Sync from SUSE:SLFO:1.1 iputils revision 8c23314ae015984ea154f8c197c80e28

iputils-CVE-2025-47268.patch

@@ -0,0 +1,137 @@
+From 7ec315109dfa20d7734033ff5ffabf44d5ae8ddd Mon Sep 17 00:00:00 2001
+From: Petr Vorel <pvorel@suse.cz>
+Date: Mon, 5 May 2025 23:55:57 +0200
+Subject: [PATCH] ping: Fix signed 64-bit integer overflow in RTT calculation
+
+Crafted ICMP Echo Reply packet can cause signed integer overflow in
+
+1) triptime calculation:
+triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+
+2) tsum2 increment which uses triptime
+rts->tsum2 += (double)((long long)triptime * (long long)triptime);
+
+3) final tmvar:
+tmvar = (rts->tsum2 / total) - (tmavg * tmavg)
+
+    $ export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
+    $ export LDFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer"
+    $ meson setup .. -Db_sanitize=address,undefined
+    $ ninja
+    $ ./ping/ping -c2 127.0.0.1
+
+    PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
+    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.061 ms
+    ../ping/ping_common.c:757:25: runtime error: signed integer overflow: -2513732689199106 * 1000000 cannot be represented in type 'long int'
+    ../ping/ping_common.c:757:12: runtime error: signed integer overflow: -4975495174606980224 + -6510615555425289427 cannot be represented in type 'long int'
+    ../ping/ping_common.c:769:47: runtime error: signed integer overflow: 6960633343677281965 * 6960633343677281965 cannot be represented in type 'long int'
+    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+    ./ping/ping: Warning: time of day goes back (-7256972569576721377us), taking countermeasures
+    ./ping/ping: Warning: time of day goes back (-7256972569576721232us), taking countermeasures
+    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+    ../ping/ping_common.c:265:16: runtime error: signed integer overflow: 6960633343677281965 * 2 cannot be represented in type 'long int'
+    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.565 ms
+
+    --- 127.0.0.1 ping statistics ---
+    2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1002ms
+    ../ping/ping_common.c:940:42: runtime error: signed integer overflow: 1740158335919320832 * 1740158335919320832 cannot be represented in type 'long int'
+    rtt min/avg/max/mdev = 0.000/1740158335919320.832/6960633343677281.965/-1623514645242292.-224 ms
+
+To fix the overflow check allowed ranges of struct timeval members:
+* tv_sec <0, LONG_MAX/1000000>
+* tv_usec <0, 999999>
+
+Fix includes 2 new error messages (needs translation).
+Also existing message "time of day goes back ..." needed to be modified
+as it now prints tv->tv_sec which is a second (needs translation update).
+
+After fix:
+
+    $ ./ping/ping -c2 127.0.0.1
+    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.057 ms
+    ./ping/ping: Warning: invalid tv_usec -6510615555424928611 us
+    ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures
+    ./ping/ping: Warning: invalid tv_usec -6510615555424928461 us
+    ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures
+    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+    ./ping/ping: Warning: invalid tv_usec -6510615555425884541 us
+    ./ping/ping: Warning: time of day goes back (-4243165695442945 s), taking countermeasures
+    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.111 ms
+
+    --- 127.0.0.1 ping statistics ---
+    2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 101ms
+    rtt min/avg/max/mdev = 0.000/0.042/0.111/0.046 ms
+
+Fixes: https://github.com/iputils/iputils/issues/584
+Fixes: CVE-2025-472
+Link: https://github.com/Zephkek/ping-rtt-overflow/
+Co-developed-by: Cyril Hrubis <chrubis@suse.cz>
+Reported-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Reviewed-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
+Reviewed-by: Noah Meyerhans <noahm@debian.org>
+[ pvorel: backport of upstream 070cfacd7348386173231fb16fad4983d4e6ae40 to 20221126 ]
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+---
+ iputils_common.h   |  3 +++
+ ping/ping_common.c | 22 +++++++++++++++++++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/iputils_common.h b/iputils_common.h
+index 67b495e..3a9c5c6 100644
+--- a/iputils_common.h
++++ b/iputils_common.h
+@@ -10,6 +10,9 @@
+ 	  !!__builtin_types_compatible_p(__typeof__(arr), \
+ 					 __typeof__(&arr[0]))])) * 0)
+ 
++/* 1000001 = 1000000 tv_sec + 1 tv_usec */
++#define TV_SEC_MAX_VAL (LONG_MAX/1000001)
++
+ #ifdef __GNUC__
+ # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m)))
+ #else
+diff --git a/ping/ping_common.c b/ping/ping_common.c
+index d188fb8..687613a 100644
+--- a/ping/ping_common.c
++++ b/ping/ping_common.c
+@@ -741,16 +741,32 @@ int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen,
+ 
+ restamp:
+ 		tvsub(tv, &tmp_tv);
+-		triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+-		if (triptime < 0) {
+-			error(0, 0, _("Warning: time of day goes back (%ldus), taking countermeasures"), triptime);
++
++		if (tv->tv_usec >= 1000000) {
++			error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec);
++			tv->tv_usec = 999999;
++		}
++
++		if (tv->tv_usec < 0) {
++			error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec);
++			tv->tv_usec = 0;
++		}
++
++		if (tv->tv_sec > TV_SEC_MAX_VAL) {
++			error(0, 0, _("Warning: invalid tv_sec %ld s"), tv->tv_sec);
++			triptime = 0;
++		} else if (tv->tv_sec < 0) {
++			error(0, 0, _("Warning: time of day goes back (%ld s), taking countermeasures"), tv->tv_sec);
+ 			triptime = 0;
+ 			if (!rts->opt_latency) {
+ 				gettimeofday(tv, NULL);
+ 				rts->opt_latency = 1;
+ 				goto restamp;
+ 			}
++		} else {
++			triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+ 		}
++
+ 		if (!csfailed) {
+ 			rts->tsum += triptime;
+ 			rts->tsum2 += (double)((long long)triptime * (long long)triptime);
+-- 
+2.49.0
+

iputils-CVE-2025-48964_01.patch

@@ -0,0 +1,67 @@
+From f4f57679b736367716389d05187bab40666b521d Mon Sep 17 00:00:00 2001
+From: Petr Vorel <pvorel@suse.cz>
+Date: Fri, 9 May 2025 11:07:02 +0200
+Subject: [PATCH 1/4] ping: Fix integer overflow in large -s and -l values
+
+Maximum of preload value (-l) is 65536, but due multiplication with
+packat size (-s) there can be integer overflow:
+
+    $ export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
+    $ meson setup ..
+    $ ninja && sudo ./ping/ping -c1 -l 65536 -s 30000 ::1
+    ../ping/ping_common.c:451:24: runtime error: signed integer overflow: 65536 * 46528 cannot be represented in type 'int'
+    PING ::1 (::1) 30000 data bytes
+    30008 bytes from ::1: icmp_seq=1 ttl=64 time=0.052 ms
+
+Because setsockopt() requires int, instead of making hold and rcvbuf
+variables bigger (long int) limit them to INT_MAX. This will often lead
+to warning about rcvbuf is not enough to hold preload, because on
+current kernel 6.14 and ICMP datagram socket is the max. socket buffer
+size 425984, but probably better not to depend on this value.
+
+After fix:
+
+    $ sudo ./ping/ping -c1 -l 65536 -s 30000 127.0.0.1
+    ./ping/ping: WARNING: buffer size overflow, reduce packet size or preload
+    ./ping/ping: WARNING: probably, rcvbuf is not enough to hold preload
+    PING 127.0.0.1 (127.0.0.1) 30000(30028) bytes of data.
+    30008 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.053 ms
+
+Link: https://github.com/iputils/iputils/pull/585#pullrequestreview-2820034501
+Closes: https://github.com/iputils/iputils/pull/586
+Reported-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Suggested-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
+[ pvorel: backport of upstream f30f0e5397542a6ebf6bf1d5f6cd785637293393 to 20221126 ]
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+---
+ ping/ping_common.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/ping/ping_common.c b/ping/ping_common.c
+index 687613a..0d0da76 100644
+--- a/ping/ping_common.c
++++ b/ping/ping_common.c
+@@ -443,9 +443,18 @@ void sock_setbufs(struct ping_rts *rts, socket_st *sock, int alloc)
+ 		rts->sndbuf = alloc;
+ 	setsockopt(sock->fd, SOL_SOCKET, SO_SNDBUF, (char *)&rts->sndbuf, sizeof(rts->sndbuf));
+ 
+-	rcvbuf = hold = alloc * rts->preload;
++	if (alloc > INT_MAX / rts->preload) {
++		error(0, 0, _("WARNING: buffer size overflow, reduce packet size or preload"));
++		hold = INT_MAX;
++	} else {
++		hold = alloc * rts->preload;
++	}
++
++	rcvbuf = hold;
++
+ 	if (hold < 65536)
+ 		hold = 65536;
++
+ 	setsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF, (char *)&hold, sizeof(hold));
+ 	if (getsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF, (char *)&hold, &tmplen) == 0) {
+ 		if (hold < rcvbuf)
+-- 
+2.49.0
+

iputils-CVE-2025-48964_02.patch

@@ -0,0 +1,112 @@
+From 88b9a8ff19ac55c43b714fefc28d718fb4dcd611 Mon Sep 17 00:00:00 2001
+From: Petr Vorel <pvorel@suse.cz>
+Date: Fri, 9 May 2025 17:18:09 +0200
+Subject: [PATCH 2/4] ping: Fix integer overflow in large -W value
+
+918e824 changed probably as a side effect max -W (time to wait for a
+response in sec) value from INT_MAX / 1000000 (i.e. 2147 s => ~ 35 min)
+to INT_MAX / 1000 (i.e. 2147483 s => ~ 586 h).  This allows int overflow
+with -W > 2148 s (value which was not previously allowed):
+
+    $ export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
+    $ meson setup ..
+    $ ninja && ./ping/ping -c1 -W 2148 8.8.8.8
+    ../ping/ping_common.c:269:37: runtime error: signed integer overflow: 2148000 * 1000 cannot be represented in type 'int'
+
+It could be fixed by simple casting global_rts->lingertime in:
+waittime = (unsigned long)global_rts->lingertime * 1000;
+
+But because max -W value is unreasonably large anyway fix the problem by:
+1) storing lingertime as uint32_t (fixed 32bit unsigned int, requires C99)
+instead of previous int (first contribution to
+https://github.com/iputils/iputils/issues/410).
+
+2) Converting lingertime to us during getopts parsing (ping since ever -
+git era was converting lingertime during getopts only to ms, converting
+to us was done for some reason later in __schedule_exit()).
+
+New -W max value is now 71 min (over 1 hour) which should be enough
+(-W also allows -W0 for an infinite timeout, see 3b43f90):
+
+    $ ./ping/ping -c1 -W 4294 8.8.8.8
+    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
+    64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=13.4 ms
+
+    --- 8.8.8.8 ping statistics ---
+    1 packets transmitted, 1 received, 0% packet loss, time 0ms
+    rtt min/avg/max/mdev = 13.422/13.422/13.422/0.000 ms
+
+Fixes: 918e824 ("ping: add support for sub-second timeouts")
+Closes: https://github.com/iputils/iputils/pull/588
+Reported-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Reviewed-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Tested-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Suggested-by: Cyril Hrubis <chrubis@suse.cz>
+Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
+[ pvorel: backport of upstream f7d19893aed9188de758b6be940be01501b5315b to 20221126 ]
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+---
+ ping/ping.c        | 6 +++---
+ ping/ping.h        | 2 +-
+ ping/ping_common.c | 7 ++++---
+ 3 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/ping/ping.c b/ping/ping.c
+index 02d358e..814ee71 100644
+--- a/ping/ping.c
++++ b/ping/ping.c
+@@ -543,10 +543,10 @@ main(int argc, char **argv)
+ 			double optval;
+ 
+ 			optval = ping_strtod(optarg, _("bad linger time"));
+-			if (isless(optval, 0) || isgreater(optval, (double)INT_MAX / 1000))
++			if (isless(optval, 0) || isgreater(optval, (double)UINT_MAX / 1000000))
+ 				error(2, 0, _("bad linger time: %s"), optarg);
+-			/* lingertime will be converted to usec later */
+-			rts.lingertime = (int)(optval * 1000);
++
++			rts.lingertime = (uint32_t)(optval * 1000000);
+ 		}
+ 			break;
+ 		default:
+diff --git a/ping/ping.h b/ping/ping.h
+index 46cfbe7..f667c62 100644
+--- a/ping/ping.h
++++ b/ping/ping.h
+@@ -163,7 +163,7 @@ struct ping_rts {
+ 	int interval;			/* interval between packets (msec) */
+ 	int preload;
+ 	int deadline;			/* time to die */
+-	int lingertime;
++	uint32_t lingertime;
+ 	struct timespec start_time, cur_time;
+ 	volatile int exiting;
+ 	volatile int status_snapshot;
+diff --git a/ping/ping_common.c b/ping/ping_common.c
+index 0d0da76..0fbb825 100644
+--- a/ping/ping_common.c
++++ b/ping/ping_common.c
+@@ -264,8 +264,9 @@ int __schedule_exit(int next)
+ 		waittime = 2 * global_rts->tmax;
+ 		if (waittime < 1000 * (unsigned long)global_rts->interval)
+ 			waittime = 1000 * global_rts->interval;
+-	} else
+-		waittime = global_rts->lingertime * 1000;
++	} else {
++		waittime = global_rts->lingertime;
++	}
+ 
+ 	if (next < 0 || (unsigned long)next < waittime / 1000)
+ 		next = waittime / 1000;
+@@ -387,7 +388,7 @@ resend:
+ 		if (nores_interval > 500)
+ 			nores_interval = 500;
+ 		oom_count++;
+-		if (oom_count * nores_interval < rts->lingertime)
++		if ((uint32_t)(oom_count * nores_interval) < rts->lingertime)
+ 			return nores_interval;
+ 		i = 0;
+ 		/* Fall to hard error. It is to avoid complete deadlock
+-- 
+2.49.0
+

iputils-CVE-2025-48964_03.patch

@@ -0,0 +1,100 @@
+From 73315cde2e2edd9b0afafe93f96ee5db738ef129 Mon Sep 17 00:00:00 2001
+From: Cyril Hrubis <chrubis@suse.cz>
+Date: Fri, 16 May 2025 17:57:10 +0200
+Subject: [PATCH 4/4] ping: Fix moving average rtt calculation
+
+The rts->rtt counts an exponential weight moving average in a fixed
+point, that means that even if we limit the triptime to fit into a 32bit
+number the average will overflow because because fixed point needs eight
+more bits.
+
+We also have to limit the triptime to 32bit number because otherwise the
+moving average may stil overflow if we manage to produce a large enough
+triptime.
+
+Fixes: CVE-2025-48964
+Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1243772
+Closes: https://github.com/iputils/iputils-ghsa-25fr-jw29-74f9/pull/1
+Reported-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Tested-by: Petr Vorel <pvorel@suse.cz>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Reviewed-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+[ pvorel: backport of upstream afa36390394a6e0cceba03b52b59b6d41710608c to 20221126 ]
+Signed-off-by: Cyril Hrubis <chrubis@suse.cz>
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+---
+ iputils_common.h   | 2 +-
+ ping/ping.h        | 2 +-
+ ping/ping_common.c | 8 ++++----
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/iputils_common.h b/iputils_common.h
+index 3a9c5c6..6c1289b 100644
+--- a/iputils_common.h
++++ b/iputils_common.h
+@@ -11,7 +11,7 @@
+ 					 __typeof__(&arr[0]))])) * 0)
+ 
+ /* 1000001 = 1000000 tv_sec + 1 tv_usec */
+-#define TV_SEC_MAX_VAL (LONG_MAX/1000001)
++#define TV_SEC_MAX_VAL (INT32_MAX/1000001)
+ 
+ #ifdef __GNUC__
+ # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m)))
+diff --git a/ping/ping.h b/ping/ping.h
+index f667c62..242d3c3 100644
+--- a/ping/ping.h
++++ b/ping/ping.h
+@@ -181,7 +181,7 @@ struct ping_rts {
+ 	long tmax;			/* maximum round trip time */
+ 	double tsum;			/* sum of all times, for doing average */
+ 	double tsum2;
+-	int rtt;
++	uint64_t rtt;                   /* Exponential weight moving average calculated in fixed point */
+ 	int rtt_addend;
+ 	uint16_t acked;
+ 	int pipesize;
+diff --git a/ping/ping_common.c b/ping/ping_common.c
+index 0fbb825..808fc05 100644
+--- a/ping/ping_common.c
++++ b/ping/ping_common.c
+@@ -281,7 +281,7 @@ int __schedule_exit(int next)
+ 
+ static inline void update_interval(struct ping_rts *rts)
+ {
+-	int est = rts->rtt ? rts->rtt / 8 : rts->interval * 1000;
++	int est = rts->rtt ? (int)(rts->rtt / 8) : rts->interval * 1000;
+ 
+ 	rts->interval = (est + rts->rtt_addend + 500) / 1000;
+ 	if (rts->uid && rts->interval < MINUSERINTERVAL)
+@@ -785,7 +785,7 @@ restamp:
+ 			if (triptime > rts->tmax)
+ 				rts->tmax = triptime;
+ 			if (!rts->rtt)
+-				rts->rtt = triptime * 8;
++				rts->rtt = ((uint64_t)triptime) * 8;
+ 			else
+ 				rts->rtt += triptime - rts->rtt / 8;
+ 			if (rts->opt_adaptive)
+@@ -955,7 +955,7 @@ int finish(struct ping_rts *rts)
+ 		int ipg = (1000000 * (long long)tv.tv_sec + tv.tv_nsec / 1000) / (rts->ntransmitted - 1);
+ 
+ 		printf(_("%sipg/ewma %d.%03d/%d.%03d ms"),
+-		       comma, ipg / 1000, ipg % 1000, rts->rtt / 8000, (rts->rtt / 8) % 1000);
++		       comma, ipg / 1000, ipg % 1000, (int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000));
+ 	}
+ 	putchar('\n');
+ 	return (!rts->nreceived || (rts->deadline && rts->nreceived < rts->npackets));
+@@ -980,7 +980,7 @@ void status(struct ping_rts *rts)
+ 		fprintf(stderr, _(", min/avg/ewma/max = %ld.%03ld/%lu.%03ld/%d.%03d/%ld.%03ld ms"),
+ 			(long)rts->tmin / 1000, (long)rts->tmin % 1000,
+ 			tavg / 1000, tavg % 1000,
+-			rts->rtt / 8000, (rts->rtt / 8) % 1000, (long)rts->tmax / 1000, (long)rts->tmax % 1000);
++			(int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000), (long)rts->tmax / 1000, (long)rts->tmax % 1000);
+ 	}
+ 	fprintf(stderr, "\n");
+ }
+-- 
+2.49.0
+

iputils-CVE-2025-48964_regression.patch

@@ -0,0 +1,55 @@
+From a41fbf36f331e1b0945c8e30581381e2f2fdff6e Mon Sep 17 00:00:00 2001
+From: Cyril Hrubis <chrubis@suse.cz>
+Date: Thu, 5 Jun 2025 15:39:00 +0200
+Subject: [PATCH] ping: Fix regression in -c1
+
+We change the rts->lingertime to be stored directly in us instead of ms
+in order to simplify the overflow checks, however we missed two places
+where the value was not properly converted.
+
+The initialization of the lingertime has to be converted to us as well
+since the MAXWAIT is in seconds it has to be multiplied by 1000000 now.
+
+The check againts the nores_interval has to be updated too since the
+nores_interval is initialized from rts->interval that is stored in ms
+and the oom_count is a counter, hence the product of the multiplication
+is still in ms and the rts->lingertime has to be divided by 1000 in this
+case to be converted back to ms.
+
+Fixes: f7d1989 ("ping: Fix integer overflow in large -W value")
+Fixes: https://github.com/iputils/iputils/issues/596
+Closes: https://github.com/iputils/iputils/pull/597
+Reported-by: Alberto Salvia Novella <es20490446e.wordpress.com>
+Co-developed-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Cyril Hrubis <chrubis@suse.cz>
+---
+ ping/ping.c        | 2 +-
+ ping/ping_common.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ping/ping.c b/ping/ping.c
+index 63b943e0..1e976a90 100644
+--- a/ping/ping.c
++++ b/ping/ping.c
+@@ -335,7 +335,7 @@ main(int argc, char **argv)
+ 	static struct ping_rts rts = {
+ 		.interval = 1000,
+ 		.preload = 1,
+-		.lingertime = MAXWAIT * 1000,
++		.lingertime = MAXWAIT * 1000000,
+ 		.confirm_flag = MSG_CONFIRM,
+ 		.tmin = LONG_MAX,
+ 		.pipesize = -1,
+diff --git a/ping/ping_common.c b/ping/ping_common.c
+index fad52280..9a0c1248 100644
+--- a/ping/ping_common.c
++++ b/ping/ping_common.c
+@@ -389,7 +389,7 @@ int pinger(struct ping_rts *rts, ping_func_set_st *fset, socket_st *sock)
+ 		if (nores_interval > 500)
+ 			nores_interval = 500;
+ 		oom_count++;
+-		if ((uint32_t)(oom_count * nores_interval) < rts->lingertime)
++		if ((uint32_t)(oom_count * nores_interval) < rts->lingertime/1000)
+ 			return nores_interval;
+ 		i = 0;
+ 		/* Fall to hard error. It is to avoid complete deadlock

iputils-invalid-ttl-s390x.patch

@@ -0,0 +1,46 @@
+From c9c82b4576f0b616793ffbdc815c02e2e4da1f5c Mon Sep 17 00:00:00 2001
+From: Radoslav Kolev <radoslav.kolev@suse.com>
+Date: Thu, 15 May 2025 17:56:52 +0300
+Subject: [PATCH] ping: Fix ipv4 ttl value when using SOCK_DGRAM on big endian
+ systems
+
+7e7ffff attempted to fix a GCC warning about strict aliasing (which
+it seems may have been an erroneous one in the first place), but
+caused the ttl value when pinging an ipv4 address using SOCK_DGRAM
+on a big endian system (for ex. IBM S390) to always appear as 0.
+
+Using memcpy() instead of directly casting the value should be the
+safest option, fixing the issue and also avoiding the possibility
+of unaligned access to the value returned by CMSG_DATA.
+
+Fixes: 7e7ffff ("ping: Silence GCC warnings when building with -fstrict-aliasing")
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
+Signed-off-by: Radoslav Kolev <radoslav.kolev@suse.com>
+---
+ ping/ping.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/ping/ping.c b/ping/ping.c
+index 0faa8704..63b943e0 100644
+--- a/ping/ping.c
++++ b/ping/ping.c
+@@ -1642,7 +1642,7 @@ int ping4_parse_reply(struct ping_rts *rts, struct socket_st *sock,
+ 	int csfailed;
+ 	struct cmsghdr *cmsgh;
+ 	int reply_ttl;
+-	uint8_t *opts, *tmp_ttl;
++	uint8_t *opts;
+ 	int olen;
+ 	int wrong_source = 0;
+ 
+@@ -1670,8 +1670,7 @@ int ping4_parse_reply(struct ping_rts *rts, struct socket_st *sock,
+ 			if (cmsgh->cmsg_type == IP_TTL) {
+ 				if (cmsgh->cmsg_len < sizeof(int))
+ 					continue;
+-				tmp_ttl = (uint8_t *)CMSG_DATA(cmsgh);
+-				reply_ttl = (int)*tmp_ttl;
++				memcpy(&reply_ttl, CMSG_DATA(cmsgh), sizeof(reply_ttl));
+ 			} else if (cmsgh->cmsg_type == IP_RETOPTS) {
+ 				opts = (uint8_t *)CMSG_DATA(cmsgh);
+ 				olen = cmsgh->cmsg_len;

iputils.changes

@@ -1,23 +1,26 @@
 -------------------------------------------------------------------
-Thu Sep  5 10:47:27 UTC 2024 - Petr Vorel <pvorel@suse.cz>
+Tue Jun 10 07:18:36 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
 
-- Update to version 20240905 (mostly ping fixes release)
-  https://github.com/iputils/iputils/releases/tag/20240905
-- Fix tarball url
+- Security fix [bsc#1243772, CVE-2025-48964]
+  * Fix  integer overflow in ping statistics via zero timestamp
+  * Add iputils-CVE-2025-48964_01.patch
+  * Add iputils-CVE-2025-48964_02.patch
+  * Add iputils-CVE-2025-48964_03.patch
+  * Add iputils-CVE-2025-48964_regression.patch
 
 -------------------------------------------------------------------
-Wed Jan 17 11:13:09 UTC 2024 - Petr Vorel <pvorel@suse.cz>
+Fri May 16 12:51:08 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
 
-- Update to version 20240117 (ping bugfix release)
-  https://github.com/iputils/iputils/releases/tag/20240117
+- Fix bsc#1243284 - ping on s390x prints invalid ttl 
+  * Add iputils-invalid-ttl-s390x.patch
+  * Fix ipv4 ttl value when using SOCK_DGRAM on big endian systems
 
 -------------------------------------------------------------------
-Fri Dec 22 20:49:52 UTC 2023 - Petr Vorel <pvorel@suse.cz>
+Tue May 13 06:12:11 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
 
-- Update to version 20231222
-  https://github.com/iputils/iputils/releases/tag/20231222
-- Use tar.xz instead of tar.gz
-- Update source URL
+- Security fix [bsc#1242300, CVE-2025-47268] 
+  * integer overflow in RTT calculation can lead to undefined behavior 
+  * Add iputils-CVE-2025-47268.patch
 
 -------------------------------------------------------------------
 Tue Dec 27 12:27:43 UTC 2022 - Ludwig Nussel <lnussel@suse.com>

iputils.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package iputils
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,13 +17,24 @@
 
 
 Name:           iputils
-Version:        20240905
+Version:        20221126
 Release:        0
 Summary:        IPv4 and IPv6 Networking Utilities
 License:        BSD-3-Clause AND GPL-2.0-or-later
 Group:          Productivity/Networking/Other
 URL:            https://github.com/iputils/iputils
-Source0:        https://github.com/iputils/iputils/releases/download/%{version}/iputils-%{version}.tar.xz
+Source0:        https://github.com/iputils/iputils/archive/%{version}.tar.gz
+# PATCH-FIX-UPSTREAM: bcs#1242300 CVE-2025-47268  integer overflow in RTT calculation can lead to undefine    d behavior
+Patch1:         iputils-CVE-2025-47268.patch
+#PATCH-FIX-UPSTREAM: bsc#1243284 ping on s390x prints invalid ttl
+Patch2:         iputils-invalid-ttl-s390x.patch
+#PATCH-FIX-UPSTREAM: bsc#1243772 CVE-2025-48964 integer overflow in ping statistics via zero timestamp
+Patch3:         iputils-CVE-2025-48964_01.patch
+Patch4:         iputils-CVE-2025-48964_02.patch
+Patch6:         iputils-CVE-2025-48964_03.patch
+#PATCH-FIX-UPSTREAM: Fix regression in -c1
+Patch7:         iputils-CVE-2025-48964_regression.patch
+
 BuildRequires:  docbook5-xsl-stylesheets
 BuildRequires:  docbook_5
 BuildRequires:  iproute2
@@ -33,6 +44,7 @@ BuildRequires:  libcap-progs
 BuildRequires:  meson
 BuildRequires:  opensp
 BuildRequires:  perl-SGMLS
+BuildRequires:  netcfg
 BuildRequires:  pkgconfig
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  pkgconfig(libidn2)