Skip to content

[AutoPR- Security] Patch qemu for CVE-2026-3196 [MEDIUM]#17879

Merged
kgodara912 merged 2 commits into
microsoft:3.0-devfrom
azurelinux-security:azure-autosec/qemu/3.0/1150719
Jul 3, 2026
Merged

[AutoPR- Security] Patch qemu for CVE-2026-3196 [MEDIUM]#17879
kgodara912 merged 2 commits into
microsoft:3.0-devfrom
azurelinux-security:azure-autosec/qemu/3.0/1150719

Conversation

@azurelinux-security

@azurelinux-security azurelinux-security commented Jul 1, 2026

Copy link
Copy Markdown

Auto Patch qemu for CVE-2026-3196.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1150719&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Jul 1, 2026
@AkarshHCL

Copy link
Copy Markdown
  1. Patch is in sync with upstream patch.
  2. Buddy build is successful with patch getting applied-
image 3. Tried local build by adding some error in the affected file build fails due to introduced error.

@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review July 2, 2026 18:05
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner July 2, 2026 18:05

@mfrw mfrw left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM ✅ — faithful backport of the upstream fix, spec hygiene clean, and the buddy build is green on both arches including qemu's %check.

Patch fidelity — ✅ matches upstream

SPECS/qemu/CVE-2026-3196.patch is byte-for-byte identical (modulo expected base drift) to upstream qemu d84fbf24 (cherry-picked from 61679d7, by Manos Pitsidianakis, Reviewed-by: mst) — the fix for VIRTIO spec §5.14.6.2 in virtio_snd_handle_pcm_info:

  • both added guards match exactly: the start_id + count > s->snd_conf.streams bounds check, and the g_uint_checked_mul/g_uint_checked_add overflow-guarded buffer-size check;
  • the only deltas vs upstream are the hunk offsets (181/207 vs 156/179) and blob hashes — expected because the base is qemu 9.1.0, not upstream HEAD;
  • the preserved /* TODO: do we need to set DEVICE_NEEDS_RESET? */ context comment exists in the 9.1.0 base and is untouched — benign.

Spec hygiene — ✅ clean

  • Release: 9 → 10
  • Patch33: CVE-2026-3196.patch declared in correct sequential order after Patch32
  • %changelog entry for 9.1.0-10 present and correct (date/author/CVE)
  • No source tarball change → no *.signatures.json update needed

Build / CI — buddy build buildId=1151905 (Run 20260702.3) — 237 succeeded / 10 skipped / 0 failed

Stage AMD64 ARM64
Build qemu-9.1.0-10.azl3 RPMs ✅ succeeded ✅ succeeded
%check (package test) EXIT STATUS 0 → Pass (631s) EXIT STATUS 0 → Pass (445s)
Sodiff check (ABI/.so diff) ✅ succeeded ✅ succeeded
Toolchain build + postBuild ✅ succeeded ✅ succeeded
sdl_sources ✅ succeeded

All GitHub PR checks green; merge checklist ticked in the PR body.

Non-blocking note

tmp is only ever written (as the output arg of the g_uint_checked_* helpers) and never read — its sole purpose is overflow detection via short-circuit, and the final comparison recomputes sizeof(virtio_snd_hdr) + size * count. This is intentional and identical to upstream; no -Wunused-but-set-variable since it's passed by address and the build is warning-clean. Just flagging for completeness.

Signed-Off By: @mfrw

@mfrw mfrw added the ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review label Jul 3, 2026

@kgodara912 kgodara912 left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Patch matches with upstream reference. Buddy build is successful. LGTM.

@kgodara912 kgodara912 merged commit 5438c00 into microsoft:3.0-dev Jul 3, 2026
31 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

3.0-dev PRs Destined for AzureLinux 3.0 AutoPR-Security Packaging ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review security

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants