[AutoPR- Security] Patch gh for CVE-2026-5160 [MEDIUM] (#16756)

azurelinux-security · web-flow · commit 1e18b57319e8 · 2026-04-22T09:54:04.000+05:30
diff --git a/SPECS/gh/CVE-2026-5160.patch b/SPECS/gh/CVE-2026-5160.patch
@@ -0,0 +1,60 @@
+From d4695cce7a4de71d63de06829674fffb6551142c Mon Sep 17 00:00:00 2001
+From: yuin <yuin@inforno.net>
+Date: Thu, 19 Mar 2026 15:21:23 +0900
+Subject: [PATCH] fix: prevent XSS by escaping dangerous URLs in links and
+ images
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/yuin/goldmark/commit/cb46bbc4eca29d55aa9721e04ad207c23ccc44f9.patch
+---
+ .../yuin/goldmark/renderer/html/html.go          | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/vendor/github.com/yuin/goldmark/renderer/html/html.go b/vendor/github.com/yuin/goldmark/renderer/html/html.go
+index 7bf2ab8..616b005 100644
+--- a/vendor/github.com/yuin/goldmark/renderer/html/html.go
++++ b/vendor/github.com/yuin/goldmark/renderer/html/html.go
+@@ -479,12 +479,14 @@ func (r *Renderer) renderAutoLink(w util.BufWriter, source []byte, node ast.Node
+ 		return ast.WalkContinue, nil
+ 	}
+ 	_, _ = w.WriteString(`<a href="`)
+-	url := n.URL(source)
++	url := util.URLEscape(n.URL(source), false)
+ 	label := n.Label(source)
+ 	if n.AutoLinkType == ast.AutoLinkEmail && !bytes.HasPrefix(bytes.ToLower(url), []byte("mailto:")) {
+ 		_, _ = w.WriteString("mailto:")
+ 	}
+-	_, _ = w.Write(util.EscapeHTML(util.URLEscape(url, false)))
++	if r.Unsafe || !IsDangerousURL(url) {
++		_, _ = w.Write(util.EscapeHTML(url))
++	}
+ 	if n.Attributes() != nil {
+ 		_ = w.WriteByte('"')
+ 		RenderAttributes(w, n, LinkAttributeFilter)
+@@ -553,8 +555,9 @@ func (r *Renderer) renderLink(w util.BufWriter, source []byte, node ast.Node, en
+ 	n := node.(*ast.Link)
+ 	if entering {
+ 		_, _ = w.WriteString("<a href=\"")
+-		if r.Unsafe || !IsDangerousURL(n.Destination) {
+-			_, _ = w.Write(util.EscapeHTML(util.URLEscape(n.Destination, true)))
++		dest := util.URLEscape(n.Destination, true)
++		if r.Unsafe || !IsDangerousURL(dest) {
++			_, _ = w.Write(util.EscapeHTML(dest))
+ 		}
+ 		_ = w.WriteByte('"')
+ 		if n.Title != nil {
+@@ -596,8 +599,9 @@ func (r *Renderer) renderImage(w util.BufWriter, source []byte, node ast.Node, e
+ 	}
+ 	n := node.(*ast.Image)
+ 	_, _ = w.WriteString("<img src=\"")
+-	if r.Unsafe || !IsDangerousURL(n.Destination) {
+-		_, _ = w.Write(util.EscapeHTML(util.URLEscape(n.Destination, true)))
++	dest := util.URLEscape(n.Destination, true)
++	if r.Unsafe || !IsDangerousURL(dest) {
++		_, _ = w.Write(util.EscapeHTML(dest))
+ 	}
+ 	_, _ = w.WriteString(`" alt="`)
+ 	_, _ = w.Write(nodeToHTMLText(n, source))
+-- 
+2.45.4
+
diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec
@@ -1,7 +1,7 @@
 Summary:        GitHub official command line tool
 Name:           gh
 Version:        2.62.0
-Release:        14%{?dist}
+Release:        15%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -31,6 +31,7 @@ Patch15:        CVE-2025-47911.patch
 Patch16:        CVE-2025-58190.patch
 Patch17:        CVE-2026-24117.patch
 Patch18:        CVE-2026-32288.patch
+Patch19:        CVE-2026-5160.patch
 
 BuildRequires:  golang < 1.24
 BuildRequires:  git
@@ -75,6 +76,9 @@ make test
 %{_datadir}/zsh/site-functions/_gh
 
 %changelog
+* Mon Apr 20 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.62.0-15
+- Patch for CVE-2026-5160
+
 * Wed Apr 15 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.62.0-14
 - Patch for CVE-2026-32288
 
