From 4c43f85f97f697e247cc07ba6cd8b2467f2911a0 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
 <azurelinux-security@microsoft.com>
Date: Thu, 25 Jun 2026 09:14:37 +0000
Subject: [PATCH 1/2] Patch tmux for CVE-2026-11623

---
 SPECS/tmux/CVE-2026-11623.patch | 116 ++++++++++++++++++++++++++++++++
 SPECS/tmux/tmux.spec            |   6 +-
 2 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/tmux/CVE-2026-11623.patch

diff --git a/SPECS/tmux/CVE-2026-11623.patch b/SPECS/tmux/CVE-2026-11623.patch
new file mode 100644
index 00000000000..d8ddfdd03c5
--- /dev/null
+++ b/SPECS/tmux/CVE-2026-11623.patch
@@ -0,0 +1,116 @@
+From c4aa0f7d7e53e82660573a8258a65451b3d907b4 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Thu, 25 Jun 2026 09:08:44 +0000
+Subject: [PATCH] Track image list for correct removal when image limit is
+ reached
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/tmux/tmux/commit/fc6d94a9f8a593bd8b7031650802084385d4ee03.patch
+---
+ image.c  |  7 +++----
+ screen.c | 23 +++++++++++++++++++++--
+ tmux.h   |  4 +++-
+ 3 files changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/image.c b/image.c
+index 4380878..85da024 100644
+--- a/image.c
++++ b/image.c
+@@ -29,12 +29,10 @@ static u_int		all_images_count;
+ static void
+ image_free(struct image *im)
+ {
+-	struct screen	*s = im->s;
+-
+ 	TAILQ_REMOVE(&all_images, im, all_entry);
+ 	all_images_count--;
+ 
+-	TAILQ_REMOVE(&s->images, im, entry);
++	TAILQ_REMOVE(im->list, im, entry);
+ 	sixel_free(im->data);
+ 	free(im->fallback);
+ 	free(im);
+@@ -108,7 +106,8 @@ image_store(struct screen *s, struct sixel_image *si)
+ 
+ 	image_fallback(&im->fallback, im->sx, im->sy);
+ 
+-	TAILQ_INSERT_TAIL(&s->images, im, entry);
++	im->list = &s->images;
++	TAILQ_INSERT_TAIL(im->list, im, entry);
+ 
+ 	TAILQ_INSERT_TAIL(&all_images, im, all_entry);
+ 	if (++all_images_count == 10/*XXX*/)
+diff --git a/screen.c b/screen.c
+index f73a850..8e72c46 100644
+--- a/screen.c
++++ b/screen.c
+@@ -611,7 +611,10 @@ screen_reflow(struct screen *s, u_int new_x, u_int *cx, u_int *cy, int cursor)
+ void
+ screen_alternate_on(struct screen *s, struct grid_cell *gc, int cursor)
+ {
+-	u_int	sx, sy;
++	u_int		 sx, sy;
++#ifdef ENABLE_SIXEL
++	struct image	*im;
++#endif
+ 
+ 	if (s->saved_grid != NULL)
+ 		return;
+@@ -626,6 +629,12 @@ screen_alternate_on(struct screen *s, struct grid_cell *gc, int cursor)
+ 	}
+ 	memcpy(&s->saved_cell, gc, sizeof s->saved_cell);
+ 
++#ifdef ENABLE_SIXEL
++	TAILQ_CONCAT(&s->saved_images, &s->images, entry);
++	TAILQ_FOREACH(im, &s->saved_images, entry)
++	    im->list = &s->saved_images;
++#endif
++
+ 	grid_view_clear(s->grid, 0, 0, sx, sy, 8);
+ 
+ 	s->saved_flags = s->grid->flags;
+@@ -636,7 +645,10 @@ screen_alternate_on(struct screen *s, struct grid_cell *gc, int cursor)
+ void
+ screen_alternate_off(struct screen *s, struct grid_cell *gc, int cursor)
+ {
+-	u_int	sx = screen_size_x(s), sy = screen_size_y(s);
++	u_int		 sx = screen_size_x(s), sy = screen_size_y(s);
++#ifdef ENABLE_SIXEL
++	struct image	*im;
++#endif
+ 
+ 	/*
+ 	 * If the current size is different, temporarily resize to the old size
+@@ -680,6 +692,13 @@ screen_alternate_off(struct screen *s, struct grid_cell *gc, int cursor)
+ 	grid_destroy(s->saved_grid);
+ 	s->saved_grid = NULL;
+ 
++#ifdef ENABLE_SIXEL
++	image_free_all(s);
++	TAILQ_CONCAT(&s->images, &s->saved_images, entry);
++	TAILQ_FOREACH(im, &s->images, entry)
++	    im->list = &s->images;
++#endif
++
+ 	if (s->cx > screen_size_x(s) - 1)
+ 		s->cx = screen_size_x(s) - 1;
+ 	if (s->cy > screen_size_y(s) - 1)
+diff --git a/tmux.h b/tmux.h
+index a50adbf..e2f55cd 100644
+--- a/tmux.h
++++ b/tmux.h
+@@ -858,8 +858,10 @@ struct image {
+ 	u_int			 sx;
+ 	u_int			 sy;
+ 
+-	TAILQ_ENTRY (image)	 all_entry;
++	struct images		*list;
+ 	TAILQ_ENTRY (image)	 entry;
++
++	TAILQ_ENTRY (image)	 all_entry;
+ };
+ TAILQ_HEAD(images, image);
+ #endif
+-- 
+2.45.4
+
diff --git a/SPECS/tmux/tmux.spec b/SPECS/tmux/tmux.spec
index 958e88c4aeb..62ddd563fab 100644
--- a/SPECS/tmux/tmux.spec
+++ b/SPECS/tmux/tmux.spec
@@ -1,13 +1,14 @@
 Summary:        Terminal multiplexer
 Name:           tmux
 Version:        3.4
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        ISC and BSD
 URL:            https://tmux.github.io/
 Group:          Applications/System
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source0:        https://github.com/tmux/tmux/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch0:         CVE-2026-11623.patch
 Requires:       libevent ncurses
 BuildRequires:  libevent-devel ncurses-devel
 
@@ -37,6 +38,9 @@ make  %{?_smp_mflags} check
 %exclude /usr/src
 
 %changelog
+* Thu Jun 25 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.4-2
+- Patch for CVE-2026-11623
+
 * Fri Feb 23 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.4-1
 - Auto-upgrade to 3.4 - Azure Linux 3.0 Upgrades
 

From ef98e1069a3e8d59430a2e615a5bb4ec878daf80 Mon Sep 17 00:00:00 2001
From: Swapnil Sahu <v-swapsahu@microsoft.com>
Date: Sun, 28 Jun 2026 22:40:38 +0000
Subject: [PATCH 2/2] Modified AI Patch

---
 SPECS/tmux/CVE-2026-11623.patch | 51 ++++++++++++++++++++++-----------
 1 file changed, 35 insertions(+), 16 deletions(-)

diff --git a/SPECS/tmux/CVE-2026-11623.patch b/SPECS/tmux/CVE-2026-11623.patch
index d8ddfdd03c5..bc9b38e4b65 100644
--- a/SPECS/tmux/CVE-2026-11623.patch
+++ b/SPECS/tmux/CVE-2026-11623.patch
@@ -1,16 +1,19 @@
-From c4aa0f7d7e53e82660573a8258a65451b3d907b4 Mon Sep 17 00:00:00 2001
-From: AllSpark <allspark@microsoft.com>
-Date: Thu, 25 Jun 2026 09:08:44 +0000
-Subject: [PATCH] Track image list for correct removal when image limit is
- reached
+From fc6d94a9f8a593bd8b7031650802084385d4ee03 Mon Sep 17 00:00:00 2001
+From: Nicholas Marriott <nicholas.marriott@gmail.com>
+Date: Mon, 27 Apr 2026 13:09:07 +0100
+Subject: [PATCH] Track which list (images or saved_images) each image is on so
+ they can be removed from the correct list when the total image count is
+ reached. Fixes crash reported by xlabai at tencent dot com.
+
+Modified to apply to azurelinux.
+Backported saved_images and TAILQ_INIT initialization.
+Upstream patch reference: https://github.com/tmux/tmux/commit/fc6d94a9f8a593bd8b7031650802084385d4ee03.patch
 
-Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
-Upstream-reference: AI Backport of https://github.com/tmux/tmux/commit/fc6d94a9f8a593bd8b7031650802084385d4ee03.patch
 ---
  image.c  |  7 +++----
- screen.c | 23 +++++++++++++++++++++--
- tmux.h   |  4 +++-
- 3 files changed, 27 insertions(+), 7 deletions(-)
+ screen.c | 24 ++++++++++++++++++++++--
+ tmux.h   |  5 ++++-
+ 3 files changed, 29 insertions(+), 7 deletions(-)
 
 diff --git a/image.c b/image.c
 index 4380878..85da024 100644
@@ -41,10 +44,18 @@ index 4380878..85da024 100644
  	TAILQ_INSERT_TAIL(&all_images, im, all_entry);
  	if (++all_images_count == 10/*XXX*/)
 diff --git a/screen.c b/screen.c
-index f73a850..8e72c46 100644
+index f73a850..685292c 100644
 --- a/screen.c
 +++ b/screen.c
-@@ -611,7 +611,10 @@ screen_reflow(struct screen *s, u_int new_x, u_int *cx, u_int *cy, int cursor)
+@@ -91,6 +91,7 @@ screen_init(struct screen *s, u_int sx, u_int sy, u_int hlimit)
+ 
+ #ifdef ENABLE_SIXEL
+ 	TAILQ_INIT(&s->images);
++	TAILQ_INIT(&s->saved_images);
+ #endif
+ 
+ 	s->write_list = NULL;
+@@ -611,7 +612,10 @@ screen_reflow(struct screen *s, u_int new_x, u_int *cx, u_int *cy, int cursor)
  void
  screen_alternate_on(struct screen *s, struct grid_cell *gc, int cursor)
  {
@@ -56,7 +67,7 @@ index f73a850..8e72c46 100644
  
  	if (s->saved_grid != NULL)
  		return;
-@@ -626,6 +629,12 @@ screen_alternate_on(struct screen *s, struct grid_cell *gc, int cursor)
+@@ -626,6 +630,12 @@ screen_alternate_on(struct screen *s, struct grid_cell *gc, int cursor)
  	}
  	memcpy(&s->saved_cell, gc, sizeof s->saved_cell);
  
@@ -69,7 +80,7 @@ index f73a850..8e72c46 100644
  	grid_view_clear(s->grid, 0, 0, sx, sy, 8);
  
  	s->saved_flags = s->grid->flags;
-@@ -636,7 +645,10 @@ screen_alternate_on(struct screen *s, struct grid_cell *gc, int cursor)
+@@ -636,7 +646,10 @@ screen_alternate_on(struct screen *s, struct grid_cell *gc, int cursor)
  void
  screen_alternate_off(struct screen *s, struct grid_cell *gc, int cursor)
  {
@@ -81,7 +92,7 @@ index f73a850..8e72c46 100644
  
  	/*
  	 * If the current size is different, temporarily resize to the old size
-@@ -680,6 +692,13 @@ screen_alternate_off(struct screen *s, struct grid_cell *gc, int cursor)
+@@ -680,6 +693,13 @@ screen_alternate_off(struct screen *s, struct grid_cell *gc, int cursor)
  	grid_destroy(s->saved_grid);
  	s->saved_grid = NULL;
  
@@ -96,7 +107,7 @@ index f73a850..8e72c46 100644
  		s->cx = screen_size_x(s) - 1;
  	if (s->cy > screen_size_y(s) - 1)
 diff --git a/tmux.h b/tmux.h
-index a50adbf..e2f55cd 100644
+index a50adbf..d1993ad 100644
 --- a/tmux.h
 +++ b/tmux.h
 @@ -858,8 +858,10 @@ struct image {
@@ -111,6 +122,14 @@ index a50adbf..e2f55cd 100644
  };
  TAILQ_HEAD(images, image);
  #endif
+@@ -907,6 +909,7 @@ struct screen {
+ 
+ #ifdef ENABLE_SIXEL
+ 	struct images			 images;
++	struct images                    saved_images;
+ #endif
+ 
+ 	struct screen_write_cline	*write_list;
 -- 
 2.45.4