[AutoPR- Security] Patch gh for CVE-2026-24117, CVE-2025-58190, CVE-2025-47911 [MEDIUM] (#15937)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: azurelinux-security

SPECS/gh/CVE-2025-47911.patch

@@ -0,0 +1,100 @@
+From efa0c0b048d06c59902b0c9701e1ebd7ecbb98fc Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 29 Sep 2025 16:33:18 -0700
+Subject: [PATCH] html: impose open element stack size limit
+
+The HTML specification contains a number of algorithms which are
+quadratic in complexity by design. Instead of adding complicated
+workarounds to prevent these cases from becoming extremely expensive in
+pathological cases, we impose a limit of 512 to the size of the stack of
+open elements. It is extremely unlikely that non-adversarial HTML
+documents will ever hit this limit (but if we see cases of this, we may
+want to make the limit configurable via a ParseOption).
+
+Thanks to Guido Vranken and Jakub Ciolek for both independently
+reporting this issue.
+
+Fixes CVE-2025-47911
+Fixes golang/go#75682
+
+Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
+Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d.patch
+---
+ vendor/golang.org/x/net/html/escape.go |  2 +-
+ vendor/golang.org/x/net/html/parse.go  | 21 +++++++++++++++++----
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go
+index 04c6bec..12f2273 100644
+--- a/vendor/golang.org/x/net/html/escape.go
++++ b/vendor/golang.org/x/net/html/escape.go
+@@ -299,7 +299,7 @@ func escape(w writer, s string) error {
+ 		case '\r':
+ 			esc = "&#13;"
+ 		default:
+-			panic("unrecognized escape character")
++			panic("html: unrecognized escape character")
+ 		}
+ 		s = s[i+1:]
+ 		if _, err := w.WriteString(esc); err != nil {
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 979ef17..4d12a1c 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
+ 	}
+ 
+ 	if n.Type == ElementNode {
+-		p.oe = append(p.oe, n)
++		p.insertOpenElement(n)
++	}
++}
++
++func (p *parser) insertOpenElement(n *Node) {
++	p.oe = append(p.oe, n)
++	if len(p.oe) > 512 {
++		panic("html: open stack of elements exceeds 512 nodes")
+ 	}
+ }
+ 
+@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool {
+ 			p.im = inFramesetIM
+ 			return true
+ 		case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
+-			p.oe = append(p.oe, p.head)
++			p.insertOpenElement(p.head)
+ 			defer p.oe.remove(p.head)
+ 			return inHeadIM(p)
+ 		case a.Head:
+@@ -2320,9 +2327,13 @@ func (p *parser) parseCurrentToken() {
+ 	}
+ }
+ 
+-func (p *parser) parse() error {
++func (p *parser) parse() (err error) {
++	defer func() {
++		if panicErr := recover(); panicErr != nil {
++			err = fmt.Errorf("%s", panicErr)
++		}
++	}()
+ 	// Iterate until EOF. Any other error will cause an early return.
+-	var err error
+ 	for err != io.EOF {
+ 		// CDATA sections are allowed only in foreign content.
+ 		n := p.oe.top()
+@@ -2351,6 +2362,8 @@ func (p *parser) parse() error {
+ // <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped,
+ // with no corresponding node in the resulting tree.
+ //
++// Parse will reject HTML that is nested deeper than 512 elements.
++//
+ // The input is assumed to be UTF-8 encoded.
+ func Parse(r io.Reader) (*Node, error) {
+ 	return ParseWithOptions(r)
+-- 
+2.45.4
+

SPECS/gh/CVE-2025-58190.patch

@@ -0,0 +1,126 @@
+From e2c662dd99d0e7e7160fd88f3c41ccdba657f7f5 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 29 Sep 2025 19:38:24 -0700
+Subject: [PATCH] html: align in row insertion mode with spec
+
+Update inRowIM to match the HTML specification. This fixes an issue
+where a specific HTML document could cause the parser to enter an
+infinite loop when trying to parse a </tbody> and implied </tr> next to
+each other.
+
+Fixes CVE-2025-58190
+Fixes golang/go#70179
+
+Change-Id: Idcb133c87c7d475cc8c7eb1f1550ea21d8bdddea
+Reviewed-on: https://go-review.googlesource.com/c/net/+/709875
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/golang/net/commit/6ec8895aa5f6594da7356da7d341b98133629009.patch
+---
+ vendor/golang.org/x/net/html/parse.go | 36 ++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 5b8374b..979ef17 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -136,7 +136,7 @@ func (p *parser) indexOfElementInScope(s scope, matchTags ...a.Atom) int {
+ 					return -1
+ 				}
+ 			default:
+-				panic("unreachable")
++				panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s))
+ 			}
+ 		}
+ 		switch s {
+@@ -179,7 +179,7 @@ func (p *parser) clearStackToContext(s scope) {
+ 				return
+ 			}
+ 		default:
+-			panic("unreachable")
++			panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s))
+ 		}
+ 	}
+ }
+@@ -1674,7 +1674,7 @@ func inTableBodyIM(p *parser) bool {
+ 	return inTableIM(p)
+ }
+ 
+-// Section 12.2.6.4.14.
++// Section 13.2.6.4.14.
+ func inRowIM(p *parser) bool {
+ 	switch p.tok.Type {
+ 	case StartTagToken:
+@@ -1686,7 +1686,9 @@ func inRowIM(p *parser) bool {
+ 			p.im = inCellIM
+ 			return true
+ 		case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr:
+-			if p.popUntil(tableScope, a.Tr) {
++			if p.elementInScope(tableScope, a.Tr) {
++				p.clearStackToContext(tableRowScope)
++				p.oe.pop()
+ 				p.im = inTableBodyIM
+ 				return false
+ 			}
+@@ -1696,22 +1698,28 @@ func inRowIM(p *parser) bool {
+ 	case EndTagToken:
+ 		switch p.tok.DataAtom {
+ 		case a.Tr:
+-			if p.popUntil(tableScope, a.Tr) {
++			if p.elementInScope(tableScope, a.Tr) {
++				p.clearStackToContext(tableRowScope)
++				p.oe.pop()
+ 				p.im = inTableBodyIM
+ 				return true
+ 			}
+ 			// Ignore the token.
+ 			return true
+ 		case a.Table:
+-			if p.popUntil(tableScope, a.Tr) {
++			if p.elementInScope(tableScope, a.Tr) {
++				p.clearStackToContext(tableRowScope)
++				p.oe.pop()
+ 				p.im = inTableBodyIM
+ 				return false
+ 			}
+ 			// Ignore the token.
+ 			return true
+ 		case a.Tbody, a.Tfoot, a.Thead:
+-			if p.elementInScope(tableScope, p.tok.DataAtom) {
+-				p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String())
++			if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) {
++				p.clearStackToContext(tableRowScope)
++				p.oe.pop()
++				p.im = inTableBodyIM
+ 				return false
+ 			}
+ 			// Ignore the token.
+@@ -2218,16 +2226,20 @@ func parseForeignContent(p *parser) bool {
+ 			p.acknowledgeSelfClosingTag()
+ 		}
+ 	case EndTagToken:
++		if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) {
++			p.oe = p.oe[:len(p.oe)-1]
++			return true
++		}
+ 		for i := len(p.oe) - 1; i >= 0; i-- {
+-			if p.oe[i].Namespace == "" {
+-				return p.im(p)
+-			}
+ 			if strings.EqualFold(p.oe[i].Data, p.tok.Data) {
+ 				p.oe = p.oe[:i]
++				return true
++			}
++			if i > 0 && p.oe[i-1].Namespace == "" {
+ 				break
+ 			}
+ 		}
+-		return true
++		return p.im(p)
+ 	default:
+ 		// Ignore the token.
+ 	}
+-- 
+2.45.4
+

SPECS/gh/CVE-2026-24117.patch

@@ -0,0 +1,109 @@
+From c6fd08c83115ce2f69a82923499c60794ebc3908 Mon Sep 17 00:00:00 2001
+From: Hayden <8418760+Hayden-IO@users.noreply.github.com>
+Date: Wed, 21 Jan 2026 16:52:44 -0800
+Subject: [PATCH] Drop support for fetching public keys by URL in the search
+ index (#2731)
+
+This mitigates blind SSRF. Note that this API was marked as experimental
+so while this is a breaking change to the API, we offered no guarantee
+of stability.
+
+Fixes GHSA-4c4x-jm2x-pf9j
+
+Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream Patch reference: https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f.patch
+---
+ .../client/entries/entries_client.go          |  2 +-
+ .../pkg/generated/models/search_index.go      | 20 -------------------
+ .../sigstore/rekor/pkg/util/fetch.go          | 10 +++++++---
+ 3 files changed, 8 insertions(+), 24 deletions(-)
+
+diff --git a/vendor/github.com/sigstore/rekor/pkg/generated/client/entries/entries_client.go b/vendor/github.com/sigstore/rekor/pkg/generated/client/entries/entries_client.go
+index fe2630e..668ec29 100644
+--- a/vendor/github.com/sigstore/rekor/pkg/generated/client/entries/entries_client.go
++++ b/vendor/github.com/sigstore/rekor/pkg/generated/client/entries/entries_client.go
+@@ -58,7 +58,7 @@ type ClientService interface {
+ /*
+ CreateLogEntry creates an entry in the transparency log
+ 
+-Creates an entry in the transparency log for a detached signature, public key, and content. Items can be included in the request or fetched by the server when URLs are specified.
++Creates an entry in the transparency log for a detached signature, public key, and content.
+ */
+ func (a *Client) CreateLogEntry(params *CreateLogEntryParams, opts ...ClientOption) (*CreateLogEntryCreated, error) {
+ 	// TODO: Validate the params before sending
+diff --git a/vendor/github.com/sigstore/rekor/pkg/generated/models/search_index.go b/vendor/github.com/sigstore/rekor/pkg/generated/models/search_index.go
+index bb1cccc..e731a3b 100644
+--- a/vendor/github.com/sigstore/rekor/pkg/generated/models/search_index.go
++++ b/vendor/github.com/sigstore/rekor/pkg/generated/models/search_index.go
+@@ -229,10 +229,6 @@ type SearchIndexPublicKey struct {
+ 	// Required: true
+ 	// Enum: [pgp x509 minisign ssh tuf]
+ 	Format *string `json:"format"`
+-
+-	// url
+-	// Format: uri
+-	URL strfmt.URI `json:"url,omitempty"`
+ }
+ 
+ // Validate validates this search index public key
+@@ -243,10 +239,6 @@ func (m *SearchIndexPublicKey) Validate(formats strfmt.Registry) error {
+ 		res = append(res, err)
+ 	}
+ 
+-	if err := m.validateURL(formats); err != nil {
+-		res = append(res, err)
+-	}
+-
+ 	if len(res) > 0 {
+ 		return errors.CompositeValidationError(res...)
+ 	}
+@@ -305,18 +297,6 @@ func (m *SearchIndexPublicKey) validateFormat(formats strfmt.Registry) error {
+ 	return nil
+ }
+ 
+-func (m *SearchIndexPublicKey) validateURL(formats strfmt.Registry) error {
+-	if swag.IsZero(m.URL) { // not required
+-		return nil
+-	}
+-
+-	if err := validate.FormatOf("publicKey"+"."+"url", "body", "uri", m.URL.String(), formats); err != nil {
+-		return err
+-	}
+-
+-	return nil
+-}
+-
+ // ContextValidate validates this search index public key based on context it is used
+ func (m *SearchIndexPublicKey) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+ 	return nil
+diff --git a/vendor/github.com/sigstore/rekor/pkg/util/fetch.go b/vendor/github.com/sigstore/rekor/pkg/util/fetch.go
+index 7f8e93f..5c5c464 100644
+--- a/vendor/github.com/sigstore/rekor/pkg/util/fetch.go
++++ b/vendor/github.com/sigstore/rekor/pkg/util/fetch.go
+@@ -21,14 +21,18 @@ import (
+ 	"fmt"
+ 	"io"
+ 	"net/http"
++	"time"
+ )
+ 
+-// FileOrURLReadCloser Note: caller is responsible for closing ReadCloser returned from method!
++// FileOrURLReadCloser reads content either from a URL or a byte slice
++// Note: Caller is responsible for closing the returned ReadCloser
++// Note: This must never be called from any server codepath to prevent SSRF
+ func FileOrURLReadCloser(ctx context.Context, url string, content []byte) (io.ReadCloser, error) {
+ 	var dataReader io.ReadCloser
+ 	if url != "" {
+-		//TODO: set timeout here, SSL settings?
+-		client := &http.Client{}
++		client := &http.Client{
++			Timeout: 30 * time.Second,
++		}
+ 		req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
+ 		if err != nil {
+ 			return nil, err
+-- 
+2.45.4
+

SPECS/gh/gh.spec

@@ -1,7 +1,7 @@
 Summary:        GitHub official command line tool
 Name:           gh
 Version:        2.62.0
-Release:        12%{?dist}
+Release:        13%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -27,6 +27,9 @@ Patch11:        CVE-2025-58183.patch
 Patch12:        CVE-2026-23991.patch
 Patch13:        CVE-2026-23992.patch
 Patch14:        CVE-2025-11065.patch
+Patch15:        CVE-2025-47911.patch
+Patch16:        CVE-2025-58190.patch
+Patch17:        CVE-2026-24117.patch
 
 BuildRequires:  golang < 1.24
 BuildRequires:  git
@@ -71,6 +74,9 @@ make test
 %{_datadir}/zsh/site-functions/_gh
 
 %changelog
+* Fri Feb 20 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.62.0-13
+- Patch for CVE-2026-24117, CVE-2025-58190, CVE-2025-47911
+
 * Tue Feb 03 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.62.0-12
 - Patch for CVE-2025-11065
 
@@ -92,10 +98,10 @@ make test
 * Fri Feb 21 2025 Kshitiz Godara <kgodara@microsoft.com> - 2.62.0-6
 - Patch CVE-2025-25204
 
-* Wed Jan 21 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 2.62.0-5
+* Tue Jan 21 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 2.62.0-5
 - Patch CVE-2024-53859, CVE-2024-53858
 
-* Tue Dec 31 2024 Rohit Rawat <rohitrawat@microsoft.com> - 2.62.0-4
+* Sat Jan 18 2025 Rohit Rawat <rohitrawat@microsoft.com> - 2.62.0-4
 - Add patch for CVE-2024-45338
 
 * Wed Jan 08 2025 Muhammad Falak <mwani@microsoft.com> - 2.62.0-3