[AutoPR- Security] Patch skopeo for CVE-2026-24117 [MEDIUM] (#15895)

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: akhila-guruju <v-guakhila@microsoft.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>

Author: 3 people

SPECS/skopeo/CVE-2026-24117.patch

@@ -0,0 +1,108 @@
+From 60ef2bceba192c5bf9327d003bceea8bf1f8275f Mon Sep 17 00:00:00 2001
+From: Hayden <8418760+Hayden-IO@users.noreply.github.com>
+Date: Wed, 21 Jan 2026 16:52:44 -0800
+Subject: [PATCH] Drop support for fetching public keys by URL in the search
+ index (#2731)
+
+This mitigates blind SSRF. Note that this API was marked as experimental
+so while this is a breaking change to the API, we offered no guarantee
+of stability.
+
+Fixes GHSA-4c4x-jm2x-pf9j
+
+Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
+
+Upstream Patch reference: https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f.patch
+---
+ .../client/entries/entries_client.go          |  2 +-
+ .../pkg/generated/models/search_index.go      | 20 -------------------
+ .../sigstore/rekor/pkg/util/fetch.go          | 10 +++++++---
+ 3 files changed, 8 insertions(+), 24 deletions(-)
+
+diff --git a/vendor/github.com/sigstore/rekor/pkg/generated/client/entries/entries_client.go b/vendor/github.com/sigstore/rekor/pkg/generated/client/entries/entries_client.go
+index fe2630e..668ec29 100644
+--- a/vendor/github.com/sigstore/rekor/pkg/generated/client/entries/entries_client.go
++++ b/vendor/github.com/sigstore/rekor/pkg/generated/client/entries/entries_client.go
+@@ -58,7 +58,7 @@ type ClientService interface {
+ /*
+ CreateLogEntry creates an entry in the transparency log
+ 
+-Creates an entry in the transparency log for a detached signature, public key, and content. Items can be included in the request or fetched by the server when URLs are specified.
++Creates an entry in the transparency log for a detached signature, public key, and content.
+ */
+ func (a *Client) CreateLogEntry(params *CreateLogEntryParams, opts ...ClientOption) (*CreateLogEntryCreated, error) {
+ 	// TODO: Validate the params before sending
+diff --git a/vendor/github.com/sigstore/rekor/pkg/generated/models/search_index.go b/vendor/github.com/sigstore/rekor/pkg/generated/models/search_index.go
+index bb1cccc..e731a3b 100644
+--- a/vendor/github.com/sigstore/rekor/pkg/generated/models/search_index.go
++++ b/vendor/github.com/sigstore/rekor/pkg/generated/models/search_index.go
+@@ -229,10 +229,6 @@ type SearchIndexPublicKey struct {
+ 	// Required: true
+ 	// Enum: [pgp x509 minisign ssh tuf]
+ 	Format *string `json:"format"`
+-
+-	// url
+-	// Format: uri
+-	URL strfmt.URI `json:"url,omitempty"`
+ }
+ 
+ // Validate validates this search index public key
+@@ -243,10 +239,6 @@ func (m *SearchIndexPublicKey) Validate(formats strfmt.Registry) error {
+ 		res = append(res, err)
+ 	}
+ 
+-	if err := m.validateURL(formats); err != nil {
+-		res = append(res, err)
+-	}
+-
+ 	if len(res) > 0 {
+ 		return errors.CompositeValidationError(res...)
+ 	}
+@@ -305,18 +297,6 @@ func (m *SearchIndexPublicKey) validateFormat(formats strfmt.Registry) error {
+ 	return nil
+ }
+ 
+-func (m *SearchIndexPublicKey) validateURL(formats strfmt.Registry) error {
+-	if swag.IsZero(m.URL) { // not required
+-		return nil
+-	}
+-
+-	if err := validate.FormatOf("publicKey"+"."+"url", "body", "uri", m.URL.String(), formats); err != nil {
+-		return err
+-	}
+-
+-	return nil
+-}
+-
+ // ContextValidate validates this search index public key based on context it is used
+ func (m *SearchIndexPublicKey) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+ 	return nil
+diff --git a/vendor/github.com/sigstore/rekor/pkg/util/fetch.go b/vendor/github.com/sigstore/rekor/pkg/util/fetch.go
+index 7f8e93f..5c5c464 100644
+--- a/vendor/github.com/sigstore/rekor/pkg/util/fetch.go
++++ b/vendor/github.com/sigstore/rekor/pkg/util/fetch.go
+@@ -21,14 +21,18 @@ import (
+ 	"fmt"
+ 	"io"
+ 	"net/http"
++	"time"
+ )
+ 
+-// FileOrURLReadCloser Note: caller is responsible for closing ReadCloser returned from method!
++// FileOrURLReadCloser reads content either from a URL or a byte slice
++// Note: Caller is responsible for closing the returned ReadCloser
++// Note: This must never be called from any server codepath to prevent SSRF
+ func FileOrURLReadCloser(ctx context.Context, url string, content []byte) (io.ReadCloser, error) {
+ 	var dataReader io.ReadCloser
+ 	if url != "" {
+-		//TODO: set timeout here, SSL settings?
+-		client := &http.Client{}
++		client := &http.Client{
++			Timeout: 30 * time.Second,
++		}
+ 		req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
+ 		if err != nil {
+ 			return nil, err
+-- 
+2.43.0
+

SPECS/skopeo/skopeo.spec

@@ -1,7 +1,7 @@
 Summary:        Inspect container images and repositories on registries
 Name:           skopeo
 Version:        1.14.2
-Release:        14%{?dist}
+Release:        15%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -18,6 +18,7 @@ Patch6:         CVE-2025-27144.patch
 Patch7:         CVE-2025-58058.patch
 Patch8:         CVE-2025-58183.patch
 Patch9:         CVE-2025-11065.patch
+Patch10:        CVE-2026-24117.patch
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
 BuildRequires:  btrfs-progs-devel
@@ -55,13 +56,16 @@ make test-unit-local
 %{_mandir}/man1/%%{name}*
 
 %changelog
+* Wed Feb 18 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.14.2-15
+- Patch for CVE-2026-24117
+
 * Tue Feb 03 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.14.2-14
 - Patch for CVE-2025-11065
 
 * Sat Nov 15 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.14.2-13
 - Patch for CVE-2025-58183
 
-* Wed Sep 03 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.14.2-12
+* Tue Sep 16 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.14.2-12
 - Patch for CVE-2025-58058
 
 * Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 1.14.2-11
@@ -115,7 +119,7 @@ make test-unit-local
 * Thu Jul 13 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.12.0-2
 - Bump release to rebuild with go 1.19.11
 
-* Wed Apr 05 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.12.0-1
+* Thu Jun 22 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.12.0-1
 - Bump skopeo version to 1.12.0 - upgrade to latest
 
 * Thu Jun 15 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.11.0-5