Skip to content

[AutoPR- Security] Patch moby-containerd-cc for CVE-2026-53488 [HIGH]#17918

Merged
jslobodzian merged 2 commits into
microsoft:fasttrack/3.0from
azurelinux-security:azure-autosec/moby-containerd-cc/3.0/1154116
Jul 8, 2026
Merged

[AutoPR- Security] Patch moby-containerd-cc for CVE-2026-53488 [HIGH]#17918
jslobodzian merged 2 commits into
microsoft:fasttrack/3.0from
azurelinux-security:azure-autosec/moby-containerd-cc/3.0/1154116

Conversation

@azurelinux-security

@azurelinux-security azurelinux-security commented Jul 6, 2026

Copy link
Copy Markdown

Auto Patch moby-containerd-cc for CVE-2026-53488.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1154116&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging fasttrack/3.0 PRs Destined for Azure Linux 3.0 labels Jul 6, 2026
@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review July 6, 2026 14:17
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner July 6, 2026 14:17
@azurelinux-security

Copy link
Copy Markdown
Author

🔒 CVE Patch Review: CVE-2026-53488

PR #17918 — [AutoPR- Security] Patch moby-containerd-cc for CVE-2026-53488 [HIGH]
Package: moby-containerd-cc | Branch: fasttrack/3.0


Spec File Validation

Check Status Detail
Release bump Release bumped 13 → 14
Patch entry Patch entries added: ['CVE-2026-53488.patch'] (covers ['CVE-2026-53488'])
Patch application %autosetup/%autopatch found in full spec — patches applied automatically
Changelog Changelog entry looks good
Signatures No source tarball changes — signatures N/A
Manifests Not a toolchain PR — manifests N/A

Build Verification

  • Build status: ✅ PASSED
  • Artifact downloaded:
  • CVE applied during build:

🤖 AI Build Log Analysis

  • Risk: medium
  • Summary: The RPM build for moby-containerd-cc completed successfully and produced the expected x86_64 RPM. The CVE-2026-53488 patch appears to have been applied during %prep without any visible patch failures, rejected hunks, fuzz, or offset warnings. Compilation, install, packaging, and RPM generation all finished cleanly, with no test phase executed because the build used --nocheck.
  • AI-detected warnings:
    • Tests were not run because the package was rebuilt with --nocheck / with_check 0, so the CVE backport was not validated by the package test suite in this build.
    • RPM emitted warnings about missing build-id in /usr/bin/containerd-shim, /usr/bin/containerd-shim-runc-v1, and /usr/bin/containerd-shim-runc-v2.
    • RPM warned that it could not canonicalize the hostname during build; this did not stop the build.
    • go-md2man reported 'does not handle node type HTMLBlock' while generating man pages; documentation output may be imperfect, but the build continued successfully.

🧪 Test Log Analysis

  • Test status: ❌ FAILED
  • Test warnings (1):
    • L319: time="2026-07-06T14:30:46Z" level=debug msg="? \tgithub.com/containerd/containerd/contrib/fuzz\t[no test files]"
🤖 AI Test Log Analysis
  • Risk: medium
  • Summary: The package built successfully and the %check phase ran a substantial Go test suite, with many containerd packages reporting "ok" and many others reporting "[no test files]". However, the overall test run failed because make test exited with Error 1, and the log ends with a top-level FAIL in the Go test output. The specific failing test case or package is not visible in the provided truncated log, so the suite must be treated as failed, with an unresolved test regression or pre-existing failure that cannot be directly tied to the CVE-2026-53488 patch from the available evidence.
  • AI-detected test issues:
    • The %check phase failed: Go test output ended with a top-level FAIL.
    • make test failed with make: *** [Makefile:207: test] Error 1.
    • The exact failing test/package is not present in the provided truncated log, so the root cause cannot be determined from this log alone.

Patch Analysis

  • Match type: minor_differences
  • Risk assessment: low
  • Summary: The PR patch is functionally equivalent to the upstream fix for CVE-2026-53488. It applies the same security-relevant code changes: introducing reserved-label namespace constants and an IsReserved helper, filtering reserved labels from image config labels in both WithImageConfigLabels and the CRI buildLabels paths, logging warnings when such labels are skipped, and updating tests accordingly. The only substantive differences versus the authoritative patch are packaging metadata/wrapping as a spec patch file, abbreviated blob indexes, and harmless context-line drift in a few file indices/line numbers that are typical of a downstream backport application.
Detailed analysis

All core security-fix hunks are present and semantically match upstream. In container_opts.go, the PR adds the same imports (containerd/labels and containerd/log), the same documentation note on reserved namespaces, and the same post-assignment filtering loop over c.Labels using labels.IsReserved(k), with identical warning text and deletion behavior. In labels/labels.go and labels/validate.go, the PR introduces the same ReservedPrefix and CRIContainerdPrefix constants and the same IsReserved implementation based on strings.HasPrefix. In pkg/cri/labels/labels.go, it centralizes the CRI prefix constant exactly as upstream by referencing clabels.CRIContainerdPrefix. In the CRI helper paths (pkg/cri/sbserver/helpers.go, pkg/cri/sbserver/podsandbox/helpers.go, and pkg/cri/server/helpers.go), the PR adds the same reserved-label filtering before Validate(), with the same warning and continue behavior, preserving the intended distinction that only image-config labels are filtered while request-supplied labels are still allowed. The related tests are also carried over: container_opts_test.go validates filtered image labels for ctr-style use; labels/validate_test.go checks IsReserved behavior; and the three buildLabels tests are updated to verify reserved labels from image configs are dropped while explicitly supplied reserved labels remain. Differences from upstream are non-functional: the PR is stored as SPECS/moby-containerd-cc/CVE-2026-53488.patch, includes downstream sign-off and Upstream-reference metadata, and uses different abbreviated preimage blob IDs/context offsets reflecting the Azure Linux source tree. No upstream hunks appear to be omitted. The context changes in helper files (different index hashes/line positions) look like safe backport drift rather than altered logic. One notable cosmetic issue is a stray extra ')' visible in the patch text after the require import in container_opts_test.go; if literal, that would break test compilation, but it does not affect the runtime security fix itself and may be an artifact of patch rendering. Aside from that possible typo, the patch appears complete and low risk, with no indication that the fix is incomplete or that regressions were introduced beyond the intended label filtering behavior.


Verdict

CHANGES REQUESTED — Please address the issues flagged above.

@Kanishk-Bansal Kanishk-Bansal left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, AI flagged issue can be ignored

@Kanishk-Bansal Kanishk-Bansal added the CVEFixReadyForMaintainerReview When a CVE fix has been reviewed by release manager and is ready for stable maintainer review label Jul 6, 2026
@jykanase

jykanase commented Jul 8, 2026

Copy link
Copy Markdown

Buddy Build has passed after recent changes.

@jslobodzian jslobodzian merged commit c543f0e into microsoft:fasttrack/3.0 Jul 8, 2026
16 checks passed
@CBL-Mariner-Bot

Copy link
Copy Markdown
Collaborator

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

CVEFixReadyForMaintainerReview When a CVE fix has been reviewed by release manager and is ready for stable maintainer review fasttrack/3.0 PRs Destined for Azure Linux 3.0 Packaging security

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants