[AutoPR- Security] Patch cloud-hypervisor for CVE-2026-24799 [MEDIUM]#15746
[AutoPR- Security] Patch cloud-hypervisor for CVE-2026-24799 [MEDIUM]#15746azurelinux-security wants to merge 2 commits intomicrosoft:mainfrom
Conversation
jykanase
force-pushed
the
azure-autosec/cloud-hypervisor/2.0/1044343
branch
from
84b4426 to
2aa0851
Compare
| pushd vendor/libz-sys/src/zlib | ||
| %patch0 -p1 | ||
| %patch4 -p1 | ||
| %patch6 -p1 |
There was a problem hiding this comment.
Why patch 5 application is missing?
There was a problem hiding this comment.
It is not missing it is getting applied at https://github.com/azurelinux-security/azurelinux/blob/2aa085167e7e84e7ac093fd2d13761e5893a2683/SPECS/cloud-hypervisor/cloud-hypervisor.spec#L92
There was a problem hiding this comment.
Recommend differentiating patch scope via naming and grouping for clarity. Prefix patch filenames based on target (e.g., zlib-, cloud-hypervisor-). This will improve maintainability and reviewability.
bhagyapathak
left a comment
bhagyapathak
left a comment
There was a problem hiding this comment.
Recommend differentiating patch scope via naming and grouping for clarity. Prefix patch filenames based on target (e.g., zlib-, cloud-hypervisor-). This will improves maintainability, reviewability.
| pushd vendor/libz-sys/src/zlib | ||
| %patch0 -p1 | ||
| %patch4 -p1 | ||
| %patch6 -p1 |
There was a problem hiding this comment.
Recommend differentiating patch scope via naming and grouping for clarity. Prefix patch filenames based on target (e.g., zlib-, cloud-hypervisor-). This will improve maintainability and reviewability.
bhagyapathak
left a comment
bhagyapathak
left a comment
There was a problem hiding this comment.
Patch Analysis (Whether the patch applies cleanly/Backported/Minor Changes)
- Buddy Build
- patch applied during the build (check
rpm.log) - patch include an upstream reference
- PR has security tag
- ptest regression
Approving with suggestion.
bhagyapathak
added
the
ready-for-stable-review
kgodara912
left a comment
kgodara912
left a comment
There was a problem hiding this comment.
Please modify the patch to avoid null pointer dereference.
| if (copy > have) copy = have; | ||
| if (copy) { | ||
| + len = state->head->extra_len - state->length; | ||
| if (state->head != Z_NULL && |
There was a problem hiding this comment.
This is not correct. We are checking, state->head != Z_NULL but before that we have already dereferenced it in the line above as state->head->extra_len. Please modify the patch accordingly. The len = condition can be moved inside if after the other two checks.
Kanishk-Bansal
removed
security
AutoPR-Security
AI Backport
ready-for-stable-review
|
Already fixed in CVE-2025-1744.patch, hence disputing it |
5 participants
Auto Patch cloud-hypervisor for CVE-2026-24799.
Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1044343&view=results
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
What does the PR accomplish, why was it needed?
Change Log
Does this affect the toolchain?
YES/NO
Associated issues
Links to CVEs
Test Methodology