35263 – cmake new security issue CVE-2025-9301

Bug 35263 - cmake new security issue CVE-2025-9301

Summary: cmake new security issue CVE-2025-9301

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2026-03-24 14:34 CET by Nicolas Salguero
Modified:	2026-03-27 23:55 CET (History)
CC List:	3 users (show)

See Also:
Source RPM:	cmake-3.26.4-1.mga9.src.rpm
CVE:	CVE-2025-9301
Status comment:

Flags:	mageia: test_passed_mga9_64+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2026-03-24 14:34:49 CET

Fedora has issued an advisory on March 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LRYGBCSAOIXW3H7GXSATU2RXSYBKTGFL/

Nicolas Salguero 2026-03-24 14:42:40 CET

CVE: (none) => CVE-2025-9301
Flags: (none) => affects_mga9+
Source RPM: (none) => cmake-4.1.3-1.mga10.src.rpm, cmake-3.26.4-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2026-03-24 15:33:26 CET

Suggested advisory:
========================

The updated packages fix a security vulnerability:

cmake cmForEachCommand.cxx ReplayItems assertion. (CVE-2025-9301)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LRYGBCSAOIXW3H7GXSATU2RXSYBKTGFL/
========================

Updated packages in core/updates_testing:
========================
cmake-3.26.4-1.1.mga9
cmake-qtgui-3.26.4-1.1.mga9

from SRPM:
cmake-3.26.4-1.1.mga9.src.rpm

Flags: affects_mga9+ => (none)
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Source RPM: cmake-4.1.3-1.mga10.src.rpm, cmake-3.26.4-1.mga9.src.rpm => cmake-3.26.4-1.mga9.src.rpm
Assignee: bugsquad => qa-bugs
Version: Cauldron => 9

katnatek 2026-03-24 18:57:23 CET

Keywords: (none) => advisory

Comment 2 PC LX 2026-03-25 18:06:10 CET

Installed and tested without issues.


Tested on several dozen CMakeLists.txt files without issues.
Tested both the GUI and CLI.



System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.



$ uname -a
Linux jupiter 6.6.120-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Jan 14 01:59:53 UTC 2026 x86_64 GNU/Linux
$ rpm -q cmake cmake-qtgui
cmake-3.26.4-1.1.mga9
cmake-qtgui-3.26.4-1.1.mga9

CC: (none) => mageia

Comment 3 PC LX 2026-03-27 14:08:41 CET

Have been using this update for 3 days without issues, so I'm giving an OK for x86_64.

Flags: (none) => test_passed_mga9_64+
Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2026-03-27 22:05:17 CET

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2026-03-27 23:55:17 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0069.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.