Patch moby-engine for CVE-2026-39882

azurelinux-security · azurelinux-security · commit 4f09a1604068 · 2026-04-15T07:37:00.000Z
diff --git a/SPECS/moby-engine/CVE-2026-39882.patch b/SPECS/moby-engine/CVE-2026-39882.patch
@@ -0,0 +1,54 @@
+From 7f1cb3338a73160ce9e13abc7c2ba1324e5e6dd6 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Wed, 15 Apr 2026 07:25:48 +0000
+Subject: [PATCH] vendor(otel): limit response body size for OTLP HTTP exporter
+ (backport of #8108)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/open-telemetry/opentelemetry-go/commit/5e363de517dba6db62736b2f5cdef0e0929b4cd0.patch
+---
+ .../otlp/otlptrace/otlptracehttp/client.go         | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+index 3a3cfec..05fc139 100644
+--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
++++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+@@ -18,6 +18,7 @@ import (
+ 	"bytes"
+ 	"compress/gzip"
+ 	"context"
++	"errors"
+ 	"fmt"
+ 	"io"
+ 	"net"
+@@ -40,6 +41,13 @@ import (
+ 
+ const contentTypeProto = "application/x-protobuf"
+ 
++// maxResponseBodySize is the maximum number of bytes to read from a response
++// body. It is set to 4 MiB per the OTLP specification recommendation to
++// mitigate excessive memory usage caused by a misconfigured or malicious
++// server. If exceeded, the response is treated as a not-retryable error.
++// This is a variable to allow tests to override it.
++var maxResponseBodySize int64 = 4 * 1024 * 1024
++
+ var gzPool = sync.Pool{
+ 	New: func() interface{} {
+ 		w := gzip.NewWriter(io.Discard)
+@@ -169,7 +177,11 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
+ 			// Success, do not retry.
+ 			// Read the partial success message, if any.
+ 			var respData bytes.Buffer
+-			if _, err := io.Copy(&respData, resp.Body); err != nil {
++			if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
++				var maxBytesErr *http.MaxBytesError
++				if errors.As(err, &maxBytesErr) {
++					return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
++				}
+ 				return err
+ 			}
+ 
+-- 
+2.45.4
+
diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec
@@ -3,7 +3,7 @@
 Summary: The open-source application container engine
 Name:    moby-engine
 Version: 25.0.3
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: ASL 2.0
 Group:   Tools/Container
 URL: https://mobyproject.org
@@ -31,6 +31,7 @@ Patch13: CVE-2024-51744.patch
 Patch14: CVE-2025-58183.patch
 #This can be removed when upgraded to v25.0.15
 Patch15: fix-multiarch-image-push-tag.patch
+Patch16: CVE-2026-39882.patch
 
 %{?systemd_requires}
 
@@ -126,6 +127,9 @@ fi
 %{_unitdir}/*
 
 %changelog
+* Wed Apr 15 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 25.0.3-16
+- Patch for CVE-2026-39882
+
 * Wed Jan 21 2025 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 25.0.3-15
 - Fix multiarch image push tag
 
