[AutoPR- Security] Patch kf-kcoreaddons for CVE-2026-41526 [MEDIUM]

[azurelinux-security]

Auto Patch kf-kcoreaddons for CVE-2026-41526.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1107272&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?

• Auto Patch kf-kcoreaddons for CVE-2026-41526 (MEDIUM).

Change Log

• CVE-2026-41526

Does this affect the toolchain?

YES/NO

Associated issues

• N/A

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2026-41526

Test Methodology

• Pipeline build id: Buddy Build URL

[Kanishk-Bansal]

Build

[AkarshHCL]

Buddy Build is successful.

[azurelinux-security]

🔒 CVE Patch Review: CVE-2026-41526

PR #16992 — [AutoPR- Security] Patch kf-kcoreaddons for CVE-2026-41526 [MEDIUM]
Package: kf-kcoreaddons | Branch: 3.0-dev

---

Spec File Validation

Check	Status	Detail
Release bump	✅	Release bumped 1 → 2
Patch entry	✅	Patch entries added: ['CVE-2026-41526.patch'] (covers ['CVE-2026-41526'])
Patch application	✅	%autosetup found — all patches applied automatically
Changelog	✅	Changelog entry looks good
Signatures	✅	No source tarball changes — signatures N/A
Manifests	✅	Not a toolchain PR — manifests N/A

---

Build Verification

• Build status: ✅ PASSED
• Artifact downloaded: ✅
• CVE applied during build: ✅
• Warnings (20):
  • L247: time="2026-05-05T09:39:46Z" level=debug msg="CMake Warning:"
  • L350: time="2026-05-05T09:39:48Z" level=debug msg="CMake Warning:"
  • L2744: time="2026-05-05T09:39:58Z" level=debug msg="/usr/src/azl/BUILD/kcoreaddons-v5.249.0/src/lib/text/kstringhandler.cpp:132:65: warning: 'QRegularExpressionMatchIterator QRegularExpression::globalMatch(QStringView, qsizetype, MatchType, MatchOptions) const' is deprecated: Use globalMatchView instead. [-Wdeprecated-declarations]"
  • L2759: time="2026-05-05T09:39:59Z" level=debug msg="/usr/src/azl/BUILD/kcoreaddons-v5.249.0/src/lib/util/kformatprivate.cpp:389:72: warning: arithmetic between enumeration type 'TimeConstants' and floating-point type 'double' is deprecated [-Wdeprecated-enum-float-conversion]"
  • L2762: time="2026-05-05T09:39:59Z" level=debug msg="/usr/src/azl/BUILD/kcoreaddons-v5.249.0/src/lib/util/kformatprivate.cpp:392:74: warning: arithmetic between enumeration type 'TimeConstants' and floating-point type 'double' is deprecated [-Wdeprecated-enum-float-conversion]"
  • L2765: time="2026-05-05T09:39:59Z" level=debug msg="/usr/src/azl/BUILD/kcoreaddons-v5.249.0/src/lib/util/kformatprivate.cpp:395:78: warning: arithmetic between enumeration type 'TimeConstants' and floating-point type 'double' is deprecated [-Wdeprecated-enum-float-conversion]"
  • L2768: time="2026-05-05T09:39:59Z" level=debug msg="/usr/src/azl/BUILD/kcoreaddons-v5.249.0/src/lib/util/kformatprivate.cpp:398:78: warning: arithmetic between enumeration type 'TimeConstants' and floating-point type 'double' is deprecated [-Wdeprecated-enum-float-conversion]"
  • L2885: time="2026-05-05T09:40:04Z" level=debug msg="cc1plus: warning: /usr/include/qt6/QtCore/6.6.3: No such file or directory [-Wmissing-include-dirs]"
  • L2886: time="2026-05-05T09:40:04Z" level=debug msg="cc1plus: warning: /usr/include/qt6/QtCore/6.6.3/QtCore: No such file or directory [-Wmissing-include-dirs]"
  • L2887: time="2026-05-05T09:40:05Z" level=debug msg="cc1plus: warning: /usr/include/qt6/QtCore/6.6.3: No such file or directory [-Wmissing-include-dirs]"
  • … and 10 more

🤖 AI Build Log Analysis

• Risk: low
• Summary: The kf-kcoreaddons 5.249.0-2.azl3 package rebuilt successfully with the CVE-2026-41526 patch applied. The patch step ran in silent mode with fuzz disabled and did not report any failures, and the subsequent CMake build, install, and RPM packaging phases completed without compilation or linker errors. Tests were disabled (--nocheck). Final runtime, devel, and debuginfo RPMs were produced.
• AI-detected warnings:
  • Multiple RPM macro parsing warnings: '/usr/lib/rpm/macros.d/macros.releaseversions: Macro %azl_* needs whitespace before body' (repeated across several lines).
  • Bogus date in %changelog: 'Fri May 25 2023 ... - 5.61.0-4'.
  • Could not canonicalize hostname during rpmbuild environment setup.
  • During dependency setup: 'failed to link /etc/xdg/qtchooser/*.conf ... exists and it is not a symlink' (non-fatal, environment/configuration issue).

---

🧪 Test Log Analysis

• Test status: ❌ FAILED
• Test warnings (20):
  • L259: time="2026-05-05T09:40:10Z" level=debug msg="CMake Warning:"
  • L362: time="2026-05-05T09:40:12Z" level=debug msg="CMake Warning:"
  • L2756: time="2026-05-05T09:40:22Z" level=debug msg="/usr/src/azl/BUILD/kcoreaddons-v5.249.0/src/lib/text/kstringhandler.cpp:132:65: warning: 'QRegularExpressionMatchIterator QRegularExpression::globalMatch(QStringView, qsizetype, MatchType, MatchOptions) const' is deprecated: Use globalMatchView instead. [-Wdeprecated-declarations]"
  • L2771: time="2026-05-05T09:40:22Z" level=debug msg="/usr/src/azl/BUILD/kcoreaddons-v5.249.0/src/lib/util/kformatprivate.cpp:389:72: warning: arithmetic between enumeration type 'TimeConstants' and floating-point type 'double' is deprecated [-Wdeprecated-enum-float-conversion]"
  • L2774: time="2026-05-05T09:40:22Z" level=debug msg="/usr/src/azl/BUILD/kcoreaddons-v5.249.0/src/lib/util/kformatprivate.cpp:392:74: warning: arithmetic between enumeration type 'TimeConstants' and floating-point type 'double' is deprecated [-Wdeprecated-enum-float-conversion]"
  • L2777: time="2026-05-05T09:40:22Z" level=debug msg="/usr/src/azl/BUILD/kcoreaddons-v5.249.0/src/lib/util/kformatprivate.cpp:395:78: warning: arithmetic between enumeration type 'TimeConstants' and floating-point type 'double' is deprecated [-Wdeprecated-enum-float-conversion]"
  • L2780: time="2026-05-05T09:40:22Z" level=debug msg="/usr/src/azl/BUILD/kcoreaddons-v5.249.0/src/lib/util/kformatprivate.cpp:398:78: warning: arithmetic between enumeration type 'TimeConstants' and floating-point type 'double' is deprecated [-Wdeprecated-enum-float-conversion]"
  • L2897: time="2026-05-05T09:40:28Z" level=debug msg="cc1plus: warning: /usr/include/qt6/QtCore/6.6.3: No such file or directory [-Wmissing-include-dirs]"
  • L2898: time="2026-05-05T09:40:28Z" level=debug msg="cc1plus: warning: /usr/include/qt6/QtCore/6.6.3/QtCore: No such file or directory [-Wmissing-include-dirs]"
  • L2899: time="2026-05-05T09:40:28Z" level=debug msg="cc1plus: warning: /usr/include/qt6/QtCore/6.6.3: No such file or directory [-Wmissing-include-dirs]"

🤖 AI Test Log Analysis

• Risk: high
• Summary: The kf-kcoreaddons build completed, but the %check phase did not run any tests because the test harness attempted to use xvfb-run, which was not available in the chroot. As a result, the test suite was entirely skipped and the script reported an exit status of 0 despite not executing tests, leaving the CVE fix unvalidated.
• AI-detected test issues:
  • xvfb-run: command not found during %check; test suite invocation failed and no tests were executed
  • %check script printed EXIT STATUS 0 even though the test command failed, masking the lack of test execution

---

Patch Analysis

• Match type: backport
• Risk assessment: low
• Summary: The PR patch faithfully backports the upstream fix to KShell::quoteArg by removing Unicode control characters (QChar::Other_Control) before deciding whether to quote, and updating tests to reflect the removal of control characters. The implementation and expected behavior match upstream; differences are limited to minor test macro usage and pre-existing code style in the base (arg.length vs arg.isEmpty), indicating a typical backport adaptation.

Detailed analysis

Core fix equivalence:

• In src/lib/util/kshell_unix.cpp, both patches introduce a local variable 'quoted' initialized from 'arg', call quoted.removeIf with a lambda filtering QChar::Other_Control, and then:
  • Return "''" if quoted.isEmpty().
  • Iterate over quoted to detect special characters and apply single-quote escaping (replace(''', "'\''") wrapped in single quotes).
  • Return quoted when no special characters are present.
• This is functionally identical between upstream and PR. The PR starts from a base that used '!arg.length()' whereas upstream used 'arg.isEmpty()', but after patch both use 'quoted.isEmpty()'.

Tests:

• autotests/kshelltest.cpp gains the same new test cases for control characters and various Unicode inputs ("a\x01", "\x01", "a\x02", "a\x7f", emojis, and Japanese characters), confirming removal of control characters and correct handling of non-control Unicode.
• The splitJoin() test is updated to remove the ESC (\x1b) control character from the expected string, matching the behavior change.
• Minor differences: the PR uses QVERIFY(err == KShell::NoError) where upstream uses QCOMPARE(err, KShell::NoError). This is a trivial test macro difference with no impact on the fix.

Scope and completeness:

• No hunks are missing; all functional changes to quoteArg and all test updates from upstream are present.

Risk assessment:

• Low. The change removes control characters from arguments before quoting, which aligns with the security intent (preventing unexpected shell behavior due to control chars). Potential impact is limited to cases where code intentionally relied on control characters in shell arguments, which is uncommon and generally unsafe. The quoting logic remains unchanged aside from filtering, minimizing regression risk.

Context line differences:

• Index and surrounding context lines differ slightly due to base version differences (e.g., '!arg.length()' vs 'arg.isEmpty()'), consistent with a backport. The adapted lines are safe and equivalent in behavior after the patch is applied.

Raw diff (upstream vs PR)

--- upstream
+++ pr
@@ -1,71 +1,80 @@
-From 6153c9ae025fa570174bb4a143df38fa2f46606b Mon Sep 17 00:00:00 2001
-From: Tobias Fella <tobias.fella@kde.org>
-Date: Wed, 8 Apr 2026 16:08:02 +0200
-Subject: [PATCH] Remove control characters when quoting args Using these
- characters can lead to unexpected results.
-
----
- autotests/kshelltest.cpp     | 10 +++++++++-
- src/lib/util/kshell_unix.cpp | 15 ++++++++++-----
- 2 files changed, 19 insertions(+), 6 deletions(-)
-
-diff --git a/autotests/kshelltest.cpp b/autotests/kshelltest.cpp
-index 09dbe3f0..5a4f4709 100644
---- a/autotests/kshelltest.cpp
-+++ b/autotests/kshelltest.cpp
-@@ -79,6 +79,14 @@ void KShellTest::quoteArg()
-     QCOMPARE(KShell::quoteArg(QStringLiteral("a % space")), QStringLiteral("\"a %PERCENT_SIGN% space\""));
- #else
-     QCOMPARE(KShell::quoteArg(QStringLiteral("a space")), QStringLiteral("'a space'"));
-+    QCOMPARE(KShell::quoteArg(QStringLiteral("a\x01")), QStringLiteral("a"));
-+    QCOMPARE(KShell::quoteArg(QStringLiteral("\x01")), QStringLiteral("''"));
-+    QCOMPARE(KShell::quoteArg(QStringLiteral("a\x02")), QStringLiteral("a"));
-+    QCOMPARE(KShell::quoteArg(QStringLiteral("a\x7f")), QStringLiteral("a"));
-+    QCOMPARE(KShell::quoteArg(QStringLiteral("🫠")), QStringLiteral("🫠"));
-+    QCOMPARE(KShell::quoteArg(QStringLiteral("👩‍👩‍👧‍👦")), QStringLiteral("👩‍👩‍👧‍👦"));
-+    QCOMPARE(KShell::quoteArg(QStringLiteral("ひらがな")), QStringLiteral("ひらがな"));
-+    QCOMPARE(KShell::quoteArg(QStringLiteral("ひらがな\x1")), QStringLiteral("ひらがな"));
- #endif
- }
- 
-@@ -124,7 +132,7 @@ void KShellTest::splitJoin()
-     QCOMPARE(err, KShell::NoError);
- #else
-     QCOMPARE(sj(QString::fromUtf8("\"~qU4rK\" 'text' 'jo'\"jo\" $'crap' $'\\\\\\'\\e\\x21' ha\\ lo \\a"), KShell::NoOptions, &err),
--             QString::fromUtf8("'~qU4rK' text jojo crap '\\'\\''\x1b!' 'ha lo' a"));
-+             QString::fromUtf8("'~qU4rK' text jojo crap '\\'\\''!' 'ha lo' a"));
-     QCOMPARE(err, KShell::NoError);
- 
-     QCOMPARE(sj(QStringLiteral("\"~qU4rK\" 'text'"), KShell::TildeExpand, &err), QStringLiteral("'~qU4rK' text"));
-diff --git a/src/lib/util/kshell_unix.cpp b/src/lib/util/kshell_unix.cpp
-index e87afc8c..61c0aad4 100644
---- a/src/lib/util/kshell_unix.cpp
-+++ b/src/lib/util/kshell_unix.cpp
-@@ -294,14 +294,19 @@ inline static bool isSpecial(QChar cUnicode)
- 
- QString KShell::quoteArg(const QString &arg)
- {
--    if (arg.isEmpty()) {
-+    auto quoted = arg;
-+    quoted.removeIf([](const QChar &input) {
-+        return input.category() == QChar::Other_Control;
-+    });
-+    if (quoted.isEmpty()) {
-         return QStringLiteral("''");
-     }
--    for (int i = 0; i < arg.length(); i++) {
--        if (isSpecial(arg.unicode()[i])) {
+diff --git a/SPECS/kf-kcoreaddons/CVE-2026-41526.patch b/SPECS/kf-kcoreaddons/CVE-2026-41526.patch
+new file mode 100644
+index 00000000000..f6a3e31daeb
+--- /dev/null
++++ b/SPECS/kf-kcoreaddons/CVE-2026-41526.patch
+@@ -0,0 +1,74 @@
++From 33523981f61acf8e2a389f90031c6524576a18d9 Mon Sep 17 00:00:00 2001
++From: AllSpark <allspark@microsoft.com>
++Date: Fri, 1 May 2026 17:09:03 +0000
++Subject: [PATCH] Remove control characters when quoting args
 +
-+    for (int i = 0; i < quoted.length(); i++) {
-+        if (isSpecial(quoted.unicode()[i])) {
-             QChar q(QLatin1Char('\''));
--            return q + QString(arg).replace(q, QLatin1String("'\\''")) + q;
-+            return q + QString(quoted).replace(q, QLatin1String("'\\''")) + q;
-         }
-     }
--    return arg;
-+    return quoted;
- }
--- 
-GitLab
-
++Using these characters can lead to unexpected results.
++
++Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
++Upstream-reference: AI Backport of https://invent.kde.org/frameworks/kcoreaddons/-/commit/6153c9ae025fa570174bb4a143df38fa2f46606b.patch
++---
++ autotests/kshelltest.cpp     | 10 +++++++++-
++ src/lib/util/kshell_unix.cpp | 15 ++++++++++-----
++ 2 files changed, 19 insertions(+), 6 deletions(-)
++
++diff --git a/autotests/kshelltest.cpp b/autotests/kshelltest.cpp
++index e08bb91..afed14d 100644
++--- a/autotests/kshelltest.cpp
+++++ b/autotests/kshelltest.cpp
++@@ -78,6 +78,14 @@ void KShellTest::quoteArg()
++     QCOMPARE(KShell::quoteArg(QStringLiteral("a % space")), QStringLiteral("\"a %PERCENT_SIGN% space\""));
++ #else
++     QCOMPARE(KShell::quoteArg(QStringLiteral("a space")), QStringLiteral("'a space'"));
+++    QCOMPARE(KShell::quoteArg(QStringLiteral("a\x01")), QStringLiteral("a"));
+++    QCOMPARE(KShell::quoteArg(QStringLiteral("\x01")), QStringLiteral("''"));
+++    QCOMPARE(KShell::quoteArg(QStringLiteral("a\x02")), QStringLiteral("a"));
+++    QCOMPARE(KShell::quoteArg(QStringLiteral("a\x7f")), QStringLiteral("a"));
+++    QCOMPARE(KShell::quoteArg(QStringLiteral("🫠")), QStringLiteral("🫠"));
+++    QCOMPARE(KShell::quoteArg(QStringLiteral("👩‍👩‍👧‍👦")), QStringLiteral("👩‍👩‍👧‍👦"));
+++    QCOMPARE(KShell::quoteArg(QStringLiteral("ひらがな")), QStringLiteral("ひらがな"));
+++    QCOMPARE(KShell::quoteArg(QStringLiteral("ひらがな\x1")), QStringLiteral("ひらがな"));
++ #endif
++ }
++ 
++@@ -123,7 +131,7 @@ void KShellTest::splitJoin()
++     QVERIFY(err == KShell::NoError);
++ #else
++     QCOMPARE(sj(QString::fromUtf8("\"~qU4rK\" 'text' 'jo'\"jo\" $'crap' $'\\\\\\'\\e\\x21' ha\\ lo \\a"), KShell::NoOptions, &err),
++-             QString::fromUtf8("'~qU4rK' text jojo crap '\\'\\''\x1b!' 'ha lo' a"));
+++             QString::fromUtf8("'~qU4rK' text jojo crap '\\'\\''!' 'ha lo' a"));
++     QVERIFY(err == KShell::NoError);
++ 
++     QCOMPARE(sj(QStringLiteral("\"~qU4rK\" 'text'"), KShell::TildeExpand, &err), QStringLiteral("'~qU4rK' text"));
++diff --git a/src/lib/util/kshell_unix.cpp b/src/lib/util/kshell_unix.cpp
++index 616c7c1..61c0aad 100644
++--- a/src/lib/util/kshell_unix.cpp
+++++ b/src/lib/util/kshell_unix.cpp
++@@ -294,14 +294,19 @@ inline static bool isSpecial(QChar cUnicode)
++ 
++ QString KShell::quoteArg(const QString &arg)
++ {
++-    if (!arg.length()) {
+++    auto quoted = arg;
+++    quoted.removeIf([](const QChar &input) {
+++        return input.category() == QChar::Other_Control;
+++    });
+++    if (quoted.isEmpty()) {
++         return QStringLiteral("''");
++     }
++-    for (int i = 0; i < arg.length(); i++) {
++-        if (isSpecial(arg.unicode()[i])) {
+++
+++    for (int i = 0; i < quoted.length(); i++) {
+++        if (isSpecial(quoted.unicode()[i])) {
++             QChar q(QLatin1Char('\''));
++-            return q + QString(arg).replace(q, QLatin1String("'\\''")) + q;
+++            return q + QString(quoted).replace(q, QLatin1String("'\\''")) + q;
++         }
++     }
++-    return arg;
+++    return quoted;
++ }
++-- 
++2.45.4
++

---

Verdict

❌ CHANGES REQUESTED — Please address the issues flagged above.

[Kanishk-Bansal]

Patch Analysis (Patch Matches Upstream)
AI test analysis fix is not needed

• Buddy Build 
• patch applied during the build (check rpm.log)
• patch include an upstream reference
• PR has security tag

[kgodara912]

Patch matches with upstream reference except one removed line. Buddy build is successful. LGTM.