Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch azurelinux-image-tools for CVE-2026-27141 [HIGH] - branch 3.0-dev" #16188

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 4 people

SPECS/azurelinux-image-tools/CVE-2026-27141.patch

@@ -0,0 +1,46 @@
+From 09313f6d249a0c11eeb3ce16578033bdd6602fcb Mon Sep 17 00:00:00 2001
+From: Konnyaku <beifengxuanxiao@126.com>
+Date: Tue, 17 Feb 2026 21:23:54 +0800
+Subject: [PATCH] http2: fix nil panic in typeFrameParser for unassigned frame
+ types
+
+The addition of FramePriorityUpdate (0x10) in RFC 9218 introduced a gap
+in the frameParsers array indices (0x0a-0x0f). These indices were
+initialized to nil, causing a panic when typeFrameParser accessed them
+for unassigned frame types (e.g., ALTSVC 0x0a).
+
+This change adds a nil check in typeFrameParser to safely fallback to
+parseUnknownFrame for these unassigned types, preventing the crash.
+
+Fixes golang/go#77652
+
+Change-Id: I14d7ad85afc1eafabc46417a9fff10f9e0a22446
+Reviewed-on: https://go-review.googlesource.com/c/net/+/746180
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Auto-Submit: Damien Neil <dneil@google.com>
+Reviewed-by: Mark Freeman <markfreeman@google.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/golang/net/commit/19f580fd686a6bb31d4af15febe789827169bc26.patch
+---
+ vendor/golang.org/x/net/http2/frame.go | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
+index 9a4bd12..6e393e9 100644
+--- a/vendor/golang.org/x/net/http2/frame.go
++++ b/vendor/golang.org/x/net/http2/frame.go
+@@ -139,7 +139,9 @@ var frameParsers = [...]frameParser{
+ 
+ func typeFrameParser(t FrameType) frameParser {
+ 	if int(t) < len(frameParsers) {
+-		return frameParsers[t]
++		if f := frameParsers[t]; f != nil {
++			return f
++		}
+ 	}
+ 	return parseUnknownFrame
+ }
+-- 
+2.45.4
+

SPECS/azurelinux-image-tools/azurelinux-image-tools.spec

@@ -3,7 +3,7 @@
 Summary:        Azure Linux Image Tools
 Name:           azurelinux-image-tools
 Version:        1.2.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 URL:            https://github.com/microsoft/azure-linux-image-tools/
 Group:          Applications/System
@@ -15,6 +15,7 @@ Source0:        https://github.com/microsoft/azure-linux-image-tools/archive/ref
 # Use generate_source_tarball.sh script with the package version to build this tarball.
 #
 Source1:        %{name}-%{version}-vendor.tar.gz
+Patch0:         CVE-2026-27141.patch
 BuildRequires: golang < 1.25
 BuildRequires: systemd-udev
 Requires: %{name}-imagecustomizer = %{version}-%{release}
@@ -68,8 +69,7 @@ Summary: OS Modifier
 The Azure Linux OS Modifier is a tool that can modify an OS.
 
 %prep
-%autosetup -p1 -n azure-linux-image-tools-%{version}
-tar -xf %{SOURCE1} --no-same-owner
+%autosetup -a1 -p1 -n azure-linux-image-tools-%{version}
 
 %build
 export GOPATH=%{our_gopath}
@@ -112,6 +112,9 @@ go test -C toolkit/tools ./...
 %{_bindir}/osmodifier
 
 %changelog
+* Thu Mar 05 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.2.0-2
+- Patch for CVE-2026-27141
+
 * Fri Feb 27 2026 Brian Fjeldstad <bfjelds@microsoft.com> 1.2.0-1
 - Add osmodifier subpackage
 - Upgrade to version 1.2.0