Skip to content

[AutoPR- Security] Patch libsndfile for CVE-2026-37555 [HIGH]#17917

Merged
jslobodzian merged 1 commit into
microsoft:fasttrack/3.0from
azurelinux-security:azure-autosec/libsndfile/3.0/1154094
Jul 8, 2026
Merged

[AutoPR- Security] Patch libsndfile for CVE-2026-37555 [HIGH]#17917
jslobodzian merged 1 commit into
microsoft:fasttrack/3.0from
azurelinux-security:azure-autosec/libsndfile/3.0/1154094

Conversation

@azurelinux-security

@azurelinux-security azurelinux-security commented Jul 6, 2026

Copy link
Copy Markdown

Auto Patch libsndfile for CVE-2026-37555.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1154094&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging fasttrack/3.0 PRs Destined for Azure Linux 3.0 labels Jul 6, 2026
@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review July 6, 2026 13:58
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner July 6, 2026 13:58
@azurelinux-security

Copy link
Copy Markdown
Author

🔒 CVE Patch Review: CVE-2026-37555

PR #17917 — [AutoPR- Security] Patch libsndfile for CVE-2026-37555 [HIGH]
Package: libsndfile | Branch: fasttrack/3.0


Spec File Validation

Check Status Detail
Release bump Release bumped 4 → 5
Patch entry Patch entries added: ['CVE-2026-37555.patch'] (covers ['CVE-2026-37555'])
Patch application %autosetup/%autopatch found in full spec — patches applied automatically
Changelog Changelog entry looks good
Signatures No source tarball changes — signatures N/A
Manifests Not a toolchain PR — manifests N/A

Build Verification

  • Build status: ❌ FAILED
  • Artifact downloaded:
  • CVE applied during build:
  • Errors (1):
    • L119: time="2026-07-06T13:46:35Z" level=debug msg="error: File /usr/src/azl/SOURCES/CVE-2018-13419.nopatch is smaller than 13 bytes"
  • Warnings (25):
    • L696: time="2026-07-06T13:46:36Z" level=debug msg="aclocal: warning: couldn't open directory 'M4': No such file or directory"
    • L712: time="2026-07-06T13:46:38Z" level=debug msg="aclocal: warning: couldn't open directory 'M4': No such file or directory"
    • L714: time="2026-07-06T13:46:39Z" level=debug msg="configure.ac:39: warning: The macro 'AC_PROG_CC_C99' is obsolete."
    • L718: time="2026-07-06T13:46:39Z" level=debug msg="configure.ac:408: warning: The macro 'AC_TRY_RUN' is obsolete."
    • L944: time="2026-07-06T13:46:44Z" level=debug msg="configure: WARNING: *** One or more of the external libraries (ie libflac, libogg,"
    • L945: time="2026-07-06T13:46:44Z" level=debug msg="configure: WARNING: *** libvorbis and libopus) is either missing (possibly only the development"
    • L946: time="2026-07-06T13:46:44Z" level=debug msg="configure: WARNING: *** headers) or is of an unsupported version."
    • L947: time="2026-07-06T13:46:44Z" level=debug msg="configure: WARNING: ***"
    • L948: time="2026-07-06T13:46:44Z" level=debug msg="configure: WARNING: *** Unfortunately, for ease of maintenance, the external libs"
    • L949: time="2026-07-06T13:46:44Z" level=debug msg="configure: WARNING: *** are an all or nothing affair."
    • … and 15 more

🤖 AI Build Log Analysis

  • Risk: medium
  • Summary: The libsndfile RPM build completed successfully and produced the main, devel, utils, and debuginfo packages. The CVE-2026-37555 patch appears to have been applied during %prep without any visible hunk failures, rejects, fuzz, or offset warnings. Compilation, linking, install, debuginfo extraction, and packaging all finished cleanly, and no test failures occurred because the build was run with --nocheck.
  • AI-detected warnings:
    • A placeholder patch file, /usr/src/azl/SOURCES/CVE-2018-13419.nopatch, triggered the message 'File ... is smaller than 13 bytes' during %prep. The build continued successfully, but this is unusual and should be understood by the maintainer.
    • Builds were performed with --nocheck / -D with_check 0, so no test suite was run; patch correctness is validated only by successful build and packaging, not by runtime tests.
    • RPM emitted 'Could not canonicalize hostname' warnings, which are benign environment issues and did not affect the build outcome.
    • Libtool emitted install-time warnings such as 'src/libsndfile.la has not been installed in /usr/lib' and 'remember to run libtool --finish /usr/lib'; these are common during staged DESTDIR packaging and are not fatal.

🧪 Test Log Analysis

  • Test status: ❌ FAILED
  • Test errors (1):
    • L118: time="2026-07-06T13:46:54Z" level=debug msg="error: File /usr/src/azl/SOURCES/CVE-2018-13419.nopatch is smaller than 13 bytes"
  • Test warnings (28):
    • L695: time="2026-07-06T13:46:55Z" level=debug msg="aclocal: warning: couldn't open directory 'M4': No such file or directory"
    • L711: time="2026-07-06T13:46:57Z" level=debug msg="aclocal: warning: couldn't open directory 'M4': No such file or directory"
    • L713: time="2026-07-06T13:46:58Z" level=debug msg="configure.ac:39: warning: The macro 'AC_PROG_CC_C99' is obsolete."
    • L717: time="2026-07-06T13:46:58Z" level=debug msg="configure.ac:408: warning: The macro 'AC_TRY_RUN' is obsolete."
    • L943: time="2026-07-06T13:47:03Z" level=debug msg="configure: WARNING: *** One or more of the external libraries (ie libflac, libogg,"
    • L944: time="2026-07-06T13:47:03Z" level=debug msg="configure: WARNING: *** libvorbis and libopus) is either missing (possibly only the development"
    • L945: time="2026-07-06T13:47:03Z" level=debug msg="configure: WARNING: *** headers) or is of an unsupported version."
    • L946: time="2026-07-06T13:47:03Z" level=debug msg="configure: WARNING: ***"
    • L947: time="2026-07-06T13:47:03Z" level=debug msg="configure: WARNING: *** Unfortunately, for ease of maintenance, the external libs"
    • L948: time="2026-07-06T13:47:03Z" level=debug msg="configure: WARNING: *** are an all or nothing affair."
🤖 AI Test Log Analysis
  • Risk: low
  • Summary: The libsndfile test suite completed successfully with exit status 0 after applying the CVE-2026-37555 patch. The log shows extensive format and I/O coverage with all executed tests reporting "ok", no test failures, and no evidence of regressions introduced by the patch. Some codec-specific test groups (FLAC, Ogg/Vorbis, Opus, MPEG) were effectively skipped because support for those features was not compiled in, but the build still reported success for the enabled test coverage.

Patch Analysis

  • Match type: minor_differences
  • Risk assessment: low
  • Summary: The PR patch is functionally equivalent to the upstream fix for CVE-2026-37555. It applies the same two code changes in src/ima_adpcm.c, adding an explicit cast to sf_count_t before multiplication in both ima_close() and ima_reader_init(), which is the core security fix. Differences from upstream are limited to patch packaging/metadata for Azure Linux, including a different patch wrapper filename, added Signed-off-by and Upstream-reference lines, different blob indexes/commit hash in the patch header, and the git version footer.
Detailed analysis

Reviewing the actual source hunks, the PR carries both upstream security-relevant changes without alteration: (1) in ima_close(), psf->sf.frames = pima->samplesperblock * pima->blockcount / psf->sf.channels; becomes psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blockcount / psf->sf.channels;; and (2) in ima_reader_init(), psf->sf.frames = pima->samplesperblock * pima->blocks; becomes psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blocks;. These are the only hunks in the upstream patch, and both are present in the PR. No security-relevant hunk is missing. The remaining differences are non-functional: the PR wraps the upstream patch as a new spec-side patch file under SPECS/libsndfile/CVE-2026-37555.patch, adds Azure Linux patch metadata (Signed-off-by, Upstream-reference), uses different git blob indexes reflecting the target tree state, and includes a mailer footer (2.45.4). This is not really a semantic backport with altered logic; it is the same fix carried as downstream packaging, so minor_differences is the best classification rather than exact. Regression risk is low because the change only widens the type before multiplication, matching existing correct style already used elsewhere, and should preserve intended behavior while eliminating signed integer overflow UB.


Verdict

CHANGES REQUESTED — Please address the issues flagged above.

@Kanishk-Bansal Kanishk-Bansal left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM,
AI analysis for L119: time="2026-07-06T13:46:35Z" level=debug msg="error: File /usr/src/azl/SOURCES/CVE-2018-13419.nopatch is smaller than 13 bytes" can be ignored

@Kanishk-Bansal Kanishk-Bansal added the CVEFixReadyForMaintainerReview When a CVE fix has been reviewed by release manager and is ready for stable maintainer review label Jul 6, 2026
@jslobodzian jslobodzian merged commit 9107186 into microsoft:fasttrack/3.0 Jul 8, 2026
30 checks passed
@CBL-Mariner-Bot

Copy link
Copy Markdown
Collaborator

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

AutoPR-Security CVEFixReadyForMaintainerReview When a CVE fix has been reviewed by release manager and is ready for stable maintainer review fasttrack/3.0 PRs Destined for Azure Linux 3.0 Packaging security

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants