[AutoPR- Security] Patch ignition-flatcar for CVE-2026-27141 [MEDIUM] (microsoft#16935)

azurelinux-security · web-flow · commit c3d0b412ba6b · 2026-05-04T14:46:42.000+05:30
diff --git a/SPECS/ignition-flatcar/CVE-2026-27141.patch b/SPECS/ignition-flatcar/CVE-2026-27141.patch
@@ -0,0 +1,46 @@
+From db9b39ea4a35a9367797791c4da2d2f0bf700775 Mon Sep 17 00:00:00 2001
+From: Konnyaku <beifengxuanxiao@126.com>
+Date: Tue, 17 Feb 2026 21:23:54 +0800
+Subject: [PATCH] http2: fix nil panic in typeFrameParser for unassigned frame
+ types
+
+The addition of FramePriorityUpdate (0x10) in RFC 9218 introduced a gap
+in the frameParsers array indices (0x0a-0x0f). These indices were
+initialized to nil, causing a panic when typeFrameParser accessed them
+for unassigned frame types (e.g., ALTSVC 0x0a).
+
+This change adds a nil check in typeFrameParser to safely fallback to
+parseUnknownFrame for these unassigned types, preventing the crash.
+
+Fixes golang/go#77652
+
+Change-Id: I14d7ad85afc1eafabc46417a9fff10f9e0a22446
+Reviewed-on: https://go-review.googlesource.com/c/net/+/746180
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Auto-Submit: Damien Neil <dneil@google.com>
+Reviewed-by: Mark Freeman <markfreeman@google.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/golang/net/commit/19f580fd686a6bb31d4af15febe789827169bc26.patch
+---
+ vendor/golang.org/x/net/http2/frame.go | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
+index db3264d..4642564 100644
+--- a/vendor/golang.org/x/net/http2/frame.go
++++ b/vendor/golang.org/x/net/http2/frame.go
+@@ -139,7 +139,9 @@ var frameParsers = [...]frameParser{
+ 
+ func typeFrameParser(t FrameType) frameParser {
+ 	if int(t) < len(frameParsers) {
+-		return frameParsers[t]
++		if f := frameParsers[t]; f != nil {
++			return f
++		}
+ 	}
+ 	return parseUnknownFrame
+ }
+-- 
+2.45.4
+
diff --git a/SPECS/ignition-flatcar/ignition-flatcar.spec b/SPECS/ignition-flatcar/ignition-flatcar.spec
@@ -24,7 +24,7 @@ Version:                2.22.0
 %global dracutlibdir %{_prefix}/lib/dracut
 
 Name:           ignition-flatcar
-Release:        1%{?dist}
+Release:        2%{?dist}
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Summary:        First boot installer and configuration tool
@@ -53,6 +53,7 @@ Patch16:        0017-revert-internal-oem-drop-noop-OEMs.patch
 Patch17:        0018-docs-Add-re-added-platforms-to-docs-to-pass-tests.patch
 Patch18:        0019-usr-share-oem-oem.patch
 Patch19:        0020-internal-exec-stages-mount-Mount-oem.patch
+Patch20:        CVE-2026-27141.patch
 
 BuildRequires: libblkid-devel
 BuildRequires: systemd-rpm-macros
@@ -201,6 +202,9 @@ VERSION=%{version} GOARCH=%{goarch} ./test
 %endif
 
 %changelog
+* Wed Apr 29 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.22.0-2
+- Patch for CVE-2026-27141
+
 * Fri Jan 16 2026 Sumit Jena <v-sumitjena@microsoft.com> - 2.22.0-1
 - Initial Azure Linux import from the source project (license: same as "License" tag).
 - License verified.
