Conversation

@azurelinux-security azurelinux-security commented Dec 17, 2025

Auto Patch fluent-bit for CVE-2025-62408.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1006572&view=results
AI Backport- https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1002278&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

  • Auto Patch fluent-bit for CVE-2025-62408 (MEDIUM).

Change Log

  • CVE-2025-62408

Does this affect the toolchain?

YES/NO

Associated issues

  • N/A

Links to CVEs

Test Methodology

@microsoft-github-policy-service microsoft-github-policy-service bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Dec 17, 2025

akhila-guruju commented Dec 19, 2025

Upstream Patch Modified: Yes
Slight variation in function names and a struct type compared with the upstream codebase. The mapping is provided below.

In src/lib/ares_process.c file:
azl codebase ---> upstream
ares__free_query() ---> ares_free_query()
ares__send_query() ---> ares_send_query()
ares__array_t ---> ares_array_t
read_tcp_data() ---> read_answers()

In src/lib/ares_qcache.c file:
azl codebase ---> upstream
ares_qcache_insert() ---> ares_qcache_insert_int()

@Kanishk-Bansal

Buddy Build

@akhila-guruju

Buddy Build has passed.

@bhagyapathak bhagyapathak left a comment

Patch Analysis - The update backports into the existing codebase without altering externally observable behavior. The change is limited to internal query requeueing and callback sequencing logic, adapted for compatibility with the current implementation. No public APIs, configuration, or runtime semantics are modified.

  • Buddy Build
  • patch applied during the build (check rpm.log)
  • patch includes an upstream reference
  • PR has security tag
  • ptest regression

@bhagyapathak bhagyapathak added the ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review label Dec 30, 2025

@kgodara912 kgodara912 left a comment

Please check the corner case for read data.

+ /* query disappeared */
+ if (query == NULL) {
+ continue;
+ }
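Review bot: the NULL guard itself is fine (the comment says the query may have disappeared before the loop reaches its entry), but the quoted fragment shows only the skip and no send for the entries that survive it. The follow-up comment in this thread notes that upstream still calls ares_send_query(entry.server, query, now) when entry.type == REQUEUE_REQUEUE, while the backport drops the ares__send_query() call for every entry type, so a requeued query would never be resent. Suggest restoring the send for that entry type right after the NULL check and confirming the ptest regression run exercises the requeue path.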

This seems incorrect. Before these changes, there was one ares__send_query(query, now) call for every entry.type. Now the upstream code has reduced that to only the case where entry.type == REQUEUE_REQUEUE, in which it calls internal_status = ares_send_query(entry.server, query, now); but in our backport the call is removed for all cases. We should send the query as upstream does for that specific request type.
