diff --git a/SPECS/docker-buildx/CVE-2026-39882.patch b/SPECS/docker-buildx/CVE-2026-39882.patch
new file mode 100644
index 00000000000..803257cfb5b
--- /dev/null
+++ b/SPECS/docker-buildx/CVE-2026-39882.patch
@@ -0,0 +1,61 @@
+From 73f8654381783347fb91175d4e0b39017dc09011 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 20 Apr 2026 06:06:54 +0000
+Subject: [PATCH] vendor(otel): limit response body size for OTLP HTTP exporter
+ (backport of #8108)
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://raw.githubusercontent.com/microsoft/azurelinux/refs/heads/3.0-dev/SPECS/moby-engine/CVE-2026-39882.patch
+---
+ .../otlp/otlptrace/otlptracehttp/client.go | 21 +++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+index 3b5f383..08f7331 100644
+--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
++++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+@@ -41,6 +41,14 @@ import (
+
+ const contentTypeProto = "application/x-protobuf"
+
++// maxResponseBodySize is the maximum number of bytes to read from a response
++// body. It is set to 4 MiB per the OTLP specification recommendation to
++// mitigate excessive memory usage caused by a misconfigured or malicious
++// server. If exceeded, the response is treated as a not-retryable error.
++// This is a variable to allow tests to override it.
++var maxResponseBodySize int64 = 4 * 1024 * 1024
++
++
+ var gzPool = sync.Pool{
+ New: func() interface{} {
+ w := gzip.NewWriter(io.Discard)
+@@ -174,7 +182,11 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
+ // Success, do not retry.
+ // Read the partial success message, if any.
+ var respData bytes.Buffer
+- if _, err := io.Copy(&respData, resp.Body); err != nil {
++ if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
++ var maxBytesErr *http.MaxBytesError
++ if errors.As(err, &maxBytesErr) {
++ return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
++ }
+ return err
+ }
+ if respData.Len() == 0 {
+@@ -203,7 +215,12 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
+ sc == http.StatusServiceUnavailable,
+ sc == http.StatusGatewayTimeout:
+ // Retry-able failures. Drain the body to reuse the connection.
+- if _, err := io.Copy(io.Discard, resp.Body); err != nil {
++ var respData bytes.Buffer
++ if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
++ var maxBytesErr *http.MaxBytesError
++ if errors.As(err, &maxBytesErr) {
++ return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
++ }
+ otel.Handle(err)
+ }
+ return newResponseError(resp.Header)
+--
+2.45.4
+
diff --git a/SPECS/docker-buildx/docker-buildx.spec b/SPECS/docker-buildx/docker-buildx.spec
index 4ab2f4f10eb..b36a3f0c673 100644
--- a/SPECS/docker-buildx/docker-buildx.spec
+++ b/SPECS/docker-buildx/docker-buildx.spec
@@ -4,7 +4,7 @@ Summary: A Docker CLI plugin for extended build capabilities with BuildKi
 Name: docker-buildx
 # update "commit_hash" above when upgrading version
 Version: 0.14.0
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 Vendor: Microsoft Corporation
@@ -20,6 +20,7 @@ Patch5: CVE-2025-47913.patch
 Patch6: CVE-2025-11065.patch
 Patch7: CVE-2025-47911.patch
 Patch8: CVE-2025-58190.patch
+Patch9: CVE-2026-39882.patch
 BuildRequires: bash
 BuildRequires: golang < 1.25
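Review bot: In the retry-able branch (the `@@ -203,7 +215,12 @@` hunk) the new `var respData bytes.Buffer` turns what the preceding comment still calls a drain into a buffered read of up to 4 MiB whose contents are never used; keeping the cap but discarding the bytes, `if _, err := io.Copy(io.Discard, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {`, bounds memory the same way without the allocation and keeps the "Drain the body" comment accurate. Passing `nil` as the ResponseWriter appears safe for a client-side read, since that argument is only consulted for the server-side too-large hook, but note that an oversized 429/503 body now aborts the upload instead of retrying, as the `maxResponseBodySize` comment says. Neither hunk touches the import block, so `errors` and `fmt` must already be imported in this vendored client.go; the build will tell, but it is worth confirming since the diffstat lists no other changes. `UploadTraces` begins and ends outside the hunk.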
@@ -53,6 +54,9 @@ install -m 755 buildx "%{buildroot}%{_libexecdir}/docker/cli-plugins/docker-buil
 %{_libexecdir}/docker/cli-plugins/docker-buildx
 %changelog
+* Mon Apr 20 2026 Azure Linux Security Servicing Account - 0.14.0-11
+- Patch for CVE-2026-39882
+
+* Thu Feb 19 2026 Azure Linux Security Servicing Account - 0.14.0-10
+- Patch for CVE-2025-58190, CVE-2025-47911