
[AutoPR- Security] Patch cloud-provider-kubevirt for CVE-2026-42502, CVE-2026-25681, CVE-2026-25680 [MEDIUM]#17575

Merged
kgodara912 merged 1 commit into microsoft:3.0-dev from azurelinux-security:azure-autosec/cloud-provider-kubevirt/3.0/1130142 on Jun 3, 2026

Conversation


@azurelinux-security azurelinux-security commented Jun 1, 2026

Auto Patch cloud-provider-kubevirt for CVE-2026-42502, CVE-2026-25681, CVE-2026-25680.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1130142&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@azurelinux-security (Author)

🔒 CVE Patch Review: CVE-2026-25680, CVE-2026-25681, CVE-2026-42502

PR #17575 — [AutoPR- Security] Patch cloud-provider-kubevirt for CVE-2026-42502, CVE-2026-25681, CVE-2026-25680 [MEDIUM]
Package: cloud-provider-kubevirt | Branch: 3.0-dev


Spec File Validation

Check: Detail
Release bump: Release bumped 4 → 5
Patch entry: Patch entries added: ['CVE-2026-25680.patch', 'CVE-2026-25681.patch', 'CVE-2026-42502.patch'] (covers ['CVE-2026-25680', 'CVE-2026-25681', 'CVE-2026-42502'])
Patch application: %autosetup/%autopatch found in full spec — patches applied automatically
Changelog: Changelog entry looks good
Signatures: No source tarball changes — signatures N/A
Manifests: Not a toolchain PR — manifests N/A

Build Verification

Build log analysis was skipped (no build ID available).


Patch Analysis

  • Match type: backport
  • Risk assessment: low
  • Summary:
    • The PR applies the upstream fix verbatim to the vendored path vendor/golang.org/x/net/html/parse.go: it imports cmp and slices, adds attrCompare, sorts attributes before comparison, replaces the cubic attribute matching with slices.Equal, and sorts the top element’s attributes before appending. Aside from packaging metadata and file path differences due to vendoring, the code changes are identical to upstream.
    • The PR applies the same fix as upstream to the vendored golang.org/x/net/html package: it replaces writeQuoted with writeDoctypeQuoted for DOCTYPE PUBLIC/SYSTEM identifiers, adds escaping of '>' to '&gt;' within those quoted identifiers, and errors if both quote types appear. A matching test file is added. Differences are limited to file paths and context/line numbers due to vendoring, with no missing hunks.
    • The PR applies the upstream functional fix to vendor/golang.org/x/net/html/render.go by adding the same ancestor-namespace and htmlIntegrationPoint check in childTextNodesAreLiteral for raw-text elements. This ensures foster-parented nodes in foreign content are rendered with escaped text when appropriate. The PR omits only the upstream test additions and a test blacklist change, which do not affect runtime behavior.
  • Missing hunks:
    • Addition to html/parse_test.go: renderTestBlacklist updated to include '<style>' due to fostering behavior.
    • New test html/render_test.go: TestRenderFosteredForeignContent to validate the escaping behavior for fostered foreign content.
    • New test data file html/testdata/go/fostered_foreign_content.dat used by parser/render tests.
    • Detailed analysis
      1. Core fix equivalence: The PR introduces the same optimizations as upstream to the HTML parser’s formatting element handling. It adds imports for cmp and slices, defines attrCompare to provide a stable sort order for attributes (Namespace, Key, Val), sorts the current token’s attributes prior to the Noah’s Ark identical-element search, replaces the nested attribute comparison with slices.Equal, and sorts the attributes of the element being appended to the active formatting elements (AFE) stack. These changes match upstream line-for-line in logic.

      2. Differences: The only differences are non-functional: the PR patch is stored under SPECS as a packaging patch and modifies the vendored file path vendor/golang.org/x/net/html/parse.go instead of html/parse.go. It also includes distribution-specific Signed-off-by and Upstream-reference headers. The code hunks themselves are identical to upstream.

      3. Missing hunks: Upstream modified only html/parse.go; the PR modifies the corresponding vendored file with no omissions. No tests or other files were part of the upstream patch, so nothing is missing.

      4. Risk of incompleteness/regressions: Low. The logic is equivalent but significantly more efficient. Attributes are sorted before equality checks, ensuring set-equivalence while improving performance. The patch also ensures AFE entries are stored with sorted attributes, so future comparisons are consistent. The primary potential build risk is dependency on Go’s standard library packages cmp and slices (Go 1.21+), but this mirrors upstream’s change and is expected. Functionally, the behavior remains correct and more performant.

      5. Backport/context safety: While applied to a vendored path, the surrounding context and hunks match upstream, indicating a clean transplant without adjustments that could alter behavior.


      Comparison shows the PR patch mirrors the upstream changes in function and behavior:

      • In render.go, all calls to writeQuoted for DOCTYPE PUBLIC/SYSTEM identifiers are replaced with writeDoctypeQuoted, exactly as upstream.
      • The helper function is renamed to writeDoctypeQuoted and updated to:
        • Use single quotes if a double quote is present, and explicitly reject strings containing both quote types by returning an error.
        • Replace any '>' characters with '&gt;' before writing, preventing the abrupt-doctype-system-identifier parse error.
      • Comments are updated to match upstream, documenting the escape behavior and rationale.
      • The test file doctype_named_entity.dat is added under the vendor path with identical contents to upstream.

      Path differences (vendor/golang.org/x/net/...) and slightly different context line numbers indicate application to a vendored snapshot, consistent with a backport. No upstream hunks are missing, and no extra changes are introduced. Imports are not shown in the diff; upstream did not adjust imports either, implying errors and strings were already present in the target file. The change is narrowly scoped to DOCTYPE identifier rendering and matches upstream semantics, making regression risk low. The added rejection of mixed-quote identifiers only affects invalid/constructed Nodes and is consistent with upstream’s safety checks.

      Core functional change: Both upstream and PR modify childTextNodesAreLiteral in html/render.go to handle foster-parented nodes correctly. Specifically, within the case for raw-text elements (iframe, noembed, noframes, noscript, plaintext, script, style, xmp), they add a loop that climbs ancestors until a node with a non-empty Namespace is found. If such an ancestor exists and is not an HTML integration point (htmlIntegrationPoint returns false), the function returns false, forcing escaped text rather than raw text. If the ancestor is an integration point (or none is found), the function retains the prior behavior and returns true. The PR’s inserted code block matches the upstream hunk line-for-line in logic and placement, including the same element list and the same ancestor traversal and integration point checks. Context lines (the initial n.Namespace != "" early return and the surrounding switch) align, indicating safe application against the vendored version. Differences from upstream: The PR patch applies only to vendor/golang.org/x/net/html/render.go inside the cloud-provider-kubevirt source tree and does not include upstream’s test changes (parse_test.go blacklist entry, a new render test, and a new testdata file). These omissions are test-only and do not affect the runtime fix. Potential compatibility considerations: The change depends on htmlIntegrationPoint being present and semantically consistent in the vendored x/net/html package; given the context and file paths, this is expected. No other parts of the codebase were modified, and no additional functional hunks from upstream are missing. Overall, this is a faithful backport of the security fix, with low risk of regressions.


      Verdict

      APPROVED — All checks passed. Ready to merge.
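The sorted attribute comparison described in the review above, as an added Go example that is not code from the PR, from golang.org/x/net or from cloud-provider-kubevirt. Attribute is a local stand-in with the same field shape as x/net/html's struct, identicalAttrsOld and identicalAttrsSorted are hypothetical names for the pre-fix and post-fix checks, and the attribute sets are constructed. The duplicate-attribute case illustrates the one-directional matching the review calls a subtle asymmetry; cmp.Or needs Go 1.22 or later.

```go
package main

import (
	"cmp"
	"fmt"
	"slices"
)

// Attribute mirrors the shape of golang.org/x/net/html.Attribute; it is a
// local copy (assumption) so the example runs without the vendored package.
type Attribute struct {
	Namespace, Key, Val string
}

// attrCompare is the stable ordering the fix introduces: compare Namespace,
// then Key, then Val. cmp.Or returns the first non-zero comparison result.
func attrCompare(a, b Attribute) int {
	return cmp.Or(
		cmp.Compare(a.Namespace, b.Namespace),
		cmp.Compare(a.Key, b.Key),
		cmp.Compare(a.Val, b.Val),
	)
}

// identicalAttrsOld reproduces the pre-fix matching as the review describes it:
// after a length check, every attribute of the stored element must have some
// matching attribute on the incoming token. That is quadratic per candidate
// element and, when an attribute repeats, only checks one direction.
func identicalAttrsOld(stored, incoming []Attribute) bool {
	if len(stored) != len(incoming) {
		return false
	}
compareAttributes:
	for _, t0 := range stored {
		for _, t1 := range incoming {
			if t0.Key == t1.Key && t0.Namespace == t1.Namespace && t0.Val == t1.Val {
				continue compareAttributes
			}
		}
		return false
	}
	return true
}

// sortedAttrs returns a copy of attrs ordered by attrCompare. The parser sorts
// the incoming token's attributes once before the search and an element's
// attributes before storing it in the active formatting elements list, so
// every later comparison sees two already sorted slices.
func sortedAttrs(attrs []Attribute) []Attribute {
	s := slices.Clone(attrs)
	slices.SortFunc(s, attrCompare)
	return s
}

// identicalAttrsSorted is the post-fix check: with both sides sorted,
// slices.Equal is a linear element-wise comparison and a true multiset
// equality (order independent, duplicates counted).
func identicalAttrsSorted(stored, incoming []Attribute) bool {
	return slices.Equal(sortedAttrs(stored), sortedAttrs(incoming))
}

func main() {
	// Constructed attribute sets for illustration.
	base := []Attribute{{Key: "class", Val: "x"}, {Key: "id", Val: "y"}}
	reordered := []Attribute{{Key: "id", Val: "y"}, {Key: "class", Val: "x"}}
	dup := []Attribute{{Key: "class", Val: "x"}, {Key: "class", Val: "x"}}

	fmt.Println("reordered  old:", identicalAttrsOld(base, reordered), "sorted:", identicalAttrsSorted(base, reordered))
	// The pre-fix loop is asymmetric when attributes repeat: dup vs base passes
	// (both dup entries find class=x) while base vs dup fails (id=y is unmatched).
	fmt.Println("dup,base   old:", identicalAttrsOld(dup, base), "sorted:", identicalAttrsSorted(dup, base))
	fmt.Println("base,dup   old:", identicalAttrsOld(base, dup), "sorted:", identicalAttrsSorted(base, dup))
}
```

Running it shows the reordered set matching under both checks, and the duplicate case accepted by the old loop in one direction only while the sorted comparison rejects it both ways.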

@azurelinux-security (Author)

🔒 CVE Patch Review: CVE-2026-25680, CVE-2026-25681, CVE-2026-42502

PR #17575 — [AutoPR- Security] Patch cloud-provider-kubevirt for CVE-2026-42502, CVE-2026-25681, CVE-2026-25680 [MEDIUM]
Package: cloud-provider-kubevirt | Branch: 3.0-dev


Spec File Validation

Check: Detail
Release bump: Release bumped 4 → 5
Patch entry: Patch entries added: ['CVE-2026-25680.patch', 'CVE-2026-25681.patch', 'CVE-2026-42502.patch'] (covers ['CVE-2026-25680', 'CVE-2026-25681', 'CVE-2026-42502'])
Patch application: %autosetup/%autopatch found in full spec — patches applied automatically
Changelog: Changelog entry looks good
Signatures: No source tarball changes — signatures N/A
Manifests: Not a toolchain PR — manifests N/A

Build Verification

Build log analysis was skipped (no build ID available).


Patch Analysis

  • Match type: backport
  • Risk assessment: low
  • Summary:
    • The PR applies the upstream change verbatim to the vendored x/net/html parser: it adds cmp and slices imports, introduces attrCompare, sorts the new element’s attributes, replaces the cubic attribute comparison with slices.Equal, and sorts the top node’s attributes before appending. Aside from path and packaging metadata differences, the code hunks match upstream exactly.
    • The PR applies the upstream fix to the vendored golang.org/x/net/html package, changing DOCTYPE identifier rendering to escape '>' as &gt;, renaming writeQuoted to writeDoctypeQuoted, updating all call sites, and adding the same test file. Apart from path and context/line differences consistent with a vendored backport, the changes are functionally identical to upstream.
    • The PR applies the upstream functional change to golang.org/x/net/html's childTextNodesAreLiteral in the vendored tree, adding the ancestor-namespace and HTML integration point check so that raw-text elements (e.g., style, script) are not rendered as literal when fostered into foreign content. Test additions and related testdata from upstream are not included, which is typical for a vendor backport.
  • Missing hunks:
    • Addition to html/parse_test.go renderTestBlacklist for the fostered foreign content case
    • New test TestRenderFosteredForeignContent in html/render_test.go
    • New test data file html/testdata/go/fostered_foreign_content.dat
Detailed analysis

Core change parity:

  • Imports: Both patches add imports for "cmp" and "slices" alongside existing imports.
  • New helper: attrCompare(a, b Attribute) using cmp.Or and cmp.Compare for Namespace, Key, Val is present in both.
  • Sorting new token attrs: In addFormattingElement, both sort the local attr slice with slices.SortFunc(attr, attrCompare) before comparisons.
  • Equality check: The nested O(n^2) attribute matching loop guarded by len equality is replaced with if !slices.Equal(n.Attr, attr) { continue findIdenticalElements } in both patches, moving to an O(n log n) + O(n) approach with sorted attributes.
  • Sorting the top node’s attributes: After finding identical elements, both patches fetch top := p.top(), sort top.Attr with slices.SortFunc, and then append top to p.afe, ensuring future comparisons are efficient and consistent.

Context/path differences:

  • Upstream modifies html/parse.go in the x/net/html module; the PR applies the same hunks to vendor/golang.org/x/net/html/parse.go within the cloud-provider-kubevirt source tree and wraps it as a SPEC patch file. This is expected in a packaged vendored dependency and does not change semantics.
  • Additional metadata (Signed-off-by, Upstream-reference) in the PR patch header is packaging-related and does not affect code.

Completeness:

  • No hunks from the upstream change are missing. All functional changes are present in the PR with identical logic and placement.

Risk assessment:

  • Low from a functional standpoint: the logic is identical to upstream and addresses both the performance issue and the subtle correctness asymmetry of the previous comparison by performing a proper sorted equality check.
  • The only potential build-time consideration is that the change uses standard library packages "cmp" and "slices" (introduced in Go 1.21). If the package is built with an older Go toolchain, compilation would fail. Assuming a modern Go toolchain (typical in 2026), this is not a concern.

Comparison shows the PR patch mirrors the upstream commit in substance. In vendor/golang.org/x/net/html/render.go, all three call sites in render1 that previously used writeQuoted now call writeDoctypeQuoted for PUBLIC and SYSTEM identifiers, matching upstream. The helper function is renamed from writeQuoted to writeDoctypeQuoted and gains the same new behavior: it escapes all '>' characters via strings.ReplaceAll(s, ">", "&gt;") to avoid abrupt-doctype-system-identifier parse errors, and it adds a safety check returning errors.New("doctype contains both quote types, cannot be safely rendered") if both quote types appear. The comments around the function are updated identically. The context/line numbers differ slightly (-251 vs -267), which is expected in a backport, but the code inside the hunks is the same. The PR also adds vendor/golang.org/x/net/html/testdata/go/doctype_named_entity.dat with the exact contents from upstream. No upstream hunks are missing, and there are no extra behavioral changes. As this is a straightforward backport to a vendored copy, the risk is low and equivalent to upstream; the only potential consideration is that the file already imported strings (as used before) and errors is commonly imported in render.go, which upstream also relied upon without altering imports. The fix should prevent sanitizer bypass via '>' in DOCTYPE identifiers without introducing regressions beyond rejecting malformed nodes with both quote types, exactly as upstream intended.

Core fix comparison: The upstream patch changes html/render.go in childTextNodesAreLiteral to handle fostered nodes whose effective context is a non-HTML namespace. Specifically, for raw-text elements (iframe, noembed, noframes, noscript, plaintext, script, style, xmp), it walks up ancestor nodes until it finds a non-empty namespace; if found and the ancestor is not an HTML integration point, it returns false (i.e., do not treat child text nodes as literal). This prevents emitting raw, unescaped text when such elements are fostered into foreign content. The PR patch applies exactly this logic in vendor/golang.org/x/net/html/render.go with identical code: same switch cases, same ancestor walk, same htmlIntegrationPoint(p) guard, same return values, and equivalent whitespace/context. Differences vs upstream: The PR only modifies the vendored render.go and does not include the upstream test changes (parse_test.go blacklist entry, a new render test, and a new .dat test file). This is expected in a packaging backport where tests are not shipped or run. No other behavioral changes are present. Preconditions/compatibility: The change relies on htmlIntegrationPoint existing in the vendored version; this function is part of x/net/html and is used identically upstream for integration point determination, so compatibility risk is low. Security impact: The fix closes the hole where fostered raw-text elements in foreign content could be treated as literal, potentially allowing unescaped content. Risk of regression is low because the new logic only affects cases where an ancestor has a non-empty namespace and is not an HTML integration point; in normal HTML trees behavior is unchanged. Overall, the PR is a faithful backport of the upstream fix without tests.


Verdict

APPROVED — All checks passed. Ready to merge.
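The DOCTYPE identifier escaping the review above describes, as an added Go example that is neither the PR's nor x/net/html's code. writeQuoted and writeDoctypeQuoted follow the before and after behaviour the review lays out; renderDoctype is a constructed stand-in for the DOCTYPE branch of render1, and doctypeTail models only the tokenizer rule the review cites, that a '>' ends a DOCTYPE token even inside a quoted identifier, so anything it returns is identifier content that would be re-parsed as markup. The sample identifier is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// writeQuoted is the pre-fix helper as the review describes it: choose the
// quote character and write the identifier verbatim.
func writeQuoted(w *strings.Builder, s string) {
	q := byte('"')
	if strings.Contains(s, `"`) {
		q = '\''
	}
	w.WriteByte(q)
	w.WriteString(s)
	w.WriteByte(q)
}

// writeDoctypeQuoted follows the backported behaviour: single quotes when a
// double quote is present, an error when both quote kinds appear, and every
// '>' replaced by "&gt;" so the identifier cannot end the DOCTYPE token early.
func writeDoctypeQuoted(w *strings.Builder, s string) error {
	q := byte('"')
	if strings.Contains(s, `"`) {
		q = '\''
		if strings.Contains(s, `'`) {
			return errors.New("doctype contains both quote types, cannot be safely rendered")
		}
	}
	s = strings.ReplaceAll(s, ">", "&gt;")
	w.WriteByte(q)
	w.WriteString(s)
	w.WriteByte(q)
	return nil
}

// renderDoctype is a constructed stand-in for the DOCTYPE branch of render1:
// <!DOCTYPE name PUBLIC "public" "system"> or <!DOCTYPE name SYSTEM "system">.
// escape selects the pre-fix (false) or post-fix (true) quoting helper.
func renderDoctype(name, public, system string, escape bool) (string, error) {
	var w strings.Builder
	write := func(s string) error {
		if escape {
			return writeDoctypeQuoted(&w, s)
		}
		writeQuoted(&w, s)
		return nil
	}
	w.WriteString("<!DOCTYPE ")
	w.WriteString(name)
	if public != "" {
		w.WriteString(" PUBLIC ")
		if err := write(public); err != nil {
			return "", err
		}
		if system != "" {
			w.WriteByte(' ')
			if err := write(system); err != nil {
				return "", err
			}
		}
	} else if system != "" {
		w.WriteString(" SYSTEM ")
		if err := write(system); err != nil {
			return "", err
		}
	}
	w.WriteByte('>')
	return w.String(), nil
}

// doctypeTail models the single tokenizer rule the review refers to: inside a
// DOCTYPE, a '>' ends the token even within a quoted identifier (the
// abrupt-doctype-system-identifier parse error). It returns the text the
// tokenizer would hand to the data state after the token; anything non-empty
// is identifier content that escaped the DOCTYPE and would be parsed as markup.
func doctypeTail(rendered string) string {
	i := strings.IndexByte(rendered, '>')
	if i < 0 {
		return ""
	}
	return rendered[i+1:]
}

func main() {
	// Constructed system identifier; the embedded '>' is the interesting part.
	const sys = "http://example.invalid/dtd>leaked"
	before, _ := renderDoctype("html", "", sys, false)
	after, _ := renderDoctype("html", "", sys, true)
	fmt.Printf("before: %s\n  after the token: %q\n", before, doctypeTail(before))
	fmt.Printf("after:  %s\n  after the token: %q\n", after, doctypeTail(after))
}
```

With the pre-fix writer the text after the first '>' is non-empty, which is the re-parse mismatch the escaping closes; with the post-fix writer the whole identifier stays inside the token, and a node carrying both quote kinds is rejected instead of being rendered.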

@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review June 1, 2026 06:25
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner June 1, 2026 06:25
@Kanishk-Bansal Kanishk-Bansal left a comment

Patch Analysis (matches upstream, test files omitted)
In the prep section we can't make it one command: I tried to build, but the current vendor directory is getting overridden and causing build failures, so we need to keep the current logic to rm -rf vendor.

  • Buddy Build
  • Patch applied during the build (check rpm.log)
  • Patch includes an upstream reference
  • PR has security tag

@Kanishk-Bansal Kanishk-Bansal added the ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review label Jun 2, 2026

@kgodara912 kgodara912 left a comment

All 3 patches match their respective upstream references except the last, where tests are omitted as vendor tarballs don't have test files. Buddy build is successful. PR checks are known failures with recent twisted changes. LGTM.
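The last of the three patches referred to above (the childTextNodesAreLiteral change analysed earlier in this thread), as an added Go example that is not the PR's or x/net/html's code. Node, elem, text, renderChildText and styleUnder are a constructed reduced model of the parser's tree and renderer; htmlIntegrationPoint follows the x/net/html rule for SVG and MathML integration points; childTextNodesAreLiteralOld and childTextNodesAreLiteral are hypothetical names for the pre-fix and post-fix decisions, and the sample trees and text are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Attribute and Node are a reduced model of golang.org/x/net/html's Node with
// only what the literal-text decision reads (assumption: a local copy).
type Attribute struct{ Namespace, Key, Val string }
type Node struct {
	Parent    *Node
	Children  []*Node
	Text      bool   // true for a text node, false for an element
	Data      string // element name, or the text of a text node
	Namespace string // "" for HTML, "svg" or "math" for foreign content
	Attr      []Attribute
}

// elem and text are constructed tree builders; elem links children to it.
func elem(ns, name string, children ...*Node) *Node {
	n := &Node{Data: name, Namespace: ns, Children: children}
	for _, c := range children {
		c.Parent = n
	}
	return n
}
func text(s string) *Node { return &Node{Text: true, Data: s} }

// htmlIntegrationPoint follows the x/net/html rule: SVG desc, foreignObject and
// title, and MathML annotation-xml with an HTML encoding, resume HTML parsing.
func htmlIntegrationPoint(n *Node) bool {
	switch n.Namespace {
	case "math":
		for _, a := range n.Attr {
			if v := strings.ToLower(a.Val); n.Data == "annotation-xml" && a.Key == "encoding" && (v == "text/html" || v == "application/xhtml+xml") {
				return true
			}
		}
	case "svg":
		return n.Data == "desc" || n.Data == "foreignObject" || n.Data == "title"
	}
	return false
}

// rawTextElement reports whether n is an HTML-namespace raw-text element.
func rawTextElement(n *Node) bool {
	switch n.Data {
	case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
		return !n.Text && n.Namespace == ""
	}
	return false
}

// childTextNodesAreLiteralOld is the pre-fix decision: every raw-text element
// emits its text verbatim regardless of where it sits in the tree.
func childTextNodesAreLiteralOld(n *Node) bool { return rawTextElement(n) }

// childTextNodesAreLiteral adds the backported check: climb to the nearest
// ancestor with a namespace; if there is one and it is not an HTML integration
// point, the element was fostered into foreign content and its text is escaped.
func childTextNodesAreLiteral(n *Node) bool {
	if !rawTextElement(n) {
		return false
	}
	for p := n.Parent; p != nil; p = p.Parent {
		if p.Namespace != "" {
			return htmlIntegrationPoint(p)
		}
	}
	return true
}

// escapeText is a simplified stand-in for x/net/html's text escaping.
var escapeText = strings.NewReplacer("&", "&amp;", "<", "&lt;", ">", "&gt;", `"`, "&#34;", "'", "&#39;")

// renderChildText emits n's text children the way the renderer would choose:
// verbatim when literal reports true for n, escaped otherwise.
func renderChildText(n *Node, literal func(*Node) bool) string {
	var b strings.Builder
	for _, c := range n.Children {
		if c.Text && literal(n) {
			b.WriteString(c.Data)
		} else if c.Text {
			b.WriteString(escapeText.Replace(c.Data))
		}
	}
	return b.String()
}

// styleUnder returns a <style> with constructed text as a child of the given
// element; the parent's namespace decides whether it sits in foreign content.
func styleUnder(parentNS, parentName string) *Node {
	style := elem("", "style", text("a < b"))
	elem(parentNS, parentName, style)
	return style
}

func main() {
	s := styleUnder("svg", "svg")
	fmt.Printf("before %q, after %q\n", renderChildText(s, childTextNodesAreLiteralOld), renderChildText(s, childTextNodesAreLiteral))
}
```

A style element under a plain div or under an svg title (an integration point) renders its text verbatim under both versions; only the style sitting directly in foreign content switches to escaped output, which is the narrow scope the review notes as the reason regression risk is low.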

@kgodara912 kgodara912 merged commit fae9727 into microsoft:3.0-dev Jun 3, 2026
28 of 31 checks passed

Labels

  • 3.0-dev (PRs Destined for AzureLinux 3.0)
  • AutoPR-Security
  • Packaging
  • ready-for-stable-review (PR has passed initial review and is now ready for a second-level stable maintainer review)
  • security

3 participants