46 changes: 46 additions & 0 deletions SPECS/ignition-flatcar/CVE-2026-27141.patch
@@ -0,0 +1,46 @@
From db9b39ea4a35a9367797791c4da2d2f0bf700775 Mon Sep 17 00:00:00 2001
From: Konnyaku <beifengxuanxiao@126.com>
Date: Tue, 17 Feb 2026 21:23:54 +0800
Subject: [PATCH] http2: fix nil panic in typeFrameParser for unassigned frame
types

The addition of FramePriorityUpdate (0x10) in RFC 9218 introduced a gap
in the frameParsers array indices (0x0a-0x0f). These indices were
initialized to nil, causing a panic when typeFrameParser accessed them
for unassigned frame types (e.g., ALTSVC 0x0a).

This change adds a nil check in typeFrameParser to safely fallback to
parseUnknownFrame for these unassigned types, preventing the crash.

Fixes golang/go#77652

Change-Id: I14d7ad85afc1eafabc46417a9fff10f9e0a22446
Reviewed-on: https://go-review.googlesource.com/c/net/+/746180
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/golang/net/commit/19f580fd686a6bb31d4af15febe789827169bc26.patch
---
vendor/golang.org/x/net/http2/frame.go | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
index db3264d..4642564 100644
--- a/vendor/golang.org/x/net/http2/frame.go
+++ b/vendor/golang.org/x/net/http2/frame.go
@@ -139,7 +139,9 @@ var frameParsers = [...]frameParser{

func typeFrameParser(t FrameType) frameParser {
if int(t) < len(frameParsers) {
- return frameParsers[t]
+ if f := frameParsers[t]; f != nil {
+ return f
+ }
}
return parseUnknownFrame
}
--
2.45.4
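
Review bot: the nil check added inside typeFrameParser only protects lookups that go through this function, while the frameParsers array still holds nil entries for the gap the commit message describes (0x0a-0x0f). Any other code in the vendored http2 package that indexes frameParsers directly would still hit the panic, so it is worth confirming with a search over vendor/golang.org/x/net/http2 that typeFrameParser is the only reader. The diffstat shows only frame.go changing (3 insertions, 1 deletion), so no test in this patch exercises an unassigned frame type; a line in the PR on how the fix was validated against the vendored copy would help.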

6 changes: 5 additions & 1 deletion SPECS/ignition-flatcar/ignition-flatcar.spec
Expand Up @@ -24,7 +24,7 @@ Version: 2.22.0
%global dracutlibdir %{_prefix}/lib/dracut

Name: ignition-flatcar
Release: 1%{?dist}
Release: 2%{?dist}
Vendor: Microsoft Corporation
Distribution: Azure Linux
Summary: First boot installer and configuration tool
Expand Down Expand Up @@ -53,6 +53,7 @@ Patch16: 0017-revert-internal-oem-drop-noop-OEMs.patch
Patch17: 0018-docs-Add-re-added-platforms-to-docs-to-pass-tests.patch
Patch18: 0019-usr-share-oem-oem.patch
Patch19: 0020-internal-exec-stages-mount-Mount-oem.patch
Patch20: CVE-2026-27141.patch

BuildRequires: libblkid-devel
BuildRequires: systemd-rpm-macros
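
Review bot: Patch20 is declared here, but the %prep lines that apply patches are outside this hunk. If the spec applies patches one by one rather than through %autosetup or %autopatch, CVE-2026-27141.patch would be listed and never applied, so a matching apply line is needed there. The patch paths start with a/vendor/golang.org/x/net/, so it needs strip level 1 and the vendor tree must already be unpacked when it runs.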
Expand Down Expand Up @@ -201,6 +202,9 @@ VERSION=%{version} GOARCH=%{goarch} ./test
%endif

%changelog
* Wed Apr 29 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.22.0-2
- Patch for CVE-2026-27141

* Fri Jan 16 2026 Sumit Jena <v-sumitjena@microsoft.com> - 2.22.0-1
- Initial Azure Linux import from the source project (license: same as "License" tag).
- License verified.
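
Review bot: the changelog entry "- Patch for CVE-2026-27141" does not say which component is patched. The fix lands in the vendored golang.org/x/net/http2 copy rather than in ignition's own code, so naming that in the entry (for example "- Patch vendored golang.org/x/net for CVE-2026-27141") would make later audits of the vendor tree easier. The 2.22.0-2 version string matches the Release bump earlier in the spec.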