
[AutoPR- Security] Patch docker-buildx for CVE-2026-46598, CVE-2026-42502, CVE-2026-39835, CVE-2026-39827, CVE-2026-25681, CVE-2026-25680 [MEDIUM]#17577

Open
azurelinux-security wants to merge 1 commit into
microsoft:3.0-devfrom
azurelinux-security:azure-autosec/docker-buildx/3.0/1130143

Conversation

@azurelinux-security azurelinux-security commented Jun 1, 2026

Auto Patch docker-buildx for CVE-2026-46598, CVE-2026-42502, CVE-2026-39835, CVE-2026-39827, CVE-2026-25681, CVE-2026-25680.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1130143&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@azurelinux-security (Author)

🔒 CVE Patch Review: CVE-2026-25680, CVE-2026-25681, CVE-2026-39827, CVE-2026-39835, CVE-2026-42502, CVE-2026-46598

PR #17577 — [AutoPR- Security] Patch docker-buildx for CVE-2026-46598, CVE-2026-42502, CVE-2026-39835, CVE-2026-39827, CVE-2026-25681, CVE-2026-25680 [MEDIUM]
Package: docker-buildx | Branch: 3.0-dev


Spec File Validation

Check | Detail
Release bump | Release bumped 13 → 14
Patch entry | Patch entries added: ['CVE-2026-25680.patch', 'CVE-2026-25681.patch', 'CVE-2026-39827.patch', 'CVE-2026-39835.patch', 'CVE-2026-42502.patch', 'CVE-2026-46598.patch'] (covers ['CVE-2026-25680', 'CVE-2026-25681', 'CVE-2026-39827', 'CVE-2026-39835', 'CVE-2026-42502', 'CVE-2026-46598'])
Patch application | %autosetup/%autopatch found in full spec; patches applied automatically
Changelog | Changelog entry looks good
Signatures | No source tarball changes; signatures N/A
Manifests | Not a toolchain PR; manifests N/A

Build Verification

Build log analysis was skipped (no build ID available).


Patch Analysis

  • Match type: backport
  • Risk assessment: low
  • Summary (one entry per patch):
    • The PR applies the upstream fix verbatim to the vendored golang.org/x/net/html parser in docker-buildx: it introduces attrCompare, imports cmp and slices, sorts attributes for the new element and existing stack elements, and replaces the cubic attribute comparison with slices.Equal. Aside from path/context differences (vendor path, different blob indices) and packaging metadata, the functional hunks match upstream with no missing pieces.
    • The PR applies the upstream fix to the vendored golang.org/x/net/html in docker-buildx, renaming writeQuoted to writeDoctypeQuoted and escaping '>' as &gt; within DOCTYPE PUBLIC/SYSTEM identifiers. It mirrors upstream behavior and adds the same test data file, with only contextual line-number differences due to version/layout, indicating a clean backport.
    • The PR applies the same functional change as upstream to the vendored golang.org/x/crypto SSH channel implementation in docker-buildx: after sending the channel rejection message, it removes the channel from the mux's chanList to prevent a memory leak. The code hunk matches upstream behavior; tests added upstream are not included here, and the file path reflects vendored code. This is a straightforward backport of the fix.
    • The PR applies the same nil-callback safety checks from the upstream golang.org/x/crypto ssh/certs.go patch to the vendored copy within docker-buildx. It adds identical guards for CertChecker.IsHostAuthority and CertChecker.IsUserAuthority before invocation, returning clear errors instead of panicking. Aside from file path and line number differences due to vendoring, the code changes match upstream with no missing hunks.
    • The PR applies the upstream functional fix to vendor/golang.org/x/net/html/render.go, adding logic in childTextNodesAreLiteral to detect foster-parented nodes in foreign content and escape text accordingly. The code change matches upstream verbatim, while upstream's test additions and a test blacklist update are omitted, which is typical for a packaged backport.
    • The PR patch cleanly backports the upstream fix by adding ed25519 private key length checks to parseEd25519Key and parseEd25519Cert in the vendored golang.org/x/crypto/ssh/agent/server.go within docker-buildx. The functional changes match upstream exactly; only the accompanying upstream test addition is omitted, which is typical for vendor/package patches.
  • Missing hunks:
    • The upstream patch adds a new test TestMuxChannelRejectRemovesFromMux in ssh/mux_test.go to verify removal from chanList; the PR does not include this test.
    • html/parse_test.go: addition of a renderTestBlacklist entry for the input <math><mtext><table><mglyph><style><img>
    • html/render_test.go: new TestRenderFosteredForeignContent validating escaped rendering under fostered foreign content
    • html/testdata/go/fostered_foreign_content.dat: new testdata file describing the expected parse tree
    • The upstream addition of TestParseEd25519KeyShortPanic in ssh/agent/server_test.go (32 lines) is not included. This test ensures the agent does not panic and rejects short ED25519 keys.
Detailed analysis

Core change parity: The PR patch mirrors the upstream modifications to html/parse.go within vendor/golang.org/x/net/html/parse.go. It adds imports for "cmp" and "slices"; defines attrCompare(a, b Attribute) int using cmp.Or on Namespace, Key, and Val; sorts the incoming attribute slice (attr) with slices.SortFunc(attr, attrCompare) before the search; replaces the previous cubic attribute comparison block with a single if !slices.Equal(n.Attr, attr) check; and sorts the top node's attributes (top.Attr) before appending it to the active formatting elements (p.afe). These are the exact functional changes upstream introduced to implement a linearithmic, equality-based check for the Noah's Ark clause.

Context and file path: The PR targets a vendored copy under vendor/golang.org/x/net/html/parse.go rather than html/parse.go, with different index hashes, and includes packaging lines (Signed-off-by, Upstream-reference). None of these alter functionality. The surrounding code context lines in the PR match the upstream function locations (addFormattingElement and related helpers), indicating correct placement.

Completeness: No upstream hunks are missing. The import additions, helper function, two attribute sorting sites, and the replacement of the cubic comparison loop are all present. Comments are also preserved.

Behavioral notes and risks: The change sorts attribute slices for nodes stored in the active formatting elements and for the new element, making slices.Equal reliable and eliminating the prior O(n^3) behavior, addressing CVE-2026-25680 (potential DoS via pathological attribute comparisons). This will also result in normalized (sorted) attribute order in the parse tree for these elements, which is consistent with upstream and typically acceptable since HTML attribute order is not semantically significant. Build/toolchain consideration: the use of standard library packages cmp and slices requires Go 1.21+. If the package is built with an older Go toolchain, it would fail to compile; however, this is identical to upstream requirements. Overall, the risk of regressions is low and the fix is complete and equivalent.

Comparison shows the PR patch makes the same functional changes as upstream, but in the vendored path vendor/golang.org/x/net/html/render.go used by docker-buildx. Specifically: (1) In render1, calls to writeQuoted for PUBLIC and SYSTEM identifiers are changed to writeDoctypeQuoted in all three places, matching upstream. (2) The helper function is renamed from writeQuoted to writeDoctypeQuoted, its comment is updated to note escaping, it adds a safety check that errors if both quote types appear in the identifier, and it replaces all '>' characters with "&gt;" via strings.ReplaceAll before writing. These match the upstream logic exactly. (3) The test file html/testdata/go/doctype_named_entity.dat is added under the vendor path with identical contents to upstream. Context line numbers (e.g., 251 vs 267) differ slightly, as expected for a backport against a slightly different baseline, but there are no substantive divergences. No upstream hunks are missing: all modified call sites and the helper function changes are present, and the test data file is included. The patch does not alter imports, consistent with upstream (errors and strings are already used/imported in the file in typical versions). Given the minimal, localized nature of the changes and parity with upstream, the risk of incompleteness or regression is low.

Core fix comparison:

  • Upstream modifies ssh/channel.go Reject to: set err := ch.sendMessage(reject); then call ch.mux.chanList.remove(ch.localId); then return err, with an explanatory comment about avoiding ch.close() to prevent races. This removes rejected channels from the mux, fixing the leak.
  • The PR applies the identical change to vendor/golang.org/x/crypto/ssh/channel.go in the docker-buildx source tree. The hunk content (introducing err, calling chanList.remove, returning err, and the full comment) matches upstream. The only contextual difference is the line offset (536 vs 530) due to codebase differences in the vendored version, which is normal for a backport.

Omissions and differences:

  • The upstream patch also adds a test (ssh/mux_test.go: TestMuxChannelRejectRemovesFromMux). This test is not included in the PR patch, which is common for packaging/vendor patches where tests may not be carried or run.
  • Paths differ (vendor/golang.org/x/crypto/ssh/... vs ssh/...), reflecting the vendored dependency in docker-buildx.
  • The PR includes packaging metadata (Signed-off-by, Upstream-reference) and has a slight discrepancy in the filename referencing a different CVE suffix (CVE-2026-39827) while the commit message references CVE-2026-3982; this does not affect code equivalence.

Assessment:

  • Functionally, the PR implements the exact same fix as upstream. The absence of the test does not change runtime behavior. The risk of regression is low because the change is localized and matches upstream's reviewed approach, and it avoids introducing racy channel closes as documented.

Comparison shows the PR patch adds two checks in vendor/golang.org/x/crypto/ssh/certs.go that are functionally identical to upstream:

  • In CertChecker.CheckHostKey, after verifying cert.CertType == HostCert, it checks if c.IsHostAuthority == nil and returns errors.New("ssh: cannot verify certificate, IsHostAuthority not set"), then proceeds to the existing authority check.
  • In CertChecker.Authenticate, after verifying cert.CertType == UserCert, it checks if c.IsUserAuthority == nil and returns errors.New("ssh: cannot verify certificate, IsUserAuthority not set"), then proceeds to the existing authority check.

The error strings match upstream exactly, and the checks are inserted immediately before calling the callbacks, preventing nil dereference panics. The only differences are:

  • The PR places the patch in SPECS/docker-buildx/CVE-2026-39835.patch and targets the vendored path vendor/golang.org/x/crypto/ssh/certs.go instead of upstream ssh/certs.go.
  • Line numbers differ slightly due to context in the vendored file.

No additional code changes are introduced, and no upstream hunks are missing. The import of the errors package is not modified in either patch, which is consistent with upstream where errors is already imported in certs.go. Risk is low since the change is additive and only affects the behavior when the callbacks are nil, converting a panic into a controlled error as intended.

Functional comparison: Upstream modifies html/render.go in childTextNodesAreLiteral to handle foster-parented elements placed under a non-HTML namespace. Specifically, inside the case for tags [iframe, noembed, noframes, noscript, plaintext, script, style, xmp], it walks up the ancestor chain to find the first node with a non-empty namespace and, if that ancestor is not an HTML integration point, returns false so that text is escaped rather than emitted raw. The PR patch introduces the identical logic and comment at the same point in vendor/golang.org/x/net/html/render.go. The surrounding context (early return when n.Namespace != "", the switch on n.Data, and return paths) matches, and the semantics are unchanged. Differences: The PR does not include upstream's test updates (parse_test.go blacklist entry, a new render test, and a new testdata file), which are non-functional and commonly excluded in distribution patches. The PR also applies to a vendored path within docker-buildx, reflecting packaging layout rather than a source-tree difference. No additional deviations from upstream were found in the functional change. Risk: The change narrows literal-text rendering to exclude fostered nodes under foreign content unless behind an HTML integration point, aligning with the HTML parsing/rendering spec and mitigating the CVE. The code is localized and guarded by specific tag checks, so regression risk is low; upstream has reviewed and accepted the change.

Comparison of the core changes shows the PR inserts identical guards to upstream in two locations: prior to casting k.Priv to ed25519.PrivateKey in parseEd25519Key and parseEd25519Cert, it now checks len(k.Priv) != ed25519.PrivateKeySize and returns fmt.Errorf("agent: bad ED25519 key size: %d", len(k.Priv)) on mismatch. These insertions are byte-for-byte equivalent to upstream. The line numbers and file paths differ (vendor/golang.org/x/crypto/ssh/agent/server.go at offsets ~267 and ~333 vs upstream ssh/agent/server.go at ~270 and ~336), reflecting vendor context and minor upstream drift, but the surrounding context (ssh.Unmarshal(req, &k), and the subsequent ed25519.PrivateKey(k.Priv) cast) is consistent, indicating a correct application. No other logic is altered. The PR does not include the upstream test addition (server_test.go) which is common for distribution patches that only modify vendored source code; this does not affect runtime behavior. The file already uses ed25519 and fmt elsewhere in the agent server, so no import adjustments are needed. Functionally, the fix prevents a panic caused by short ED25519 private key payloads (priv[32:] in Public()), returning an error instead, aligning with the upstream CVE fix. Given the exact equivalence of the security-relevant hunks and the minimal scope, the risk of regression is low, and the fix appears complete for the targeted issue.


Verdict

APPROVED — All checks passed. Ready to merge.
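The ed25519 length guard the review describes for parseEd25519Key, shown as an added Go example; this is not code from docker-buildx or golang.org/x/crypto. The ed25519KeyMsg struct and both function names are constructed stand-ins for the agent's unmarshalled add-key message, and the 16-byte payload is constructed input.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// ed25519KeyMsg is a constructed stand-in for the agent's unmarshalled
// add-key message: Priv holds whatever bytes the client sent on the wire.
type ed25519KeyMsg struct {
	Pub  []byte
	Priv []byte
}

// parseEd25519KeyUnchecked mirrors the pre-fix behaviour: the raw bytes are
// cast to ed25519.PrivateKey and Public() slices priv[32:], which panics on a
// short payload. The recover() exists only so the example can report it.
func parseEd25519KeyUnchecked(k ed25519KeyMsg) (pub ed25519.PublicKey, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("agent: panic on short key: %v", r)
		}
	}()
	priv := ed25519.PrivateKey(k.Priv)
	return priv.Public().(ed25519.PublicKey), nil
}

// parseEd25519KeyChecked applies the guard from the backported fix: reject any
// payload whose length is not ed25519.PrivateKeySize before the cast.
func parseEd25519KeyChecked(k ed25519KeyMsg) (ed25519.PublicKey, error) {
	if len(k.Priv) != ed25519.PrivateKeySize {
		return nil, fmt.Errorf("agent: bad ED25519 key size: %d", len(k.Priv))
	}
	priv := ed25519.PrivateKey(k.Priv)
	return priv.Public().(ed25519.PublicKey), nil
}

func main() {
	// Constructed 16-byte payload, far shorter than the 64 bytes a key needs.
	short := ed25519KeyMsg{Priv: make([]byte, 16)}
	_, err := parseEd25519KeyUnchecked(short)
	fmt.Println("unchecked:", err)
	_, err = parseEd25519KeyChecked(short)
	fmt.Println("checked:  ", err)

	// A well-formed key generated locally still passes the guard.
	pub, priv, _ := ed25519.GenerateKey(nil)
	got, err := parseEd25519KeyChecked(ed25519KeyMsg{Pub: pub, Priv: priv})
	fmt.Println("valid key accepted:", err == nil && got.Equal(pub))
}
```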

@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review June 1, 2026 06:25
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner June 1, 2026 06:25