Skip to content

[AutoPR- Security] Patch tmux for CVE-2026-11623 [LOW] #17802

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
azurelinux-security wants to merge 2 commits into
base: 3.0-dev
Choose a base branch
from
+140 −1
Open

[AutoPR- Security] Patch tmux for CVE-2026-11623 [LOW] #17802

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4c43f85
Patch tmux for CVE-2026-11623
azurelinux-security Jun 25, 2026
ef98e10
Modified AI Patch
v-swapsahu Jun 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
135 changes: 135 additions & 0 deletions SPECS/tmux/CVE-2026-11623.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,135 @@
From fc6d94a9f8a593bd8b7031650802084385d4ee03 Mon Sep 17 00:00:00 2001
From: Nicholas Marriott <nicholas.marriott@gmail.com>
Date: Mon, 27 Apr 2026 13:09:07 +0100
Subject: [PATCH] Track which list (images or saved_images) each image is on so
they can be removed from the correct list when the total image count is
reached. Fixes crash reported by xlabai at tencent dot com.

Modified to apply to azurelinux.
Backported saved_images and TAILQ_INIT initialization.
Upstream patch reference: https://github.com/tmux/tmux/commit/fc6d94a9f8a593bd8b7031650802084385d4ee03.patch

---
image.c | 7 +++----
screen.c | 24 ++++++++++++++++++++++--
tmux.h | 5 ++++-
3 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/image.c b/image.c
index 4380878..85da024 100644
--- a/image.c
+++ b/image.c
@@ -29,12 +29,10 @@ static u_int all_images_count;
static void
image_free(struct image *im)
{
- struct screen *s = im->s;
-
TAILQ_REMOVE(&all_images, im, all_entry);
all_images_count--;

- TAILQ_REMOVE(&s->images, im, entry);
+ TAILQ_REMOVE(im->list, im, entry);
sixel_free(im->data);
free(im->fallback);
free(im);
@@ -108,7 +106,8 @@ image_store(struct screen *s, struct sixel_image *si)

image_fallback(&im->fallback, im->sx, im->sy);

- TAILQ_INSERT_TAIL(&s->images, im, entry);
+ im->list = &s->images;
+ TAILQ_INSERT_TAIL(im->list, im, entry);

TAILQ_INSERT_TAIL(&all_images, im, all_entry);
if (++all_images_count == 10/*XXX*/)
diff --git a/screen.c b/screen.c
index f73a850..685292c 100644
--- a/screen.c
+++ b/screen.c
@@ -91,6 +91,7 @@ screen_init(struct screen *s, u_int sx, u_int sy, u_int hlimit)

#ifdef ENABLE_SIXEL
TAILQ_INIT(&s->images);
+ TAILQ_INIT(&s->saved_images);
#endif

s->write_list = NULL;
@@ -611,7 +612,10 @@ screen_reflow(struct screen *s, u_int new_x, u_int *cx, u_int *cy, int cursor)
void
screen_alternate_on(struct screen *s, struct grid_cell *gc, int cursor)
{
- u_int sx, sy;
+ u_int sx, sy;
+#ifdef ENABLE_SIXEL
+ struct image *im;
+#endif

if (s->saved_grid != NULL)
return;
@@ -626,6 +630,12 @@ screen_alternate_on(struct screen *s, struct grid_cell *gc, int cursor)
}
memcpy(&s->saved_cell, gc, sizeof s->saved_cell);

+#ifdef ENABLE_SIXEL
+ TAILQ_CONCAT(&s->saved_images, &s->images, entry);
+ TAILQ_FOREACH(im, &s->saved_images, entry)
+ im->list = &s->saved_images;
+#endif
+
grid_view_clear(s->grid, 0, 0, sx, sy, 8);

s->saved_flags = s->grid->flags;
@@ -636,7 +646,10 @@ screen_alternate_on(struct screen *s, struct grid_cell *gc, int cursor)
void
screen_alternate_off(struct screen *s, struct grid_cell *gc, int cursor)
{
- u_int sx = screen_size_x(s), sy = screen_size_y(s);
+ u_int sx = screen_size_x(s), sy = screen_size_y(s);
+#ifdef ENABLE_SIXEL
+ struct image *im;
+#endif

/*
* If the current size is different, temporarily resize to the old size
@@ -680,6 +693,13 @@ screen_alternate_off(struct screen *s, struct grid_cell *gc, int cursor)
grid_destroy(s->saved_grid);
s->saved_grid = NULL;

+#ifdef ENABLE_SIXEL
+ image_free_all(s);
+ TAILQ_CONCAT(&s->images, &s->saved_images, entry);
+ TAILQ_FOREACH(im, &s->images, entry)
+ im->list = &s->images;
+#endif
+
if (s->cx > screen_size_x(s) - 1)
s->cx = screen_size_x(s) - 1;
if (s->cy > screen_size_y(s) - 1)
diff --git a/tmux.h b/tmux.h
index a50adbf..d1993ad 100644
--- a/tmux.h
+++ b/tmux.h
@@ -858,8 +858,10 @@ struct image {
u_int sx;
u_int sy;

- TAILQ_ENTRY (image) all_entry;
+ struct images *list;
TAILQ_ENTRY (image) entry;
+
+ TAILQ_ENTRY (image) all_entry;
};
TAILQ_HEAD(images, image);
#endif
@@ -907,6 +909,7 @@ struct screen {

#ifdef ENABLE_SIXEL
struct images images;
+ struct images saved_images;
#endif

struct screen_write_cline *write_list;
--
2.45.4

6 changes: 5 additions & 1 deletion SPECS/tmux/tmux.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,14 @@
Summary: Terminal multiplexer
Name: tmux
Version: 3.4
Release: 1%{?dist}
Release: 2%{?dist}
License: ISC and BSD
URL: https://tmux.github.io/
Group: Applications/System
Vendor: Microsoft Corporation
Distribution: Azure Linux
Source0: https://github.com/tmux/tmux/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch0: CVE-2026-11623.patch
Requires: libevent ncurses
BuildRequires: libevent-devel ncurses-devel

Expand Down Expand Up @@ -37,6 +38,9 @@ make %{?_smp_mflags} check
%exclude /usr/src

%changelog
* Thu Jun 25 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.4-2
- Patch for CVE-2026-11623

* Fri Feb 23 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.4-1
- Auto-upgrade to 3.4 - Azure Linux 3.0 Upgrades

Expand Down
Loading