[AutoPR- Security] Patch giflib for CVE-2026-23868 [HIGH] #16164

Open
azurelinux-security wants to merge 3 commits into microsoft:fasttrack/3.0 from
azurelinux-security:azure-autosec/giflib/3.0/1067276

Conversation

@azurelinux-security azurelinux-security commented Mar 11, 2026

Auto Patch giflib for CVE-2026-23868.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1067276&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

Updated upstream reference to the patch for CVE-2026-23868.
@Kanishk-Bansal Kanishk-Bansal force-pushed the azure-autosec/giflib/3.0/1067276 branch from 5155d25 to eabb378 on March 11, 2026 11:35
@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review March 11, 2026 14:16
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner March 11, 2026 14:16
@Kanishk-Bansal

Build

@azurelinux-security

PR #16164 Review: [AutoPR-Security] Patch giflib for CVE-2026-23868 [HIGH]

PR: #16164
Build: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1067309&view=results
Branch: azure-autosec/giflib/3.0/1067276 -> fasttrack/3.0
Labels: AutoPR-Security, fasttrack/3.0, Packaging, security


CVE Details

| Field | Value |
|---|---|
| CVE ID | CVE-2026-23868 |
| Package | giflib 5.2.1 |
| Severity | HIGH |
| Type | Double-free vulnerability |
| Description | Giflib contains a double-free vulnerability resulting from a shallow copy in GifMakeSavedImage and incorrect error handling. Conditions needed are difficult but possible. |
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2026-23868 |
| Upstream Ref | https://sourceforge.net/p/giflib/code/ci/f5b7267aed3665ef025c13823e454170d031c106/tree/gifalloc.c?diff=5146815377b7395944cb683a08c43eee3f631eb7 |

Review Checklist

1. SPEC File Changes (giflib.spec)

| Check | Status | Details |
|---|---|---|
| Release bump | ✅ PASS | `Release: 10%{?dist}` -> `Release: 11%{?dist}` |
| Patch declaration | ✅ PASS | `Patch6: CVE-2026-23868.patch` added (sequential after Patch5) |
| Patch application | ✅ PASS | Uses `%autosetup -p1` — patches applied automatically |
| Changelog entry | ✅ PASS | New entry at top: `* Wed Mar 11 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 5.2.1-11` with `- Patch for CVE-2026-23868` |
| Changelog date | ✅ PASS | Wed Mar 11 2026 is correct (today) |

Changelog Issue — Day-of-Week Fix for 5.2.1-8

The PR also changes the day-of-week for the 5.2.1-8 changelog entry:

- * Fri Feb 14 2024 Kevin Lockwood <v-klockwood@microsoft.com> - 5.2.1-8
+ * Wed Feb 14 2024 Kevin Lockwood <v-klockwood@microsoft.com> - 5.2.1-8
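Review bot: the weekday correction assumes the calendar date was right and only the day name was wrong, but the ordering warning this comment discusses points the other way: a 5.2.1-8 entry dated before the 5.2.1-7 entry of Fri Oct 11 2024 suggests the year is the typo rather than the weekday. Feb 14 2025 was a Friday, so `* Fri Feb 14 2025 Kevin Lockwood <v-klockwood@microsoft.com> - 5.2.1-8` would keep the original day name and restore descending order; suggest checking the git log for when 5.2.1-8 actually landed before deciding which field to correct.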

Feb 14, 2024 was indeed a Wednesday, so this corrects a pre-existing error. However, this causes the %changelog not in descending chronological order warning in both amd64 and arm64 builds (see Build Analysis below). The existing entry for 5.2.1-7 is dated Fri Oct 11 2024, which is after Wed Feb 14 2024 for 5.2.1-8, meaning the changelog was already out of chronological order before this PR. The day-of-week fix is a correct change but doesn't resolve the pre-existing ordering issue.

2. Patch File Verification (CVE-2026-23868.patch)

Upstream Comparison

| Check | Status | Details |
|---|---|---|
| Upstream reference present | ✅ PASS | SourceForge commit f5b7267 referenced in patch header |
| Core fix matches upstream | ✅ PASS | Identical code changes |
| Line number offset | ✅ PASS | `@@ -348` (PR) vs `@@ -349` (upstream) — 1-line offset, acceptable |
| No omitted changes | ✅ PASS | Single file change, no test/doc files in upstream |

Patch content — Nulls out aliased pointers before any allocations in GifMakeSavedImage to prevent double-free if an allocation fails partway through:

+ sp->ImageDesc.ColorMap = NULL;
+ sp->RasterBits = NULL;
+ sp->ExtensionBlocks = NULL;
+ sp->ExtensionBlockCount = 0;
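Review bot: the quoted hunk shows only the four added lines with no hunk header or context, so on its own it cannot show that they sit after the shallow struct copy and before the first allocation, which is the ordering the description relies on (placed before the copy they would be overwritten and the aliasing would remain). Given the recorded 1-line offset against upstream (`@@ -348` vs `@@ -349`), quoting the `@@` header and its surrounding context lines would let a reviewer confirm the insertion point landed at the same place as in the upstream commit.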

Verdict: Patch matches upstream. The fix is minimal, targeted, and functionally identical to the upstream commit.

3. PR Description

| Check | Status | Details |
|---|---|---|
| Summary | ✅ PASS | CVE description provided |
| Change Log | ✅ PASS | CVE reference linked |
| Links to CVEs | ✅ PASS | NVD link provided |
| Test Methodology | ✅ PASS | Buddy build URL provided |
| Upstream patch reference | ✅ PASS | In patch file header |

4. Build Verification (Build ID: 1067309)

AMD64 (x86_64)

| Check | Status | Details |
|---|---|---|
| Build result | PASS | Built (giflib-5.2.1-11.azl3.src.rpm) -> [giflib, giflib-debuginfo, giflib-devel, giflib-utils] |
| Patch applied cleanly | ✅ PASS | All 7 patches (Patch0-Patch6) applied via `%autosetup -p1` with `--fuzz=0 --no-backup-if-mismatch` |
| gifalloc.c compiled | ✅ PASS | gifalloc.o compiled without errors or warnings |
| No build failures | ✅ PASS | No `Bad exit status` or `FAILED` messages |

Pre-existing compilation warnings (NOT introduced by this patch):

  • giftool.c:66:29: warning: '%s' directive argument is null [-Wformat-overflow=]
  • giftext.c:431:30: warning: '__builtin___snprintf_chk' output truncated [-Wformat-truncation=]
  • giftext.c:388:34: warning: '__builtin___snprintf_chk' output truncated [-Wformat-truncation=]
  • gif2rgb.c:334:13: warning: this 'if' clause does not guard... [-Wmisleading-indentation]

Changelog warning: error: %changelog not in descending chronological order — Pre-existing issue (5.2.1-8 dated Feb 2024 appears before 5.2.1-7 dated Oct 2024).

Produced RPMs:

  • giflib-5.2.1-11.azl3.x86_64.rpm
  • giflib-debuginfo-5.2.1-11.azl3.x86_64.rpm
  • giflib-devel-5.2.1-11.azl3.x86_64.rpm
  • giflib-utils-5.2.1-11.azl3.x86_64.rpm

ARM64 (aarch64)

| Check | Status | Details |
|---|---|---|
| Build result | PASS | Built (giflib-5.2.1-11.azl3.src.rpm) -> [giflib, giflib-debuginfo, giflib-devel, giflib-utils] |
| Patch applied cleanly | ✅ PASS | All patches applied without issues |
| No build failures | ✅ PASS | Clean build |

Same pre-existing warnings as AMD64.

Produced RPMs:

  • giflib-5.2.1-11.azl3.aarch64.rpm
  • giflib-debuginfo-5.2.1-11.azl3.aarch64.rpm
  • giflib-devel-5.2.1-11.azl3.aarch64.rpm
  • giflib-utils-5.2.1-11.azl3.aarch64.rpm

5. Additional Checks

| Check | Status | Details |
|---|---|---|
| Signatures file | N/A | Not visible in PR diff — may need verification |
| Branch targeting | ✅ PASS | fasttrack/3.0 is appropriate for HIGH severity CVE |
| Severity label | ✅ PASS | [HIGH] in title, appropriate for this CVE |
| Dependent package rebuilds | ✅ PASS | giflib is a shared library — no static-link dependents requiring release bumps |

Summary

| Category | Result |
|---|---|
| SPEC file changes | ✅ PASS |
| Patch matches upstream | ✅ PASS |
| PR description | ✅ PASS |
| AMD64 build | ✅ PASS |
| ARM64 build | ✅ PASS |

Overall: LGTM — Patch matches upstream. Build passed on both architectures. Patch applies cleanly with no fuzz.

Minor note: The changelog date fix (Fri -> Wed for 5.2.1-8) is correct but the changelog ordering issue (5.2.1-8 from Feb 2024 listed before 5.2.1-7 from Oct 2024) is pre-existing and not introduced by this PR.

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
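The mechanism the review above describes (a shallow struct copy followed by allocations whose failure path frees pointers that still alias the source) re-created as an added C example; this is not giflib's code, and the `image_t` record, the `xmalloc` fault injection and the field names are assumptions chosen to mirror the fields named in the hunk.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in record with three heap-owned buffers (not giflib's SavedImage). */
typedef struct {
    unsigned char *colormap, *raster, *ext_blocks;
    size_t cm_len, raster_len, ext_len;
} image_t;

/* Fault injection: the N-th allocation inside copy_image() returns NULL. */
static int fail_on_alloc = 0, alloc_count = 0;
static void *xmalloc(size_t n) {
    return (++alloc_count == fail_on_alloc) ? NULL : malloc(n);
}

/* Releases what img owns; harmless on NULL fields. */
void free_image(image_t *img) {
    free(img->colormap); free(img->raster); free(img->ext_blocks);
    img->colormap = img->raster = img->ext_blocks = NULL;
}

/* Deep copy. The struct assignment is a shallow copy, so dst's pointers alias
 * src's buffers. Without the NULL line, an allocation failing partway through
 * leaves later fields aliased, free_image(dst) releases src's buffers, and src
 * frees them again later: the double free the CVE describes. */
int copy_image(image_t *dst, const image_t *src) {
    *dst = *src;                                            /* shallow copy */
    dst->colormap = dst->raster = dst->ext_blocks = NULL;   /* the fix */
    alloc_count = 0;
    if (!(dst->colormap = xmalloc(src->cm_len))) goto fail;
    memcpy(dst->colormap, src->colormap, src->cm_len);
    if (!(dst->raster = xmalloc(src->raster_len))) goto fail;
    memcpy(dst->raster, src->raster, src->raster_len);
    if (!(dst->ext_blocks = xmalloc(src->ext_len))) goto fail;
    memcpy(dst->ext_blocks, src->ext_blocks, src->ext_len);
    return 0;
fail:
    free_image(dst);   /* frees only the buffers dst itself allocated */
    return -1;
}

/* Constructed sample input: three small buffers with recognisable fill bytes. */
int make_sample(image_t *img) {
    img->cm_len = 6; img->raster_len = 16; img->ext_len = 4;
    img->colormap = malloc(6); img->raster = malloc(16); img->ext_blocks = malloc(4);
    if (!img->colormap || !img->raster || !img->ext_blocks) return -1;
    memset(img->colormap, 0xAB, 6); memset(img->raster, 0x01, 16);
    memset(img->ext_blocks, 0xFF, 4);
    return 0;
}
```

Setting `fail_on_alloc = 2` makes the second allocation fail partway through, and the source record survives the failed copy intact because the error path only ever frees buffers the copy allocated itself.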

@Kanishk-Bansal Kanishk-Bansal left a comment


Patch matches upstream, AI suggestion incorporated for changelog fix.
LGTM

@Kanishk-Bansal Kanishk-Bansal added the CVEFixReadyForMaintainerReview When a CVE fix has been reviewed by release manager and is ready for stable maintainer review label Mar 11, 2026