[AutoPR- Security] Patch cmake for CVE-2025-10966, CVE-2025-14524 [MEDIUM]

[azurelinux-security]

Auto Patch cmake for CVE-2025-10966, CVE-2025-14524.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1032055&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?

• Auto Patch cmake for CVE-2025-10966 (MEDIUM), CVE-2025-14524 (MEDIUM).

Change Log

• CVE-2025-10966
• CVE-2025-14524

Does this affect the toolchain?

YES/NO

Associated issues

• N/A

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-10966
• https://nvd.nist.gov/vuln/detail/CVE-2025-14524

Test Methodology

• Pipeline build id: Buddy Build URL

[Kanishk-Bansal]

Buddy Build

[suresh-thelkar]

Code changes look good to me. Since one of the patches is very huge, it is better to run full build and verify all the ptests as well.
Also, GitHub Checks are failing. Please look into it and fix them.

[Kanishk-Bansal]

Full Build

[Kanishk-Bansal]

Passed

[kgodara912]

The removal of wolfssh looks fine. Also, the 15224 patch looks fine. Please check the libssh.c CVEs properly.

[kgodara912]

This doesn't seem correct because the variable sshc is not defined in this function. The condition above rc == SSH_OK check is for ssh->ssh_session and not sshc. This also means that this path is not compiling as part of package. We need to correct the variable to ssh->ssh_session instead of sshc->ssh_session. Also, if the file is not compiling then we can dispute both the CVEs of libssh.c in this PR.

[BinduSri-6522866]

libssh and libssh2 both are not used in the cmake curl build in spec file, also "USE_LIBSSH" and USE_LIBSSH2 macros are not defined and hence the source code for affected files is not compiled. Requested dispute.

[kgodara912]

Buddy build after recent changes.

[BinduSri-6522866]

Buddy build passed.

[Kanishk-Bansal]

CVE-2025-15224, CVE-2025-15079 dispute has been raised

[kgodara912]

Buddy build is successful. Patches almost match with respective upstream references. Full build was also successful. LGTM.