Hello community,

here is the log from the commit of package alloy for openSUSE:Factory checked 
in at 2026-07-01 17:10:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/alloy (Old)
 and      /work/SRC/openSUSE:Factory/.alloy.new.11887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "alloy"

Wed Jul  1 17:10:23 2026 rev:38 rq:1362973 version:1.17.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/alloy/alloy.changes      2026-06-18 
18:44:19.102288823 +0200
+++ /work/SRC/openSUSE:Factory/.alloy.new.11887/alloy.changes   2026-07-01 
17:10:34.771457934 +0200
@@ -1,0 +2,12 @@
+Mon Jun 29 10:34:54 UTC 2026 - Witek Bedyk <[email protected]>
+
+- CVE-2026-10722: Fix manipulated argument offset leading to
+  integer overflow (bsc#1267811)
+  * Add 0001-Fix-CVE-2026-10722.patch
+
+- Update to version 1.17.1:
+  * Bug fix
+    Back off usage reporting on persistent failure instead of
+      retrying every minute
+
+-------------------------------------------------------------------
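Review bot: The CVE-2026-10722 entry does not name the component that carries the fix. The spec applies 0001-Fix-CVE-2026-10722.patch with "-d vendor/github.com/cilium/ebpf", so the overflow sits in the vendored cilium/ebpf BTF loader rather than in alloy's own sources; saying so in the entry helps anyone tracking bsc#1267811 across packages that vendor the same module. Minor: "Back off usage reporting ..." under "Bug fix" is indented without a bullet, unlike the other items in the entry.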

Old:
----
  alloy-1.17.0.tar.gz
  ui-1.17.0.tar.gz

New:
----
  0001-Fix-CVE-2026-10722.patch
  alloy-1.17.1.tar.gz
  ui-1.17.1.tar.gz

----------(New B)----------
  New:  integer overflow (bsc#1267811)
  * Add 0001-Fix-CVE-2026-10722.patch
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ alloy.spec ++++++
--- /var/tmp/diff_new_pack.tpQZYY/_old  2026-07-01 17:10:39.403617715 +0200
+++ /var/tmp/diff_new_pack.tpQZYY/_new  2026-07-01 17:10:39.403617715 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           alloy
-Version:        1.17.0
+Version:        1.17.1
 Release:        0
 Summary:        OpenTelemetry Collector distribution with programmable 
pipelines
 License:        Apache-2.0
@@ -29,6 +29,7 @@
 Source4:        Makefile
 Source5:        prepare_webassets_and_vendor_go_modules.sh
 Source6:        alloy.tmpfiles
+Patch1:         0001-Fix-CVE-2026-10722.patch
 BuildRequires:  go1.26 >= 1.26.4
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  user(alloy)
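Review bot: Patch1 is added with no comment line above it. The usual openSUSE patch markup, for example "# PATCH-FIX-UPSTREAM 0001-Fix-CVE-2026-10722.patch bsc#1267811", would record the bug reference and the patch's origin next to the tag, so a later maintainer can tell when the patch becomes obsolete without opening the changelog.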
@@ -70,9 +71,10 @@
   pipelines.
 
 %prep
-%autosetup -p1 -a 2
+%setup -a 2
 cd collector/
 tar zxf %{SOURCE1}
+%patch -P 1 -p1 -d vendor/github.com/cilium/ebpf
 
 %build
 # hash will be shortended by COMMIT_HASH:0:8 later
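Review bot: Replacing "%autosetup -p1 -a 2" with "%setup -a 2" turns off automatic patch application, so any future PatchN tag without its own %patch line will be skipped silently. A short comment above "%patch -P 1 -p1 -d vendor/github.com/cilium/ebpf" would make this explicit: state that the patch targets the vendored module unpacked just before it and should be dropped once the vendor tarball carries a fixed cilium/ebpf.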

++++++ 0001-Fix-CVE-2026-10722.patch ++++++
>From 533dfc82fd228bfadf42ea7180c39de7d9af47fa Mon Sep 17 00:00:00 2001
From: Dylan Reimerink <[email protected]>
Date: Wed, 27 May 2026 14:05:06 +0200
Subject: [PATCH] btf: Fixed integer overflow in length checking

Fuzzing revealed that a bad ELF file could cause an integer overflow
when doing a bounds check. Fixed this by casting two uint32 values to
uint64 before adding them together.

Signed-off-by: Dylan Reimerink <[email protected]>
---
 btf/btf.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/btf/btf.go b/btf/btf.go
index cdc95425f..a9160c678 100644
--- a/btf/btf.go
+++ b/btf/btf.go
@@ -214,7 +214,7 @@ func loadRawSpec(btf []byte, base *Spec) (*Spec, error) {
        }
        btf = btf[header.HdrLen:]
 
-       if int(header.StringOff+header.StringLen) > len(btf) {
+       if uint64(header.StringOff)+uint64(header.StringLen) > uint64(len(btf)) 
{
                return nil, fmt.Errorf("string table is out of bounds")
        }
        stringsSection := btf[header.StringOff : 
header.StringOff+header.StringLen]
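Review bot: The slice expression that follows the corrected check, "btf[header.StringOff : header.StringOff+header.StringLen]", still adds the two fields as uint32. When the buffer is smaller than 4 GiB the check guarantees the sum fits, but on a 64-bit build with a larger input the uint64 sum can pass the check while the uint32 sum wraps, leaving the upper bound below the lower one and panicking at the slice. Computing the end once as uint64(header.StringOff) + uint64(header.StringLen) and using that value for both the comparison and the slice bound removes the second addition entirely.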
@@ -224,7 +224,7 @@ func loadRawSpec(btf []byte, base *Spec) (*Spec, error) {
                return nil, fmt.Errorf("read string section: %w", err)
        }
 
-       if int(header.TypeOff+header.TypeLen) > len(btf) {
+       if uint64(header.TypeOff)+uint64(header.TypeLen) > uint64(len(btf)) {
                return nil, fmt.Errorf("types section is out of bounds")
        }
        typesSection := btf[header.TypeOff : header.TypeOff+header.TypeLen]
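Review bot: No regression test accompanies the fix; the diffstat lists only btf/btf.go, although the commit message says the bug was found by fuzzing. A test that feeds loadRawSpec a header whose TypeOff + TypeLen (and, separately, StringOff + StringLen) exceeds the uint32 range and asserts the "out of bounds" error would keep the check from regressing. The typesSection slice on the last line also still sums in uint32, so the same reuse of a single uint64 end value applies here.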

++++++ alloy-1.17.0.tar.gz -> alloy-1.17.1.tar.gz ++++++
/work/SRC/openSUSE:Factory/alloy/alloy-1.17.0.tar.gz 
/work/SRC/openSUSE:Factory/.alloy.new.11887/alloy-1.17.1.tar.gz differ: char 
28, line 2

++++++ ui-1.17.0.tar.gz -> ui-1.17.1.tar.gz ++++++

++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/alloy/vendor.tar.gz 
/work/SRC/openSUSE:Factory/.alloy.new.11887/vendor.tar.gz differ: char 16, line 
1
