Skip to content

[AutoPR- Security] Patch libtiff for CVE-2026-12912 [HIGH]#17903

Open
azurelinux-security wants to merge 2 commits into
microsoft:fasttrack/3.0from
azurelinux-security:azure-autosec/libtiff/3.0/1152281
Open

[AutoPR- Security] Patch libtiff for CVE-2026-12912 [HIGH]#17903
azurelinux-security wants to merge 2 commits into
microsoft:fasttrack/3.0from
azurelinux-security:azure-autosec/libtiff/3.0/1152281

Conversation

@azurelinux-security

@azurelinux-security azurelinux-security commented Jul 3, 2026

Copy link
Copy Markdown

Auto Patch libtiff for CVE-2026-12912.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1152281&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging fasttrack/3.0 PRs Destined for Azure Linux 3.0 labels Jul 3, 2026
@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review July 3, 2026 10:32
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner July 3, 2026 10:32
@azurelinux-security

Copy link
Copy Markdown
Author

🔒 CVE Patch Review: CVE-2026-12912

PR #17903 — [AutoPR- Security] Patch libtiff for CVE-2026-12912 [HIGH]
Package: libtiff | Branch: fasttrack/3.0


Spec File Validation

Check Status Detail
Release bump Release bumped 13 → 14
Patch entry Patch entries added: ['CVE-2026-12912.patch'] (covers ['CVE-2026-12912'])
Patch application %autosetup/%autopatch found in full spec — patches applied automatically
Changelog Changelog entry looks good
Signatures No source tarball changes — signatures N/A
Manifests Not a toolchain PR — manifests N/A

Build Verification

  • Build status: ✅ PASSED
  • Artifact downloaded:
  • CVE applied during build:
  • Warnings (9):
    • L199: time="2026-07-03T09:47:55Z" level=debug msg="configure.ac:107: warning: The macro 'AC_PROG_CC_C99' is obsolete."
    • L203: time="2026-07-03T09:47:55Z" level=debug msg="configure.ac:190: warning: The macro 'AC_HEADER_TIME' is obsolete."
    • L705: time="2026-07-03T09:48:01Z" level=debug msg="libtool: warning: relinking 'libtiffxx.la'"
    • L712: time="2026-07-03T09:48:01Z" level=debug msg="libtool: warning: remember to run 'libtool --finish /usr/lib'"
    • L724: time="2026-07-03T09:48:01Z" level=debug msg="libtool: warning: '../libtiff/libtiff.la' has not been installed in '/usr/lib'"
    • L726: time="2026-07-03T09:48:01Z" level=debug msg="libtool: warning: '../libtiff/libtiff.la' has not been installed in '/usr/lib'"
    • L728: time="2026-07-03T09:48:01Z" level=debug msg="libtool: warning: '../libtiff/libtiff.la' has not been installed in '/usr/lib'"
    • L730: time="2026-07-03T09:48:01Z" level=debug msg="libtool: warning: '../libtiff/libtiff.la' has not been installed in '/usr/lib'"
    • L732: time="2026-07-03T09:48:01Z" level=debug msg="libtool: warning: '../libtiff/libtiff.la' has not been installed in '/usr/lib'"

🤖 AI Build Log Analysis

  • Risk: low
  • Summary: The libtiff RPM build completed successfully and produced the expected binary, devel, debuginfo, and source RPM artifacts. The targeted CVE patch for CVE-2026-12912 appears to have been applied during %prep without any visible patch failures, rejected hunks, fuzz, or offset warnings. Compilation, installation, debuginfo extraction, packaging, and file checks all completed cleanly, and the build finished with output RPMs written successfully.
  • AI-detected warnings:
    • The log does not show per-hunk patch output for CVE-2026-12912.patch because patching was run in silent mode (-s), so success is inferred from the absence of failures rather than explicit hunk application details.
    • Autotools regeneration emitted upstream maintenance warnings about obsolete macros AC_PROG_CC_C99 and AC_HEADER_TIME in configure.ac.
    • During documentation install, 'find: './html-prebuilt': No such file or directory' appeared twice; this did not fail the build but suggests optional prebuilt HTML docs were absent.
    • RPM emitted 'Could not canonicalize hostname' warnings, which are environmental and did not affect the build.

🧪 Test Log Analysis

  • Test status: ❌ FAILED
  • Test errors (1):
    • L1072: time="2026-07-03T09:48:20Z" level=debug msg="# ERROR: 0"
  • Test warnings (10):
    • L198: time="2026-07-03T09:48:14Z" level=debug msg="configure.ac:107: warning: The macro 'AC_PROG_CC_C99' is obsolete."
    • L202: time="2026-07-03T09:48:14Z" level=debug msg="configure.ac:190: warning: The macro 'AC_HEADER_TIME' is obsolete."
    • L704: time="2026-07-03T09:48:19Z" level=debug msg="libtool: warning: relinking 'libtiffxx.la'"
    • L711: time="2026-07-03T09:48:19Z" level=debug msg="libtool: warning: remember to run 'libtool --finish /usr/lib'"
    • L723: time="2026-07-03T09:48:19Z" level=debug msg="libtool: warning: '../libtiff/libtiff.la' has not been installed in '/usr/lib'"
    • L725: time="2026-07-03T09:48:19Z" level=debug msg="libtool: warning: '../libtiff/libtiff.la' has not been installed in '/usr/lib'"
    • L727: time="2026-07-03T09:48:19Z" level=debug msg="libtool: warning: '../libtiff/libtiff.la' has not been installed in '/usr/lib'"
    • L729: time="2026-07-03T09:48:19Z" level=debug msg="libtool: warning: '../libtiff/libtiff.la' has not been installed in '/usr/lib'"
    • L731: time="2026-07-03T09:48:19Z" level=debug msg="libtool: warning: '../libtiff/libtiff.la' has not been installed in '/usr/lib'"
    • L993: time="2026-07-03T09:48:19Z" level=debug msg="test_directory.c:761:26: warning: comparison of integer expressions of different signedness: 'tdir_t' {aka 'unsigned int'} and 'int' [-Wsign-compare]"
🤖 AI Test Log Analysis
  • Risk: low
  • Summary: The libtiff test suite completed successfully after applying the CVE-2026-12912 patch and other accumulated security patches. The build, %check phase, and packaging all finished with exit status 0, and the upstream LibTIFF test suite reported 29 total tests with 29 passes, 0 failures, 0 errors, and 0 skips. Based on this log, there is no evidence of a regression introduced by the CVE fix.

Patch Analysis

  • Match type: unknown
  • Risk assessment: unknown
  • Summary: No upstream URL found (not in PR body or patch headers); patch comparison skipped.

Verdict

CHANGES REQUESTED — Please address the issues flagged above.

@akhila-guruju

akhila-guruju commented Jul 3, 2026

Copy link
Copy Markdown

Updated upstream patch reference. Patch matches with upstream patch.
Buddy Build has passed after recent changes

image
  • Buddy Build
  • patch applied during the build (check rpm.log)
  • patch include an upstream reference
  • PR has security tag

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants