Skip to content

[AutoPR- Security] Patch gawk for CVE-2026-40553, CVE-2026-40468, CVE-2026-40467 [MEDIUM]#18022

Open
azurelinux-security wants to merge 2 commits into
microsoft:3.0-devfrom
azurelinux-security:azure-autosec/gawk/3.0/1160392
Open

[AutoPR- Security] Patch gawk for CVE-2026-40553, CVE-2026-40468, CVE-2026-40467 [MEDIUM]#18022
azurelinux-security wants to merge 2 commits into
microsoft:3.0-devfrom
azurelinux-security:azure-autosec/gawk/3.0/1160392

Conversation

@azurelinux-security

@azurelinux-security azurelinux-security commented Jul 15, 2026

Copy link
Copy Markdown

Auto Patch gawk for CVE-2026-40553, CVE-2026-40468, CVE-2026-40467.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1160392&view=results

CVE-2026-40553 : Single Patch Backporter Pipeline Run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1160402&view=results
CVE-2026-40468 : Single Patch Backporter Pipeline Run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1160401&view=results
CVE-2026-40467 : Single Patch Backporter Pipeline Run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1160403&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
There may be pipelines that require an authorized user to comment /azp run to run.

@AkarshHCL

Copy link
Copy Markdown
  1. Changed from applying each patch one by one to using autosetup macro.
  2. Skipped the failing pma test due to reason-persistent memory allocator requires MAP_FIXED mmap which may not work reliably in chroot build environments.
    3.Tried local build after these fixes screenshot of successful build-
image 4. Patches are also getting applied cleanly - Screenshot 2026-07-16 142501 5. Did changes to AI backported patches which Ai missed , to make them in sync with upstream patches.

@v-aaditya

v-aaditya commented Jul 16, 2026

Copy link
Copy Markdown

Peer-Review -

  1. All the 3 CVEs affect the gawk package version 5.2.2 as it is in affected range of <= 5.4.0 and affected files and functions are present in current source.
  2. All the 3 AI patches after modification, completely match with upstream patches respectively.
  3. AI patches have respective upstream patch references.
  4. Local build is successful and patches apply cleanly.
  5. Re-triggered the Buddy Build.
  6. LGTM. Need to look into circular dependency issue. PR can be opened for review once the Buddy Build has passed.

@AkarshHCL
AkarshHCL force-pushed the azure-autosec/gawk/3.0/1160392 branch from 0ad57d0 to b5e5c69 Compare July 16, 2026 11:58
@Kanishk-Bansal
Kanishk-Bansal marked this pull request as ready for review July 17, 2026 07:04
@Kanishk-Bansal
Kanishk-Bansal requested a review from a team as a code owner July 17, 2026 07:04
@Kanishk-Bansal

Copy link
Copy Markdown

/azurepipelines run

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
Successfully started running 1 pipeline(s).
2 pipeline(s) were filtered out due to trigger conditions.

@Kanishk-Bansal Kanishk-Bansal left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM

  • Buddy Build 
  • patch applied during the build (check rpm.log)
  • patch include an upstream reference
  • PR has security tag

Comment thread SPECS/gawk/gawk.spec
sed -i 's/ pty1 / /' test/Makefile
# Skip pma test - persistent memory allocator requires MAP_FIXED mmap
# which may not work reliably in chroot build environments
sed -i 's/$(MAKE) $(NEED_PMA)/echo "skipping pma test"/' test/Makefile

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

skipping is the only solution to test failures because of chroot restrictions

@Kanishk-Bansal Kanishk-Bansal added the ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review label Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

3.0-dev PRs Destined for AzureLinux 3.0 AI Backport AutoPR-Security Packaging ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review security

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants