[AutoPR- Security] Patch telegraf for CVE-2026-42151, CVE-2026-41889 [MEDIUM] (microsoft#17221)

Co-authored-by: SumitJenaHCL <v-sumitjena@microsoft.com>
Co-authored-by: jykanase <v-jykanase@microsoft.com>

Author: 3 people

SPECS/telegraf/CVE-2026-41889.patch

@@ -0,0 +1,167 @@
+From: Jack Christensen <jack@jackchristensen.com>
+Date: Sat, 18 Apr 2026 23:46:10 +0000
+Subject: [PATCH] Fix SQL sanitizer bugs with dollar-quoted strings and
+ placeholder overflow
+
+The simple-protocol SQL sanitizer treated $N found inside PostgreSQL
+dollar-quoted strings ($$...$$ and $tag$...$tag$) as placeholders and
+substituted them into what PostgreSQL considers literal text. A crafted
+arg value could then close the dollar-quote from inside and run
+arbitrary SQL (see the new proof-of-concept test in query_test.go).
+
+The lexer now recognizes dollar-quoted strings using PostgreSQL's tag
+grammar (from scan.l) and preserves their contents verbatim.
+
+Placeholder numbers are also clamped at MaxInt32 rather than silently
+overflowing. Previously "$92233720368547758070" wrapped to -10; if the
+wrap had landed on a valid positive index it would have aliased a
+different argument.
+
+Adds unit tests, fuzz seeds, and an integration PoC.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+
+Upstream Patch Reference: https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da.patch
+---
+ .../pgx/v4/internal/sanitize/sanitize.go      | 97 +++++++++++++++++--
+ 1 file changed, 89 insertions(+), 8 deletions(-)
+
+diff --git a/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go b/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go
+index 4c345d50..e6db478c 100644
+--- a/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go
++++ b/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go
+@@ -4,6 +4,7 @@ import (
+ 	"bytes"
+ 	"encoding/hex"
+ 	"fmt"
++	"math"
+ 	"strconv"
+ 	"strings"
+ 	"time"
+@@ -100,12 +101,13 @@ func QuoteBytes(buf []byte) string {
+ }
+ 
+ type sqlLexer struct {
+-	src     string
+-	start   int
+-	pos     int
+-	nested  int // multiline comment nesting level.
+-	stateFn stateFn
+-	parts   []Part
++	src       string
++	start     int
++	pos       int
++	nested    int    // multiline comment nesting level.
++	dollarTag string // active tag while inside a dollar-quoted string (may be empty for $$).
++	stateFn   stateFn
++	parts     []Part
+ }
+ 
+ type stateFn func(*sqlLexer) stateFn
+@@ -135,6 +137,15 @@ func rawState(l *sqlLexer) stateFn {
+ 				l.start = l.pos
+ 				return placeholderState
+ 			}
++			// PostgreSQL dollar-quoted string: $[tag]$...$[tag]$. The $ was
++			// just consumed; try to match the rest of the opening tag.
++			// Without this, placeholders embedded inside dollar-quoted
++			// literals would be incorrectly substituted.
++			if tagLen, ok := scanDollarQuoteTag(l.src[l.pos:]); ok {
++				l.dollarTag = l.src[l.pos : l.pos+tagLen]
++				l.pos += tagLen + 1 // advance past tag and closing '$'
++				return dollarQuoteState
++			}
+ 		case '-':
+ 			nextRune, width := utf8.DecodeRuneInString(l.src[l.pos:])
+ 			if nextRune == '-' {
+@@ -217,8 +228,16 @@ func placeholderState(l *sqlLexer) stateFn {
+ 		l.pos += width
+ 
+ 		if '0' <= r && r <= '9' {
+-			num *= 10
+-			num += int(r - '0')
++			// Clamp rather than silently wrap on pathological input like
++			// "$92233720368547758070" which would otherwise overflow int and
++			// could land on a valid args index. Any value above MaxInt32 far
++			// exceeds any plausible args length, so Sanitize will correctly
++			// return "insufficient arguments".
++			if num > (math.MaxInt32-9)/10 {
++				num = math.MaxInt32
++			} else {
++				num = num*10 + int(r-'0')
++			}
+ 		} else {
+ 			l.parts = append(l.parts, num)
+ 			l.pos -= width
+@@ -228,6 +247,68 @@ func placeholderState(l *sqlLexer) stateFn {
+ 	}
+ }
+ 
++// dollarQuoteState consumes the body of a PostgreSQL dollar-quoted string
++// ($[tag]$...$[tag]$). The opening tag (including its terminating '$') has
++// already been consumed.
++func dollarQuoteState(l *sqlLexer) stateFn {
++	closer := "$" + l.dollarTag + "$"
++	idx := strings.Index(l.src[l.pos:], closer)
++	if idx < 0 {
++		// Unterminated — mirror the behavior of other quoted-string states by
++		// consuming the remaining input into the current part and stopping.
++		if len(l.src)-l.start > 0 {
++			l.parts = append(l.parts, l.src[l.start:])
++			l.start = len(l.src)
++		}
++		l.pos = len(l.src)
++		return nil
++	}
++	l.pos += idx + len(closer)
++	l.dollarTag = ""
++	return rawState
++}
++
++// scanDollarQuoteTag checks whether src begins with an optional dollar-quoted
++// string tag followed by a closing '$'. src must point just past the opening
++// '$'. Returns the byte length of the tag (zero for an anonymous $$) and
++// whether a valid tag was found.
++//
++// Tag grammar matches the PostgreSQL lexer (scan.l):
++//
++//	dolq_start: [A-Za-z_\x80-\xff]
++//	dolq_cont:  [A-Za-z0-9_\x80-\xff]
++func scanDollarQuoteTag(src string) (int, bool) {
++	first := true
++	for i := 0; i < len(src); {
++		r, w := utf8.DecodeRuneInString(src[i:])
++		if r == '$' {
++			return i, true
++		}
++		if !isDollarTagRune(r, first) {
++			return 0, false
++		}
++		first = false
++		i += w
++	}
++	return 0, false
++}
++
++func isDollarTagRune(r rune, first bool) bool {
++	switch {
++	case r == '_':
++		return true
++	case 'a' <= r && r <= 'z':
++		return true
++	case 'A' <= r && r <= 'Z':
++		return true
++	case !first && '0' <= r && r <= '9':
++		return true
++	case r >= 0x80 && r != utf8.RuneError:
++		return true
++	}
++	return false
++}
++
+ func escapeStringState(l *sqlLexer) stateFn {
+ 	for {
+ 		r, width := utf8.DecodeRuneInString(l.src[l.pos:])
+-- 
+2.45.4
+

SPECS/telegraf/CVE-2026-42151.patch

@@ -0,0 +1,49 @@
+From 5ccebcdb3f2d8db76b3b559d070d667b903e1358 Mon Sep 17 00:00:00 2001
+From: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
+Date: Mon, 27 Apr 2026 12:16:46 +0200
+Subject: [PATCH] remote/azuread: use Secret type for OAuth client_secret
+
+The ClientSecret field in OAuthConfig was typed as plain string,
+causing it to be exposed in plaintext via the /-/config HTTP endpoint.
+Change it to config_util.Secret so Prometheus redacts it as <secret>.
+
+Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
+
+Upstream Patch Reference: https://github.com/prometheus/prometheus/commit/5ccebcdb3f2d8db76b3b559d070d667b903e1358.patch
+---
+ .../prometheus/prometheus/storage/remote/azuread/azuread.go  | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/prometheus/prometheus/storage/remote/azuread/azuread.go b/vendor/github.com/prometheus/prometheus/storage/remote/azuread/azuread.go
+index cb4587b0..eb04982a 100644
+--- a/vendor/github.com/prometheus/prometheus/storage/remote/azuread/azuread.go
++++ b/vendor/github.com/prometheus/prometheus/storage/remote/azuread/azuread.go
+@@ -29,6 +29,7 @@ import (
+ 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+ 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+ 	"github.com/google/uuid"
++	config_util "github.com/prometheus/common/config"
+ )
+ 
+ const (
+@@ -55,7 +56,7 @@ type OAuthConfig struct {
+ 	ClientID string `yaml:"client_id,omitempty"`
+ 
+ 	// ClientSecret is the clientSecret of the azure active directory application that is being used to authenticate.
+-	ClientSecret string `yaml:"client_secret,omitempty"`
++	ClientSecret config_util.Secret `yaml:"client_secret,omitempty"`
+ 
+ 	// TenantID is the tenantId of the azure active directory application that is being used to authenticate.
+ 	TenantID string `yaml:"tenant_id,omitempty"`
+@@ -238,7 +239,7 @@ func newManagedIdentityTokenCredential(clientOpts *azcore.ClientOptions, managed
+ // newOAuthTokenCredential returns new OAuth token credential
+ func newOAuthTokenCredential(clientOpts *azcore.ClientOptions, oAuthConfig *OAuthConfig) (azcore.TokenCredential, error) {
+ 	opts := &azidentity.ClientSecretCredentialOptions{ClientOptions: *clientOpts}
+-	return azidentity.NewClientSecretCredential(oAuthConfig.TenantID, oAuthConfig.ClientID, oAuthConfig.ClientSecret, opts)
++	return azidentity.NewClientSecretCredential(oAuthConfig.TenantID, oAuthConfig.ClientID, string(oAuthConfig.ClientSecret), opts)
+ }
+ 
+ // newTokenProvider helps to fetch accessToken for different types of credential. This also takes care of
+-- 
+2.45.4
+

SPECS/telegraf/telegraf.spec

@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.31.0
-Release:        21%{?dist}
+Release:        22%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -49,6 +49,8 @@ Patch32:        CVE-2026-42506.patch
 Patch33:        CVE-2026-42508.patch
 Patch34:        CVE-2026-46597.patch
 Patch35:        CVE-2026-27136.patch
+Patch36:        CVE-2026-41889.patch
+Patch37:        CVE-2026-42151.patch
 
 BuildRequires:  golang
 BuildRequires:  systemd-devel
@@ -113,6 +115,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Thu May 28 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.31.0-22
+- Patch for CVE-2026-41889, CVE-2026-42151
+
 * Wed May 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.31.0-21
 - Patch for CVE-2026-46597, CVE-2026-42508, CVE-2026-42506, CVE-2026-39834, CVE-2026-39832, CVE-2026-39830, CVE-2026-39829, CVE-2026-39821, CVE-2026-27136