From f62bb189358be4d129821789033b8e7e6a594a00 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
 <azurelinux-security@microsoft.com>
Date: Fri, 27 Mar 2026 06:50:51 +0000
Subject: [PATCH] Patch terraform for CVE-2026-4645

---
 SPECS/terraform/CVE-2026-4645.patch | 34 +++++++++++++++++++++++++++++
 SPECS/terraform/terraform.spec      |  6 ++++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/terraform/CVE-2026-4645.patch

diff --git a/SPECS/terraform/CVE-2026-4645.patch b/SPECS/terraform/CVE-2026-4645.patch
new file mode 100644
index 00000000000..a2db9f0f978
--- /dev/null
+++ b/SPECS/terraform/CVE-2026-4645.patch
@@ -0,0 +1,34 @@
+From 23302c7c2835c78efa0d218d66a0e2aa1f6a9a02 Mon Sep 17 00:00:00 2001
+From: zhengchun <zhengchunster@gmail.com>
+Date: Sat, 21 Feb 2026 21:32:17 +0800
+Subject: [PATCH] fix #121
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494.patch
+---
+ vendor/github.com/antchfx/xpath/query.go | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/vendor/github.com/antchfx/xpath/query.go b/vendor/github.com/antchfx/xpath/query.go
+index 47f8076..61cdaa2 100644
+--- a/vendor/github.com/antchfx/xpath/query.go
++++ b/vendor/github.com/antchfx/xpath/query.go
+@@ -677,15 +677,6 @@ type logicalQuery struct {
+ }
+ 
+ func (l *logicalQuery) Select(t iterator) NodeNavigator {
+-	// When a XPath expr is logical expression.
+-	node := t.Current().Copy()
+-	val := l.Evaluate(t)
+-	switch val.(type) {
+-	case bool:
+-		if val.(bool) == true {
+-			return node
+-		}
+-	}
+ 	return nil
+ }
+ 
+-- 
+2.45.4
+
diff --git a/SPECS/terraform/terraform.spec b/SPECS/terraform/terraform.spec
index 5803b77f4f4..93adfc1010d 100644
--- a/SPECS/terraform/terraform.spec
+++ b/SPECS/terraform/terraform.spec
@@ -1,7 +1,7 @@
 Summary:        Infrastructure as code deployment management tool
 Name:           terraform
 Version:        1.3.2
-Release:        29%{?dist}
+Release:        30%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -42,6 +42,7 @@ Patch11:        CVE-2023-48795.patch
 Patch12:        CVE-2025-58058.patch
 Patch13:        CVE-2025-11065.patch
 Patch14:        CVE-2025-47911.patch
+Patch15:        CVE-2026-4645.patch
 
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -72,6 +73,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./terraform
 %{_bindir}/terraform
 
 %changelog
+* Fri Mar 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.3.2-30
+- Patch for CVE-2026-4645
+
 * Wed Feb 18 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.3.2-29
 - Patch for CVE-2025-47911