[AutoPR- Security] Patch moby-containerd-cc for CVE-2026-53488 [HIGH]#17918
Conversation
🔒 CVE Patch Review: CVE-2026-53488PR #17918 — [AutoPR- Security] Patch moby-containerd-cc for CVE-2026-53488 [HIGH] Spec File Validation
Build Verification
🤖 AI Build Log Analysis
🧪 Test Log Analysis
🤖 AI Test Log Analysis
Patch Analysis
Detailed analysisAll core security-fix hunks are present and semantically match upstream. In container_opts.go, the PR adds the same imports (containerd/labels and containerd/log), the same documentation note on reserved namespaces, and the same post-assignment filtering loop over c.Labels using labels.IsReserved(k), with identical warning text and deletion behavior. In labels/labels.go and labels/validate.go, the PR introduces the same ReservedPrefix and CRIContainerdPrefix constants and the same IsReserved implementation based on strings.HasPrefix. In pkg/cri/labels/labels.go, it centralizes the CRI prefix constant exactly as upstream by referencing clabels.CRIContainerdPrefix. In the CRI helper paths (pkg/cri/sbserver/helpers.go, pkg/cri/sbserver/podsandbox/helpers.go, and pkg/cri/server/helpers.go), the PR adds the same reserved-label filtering before Validate(), with the same warning and continue behavior, preserving the intended distinction that only image-config labels are filtered while request-supplied labels are still allowed. The related tests are also carried over: container_opts_test.go validates filtered image labels for ctr-style use; labels/validate_test.go checks IsReserved behavior; and the three buildLabels tests are updated to verify reserved labels from image configs are dropped while explicitly supplied reserved labels remain. Differences from upstream are non-functional: the PR is stored as SPECS/moby-containerd-cc/CVE-2026-53488.patch, includes downstream sign-off and Upstream-reference metadata, and uses different abbreviated preimage blob IDs/context offsets reflecting the Azure Linux source tree. No upstream hunks appear to be omitted. The context changes in helper files (different index hashes/line positions) look like safe backport drift rather than altered logic. One notable cosmetic issue is a stray extra ')' visible in the patch text after the require import in container_opts_test.go; if literal, that would break test compilation, but it does not affect the runtime security fix itself and may be an artifact of patch rendering. Aside from that possible typo, the patch appears complete and low risk, with no indication that the fix is incomplete or that regressions were introduced beyond the intended label filtering behavior. Verdict❌ CHANGES REQUESTED — Please address the issues flagged above. |
Kanishk-Bansal
left a comment
There was a problem hiding this comment.
LGTM, AI flagged issue can be ignored
|
Buddy Build has passed after recent changes. |
|
Auto cherry-pick results:
Auto cherry-pick pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1155755&view=results |
Auto Patch moby-containerd-cc for CVE-2026-53488.
Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1154116&view=results
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
What does the PR accomplish, why was it needed?
Change Log
Does this affect the toolchain?
YES/NO
Associated issues
Links to CVEs
Test Methodology