+diff --git a/test/100-bridge-iptables.bats b/test/100-bridge-iptables.bats
+index f7b9fbf20..7ec2f5329 100644
+--- a/test/100-bridge-iptables.bats
++++ b/test/100-bridge-iptables.bats
+@@ -316,8 +316,6 @@ fw_driver=iptables
+
+ NETAVARK_DNS_PORT="$dns_port" run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge.json \
+ setup $(get_container_netns_path)
+- config="$output"
+- assert_json "$config" ".podman1.dns_search_domains" == "[]" "empty search domains"
+
+ # check iptables
+ run_in_host_netns iptables -t nat -S NETAVARK-HOSTPORT-DNAT
+diff --git a/test/200-bridge-firewalld.bats b/test/200-bridge-firewalld.bats
+index f6cc3a6fe..c2441d917 100644
+--- a/test/200-bridge-firewalld.bats
++++ b/test/200-bridge-firewalld.bats
+@@ -162,8 +162,6 @@ function setup() {
+ NETAVARK_DNS_PORT="$dns_port" \
+ run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge.json \
+ setup $(get_container_netns_path)
+- config="$output"
+- assert_json "$config" ".podman1.dns_search_domains" == "[]" "empty search domains"
+
+ # check iptables
+ # firewall-cmd --list-rich-rules does not guarantee order, use sort
+diff --git a/test/250-bridge-nftables.bats b/test/250-bridge-nftables.bats
+index 3cfdf6cfc..c24b1c289 100644
+--- a/test/250-bridge-nftables.bats
++++ b/test/250-bridge-nftables.bats
+@@ -314,8 +314,6 @@ export NETAVARK_FW=nftables
+
+ NETAVARK_DNS_PORT="$dns_port" run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge.json \
+ setup $(get_container_netns_path)
+- config="$output"
+- assert_json "$config" ".podman1.dns_search_domains" == "[]" "empty search domains"
+
+ # check nftables
+ run_in_host_netns nft list chain inet netavark NETAVARK-HOSTPORT-DNAT
+
diff --git a/netavark.spec b/netavark.spec
index 761f8cf..3440cf7 100644
--- a/netavark.spec
+++ b/netavark.spec
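Review bot: The three bats hunks delete the `assert_json "$config" ".podman1.dns_search_domains" == "[]"` checks but add no positive assertion, so the behaviour this backport restores — the default search domain being present in the bridge response — is left untested, even though the bridge.rs hunk is itself a revert of an earlier removal that slipped through. In each of the three test files I would keep `config="$output"` and add `assert_json "$config" ".podman1.dns_search_domains" == '["<value of constants::PODMAN_DEFAULT_SEARCH_DOMAIN>"]' "default search domain"` (the constant's value is not visible in this diff; substitute it). The added comment in bridge.rs only mentions dnsname/dnsmasq compatibility, whereas the commit message gives the real reason the domain must stay; I would record that next to it, e.g. `// Without a default search domain, short-name lookups fall through to the host's search domains, which may answer for a container name with an unrelated host.` The enclosing method of `Bridge` starts and ends outside the hunk, so it cannot be seen here whether this insert is gated on DNS being enabled for the network; confirm it sits in the same branch as the `dns_server_ips` insert immediately above it.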
@@ -2,7 +2,7 @@ Name: netavark Version: 1.13.0 -Release: 2 +Release: 3 Summary: OCI network stack License: ASL 2.0 and BSD and MIT URL: https://github.com/containers/%{name} @@ -10,7 +10,7 @@ Source0: %{url}/archive/refs/tags/v%{version}.tar.gz Source1: %{url}/releases/download/v%{version}/%{name}-v%{version}-vendor.tar.gz Source2: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.2.tar.gz Patch1: 0001-add-loongarch64-support-for-nix.patch - +Patch2: backport-CVE-2025-8283.patch BuildRequires: cargo BuildRequires: make BuildRequires: protobuf-c @@ -301,6 +301,9 @@ go-md2man -in %{name}.1.md -out %{name}.1 %{_unitdir}/%{name}-firewalld-reload.service %changelog +* Wed Aug 06 2025 wubijie - 1.13.0-3 +- fix CVE-2025-8283 + * Fri Dec 13 2024 yangzhenyu - 1.13.0-2 - DESC: include all patch in source -- Gitee
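Review bot: `Patch2: backport-CVE-2025-8283.patch` is declared in the second hunk, but no hunk in this diff applies it in `%prep`; unless that section uses `%autosetup`/`%autopatch`, the patch is listed and shipped in the SRPM yet never applied, and the changelog entry would claim a fix the binary does not contain. If patches are applied one by one, add `%patch -P2 -p1` (or `%patch2 -p1` on older rpm) beside the line that applies Patch1; `-p1` matches the `a/src/...` paths inside the backport. The `%prep` section is outside this diff, so this may already be handled — worth confirming before the build is tagged.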