Fix CVE-2026-10805

Resolves: RHEL-191626
This commit is contained in:
Jan Vaclav 2026-07-02 12:13:42 +02:00
parent a4a2d2998f
commit 2467736ba6
3 changed files with 133 additions and 1 deletions

View File

@ -0,0 +1,73 @@
From ee4421b7250a996911a0c361e5d1fbd4058fa852 Mon Sep 17 00:00:00 2001
From: Jan Vaclav <jvaclav@redhat.com>
Date: Mon, 8 Jun 2026 13:05:33 +0200
Subject: [PATCH] libnm-sd-shared: reject urls containing unexpected characters
_http_url_is_valid() only rejected non-ASCII bytes (>= 0x80), but
accepted control characters, double quotes, and backslashes. These
characters can cause injection issues when the URL is pasted into
configuration files that interpret them as metacharacters (e.g. quoted
strings in dhclient.conf).
Reject control characters (< 0x20), double quotes, and backslashes in
addition to non-ASCII bytes.
(cherry picked from commit 5326760073c06157652b7e0d0865ada2eb0e393b)
---
src/libnm-systemd-shared/nm-sd-utils-shared.c | 23 +++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/src/libnm-systemd-shared/nm-sd-utils-shared.c b/src/libnm-systemd-shared/nm-sd-utils-shared.c
index dad21596cf..b51faebcf8 100644
--- a/src/libnm-systemd-shared/nm-sd-utils-shared.c
+++ b/src/libnm-systemd-shared/nm-sd-utils-shared.c
@@ -53,6 +53,20 @@ nm_sd_dns_name_normalize(const char *s)
/*****************************************************************************/
+static gboolean
+_http_url_is_valid_char(char ch)
+{
+ if (g_ascii_isalnum(ch))
+ return TRUE;
+
+ /* Allow symbols which are allowed by the URL standard, or unlikely
+ * to be problematic in this scenario. */
+ if (strchr(":/%=;&+|^`-._~?#<>{}[]@!$'()*, ", ch) != NULL)
+ return TRUE;
+
+ return FALSE;
+}
+
static gboolean
_http_url_is_valid(const char *url, gboolean only_https)
{
@@ -69,7 +83,7 @@ _http_url_is_valid(const char *url, gboolean only_https)
if (!url[0])
return FALSE;
- return !NM_STRCHAR_ANY(url, ch, (guchar) ch >= 128u);
+ return NM_STRCHAR_ALL(url, ch, _http_url_is_valid_char(ch));
}
gboolean
@@ -82,12 +96,13 @@ nm_sd_http_url_is_valid_https(const char *url)
* assert with http_url_is_valid() that the argument is valid. We thus must make
* sure to only pass URLs that are valid according to http_url_is_valid().
*
- * This is given, because our nm_sd_http_url_is_valid_https() is more strict
- * than http_url_is_valid().
+ * This is given, because our nm_sd_http_url_is_valid_https() is more restrictive
+ * than http_url_is_valid(). The assertion below checks that anything we accept,
+ * systemd must also accept.
*
* We only must make sure that this is also correct in the future, when we
* re-import systemd code. */
- nm_assert(_http_url_is_valid(url, FALSE) == http_url_is_valid(url));
+ nm_assert(!_http_url_is_valid(url, FALSE) || http_url_is_valid(url));
return _http_url_is_valid(url, TRUE);
}
--
2.54.0

View File

@ -0,0 +1,54 @@
From 753f3ae3d16889a933083b4f1c242eaddce17763 Mon Sep 17 00:00:00 2001
From: Jan Vaclav <jvaclav@redhat.com>
Date: Tue, 9 Jun 2026 11:28:15 +0200
Subject: [PATCH] dhcp/dhclient: validate hostname before pasting it into
dhclient config
nm_sd_dns_name_is_valid() accepts double quotes, which could break out
of the quoted string context in dhclient.conf.
Add a check in create_dhclient_config() that rejects hostnames
containing characters unsafe for dhclient.conf.
(cherry picked from commit ca571c6819e01651be2197abff8eafff22ef80ef)
---
src/core/dhcp/nm-dhcp-dhclient.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/core/dhcp/nm-dhcp-dhclient.c b/src/core/dhcp/nm-dhcp-dhclient.c
index 7e00599cd8..99421b35fd 100644
--- a/src/core/dhcp/nm-dhcp-dhclient.c
+++ b/src/core/dhcp/nm-dhcp-dhclient.c
@@ -221,6 +221,16 @@ find_existing_config(NMDhcpDhclient *self, int addr_family, const char *iface, c
return NULL;
}
+static gboolean
+_dhclient_hostname_is_valid(const char *hostname)
+{
+ for (const char *p = hostname; *p; p++) {
+ if (!g_ascii_isalnum(*p) && !NM_IN_SET(*p, '-', '.'))
+ return FALSE;
+ }
+ return TRUE;
+}
+
/* NM provides interface-specific options; thus the same dhclient config
* file cannot be used since DHCP transactions can happen in parallel.
* Since some distros don't have default per-interface dhclient config files,
@@ -251,6 +261,12 @@ create_dhclient_config(NMDhcpDhclient *self,
g_return_val_if_fail(iface != NULL, NULL);
+ if (hostname && !_dhclient_hostname_is_valid(hostname)) {
+ _LOGW("hostname '%s' contains unsafe characters for dhclient config, will be ignored",
+ hostname);
+ hostname = NULL;
+ }
+
new_path = g_strdup_printf(NMSTATEDIR "/dhclient%s-%s.conf",
_addr_family_to_path_part(addr_family),
iface);
--
2.54.0

View File

@ -7,7 +7,7 @@
%global real_version 1.54.4
%global git_tag_version 1.54.4
%global rpm_version %{real_version}
%global release_version 1
%global release_version 2
%global snapshot %{nil}
%global git_sha %{nil}
%global bcond_default_debug 0
@ -191,6 +191,8 @@ Patch0001: 0001-revert-change-default-value-for-ipv4.dad-timeout-from-0-to-200ms
# Bugfixes that are only relevant until next rebase of the package.
# Patch1001: 1001-some.patch
Patch1001: 1001-The-valid-range-of-arp_missed_max-according-to-the-k.patch
Patch1002: 1002-libnm-sd-shared-reject-urls-containing-unexpected-ch.patch
Patch1003: 1003-dhcp-dhclient-validate-hostname-before-pasting-it-in.patch
Requires(post): systemd
Requires(post): systemd-udev
@ -1088,6 +1090,9 @@ fi
%changelog
* Thu Jul 2 2026 Ján Václav <jvaclav@redhat.com> - 1:1.54.4-2
- Fix CVE-2026-10805 (RHEL-191626)
* Thu May 21 2026 Ján Václav <jvaclav@redhat.com> - 1:1.54.4-1
- Update to 1.54.4
- fix handling onlink route flag for ECMP routes (RHEL-157391)