
[AutoPR- Security] Patch telegraf for CVE-2026-26958 [LOW]#16091

Closed
azurelinux-security wants to merge 3 commits into microsoft:3.0-dev from azurelinux-security:azure-autosec/telegraf/3.0/1061162

Conversation


@azurelinux-security azurelinux-security commented Mar 3, 2026

Auto Patch telegraf for CVE-2026-26958.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1061162&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@microsoft-github-policy-service microsoft-github-policy-service bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Mar 3, 2026
@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review March 3, 2026 09:04
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner March 3, 2026 09:04
@azurelinux-security
Contributor Author

🔒 CVE Patch Review: CVE-2026-26958

PR #16091 — [AutoPR- Security] Patch telegraf for CVE-2026-26958 [LOW]
Package: telegraf | Branch: 3.0-dev


Spec File Validation

| Check | Status | Detail |
|---|---|---|
| Release bump | | Release bumped 15 → 16 |
| Patch entry | | Patch entries added: ['CVE-2026-26958.patch'] (covers ['CVE-2026-26958']) |
| Patch application | | %autosetup found in full spec — patches applied automatically |
| Changelog | | Changelog entry looks good |
| Signatures | | No source tarball changes — signatures N/A |
| Manifests | | Not a toolchain PR — manifests N/A |

Build Verification

  • Build status: ❌ FAILED
  • Artifact downloaded:
  • CVE applied during build:
  • Errors (2):
    • L66: time="2026-03-03T07:07:23Z" level=debug msg="Error: Failed to synchronize cache for repo 'Azure Linux Official Base 3.0 x86_64'"
    • L70: time="2026-03-03T07:07:26Z" level=debug msg="Error: Failed to synchronize cache for repo 'Azure Linux Official Base 3.0 x86_64'"

🤖 AI Build Log Analysis

  • Risk: low
  • Summary: The telegraf 1.31.0-16.azl3 package built successfully with all patches applied, including the CVE-2026-26958 fix. The Go build completed without compilation or linker errors, packaging finished cleanly, and the resulting RPMs (including debuginfo) were produced. Some environment/network issues were observed when attempting to install build dependencies via tdnf, but they did not prevent the build. No tests were run (--nocheck).
  • AI-detected issues:
    • tdnf failed to synchronize repo metadata due to DNS resolution issues: 'Error(1207) : Could not resolve hostname' and 'Failed to synchronize cache for repo Azure Linux Official Base 3.0 x86_64' (build deps install step)
  • AI-detected warnings:
    • rpmbuild warning: 'Could not canonicalize hostname' (benign in chroot)
    • debugedit message: '/bin/debugedit: ... telegraf: DWARF version 0 unhandled' (typical for Go binaries; debuginfo extraction may be limited but non-fatal)
    • During 'telegraf config' generation: gosnowflake warning about DBUS_SESSION_BUS_ADDRESS not set (environmental, non-fatal)

🧪 Test Log Analysis

No test log found (package may not have a %check section).


Patch Analysis

  • Match type: backport
  • Risk assessment: low
  • Summary: The PR applies the exact functional fix from upstream by initializing the receiver in Point.MultiScalarMult with v.Set(NewIdentityPoint()) in the vendorized edwards25519 library. It omits only the upstream test additions and the test helper change, which do not affect runtime behavior. Context and code match the upstream change, making this an effective backport of the security fix.
  • Missing hunks:
    • Addition to edwards25519_test.go: checkOnCurve now errors if p.z == 0 (degenerate projective point) to catch invalid projective points in tests.
    • New test in extra_test.go: TestMultiScalarMultZeroReceiver to ensure a zero-value receiver produces a valid point and matches ScalarBaseMult.
    • New test in extra_test.go: TestMultiScalarMultReceiverAliasing to ensure aliasing the receiver with an input point yields the correct result.
Detailed analysis
  1. Core security-fix equivalence: Upstream inserts a single line in extra.go within (*Point).MultiScalarMult: v.Set(NewIdentityPoint()), immediately after allocating tmp1/tmp2 and before the addition loop. The PR applies the identical insertion at the same location in vendor/filippo.io/edwards25519/extra.go. The index/context (around line 265, after tmp1/tmp2 creation and the comment "Lookup-and-add the appropriate multiple of each input point") matches, confirming the hunk is applied correctly.

  2. Differences from upstream: The PR includes only the runtime fix and excludes all test-related changes (the added Z==0 check in edwards25519_test.go and two new tests in extra_test.go). The code paths and line content for the functional change are identical; the only structural difference is the vendor path in Telegraf.

  3. Missing hunks justification: The omitted hunks are test additions and do not impact runtime behavior. In packaging contexts, especially for vendorized dependencies, it is common to exclude tests from the patch. Therefore, their absence does not compromise the fix.

  4. Completeness and regression risk: The one-line initialization ensures the receiver is set to the identity before accumulation, preventing undefined behavior or incorrect results when the receiver is uninitialized or non-identity. Upstream specifically added tests for zero-value receivers and receiver/input aliasing; while these tests are not included here, the code change itself addresses both scenarios because tables/digits are derived before the accumulation and the receiver is explicitly initialized, so aliasing the receiver with an input point does not affect precomputed tables. No additional logic changes are introduced, minimizing regression risk.

  5. Backport context safety: The surrounding context and indices (d152d68f..ab2e44a5) match upstream, suggesting the same codebase version and reducing the likelihood of incompatibilities. Applying the fix in the vendorized path is appropriate for Telegraf.

Conclusion: The PR patch is an effective backport of the upstream security fix, with only test-related hunks omitted. Risk is low.

Raw diff (upstream vs PR)
--- upstream
+++ pr
@@ -1,92 +1,47 @@
-From d1c650afb95fad0742b98d95f2eb2cf031393abb Mon Sep 17 00:00:00 2001
-From: Filippo Valsorda <hi@filippo.io>
-Date: Sun, 15 Feb 2026 22:00:22 +0100
-Subject: [PATCH] extra: initialize receiver in MultiScalarMult
-
-(*Point).MultiScalarMult failed to initialize its receiver.
-
-If the method is called on an initialized point that is not the identity
-point, MultiScalarMult produces an incorrect result.
-
-If the method is called on an uninitialized point, the behavior is
-undefined. In particular, if the receiver is the zero value,
-MultiScalarMult returns an invalid point that compares Equal to every
-point.
-
-This was independently reported by @WeebDataHoarder and @shaharcohen1.
-
-Fixes CVE-2026-26958
-Fixes GHSA-fw7p-63qq-7hpr
----
- edwards25519_test.go |  3 +++
- extra.go             |  1 +
- extra_test.go        | 30 ++++++++++++++++++++++++++++++
- 3 files changed, 34 insertions(+)
-
-diff --git a/edwards25519_test.go b/edwards25519_test.go
-index fe511bd..95b081d 100644
---- a/edwards25519_test.go
-+++ b/edwards25519_test.go
-@@ -18,6 +18,9 @@ var I = NewIdentityPoint()
- func checkOnCurve(t *testing.T, points ...*Point) {
- 	t.Helper()
- 	for i, p := range points {
-+		if p.z.Equal(new(field.Element)) == 1 {
-+			t.Errorf("point %d has Z == 0 (degenerate projective point)", i)
-+		}
- 		var XX, YY, ZZ, ZZZZ field.Element
- 		XX.Square(&p.x)
- 		YY.Square(&p.y)
-diff --git a/extra.go b/extra.go
-index d152d68..ab2e44a 100644
---- a/extra.go
-+++ b/extra.go
-@@ -265,6 +265,7 @@ func (v *Point) MultiScalarMult(scalars []*Scalar, points []*Point) *Point {
- 	tmp1 := &projP1xP1{}
- 	tmp2 := &projP2{}
- 	// Lookup-and-add the appropriate multiple of each input point
-+	v.Set(NewIdentityPoint())
- 	for j := range tables {
- 		tables[j].SelectInto(multiple, digits[j][63])
- 		tmp1.Add(v, multiple) // tmp1 = v + x_(j,63)*Q in P1xP1 coords
-diff --git a/extra_test.go b/extra_test.go
-index 6fb832a..2eaa3f0 100644
---- a/extra_test.go
-+++ b/extra_test.go
-@@ -149,6 +149,36 @@ func TestMultiScalarMultMatchesBaseMult(t *testing.T) {
- 	}
- }
- 
-+func TestMultiScalarMultZeroReceiver(t *testing.T) {
-+	// A zero-value (uninitialized) receiver should be handled correctly,
-+	// producing a valid point on the curve.
-+	var p Point
-+	p.MultiScalarMult([]*Scalar{dalekScalar}, []*Point{B})
+diff --git a/SPECS/telegraf/CVE-2026-26958.patch b/SPECS/telegraf/CVE-2026-26958.patch
+new file mode 100644
+index 00000000000..2149ba52dc8
+--- /dev/null
++++ b/SPECS/telegraf/CVE-2026-26958.patch
+@@ -0,0 +1,41 @@
++From 2a91b328968b2f9d0e39aac8852af38cfdce5b0f Mon Sep 17 00:00:00 2001
++From: Filippo Valsorda <hi@filippo.io>
++Date: Sun, 15 Feb 2026 22:00:22 +0100
++Subject: [PATCH] extra: initialize receiver in MultiScalarMult
 +
-+	var check Point
-+	check.ScalarBaseMult(dalekScalar)
++(*Point).MultiScalarMult failed to initialize its receiver.
 +
-+	checkOnCurve(t, &p, &check)
-+	if p.Equal(&check) != 1 {
-+		t.Error("MultiScalarMult with zero-value receiver did not match ScalarBaseMult")
-+	}
-+}
++If the method is called on an initialized point that is not the identity
++point, MultiScalarMult produces an incorrect result.
 +
-+func TestMultiScalarMultReceiverAliasing(t *testing.T) {
-+	// The receiver v aliasing one of the input points should produce
-+	// the correct result.
-+	p := NewGeneratorPoint()
-+	p.MultiScalarMult([]*Scalar{dalekScalar}, []*Point{p})
++If the method is called on an uninitialized point, the behavior is
++undefined. In particular, if the receiver is the zero value,
++MultiScalarMult returns an invalid point that compares Equal to every
++point.
 +
-+	var check Point
-+	check.ScalarBaseMult(dalekScalar)
++This was independently reported by @WeebDataHoarder and @shaharcohen1.
 +
-+	checkOnCurve(t, p, &check)
-+	if p.Equal(&check) != 1 {
-+		t.Error("MultiScalarMult with aliased receiver did not match ScalarBaseMult")
-+	}
-+}
++Fixes CVE-2026-26958
++Fixes GHSA-fw7p-63qq-7hpr
 +
- func TestVarTimeMultiScalarMultMatchesBaseMult(t *testing.T) {
- 	varTimeMultiScalarMultMatchesBaseMult := func(x, y, z Scalar) bool {
- 		var p, q1, q2, q3, check Point
++Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
++Upstream-reference: https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb
++---
++ vendor/filippo.io/edwards25519/extra.go | 1 +
++ 1 file changed, 1 insertion(+)
++
++diff --git a/vendor/filippo.io/edwards25519/extra.go b/vendor/filippo.io/edwards25519/extra.go
++index d152d68f..ab2e44a5 100644
++--- a/vendor/filippo.io/edwards25519/extra.go
+++++ b/vendor/filippo.io/edwards25519/extra.go
++@@ -265,6 +265,7 @@ func (v *Point) MultiScalarMult(scalars []*Scalar, points []*Point) *Point {
++ 	tmp1 := &projP1xP1{}
++ 	tmp2 := &projP2{}
++ 	// Lookup-and-add the appropriate multiple of each input point
+++	v.Set(NewIdentityPoint())
++ 	for j := range tables {
++ 		tables[j].SelectInto(multiple, digits[j][63])
++ 		tmp1.Add(v, multiple) // tmp1 = v + x_(j,63)*Q in P1xP1 coords
++-- 
++2.45.4
++
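Review bot: the PR patch keeps only the vendor/filippo.io/edwards25519/extra.go hunk (index d152d68f..ab2e44a5, the single `v.Set(NewIdentityPoint())` insertion with the same three lines of context as upstream) and drops the edwards25519_test.go and extra_test.go hunks. That is the right scope for a vendored copy that ships no test files, but it also means nothing in this package exercises the fix: the spec has no %check section and the build log analysis above records that the build ran with --nocheck. Suggest filling in the PR's "Test Methodology" section with how the backport was validated (at minimum, that the patched vendor tree builds and that a fresh `Point` receiver passed through `MultiScalarMult` no longer compares Equal to an unrelated point, which is the symptom the upstream commit message describes). The Upstream-reference trailer pointing at commit d1c650afb95fad0742b98d95f2eb2cf031393abb is a good addition and should stay.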

Verdict

CHANGES REQUESTED — Please address the issues flagged above.
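The receiver-initialization defect analysed in the review comment above, reduced to a toy projective group so that it runs with only the Go standard library. This is an added illustration written for this page, not code from filippo.io/edwards25519 or from Telegraf. The names Point, Scalar, Set, Add, Equal and MultiScalarMult are kept so the shapes line up with the patched code, but the arithmetic (each element is x/z in the additive group Z_q, with q a constructed small prime), the IsDegenerate helper and the MultiScalarMultUnfixed method are assumptions of the model. It reproduces the three behaviours the patch analysis names: a zero-value receiver (Z == 0) yields a degenerate result that compares Equal to every point, a stale non-identity receiver leaks into the sum, and the fixed method derives the input multiples before resetting the receiver so aliasing the receiver with an input point is safe.

```go
package main

import "fmt"

// Constructed small prime modulus for the toy group Z_q.
const q uint64 = 1000003

// Scalar is a multiplier in Z_q (toy model of the real 255-bit scalar).
type Scalar uint64

// Point represents the value x/z in Z_q. As in a projective curve point,
// the zero value has z == 0 and represents nothing valid.
type Point struct{ x, z uint64 }

// NewIdentityPoint returns the additive identity 0/1.
func NewIdentityPoint() *Point { return &Point{x: 0, z: 1} }

// Set copies u into v and returns v.
func (v *Point) Set(u *Point) *Point { *v = *u; return v }

// Add sets v = p + r: (x1/z1) + (x2/z2) = (x1*z2 + x2*z1) / (z1*z2).
// Both inputs are read before v is written, so v may alias p or r.
func (v *Point) Add(p, r *Point) *Point {
	x := (p.x*r.z + r.x*p.z) % q
	z := (p.z * r.z) % q
	v.x, v.z = x, z
	return v
}

// ScalarMult sets v = s*p by scaling the numerator.
func (v *Point) ScalarMult(s *Scalar, p *Point) *Point {
	v.x = (uint64(*s) % q * p.x) % q
	v.z = p.z
	return v
}

// Equal returns 1 when p and r represent the same value, i.e. x1*z2 == x2*z1 (mod q).
// A degenerate point with x == z == 0 satisfies this against every point, which is
// the "compares Equal to every point" symptom from the upstream commit message.
func (p *Point) Equal(r *Point) int {
	if (p.x*r.z)%q == (r.x*p.z)%q {
		return 1
	}
	return 0
}

// IsDegenerate reports the Z == 0 condition that the omitted upstream test-helper
// hunk started rejecting in checkOnCurve.
func (p *Point) IsDegenerate() bool { return p.z%q == 0 }

// MultiScalarMultUnfixed models the pre-fix behaviour: it accumulates into v
// without ever initializing v, so whatever v held beforehand ends up in the sum.
func (v *Point) MultiScalarMultUnfixed(scalars []*Scalar, points []*Point) *Point {
	tmp := &Point{}
	for i := range scalars {
		tmp.ScalarMult(scalars[i], points[i])
		v.Add(v, tmp)
	}
	return v
}

// MultiScalarMult models the fixed behaviour: the per-input multiples (the
// analogue of the precomputed tables) are derived from the inputs first, then
// v is reset to the identity, so a zero-value or stale receiver cannot leak in
// and aliasing v with one of the input points still reads the original value.
func (v *Point) MultiScalarMult(scalars []*Scalar, points []*Point) *Point {
	multiples := make([]Point, len(points))
	for i := range points {
		multiples[i].ScalarMult(scalars[i], points[i])
	}
	v.Set(NewIdentityPoint()) // the one-line fix
	for i := range multiples {
		v.Add(v, &multiples[i])
	}
	return v
}

func main() {
	s := Scalar(7)
	B := &Point{x: 3, z: 1} // constructed base element with value 3
	var check Point
	check.ScalarMult(&s, B) // expected result 7*3 = 21

	var zero Point // zero-value receiver, z == 0
	zero.MultiScalarMultUnfixed([]*Scalar{&s}, []*Point{B})
	fmt.Println("unfixed, zero receiver: degenerate =", zero.IsDegenerate(),
		"Equal(check) =", zero.Equal(&check), "Equal(unrelated) =", zero.Equal(&Point{x: 5, z: 1}))

	stale := &Point{x: 3, z: 1} // initialized, non-identity receiver
	stale.MultiScalarMultUnfixed([]*Scalar{&s}, []*Point{B})
	fmt.Println("unfixed, stale receiver: Equal(check) =", stale.Equal(&check))

	var p Point
	p.MultiScalarMult([]*Scalar{&s}, []*Point{B})
	fmt.Println("fixed, zero receiver: degenerate =", p.IsDegenerate(), "Equal(check) =", p.Equal(&check))

	alias := &Point{x: 3, z: 1}
	alias.MultiScalarMult([]*Scalar{&s}, []*Point{alias}) // receiver aliases the input
	fmt.Println("fixed, aliased receiver: Equal(check) =", alias.Equal(&check))
}
```

The ordering inside the fixed method is the point to take away when reviewing the backport: the reset must sit after the inputs have been consumed into tables and before the accumulation loop, which is exactly where the patched extra.go places `v.Set(NewIdentityPoint())`.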

@akhila-guruju
Contributor

AI backported patch matches with the upstream patch.
The tests files edwards25519_test.go and extra_test.go are not present in azl source code.

@Kanishk-Bansal
Contributor

closing in favour of #16431
