
[meta-networking,scarthgap,06/12] mtr: patch CVE-2025-49809

Message ID 20260109092843.1924568-6-ankur.tyagi85@gmail.com
State New
Series [meta-networking,scarthgap,01/12] cifs-utils: patch CVE-2025-2312 | expand

Commit Message

Ankur Tyagi Jan. 9, 2026, 9:28 a.m. UTC
From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49809

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../mtr/mtr/CVE-2025-49809.patch              | 39 +++++++++++++++++++
 .../recipes-support/mtr/mtr_0.95.bb           |  4 +-
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-support/mtr/mtr/CVE-2025-49809.patch

Patch

diff --git a/meta-networking/recipes-support/mtr/mtr/CVE-2025-49809.patch b/meta-networking/recipes-support/mtr/mtr/CVE-2025-49809.patch
new file mode 100644
index 0000000000..f7d1b06934
--- /dev/null
+++ b/meta-networking/recipes-support/mtr/mtr/CVE-2025-49809.patch
@@ -0,0 +1,39 @@ 
+From 9b5107ff91b72c0104d9dbeee076f37f584ea4b4 Mon Sep 17 00:00:00 2001
+From: "R.E. Wolff" <R.E.Wolff@BitWizard.nl>
+Date: Sun, 29 Jun 2025 14:06:00 +0200
+Subject: [PATCH] Added protection against use of MTR_PACKET under special
+ circumstances
+
+CVE: CVE-2025-49809
+Upstream-Status: Backport [https://github.com/traviscross/mtr/commit/5226f105f087c29d3cfad9f28000e7536af91ac6]
+(cherry picked from commit 5226f105f087c29d3cfad9f28000e7536af91ac6)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ ui/cmdpipe.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/ui/cmdpipe.c b/ui/cmdpipe.c
+index d22b236..1a66293 100644
+--- a/ui/cmdpipe.c
++++ b/ui/cmdpipe.c
+@@ -220,10 +220,17 @@ void execute_packet_child(
+        the path to the mtr-packet executable.  This is necessary
+        for debugging changes for mtr-packet.
+      */
+-    char *mtr_packet_path = getenv("MTR_PACKET");
+-    if (mtr_packet_path == NULL) {
++    char * mtr_packet_path = NULL; 
++
++    // In the rare case that mtr-packet is not setuid-root, 
++    // and a select group of users has sudo privileges to run 
++    // mtr and not much else, THEN create /etc/mtr.is.run.under.sudo
++    // to prevent a privilege escalation when one of those accounts
++    // is compromised.  CVE-2025-49809
++    if (access ("/etc/mtr.is.run.under.sudo", F_OK) != 0)
++        mtr_packet_path = getenv("MTR_PACKET");
++    if (mtr_packet_path == NULL)
+         mtr_packet_path = "mtr-packet";
+-    }
+ 
+     /*
+        First, try to execute mtr-packet from PATH
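Review bot: The guard `if (access ("/etc/mtr.is.run.under.sudo", F_OK) != 0)` makes the fix opt-in, so applying this backport alone leaves `MTR_PACKET` honoured on every image that does not ship that marker file. It also fails open, because any access() error, not only a missing file, takes the getenv() branch. Since this is a verbatim upstream backport I would keep the code as it is and state the requirement in the patch header, e.g. `Note: the fix only takes effect when /etc/mtr.is.run.under.sudo exists; images that grant sudo access to mtr must create it.` The body of execute_packet_child continues outside the hunk.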
diff --git a/meta-networking/recipes-support/mtr/mtr_0.95.bb b/meta-networking/recipes-support/mtr/mtr_0.95.bb
index 92f9c4bfc0..c1d6ff5605 100644
--- a/meta-networking/recipes-support/mtr/mtr_0.95.bb
+++ b/meta-networking/recipes-support/mtr/mtr_0.95.bb
@@ -9,7 +9,9 @@  LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
                     file://ui/mtr.c;beginline=5;endline=16;md5=00a894a39d53726a27386534d1c4e468"
 
 SRCREV = "852e5617fbf331cf292723702161f0ac9afe257c"
-SRC_URI = "git://github.com/traviscross/mtr;branch=master;protocol=https"
+SRC_URI = "git://github.com/traviscross/mtr;branch=master;protocol=https \
+           file://CVE-2025-49809.patch \
+"
 
 S = "${WORKDIR}/git"