Fix CVE-2026-10805
Resolves: RHEL-191626
This commit is contained in:
parent
a4a2d2998f
commit
2467736ba6
@ -0,0 +1,73 @@
|
||||
From ee4421b7250a996911a0c361e5d1fbd4058fa852 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Vaclav <jvaclav@redhat.com>
|
||||
Date: Mon, 8 Jun 2026 13:05:33 +0200
|
||||
Subject: [PATCH] libnm-sd-shared: reject urls containing unexpected characters
|
||||
|
||||
_http_url_is_valid() only rejected non-ASCII bytes (>= 0x80), but
|
||||
accepted control characters, double quotes, and backslashes. These
|
||||
characters can cause injection issues when the URL is pasted into
|
||||
configuration files that interpret them as metacharacters (e.g. quoted
|
||||
strings in dhclient.conf).
|
||||
|
||||
Reject control characters (< 0x20), double quotes, and backslashes in
|
||||
addition to non-ASCII bytes.
|
||||
|
||||
(cherry picked from commit 5326760073c06157652b7e0d0865ada2eb0e393b)
|
||||
---
|
||||
src/libnm-systemd-shared/nm-sd-utils-shared.c | 23 +++++++++++++++----
|
||||
1 file changed, 19 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/libnm-systemd-shared/nm-sd-utils-shared.c b/src/libnm-systemd-shared/nm-sd-utils-shared.c
|
||||
index dad21596cf..b51faebcf8 100644
|
||||
--- a/src/libnm-systemd-shared/nm-sd-utils-shared.c
|
||||
+++ b/src/libnm-systemd-shared/nm-sd-utils-shared.c
|
||||
@@ -53,6 +53,20 @@ nm_sd_dns_name_normalize(const char *s)
|
||||
|
||||
/*****************************************************************************/
|
||||
|
||||
+static gboolean
|
||||
+_http_url_is_valid_char(char ch)
|
||||
+{
|
||||
+ if (g_ascii_isalnum(ch))
|
||||
+ return TRUE;
|
||||
+
|
||||
+ /* Allow symbols which are allowed by the URL standard, or unlikely
|
||||
+ * to be problematic in this scenario. */
|
||||
+ if (strchr(":/%=;&+|^`-._~?#<>{}[]@!$'()*, ", ch) != NULL)
|
||||
+ return TRUE;
|
||||
+
|
||||
+ return FALSE;
|
||||
+}
|
||||
+
|
||||
static gboolean
|
||||
_http_url_is_valid(const char *url, gboolean only_https)
|
||||
{
|
||||
@@ -69,7 +83,7 @@ _http_url_is_valid(const char *url, gboolean only_https)
|
||||
if (!url[0])
|
||||
return FALSE;
|
||||
|
||||
- return !NM_STRCHAR_ANY(url, ch, (guchar) ch >= 128u);
|
||||
+ return NM_STRCHAR_ALL(url, ch, _http_url_is_valid_char(ch));
|
||||
}
|
||||
|
||||
gboolean
|
||||
@@ -82,12 +96,13 @@ nm_sd_http_url_is_valid_https(const char *url)
|
||||
* assert with http_url_is_valid() that the argument is valid. We thus must make
|
||||
* sure to only pass URLs that are valid according to http_url_is_valid().
|
||||
*
|
||||
- * This is given, because our nm_sd_http_url_is_valid_https() is more strict
|
||||
- * than http_url_is_valid().
|
||||
+ * This is given, because our nm_sd_http_url_is_valid_https() is more restrictive
|
||||
+ * than http_url_is_valid(). The assertion below checks that anything we accept,
|
||||
+ * systemd must also accept.
|
||||
*
|
||||
* We only must make sure that this is also correct in the future, when we
|
||||
* re-import systemd code. */
|
||||
- nm_assert(_http_url_is_valid(url, FALSE) == http_url_is_valid(url));
|
||||
+ nm_assert(!_http_url_is_valid(url, FALSE) || http_url_is_valid(url));
|
||||
return _http_url_is_valid(url, TRUE);
|
||||
}
|
||||
|
||||
--
|
||||
2.54.0
|
||||
|
||||
@ -0,0 +1,54 @@
|
||||
From 753f3ae3d16889a933083b4f1c242eaddce17763 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Vaclav <jvaclav@redhat.com>
|
||||
Date: Tue, 9 Jun 2026 11:28:15 +0200
|
||||
Subject: [PATCH] dhcp/dhclient: validate hostname before pasting it into
|
||||
dhclient config
|
||||
|
||||
nm_sd_dns_name_is_valid() accepts double quotes, which could break out
|
||||
of the quoted string context in dhclient.conf.
|
||||
|
||||
Add a check in create_dhclient_config() that rejects hostnames
|
||||
containing characters unsafe for dhclient.conf.
|
||||
|
||||
(cherry picked from commit ca571c6819e01651be2197abff8eafff22ef80ef)
|
||||
---
|
||||
src/core/dhcp/nm-dhcp-dhclient.c | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/src/core/dhcp/nm-dhcp-dhclient.c b/src/core/dhcp/nm-dhcp-dhclient.c
|
||||
index 7e00599cd8..99421b35fd 100644
|
||||
--- a/src/core/dhcp/nm-dhcp-dhclient.c
|
||||
+++ b/src/core/dhcp/nm-dhcp-dhclient.c
|
||||
@@ -221,6 +221,16 @@ find_existing_config(NMDhcpDhclient *self, int addr_family, const char *iface, c
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+static gboolean
|
||||
+_dhclient_hostname_is_valid(const char *hostname)
|
||||
+{
|
||||
+ for (const char *p = hostname; *p; p++) {
|
||||
+ if (!g_ascii_isalnum(*p) && !NM_IN_SET(*p, '-', '.'))
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
/* NM provides interface-specific options; thus the same dhclient config
|
||||
* file cannot be used since DHCP transactions can happen in parallel.
|
||||
* Since some distros don't have default per-interface dhclient config files,
|
||||
@@ -251,6 +261,12 @@ create_dhclient_config(NMDhcpDhclient *self,
|
||||
|
||||
g_return_val_if_fail(iface != NULL, NULL);
|
||||
|
||||
+ if (hostname && !_dhclient_hostname_is_valid(hostname)) {
|
||||
+ _LOGW("hostname '%s' contains unsafe characters for dhclient config, will be ignored",
|
||||
+ hostname);
|
||||
+ hostname = NULL;
|
||||
+ }
|
||||
+
|
||||
new_path = g_strdup_printf(NMSTATEDIR "/dhclient%s-%s.conf",
|
||||
_addr_family_to_path_part(addr_family),
|
||||
iface);
|
||||
--
|
||||
2.54.0
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
%global real_version 1.54.4
|
||||
%global git_tag_version 1.54.4
|
||||
%global rpm_version %{real_version}
|
||||
%global release_version 1
|
||||
%global release_version 2
|
||||
%global snapshot %{nil}
|
||||
%global git_sha %{nil}
|
||||
%global bcond_default_debug 0
|
||||
@ -191,6 +191,8 @@ Patch0001: 0001-revert-change-default-value-for-ipv4.dad-timeout-from-0-to-200ms
|
||||
# Bugfixes that are only relevant until next rebase of the package.
|
||||
# Patch1001: 1001-some.patch
|
||||
Patch1001: 1001-The-valid-range-of-arp_missed_max-according-to-the-k.patch
|
||||
Patch1002: 1002-libnm-sd-shared-reject-urls-containing-unexpected-ch.patch
|
||||
Patch1003: 1003-dhcp-dhclient-validate-hostname-before-pasting-it-in.patch
|
||||
|
||||
Requires(post): systemd
|
||||
Requires(post): systemd-udev
|
||||
@ -1088,6 +1090,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Jul 2 2026 Ján Václav <jvaclav@redhat.com> - 1:1.54.4-2
|
||||
- Fix CVE-2026-10805 (RHEL-191626)
|
||||
|
||||
* Thu May 21 2026 Ján Václav <jvaclav@redhat.com> - 1:1.54.4-1
|
||||
- Update to 1.54.4
|
||||
- fix handling onlink route flag for ECMP routes (RHEL-157391)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user