
[AutoPR- Security] Patch cni-plugins for CVE-2026-42506, CVE-2026-27136, CVE-2026-42502, CVE-2026-25681, CVE-2026-25680 [MEDIUM]#17455

Open
azurelinux-security wants to merge 3 commits into
microsoft:3.0-devfrom
azurelinux-security:azure-autosec/cni-plugins/3.0/1126741

Conversation


@azurelinux-security azurelinux-security commented May 27, 2026

Auto Patch cni-plugins for CVE-2026-42506, CVE-2026-27136, CVE-2026-42502, CVE-2026-25681, CVE-2026-25680.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1126741&view=results
Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1130196&view=results
Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1127811&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@microsoft-github-policy-service microsoft-github-policy-service Bot added the Packaging and 3.0-dev (PRs Destined for AzureLinux 3.0) labels May 27, 2026
@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review May 27, 2026 12:48
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner May 27, 2026 12:48
@azurelinux-security azurelinux-security changed the title from "[AutoPR- Security] Patch cni-plugins for CVE-2026-42506, CVE-2026-27136 [MEDIUM]" to "[AutoPR- Security] Patch cni-plugins for CVE-2026-42506, CVE-2026-27136, CVE-2026-42502, CVE-2026-25681 [MEDIUM]" May 28, 2026
@azurelinux-security (Author)

🔒 CVE Patch Review: CVE-2026-25681, CVE-2026-27136, CVE-2026-42502, CVE-2026-42506

PR #17455 — [AutoPR- Security] Patch cni-plugins for CVE-2026-42506, CVE-2026-27136, CVE-2026-42502, CVE-2026-25681 [MEDIUM]
Package: cni-plugins | Branch: 3.0-dev


Spec File Validation

  • Release bump: Release bumped 5 → 6
  • Patch entry: Patch entries added: ['CVE-2026-27136.patch', 'CVE-2026-42506.patch', 'CVE-2026-25681.patch', 'CVE-2026-42502.patch'] (covers ['CVE-2026-25681', 'CVE-2026-27136', 'CVE-2026-42502', 'CVE-2026-42506'])
  • Patch application: %autosetup/%autopatch found in full spec — patches applied automatically
  • Changelog: Changelog entry looks good
  • Signatures: No source tarball changes — signatures N/A
  • Manifests: Not a toolchain PR — manifests N/A

Build Verification

Build log analysis was skipped (no build ID available).


Patch Analysis

  • Match type: backport
  • Risk assessment: low
  • Summary:
    • The PR patch applies the same logical changes as the upstream fix to golang.org/x/net/html’s render.go, renaming writeQuoted to writeDoctypeQuoted, updating all DOCTYPE identifier call sites, escaping '>' to '&gt;' within DOCTYPE identifiers, and adding an error when both quote types are present. It also adds the same test data file. Despite path differences (vendor directory and packaging context), the code changes match upstream exactly.
    • The PR applies the upstream fix to the vendored golang.org/x/net/html tokenizer in cni-plugins, adding a per-tag attribute name map to ignore duplicate attributes case-insensitively. The code changes in token.go match upstream functionally and line-for-line; only the upstream test additions are omitted, which is typical for vendor/backport patches.
    • The PR applies the upstream fix to golang.org/x/net/html by adding the same foster-parenting/namespace check in childTextNodesAreLiteral within vendor/golang.org/x/net/html/render.go. It omits only the upstream test changes and testdata, which is typical for a vendorized backport. The functional code change matches upstream, so the fix should address CVE-2026-42502 equivalently.
    • The PR applies the same upstream fix to the vendored golang.org/x/net/html package used by cni-plugins, adding an HTML-namespace check in inBodyEndTagOther and including the corresponding test. Aside from path and context differences due to vendoring, the code change and test addition match upstream.
  • Missing hunks:
    • Upstream added two test cases in html/token_test.go for duplicate attributes (including case-insensitive duplicates); these tests are not included in the PR patch.
    • parse_test.go: addition to renderTestBlacklist for the fostering case (<math><mtext><table><mglyph><style><img>) is not included.
    • render_test.go: new TestRenderFosteredForeignContent validating escaping of fostered inside foreign content is not included.
    • html/testdata/go/fostered_foreign_content.dat: new testdata file is not included.
Detailed analysis

Comparison shows the PR changes mirror the upstream patch:

  • In render1, all calls writing DOCTYPE PUBLIC/SYSTEM identifiers are switched from writeQuoted(...) to writeDoctypeQuoted(...), exactly as upstream.
  • The helper function is renamed from writeQuoted to writeDoctypeQuoted with identical comment updates, logic additions, and behavior:
    • It still selects double or single quotes depending on the presence of '"'.
    • It adds a safety check to return an error if both '"' and ''' are present in s, matching upstream.
    • It replaces all '>' characters in the identifier string with "&gt;" via strings.ReplaceAll, preventing abrupt-doctype-system-identifier parse errors.
  • The added test data file html/testdata/go/doctype_named_entity.dat matches upstream content exactly.
  • Context line numbers differ slightly (e.g., around childTextNodesAreLiteral), consistent with minor file differences in the vendored tree, but the modified hunks are identical in semantics.
  • No additional or missing functional changes are present relative to upstream; import adjustments are not shown in either patch, implying errors and strings were already imported in the file.
Given these points, the PR is functionally equivalent to upstream and constitutes an exact match, with low risk since changes are localized to DOCTYPE identifier rendering and introduce a targeted escape plus a defensive error in a rare invalid Node construction case.

Comparison shows the PR patch introduces the same logic as upstream to ignore duplicate attributes during tokenization, preventing parser misalignment. Specifically: (1) it adds a new field to Tokenizer: attrNames map[string]bool; (2) it clears this map at the start of readTag via clear(z.attrNames); (3) when reading an attribute, it lowercases the attribute key (strings.ToLower on the raw bytes) and only appends the attribute if the key hasn't been seen, marking it seen afterward; (4) it initializes attrNames in NewTokenizerFragment with make(map[string]bool). The line offsets and file paths differ (vendor/golang.org/x/net/html/token.go versus html/token.go), consistent with a backport to a vendored dependency, but the hunks themselves are equivalent. The upstream changes to token tests are not included, which is expected in vendor patches and does not affect runtime behavior. The fix relies on Go's clear builtin for maps; as long as the package is built with a sufficiently recent Go toolchain (as in upstream), behavior will match. Overall, the PR implements the upstream security fix without functional deviations, and the risk of incompleteness or regression due to these changes is low.

Scope and location: The PR patch modifies vendor/golang.org/x/net/html/render.go in the cni-plugins package. It inserts the same 16-line block in childTextNodesAreLiteral as upstream commit a8fb2fe4f7378f816302b9f2f7b8290ce512e5dd, adding a loop that walks ancestors to detect a non-empty namespace and, unless the ancestor is an HTML integration point (htmlIntegrationPoint), treats the node as foster-parented and returns false (i.e., do not render raw text). This mirrors upstream logic exactly: the same tags are checked (iframe, noembed, noframes, noscript, plaintext, script, style, xmp), the same ancestor walk is performed, and the same return behavior is preserved. Context lines and function boundaries match; there are no additional changes. Differences from upstream: The PR does not include any of the upstream tests (parse_test.go change, render_test.go new test, and the new testdata file). These are test-only hunks and their absence does not affect runtime behavior. Risk and compatibility: Since the runtime change is identical to upstream, functional risk is low assuming the vendor'd x/net/html package includes the htmlIntegrationPoint function (as in upstream). The omission of tests is normal in vendorized/packaged environments and does not impact the fix. Overall, this is a straightforward backport of the functional change without tests.

Core fix parity: The upstream patch modifies html/parse.go to ensure that, when handling "any other end tag" in the in-body insertion mode, a matching element is only considered if it is in the HTML namespace. This is implemented by changing the conditional from (p.oe[i].DataAtom == tagAtom) && ((tagAtom != 0) || (p.oe[i].Data == tagName)) to p.oe[i].Namespace == "" && (p.oe[i].DataAtom == tagAtom) && ((tagAtom != 0) || (p.oe[i].Data == tagName)). The PR patch applies the identical conditional change in vendor/golang.org/x/net/html/parse.go, preserving logical behavior. It also removes the same two spec-reference comment lines as upstream.

Tests: Upstream adds html/testdata/go/in_body_end.dat to validate the behavior. The PR adds the same test content at vendor/golang.org/x/net/html/testdata/go/in_body_end.dat, mirroring upstream. While the build may not run tests in this packaging context, inclusion indicates fidelity to upstream.

Context and path differences: Line numbers and the index hashes differ (as expected for a vendored backport), and the file paths are under vendor/ instead of the upstream module path. No functional divergence is introduced by these differences.

Completeness: No upstream hunks are missing; both the code change and test addition are present. There are no extra, unrelated modifications.

Risk: Low. The change tightens matching to HTML-namespace elements, aligning with the HTML parsing spec and upstream fix for CVE-2026-42506. Potential impact is limited to preventing incorrect end-tag matching across foreign namespaces, which is the intended security fix. Regressions are unlikely given upstream review and the minimal, well-scoped condition change.


Verdict

APPROVED — All checks passed. Ready to merge.
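As an added illustration (not code from this PR or from x/net/html), the following Go re-implements the two rules the analysis above describes, DOCTYPE identifier quoting with '>' escaped to "&gt;" and case-insensitive suppression of duplicate attribute names, so the behavioural change can be exercised outside the vendored package; the names doctypeQuoted and dedupeAttributes are my own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// doctypeQuoted re-implements, for illustration only, the rules the review
// attributes to the patched writeDoctypeQuoted helper (not the vendored code):
// quote with '"' unless the identifier already contains '"', refuse identifiers
// carrying both quote kinds, and replace every '>' with "&gt;" so the identifier
// can never close the DOCTYPE early (the abrupt-doctype-system-identifier error).
func doctypeQuoted(s string) (string, error) {
	q := `"`
	if strings.Contains(s, `"`) {
		if strings.Contains(s, `'`) {
			return "", errors.New("html: DOCTYPE identifier contains both ' and \"")
		}
		q = `'`
	}
	return q + strings.ReplaceAll(s, ">", "&gt;") + q, nil
}

type Attribute struct{ Key, Val string } // one (key, value) pair a tokenizer emits

// dedupeAttributes applies the duplicate-attribute rule from the tokenizer fix:
// names are compared case-insensitively and only the first occurrence is kept,
// so a repeated name cannot bind a different value here than in another parser.
func dedupeAttributes(raw []Attribute) []Attribute {
	seen := make(map[string]bool, len(raw)) // per-tag, like attrNames in the patch
	var out []Attribute
	for _, a := range raw {
		key := strings.ToLower(a.Key)
		if seen[key] {
			continue // later duplicate, whatever its case: ignored
		}
		seen[key] = true
		out = append(out, Attribute{Key: key, Val: a.Val})
	}
	return out
}

func main() {
	// Constructed inputs: an identifier that tries to close the DOCTYPE early,
	// and a tag whose attribute name is repeated with different letter case.
	id, err := doctypeQuoted(`about:legacy-compat"><!-- injected -->`)
	fmt.Println(id, err)
	fmt.Println(dedupeAttributes([]Attribute{{"SRC", "a.js"}, {"src", "b.js"}, {"Href", "c"}}))
}
```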


@Kanishk-Bansal Kanishk-Bansal left a comment


Patch Analysis (matches upstream, test files are omitted.)

  • Buddy Build
  • patch applied during the build (check rpm.log)
  • patch includes an upstream reference
  • PR has security tag

@Kanishk-Bansal Kanishk-Bansal added the ready-for-stable-review (PR has passed initial review and is now ready for a second-level stable maintainer review) label May 29, 2026
@azurelinux-security azurelinux-security changed the title from "[AutoPR- Security] Patch cni-plugins for CVE-2026-42506, CVE-2026-27136, CVE-2026-42502, CVE-2026-25681 [MEDIUM]" to "[AutoPR- Security] Patch cni-plugins for CVE-2026-42506, CVE-2026-27136, CVE-2026-42502, CVE-2026-25681, CVE-2026-25680 [MEDIUM]" Jun 1, 2026