Bug 34446 - spdlog new security issue CVE-2025-6140
Summary: spdlog new security issue CVE-2025-6140
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-07-08 17:19 CEST by Nicolas Salguero
Modified: 2025-11-15 08:16 CET
CC List: 3 users

See Also:
Source RPM: spdlog-1.11.0-4.mga9.src.rpm
CVE: CVE-2025-6140
Status comment:


Attachments

Description Nicolas Salguero 2025-07-08 17:19:24 CEST
openSUSE has issued an advisory on July 5:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/PKLBHCP4H6J6LCEJELBPDKGM2W4ZWDNC/
Nicolas Salguero 2025-07-08 17:19:37 CEST

CVE: (none) => CVE-2025-6140
Source RPM: (none) => spdlog-1.11.0-4.mga9.src.rpm

Comment 1 Lewis Smith 2025-07-19 21:13:55 CEST
https://bugzilla.suse.com/show_bug.cgi?id=1244696
includes these github refs:

https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094
is the patch.

https://github.com/gabime/spdlog/issues/3360
https://github.com/gabime/spdlog/issues/3360#issuecomment-2729579422
are the same: a POC.

Assigning directly to DavidG, who normally maintains this pkg.

Assignee: bugsquad => geiger.david68210

Comment 2 Nicolas Salguero 2025-11-13 15:54:34 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Spdlog pattern_formatter-inl.h scoped_padder resource consumption. (CVE-2025-6140)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/PKLBHCP4H6J6LCEJELBPDKGM2W4ZWDNC/
========================

Updated packages in core/updates_testing:
========================
lib(64)spdlog-devel-1.11.0-4.1.mga9
lib(64)spdlog1.11-1.11.0-4.1.mga9

from SRPM:
spdlog-1.11.0-4.1.mga9.src.rpm

Assignee: geiger.david68210 => qa-bugs
Status: NEW => ASSIGNED

katnatek 2025-11-13 19:56:13 CET

Keywords: (none) => advisory

Comment 3 Herman Viaene 2025-11-14 14:14:03 CET
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
No previous updates, so
# urpmq --whatrequires lib64spdlog1.11
gave me a list, many of which I had no idea how to handle.
First picked kodi, ran it under strace, and had it add some files to its catalogue and play them. But the trace had no ref to spdlog.
Second try with gerbera. Had some issues getting this to start, but succeeded. After opening port 49152 in the firewall, I was able to access files from my desktop PC. Remark: as stated in the feedback on starting gerbera, it apparently can only be connected to via the explicit IP address.
Anyway, the trace now has a ref to 
openat(AT_FDCWD, "/lib64/libspdlog.so.1.11", O_RDONLY|O_CLOEXEC) = 3
So in the end all is well.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
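The check done by hand in Comment 3 (run a dependent under strace, look for the openat() of libspdlog.so.1.11) can be scripted so it also confirms that the library on disk is the fixed release and not the one from before the update. The script below is an added example; it is not part of this bug report, of Mageia's QA tooling, or of spdlog. The soname /lib64/libspdlog.so.1.11, the package name lib64spdlog1.11 and the fixed release 1.11.0-4.1.mga9 come from this report; the strace lines and the `rpm -qf` output are constructed samples standing in for the real output, and the version comparison is a simplified rpm-style one (alphabetic segments compare as plain strings).

```shell
#!/bin/sh
# Added example (not from the bug report, Mageia QA or spdlog): verify that
# a traced process really loaded libspdlog and that the installed package is
# at least the fixed release. Replace the two SAMPLE_* values with the output of
#   strace -f -e trace=openat -o trace.log gerbera   (then: cat trace.log)
#   rpm -qf /lib64/libspdlog.so.1.11

# Constructed sample: a few openat() lines as strace prints them.
SAMPLE_TRACE='openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libupnp.so.17", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libspdlog.so.1.11", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libfmt.so.9", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libmissing.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/gerbera/config.xml", O_RDONLY) = 4'

# Constructed sample: rpm -qf output (name-version-release.arch) after the update.
SAMPLE_RPM_QF='lib64spdlog1.11-1.11.0-4.1.mga9.x86_64'

# Print the paths of shared objects that were opened successfully
# (a non-negative return value); failed opens and non-.so files are dropped.
loaded_libs() {                          # $1 = strace text
    printf '%s\n' "$1" |
        sed -n 's/^openat([^"]*"\([^"]*\.so[.0-9]*\)".*) = [0-9][0-9]*$/\1/p'
}

# Succeed if a library with the given soname was opened by the traced process.
lib_was_loaded() {                       # $1 = soname, $2 = strace text
    loaded_libs "$2" | sed 's#.*/##' | grep -qxF "$1"
}

# Reduce "name-version-release.arch" to "version-release".
pkg_vr() {                               # $1 = package name, $2 = rpm -qf output
    printf '%s\n' "$2" | sed "s/^$1-//; s/\.[^.]*\$//"
}

# Simplified rpm-style comparison: split on '.' and '-', numeric segments
# compare as numbers and beat alphabetic ones, the longer string wins a tie.
# Succeeds when $1 >= $2. (Assumption: alphabetic segments compare as strings.)
vr_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (i > na) exit 1                      # a ran out first: a < b
            if (i > nb) exit 0                      # b ran out first: a > b
            if (x[i] == y[i]) continue
            xn = (x[i] ~ /^[0-9]+$/); yn = (y[i] ~ /^[0-9]+$/)
            if (xn && yn) { r = (x[i] + 0 >= y[i] + 0) ? 0 : 1; exit r }
            if (xn != yn) { r = xn ? 0 : 1; exit r } # numeric beats alpha
            r = (x[i] > y[i]) ? 0 : 1; exit r
        }
        exit 0
    }'
}

# Overall verdict: the library was loaded AND the installed release is fixed.
check_update() {                         # $1 = strace text, $2 = rpm -qf output
    lib_was_loaded libspdlog.so.1.11 "$1" ||
        { echo "FAIL: libspdlog.so.1.11 was not loaded"; return 1; }
    vr=$(pkg_vr lib64spdlog1.11 "$2")
    vr_ge "$vr" 1.11.0-4.1.mga9 ||
        { echo "FAIL: installed $vr is older than 1.11.0-4.1.mga9"; return 1; }
    echo "OK: libspdlog.so.1.11 loaded, installed release $vr"
}

check_update "$SAMPLE_TRACE" "$SAMPLE_RPM_QF"
```

With the constructed samples the script reports OK; feeding it the pre-update release (1.11.0-4.mga9) makes it fail on the version check, and a trace of a program such as kodi that never opens libspdlog makes it fail on the load check, which is the distinction Comment 3 had to establish by reading the trace by hand.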

Comment 4 Thomas Andrews 2025-11-15 02:58:44 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2025-11-15 08:16:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0294.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

