microsoft · azurelinux-security · Jan 5, 2026 · Jan 5, 2026
@@ -0,0 +1,63 @@
+From bb5606c9903224549612e709a843f6eb17e31c38 Mon Sep 17 00:00:00 2001
+From: Frank Denis <github@pureftpd.org>
+Date: Mon, 29 Dec 2025 23:22:15 +0100
+Subject: [PATCH] core_ed25519_is_valid_point: check Y==Z in addition to X==0
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae.patch
+---
+ src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c | 5 ++++-
+ test/default/core_ed25519.c                             | 7 ++++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
+index 8129d8b..6feecc2 100644
+--- a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
++++ b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
+@@ -1029,10 +1029,13 @@ int
+ ge25519_is_on_main_subgroup(const ge25519_p3 *p)
+ {
+     ge25519_p3 pl;
++    fe25519    t;
+
+     ge25519_mul_l(&pl, p);
+
+-    return fe25519_iszero(pl.X);
++    fe25519_sub(t, pl.Y, pl.Z);
++
++    return fe25519_iszero(pl.X) & fe25519_iszero(t);
+ }
+
+ int
+diff --git a/test/default/core_ed25519.c b/test/default/core_ed25519.c
+index b246126..54ceeed 100644
+--- a/test/default/core_ed25519.c
++++ b/test/default/core_ed25519.c
+@@ -13,6 +13,10 @@ static const unsigned char max_canonical_p[32] = {
+     0xe4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
+ };
++static const unsigned char not_main_subgroup_p[32] = {
++    0x95, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
++    0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99
++};
+ static const unsigned char L_p1[32] = {
+     0xee, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
+     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
+@@ -142,11 +146,12 @@ main(void)
+     assert(crypto_core_ed25519_is_valid_point(p) == 0);
+
+     p[0] = 9;
+-    assert(crypto_core_ed25519_is_valid_point(p) == 1);
++    assert(crypto_core_ed25519_is_valid_point(p) == 0);
+
+     assert(crypto_core_ed25519_is_valid_point(max_canonical_p) == 1);
+     assert(crypto_core_ed25519_is_valid_point(non_canonical_invalid_p) == 0);
+     assert(crypto_core_ed25519_is_valid_point(non_canonical_p) == 0);
++    assert(crypto_core_ed25519_is_valid_point(not_main_subgroup_p) == 0);
+
+     memcpy(p2, p, crypto_core_ed25519_BYTES);
+     add_P(p2);
+-- 
+2.45.4
+
@@ -3,12 +3,13 @@
 Summary:        The Sodium crypto library
 Name:           libsodium
 Version:        1.0.19
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        ISC
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://libsodium.org/
 Source0:        https://download.libsodium.org/%{name}/releases/%{name}-%{version}.tar.gz
+Patch0:         CVE-2025-69277.patch
 BuildRequires:  gcc
 BuildRequires:  make
 
@@ -34,7 +35,7 @@ This package contains libraries and header files for
 developing applications that use %{name} libraries.
 
 %prep
-%autosetup -n %{name}-stable
+%autosetup -p1 -n %{name}-stable
 
 %build
 %configure \
@@ -68,6 +69,9 @@ find %{buildroot} -type f -name "*.a" -delete -print
 
 
 %changelog
+* Mon Jan 05 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.0.19-2
+- Patch for CVE-2025-69277
+
 * Fri Feb 02 2024 Thien Trung Vuong <tvuong@microsoft.com> - 1.0.19-1
 - Update to version 1.0.19
 - Update soname to 26