161 changes: 161 additions & 0 deletions SPECS/telegraf/CVE-2026-41889.patch
@@ -0,0 +1,161 @@
From e8de87de7ca4e83e2b0e8625d3e8fba685d939b3 Mon Sep 17 00:00:00 2001
From: AllSpark <allspark@microsoft.com>
Date: Thu, 14 May 2026 09:04:47 +0000
Subject: [PATCH] vendor/pgx: Fix SQL sanitizer bugs with dollar-quoted strings
and placeholder overflow

- Recognize PostgreSQL dollar-quoted strings (58...58 and $...$)
and preserve their contents verbatim to avoid substituting placeholders
inside literal text.
- Clamp placeholder numbers at MaxInt32 to prevent silent int overflow
and potential aliasing to valid argument indices.

Backported from upstream patch.

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: AI Backport of https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da.patch
---
.../pgx/v4/internal/sanitize/sanitize.go | 106 ++++++++++++++++--
1 file changed, 98 insertions(+), 8 deletions(-)

diff --git a/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go b/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go
index 4c345d50..6253c440 100644
--- a/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go
+++ b/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go
@@ -4,6 +4,7 @@ import (
"bytes"
"encoding/hex"
"fmt"
+ "math"
"strconv"
"strings"
"time"
@@ -100,12 +101,13 @@ func QuoteBytes(buf []byte) string {
}

type sqlLexer struct {
- src string
- start int
- pos int
- nested int // multiline comment nesting level.
- stateFn stateFn
- parts []Part
+ src string
+ start int
+ pos int
+ nested int // multiline comment nesting level.
+ dollarTag string // active tag while inside a dollar-quoted string (may be empty for $$).
+ stateFn stateFn
+ parts []Part
}

type stateFn func(*sqlLexer) stateFn
@@ -135,6 +137,15 @@ func rawState(l *sqlLexer) stateFn {
l.start = l.pos
return placeholderState
}
+ // PostgreSQL dollar-quoted string: $[tag]$...$[tag]$. The $ was
+ // just consumed; try to match the rest of the opening tag.
+ // Without this, placeholders embedded inside dollar-quoted
+ // literals would be incorrectly substituted.
+ if tagLen, ok := scanDollarQuoteTag(l.src[l.pos:]); ok {
+ l.dollarTag = l.src[l.pos : l.pos+tagLen]
+ l.pos += tagLen + 1 // advance past tag and closing '$'
+ return dollarQuoteState
+ }
case '-':
nextRune, width := utf8.DecodeRuneInString(l.src[l.pos:])
if nextRune == '-' {
@@ -217,8 +228,87 @@ func placeholderState(l *sqlLexer) stateFn {
l.pos += width

if '0' <= r && r <= '9' {
- num *= 10
- num += int(r - '0')
+ // Clamp rather than silently wrap on pathological input like
+ // "$92233720368547758070" which would otherwise overflow int and
+ // could land on a valid args index. Any value above MaxInt32 far
+ // exceeds any plausible args length, so Sanitize will correctly
+ // return "insufficient arguments".
+ if num > (math.MaxInt32-9)/10 {
+ num = math.MaxInt32
+ } else {
+ num = num*10 + int(r-'0')
+ }
+ } else {
+ l.parts = append(l.parts, num)
+ l.pos -= width
+ l.start = l.pos
+ return rawState
+ }
+ }
+}
+
+// dollarQuoteState consumes the body of a PostgreSQL dollar-quoted string
+// ($[tag]$...$[tag]$). The opening tag (including its terminating '$') has
+// already been consumed.
+func dollarQuoteState(l *sqlLexer) stateFn {
+ closer := "$" + l.dollarTag + "$"
+ idx := strings.Index(l.src[l.pos:], closer)
+ if idx < 0 {
+ // Unterminated — mirror the behavior of other quoted-string states by
+ // consuming the remaining input into the current part and stopping.
+ if len(l.src)-l.start > 0 {
+ l.parts = append(l.parts, l.src[l.start:])
+ l.start = len(l.src)
+ }
+ l.pos = len(l.src)
+ return nil
+ }
+ l.pos += idx + len(closer)
+ l.dollarTag = ""
+ return rawState
+}
+
+// scanDollarQuoteTag checks whether src begins with an optional dollar-quoted
+// string tag followed by a closing '$'. src must point just past the opening
+// '$'. Returns the byte length of the tag (zero for an anonymous $$) and
+// whether a valid tag was found.
+//
+// Tag grammar matches the PostgreSQL lexer (scan.l):
+//
+// dolq_start: [A-Za-z_\x80-\xff]
+// dolq_cont: [A-Za-z0-9_\x80-\xff]
+func scanDollarQuoteTag(src string) (int, bool) {
+ first := true
+ for i := 0; i < len(src); {
+ r, w := utf8.DecodeRuneInString(src[i:])
+ if r == '$' {
+ return i, true
+ }
+ if !isDollarTagRune(r, first) {
+ return 0, false
+ }
+ first = false
+ i += w
+ }
+ return 0, false
+}
+
+func isDollarTagRune(r rune, first bool) bool {
+ switch {
+ case r == '_':
+ return true
+ case 'a' <= r && r <= 'z':
+ return true
+ case 'A' <= r && r <= 'Z':
+ return true
+ case !first && '0' <= r && r <= '9':
+ return true
+ case r >= 0x80 && r != utf8.RuneError:
+ return true
+ }
+ return false
+}
+
} else {
l.parts = append(l.parts, num)
l.pos -= width
--
2.45.4
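Review bot: The placeholderState hunk of this patch leaves sanitize.go syntactically invalid: after the clamp it adds its own `} else { … return rawState }` branch plus the `}` `}` that close the for-loop and the function, then the three new functions, and only then keeps the original `} else {` / `l.parts = append(l.parts, num)` / `l.pos -= width` lines as trailing context, so that original else-branch and the closing braces that follow it outside the hunk end up at file scope. The hunk counts (`@@ -217,8 +228,87 @@`: 3 context + 81 added + 3 context) are consistent with the lines shown, so this does not look like a rendering artefact, though it is worth confirming against the stored patch file. The fix is to end that hunk right after the clamp's closing `}` with the original else-branch as context, and to add dollarQuoteState, scanDollarQuoteTag and isDollarTagRune in a second hunk anchored after placeholderState's final `}`; as written the vendored package would fail to compile, so the CVE fix never lands in the built binary. The clamp itself is sound: `(math.MaxInt32-9)/10` guarantees `num*10+9` stays within MaxInt32, and a value already clamped to MaxInt32 remains clamped on further digits, on both 32- and 64-bit int.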

57 changes: 57 additions & 0 deletions SPECS/telegraf/CVE-2026-42151.patch
@@ -0,0 +1,57 @@
From d81192741a05f393d508b9f0b63ff54614b14139 Mon Sep 17 00:00:00 2001
From: AllSpark <allspark@microsoft.com>
Date: Thu, 14 May 2026 08:55:17 +0000
Subject: [PATCH] remote/azuread: use Secret type for OAuth client_secret

The ClientSecret field in OAuthConfig was typed as plain string,
causing it to be exposed in plaintext via the /-/config HTTP endpoint.
Change it to config_util.Secret so Prometheus redacts it as <secret>.

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: AI Backport of https://github.com/prometheus/prometheus/pull/18587.patch
---
.../prometheus/storage/remote/azuread/azuread.go | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/vendor/github.com/prometheus/prometheus/storage/remote/azuread/azuread.go b/vendor/github.com/prometheus/prometheus/storage/remote/azuread/azuread.go
index cb4587b0..616c278c 100644
--- a/vendor/github.com/prometheus/prometheus/storage/remote/azuread/azuread.go
+++ b/vendor/github.com/prometheus/prometheus/storage/remote/azuread/azuread.go
@@ -23,6 +23,7 @@ import (
"time"

"github.com/grafana/regexp"
+ config_util "github.com/prometheus/common/config"

"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
@@ -55,7 +56,7 @@ type OAuthConfig struct {
ClientID string `yaml:"client_id,omitempty"`

// ClientSecret is the clientSecret of the azure active directory application that is being used to authenticate.
- ClientSecret string `yaml:"client_secret,omitempty"`
+ ClientSecret config_util.Secret `yaml:"client_secret,omitempty"`

// TenantID is the tenantId of the azure active directory application that is being used to authenticate.
TenantID string `yaml:"tenant_id,omitempty"`
@@ -125,7 +126,7 @@ func (c *AzureADConfig) Validate() error {
if c.OAuth.ClientID == "" {
return fmt.Errorf("must provide an Azure OAuth client_id in the Azure AD config")
}
- if c.OAuth.ClientSecret == "" {
+ if string(c.OAuth.ClientSecret) == "" {
return fmt.Errorf("must provide an Azure OAuth client_secret in the Azure AD config")
}
if c.OAuth.TenantID == "" {
@@ -238,7 +239,7 @@ func newManagedIdentityTokenCredential(clientOpts *azcore.ClientOptions, managed
// newOAuthTokenCredential returns new OAuth token credential
func newOAuthTokenCredential(clientOpts *azcore.ClientOptions, oAuthConfig *OAuthConfig) (azcore.TokenCredential, error) {
opts := &azidentity.ClientSecretCredentialOptions{ClientOptions: *clientOpts}
- return azidentity.NewClientSecretCredential(oAuthConfig.TenantID, oAuthConfig.ClientID, oAuthConfig.ClientSecret, opts)
+ return azidentity.NewClientSecretCredential(oAuthConfig.TenantID, oAuthConfig.ClientID, string(oAuthConfig.ClientSecret), opts)
}

// newTokenProvider helps to fetch accessToken for different types of credential. This also takes care of
--
2.45.4
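Review bot: The `config_util "github.com/prometheus/common/config"` import is the only new package this vendored file pulls in, and the patch does not touch vendor/modules.txt; if `github.com/prometheus/common/config` is not already vendored by telegraf, a `-mod=vendor` build fails with a package-not-provided error, so that should be checked before the spec bump relies on this patch. The `string(c.OAuth.ClientSecret) == ""` and `string(oAuthConfig.ClientSecret)` conversions are the right way to read a Secret value without going through its redacting marshalers, so the redaction the commit message describes is not weakened at the points of use visible here. A minor style point: the new import is dropped between `github.com/grafana/regexp` and the Azure SDK block rather than into one sorted third-party group as goimports would lay it out.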

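--- a/SPECS/telegraf/telegraf.spec
+++ b/SPECS/telegraf/telegraf.spec
@@ -1,7 +1,7 @@
 Summary: agent for collecting, processing, aggregating, and writing metrics.
 Name: telegraf
 Version: 1.31.0
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -38,6 +38,8 @@ Patch21: cisco_telegraf_bug61041768.patch
 Patch22: CVE-2026-29785.patch
 Patch23: CVE-2026-33216.patch
 Patch24: CVE-2026-5160.patch
+Patch25: CVE-2026-41889.patch
+Patch26: CVE-2026-42151.patch
 
 BuildRequires: golang
 BuildRequires: systemd-devel
@@ -102,6 +104,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Thu May 14 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.31.0-20
+- Patch for CVE-2026-42151, CVE-2026-41889
+
 * Mon Apr 20 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.31.0-19
 - Patch for CVE-2026-5160
 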