From 2467736ba6103c4206cff41987644ee8d7945bf5 Mon Sep 17 00:00:00 2001 From: Jan Vaclav Date: Thu, 2 Jul 2026 12:13:42 +0200 Subject: [PATCH] Fix CVE-2026-10805 Resolves: RHEL-191626 --- ...reject-urls-containing-unexpected-ch.patch | 73 +++++++++++++++++++ ...lidate-hostname-before-pasting-it-in.patch | 54 ++++++++++++++ NetworkManager.spec | 7 +- 3 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 1002-libnm-sd-shared-reject-urls-containing-unexpected-ch.patch create mode 100644 1003-dhcp-dhclient-validate-hostname-before-pasting-it-in.patch diff --git a/1002-libnm-sd-shared-reject-urls-containing-unexpected-ch.patch b/1002-libnm-sd-shared-reject-urls-containing-unexpected-ch.patch new file mode 100644 index 0000000..54f0292 --- /dev/null +++ b/1002-libnm-sd-shared-reject-urls-containing-unexpected-ch.patch @@ -0,0 +1,73 @@ +From ee4421b7250a996911a0c361e5d1fbd4058fa852 Mon Sep 17 00:00:00 2001 +From: Jan Vaclav +Date: Mon, 8 Jun 2026 13:05:33 +0200 +Subject: [PATCH] libnm-sd-shared: reject urls containing unexpected characters + +_http_url_is_valid() only rejected non-ASCII bytes (>= 0x80), but +accepted control characters, double quotes, and backslashes. These +characters can cause injection issues when the URL is pasted into +configuration files that interpret them as metacharacters (e.g. quoted +strings in dhclient.conf). + +Reject control characters (< 0x20), double quotes, and backslashes in +addition to non-ASCII bytes. + +(cherry picked from commit 5326760073c06157652b7e0d0865ada2eb0e393b) +--- + src/libnm-systemd-shared/nm-sd-utils-shared.c | 23 +++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/src/libnm-systemd-shared/nm-sd-utils-shared.c b/src/libnm-systemd-shared/nm-sd-utils-shared.c +index dad21596cf..b51faebcf8 100644 +--- a/src/libnm-systemd-shared/nm-sd-utils-shared.c ++++ b/src/libnm-systemd-shared/nm-sd-utils-shared.c +@@ -53,6 +53,20 @@ nm_sd_dns_name_normalize(const char *s) + + /*****************************************************************************/ + ++static gboolean ++_http_url_is_valid_char(char ch) ++{ ++ if (g_ascii_isalnum(ch)) ++ return TRUE; ++ ++ /* Allow symbols which are allowed by the URL standard, or unlikely ++ * to be problematic in this scenario. */ ++ if (strchr(":/%=;&+|^`-._~?#<>{}[]@!$'()*, ", ch) != NULL) ++ return TRUE; ++ ++ return FALSE; ++} ++ + static gboolean + _http_url_is_valid(const char *url, gboolean only_https) + { +@@ -69,7 +83,7 @@ _http_url_is_valid(const char *url, gboolean only_https) + if (!url[0]) + return FALSE; + +- return !NM_STRCHAR_ANY(url, ch, (guchar) ch >= 128u); ++ return NM_STRCHAR_ALL(url, ch, _http_url_is_valid_char(ch)); + } + + gboolean +@@ -82,12 +96,13 @@ nm_sd_http_url_is_valid_https(const char *url) + * assert with http_url_is_valid() that the argument is valid. We thus must make + * sure to only pass URLs that are valid according to http_url_is_valid(). + * +- * This is given, because our nm_sd_http_url_is_valid_https() is more strict +- * than http_url_is_valid(). ++ * This is given, because our nm_sd_http_url_is_valid_https() is more restrictive ++ * than http_url_is_valid(). The assertion below checks that anything we accept, ++ * systemd must also accept. + * + * We only must make sure that this is also correct in the future, when we + * re-import systemd code. */ +- nm_assert(_http_url_is_valid(url, FALSE) == http_url_is_valid(url)); ++ nm_assert(!_http_url_is_valid(url, FALSE) || http_url_is_valid(url)); + return _http_url_is_valid(url, TRUE); + } + +-- +2.54.0 + diff --git a/1003-dhcp-dhclient-validate-hostname-before-pasting-it-in.patch b/1003-dhcp-dhclient-validate-hostname-before-pasting-it-in.patch new file mode 100644 index 0000000..7bb10d8 --- /dev/null +++ b/1003-dhcp-dhclient-validate-hostname-before-pasting-it-in.patch @@ -0,0 +1,54 @@ +From 753f3ae3d16889a933083b4f1c242eaddce17763 Mon Sep 17 00:00:00 2001 +From: Jan Vaclav +Date: Tue, 9 Jun 2026 11:28:15 +0200 +Subject: [PATCH] dhcp/dhclient: validate hostname before pasting it into + dhclient config + +nm_sd_dns_name_is_valid() accepts double quotes, which could break out +of the quoted string context in dhclient.conf. + +Add a check in create_dhclient_config() that rejects hostnames +containing characters unsafe for dhclient.conf. + +(cherry picked from commit ca571c6819e01651be2197abff8eafff22ef80ef) +--- + src/core/dhcp/nm-dhcp-dhclient.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/core/dhcp/nm-dhcp-dhclient.c b/src/core/dhcp/nm-dhcp-dhclient.c +index 7e00599cd8..99421b35fd 100644 +--- a/src/core/dhcp/nm-dhcp-dhclient.c ++++ b/src/core/dhcp/nm-dhcp-dhclient.c +@@ -221,6 +221,16 @@ find_existing_config(NMDhcpDhclient *self, int addr_family, const char *iface, c + return NULL; + } + ++static gboolean ++_dhclient_hostname_is_valid(const char *hostname) ++{ ++ for (const char *p = hostname; *p; p++) { ++ if (!g_ascii_isalnum(*p) && !NM_IN_SET(*p, '-', '.')) ++ return FALSE; ++ } ++ return TRUE; ++} ++ + /* NM provides interface-specific options; thus the same dhclient config + * file cannot be used since DHCP transactions can happen in parallel. + * Since some distros don't have default per-interface dhclient config files, +@@ -251,6 +261,12 @@ create_dhclient_config(NMDhcpDhclient *self, + + g_return_val_if_fail(iface != NULL, NULL); + ++ if (hostname && !_dhclient_hostname_is_valid(hostname)) { ++ _LOGW("hostname '%s' contains unsafe characters for dhclient config, will be ignored", ++ hostname); ++ hostname = NULL; ++ } ++ + new_path = g_strdup_printf(NMSTATEDIR "/dhclient%s-%s.conf", + _addr_family_to_path_part(addr_family), + iface); +-- +2.54.0 + diff --git a/NetworkManager.spec b/NetworkManager.spec index 91383a3..b4fe735 100644 --- a/NetworkManager.spec +++ b/NetworkManager.spec @@ -7,7 +7,7 @@ %global real_version 1.54.4 %global git_tag_version 1.54.4 %global rpm_version %{real_version} -%global release_version 1 +%global release_version 2 %global snapshot %{nil} %global git_sha %{nil} %global bcond_default_debug 0 @@ -191,6 +191,8 @@ Patch0001: 0001-revert-change-default-value-for-ipv4.dad-timeout-from-0-to-200ms # Bugfixes that are only relevant until next rebase of the package. # Patch1001: 1001-some.patch Patch1001: 1001-The-valid-range-of-arp_missed_max-according-to-the-k.patch +Patch1002: 1002-libnm-sd-shared-reject-urls-containing-unexpected-ch.patch +Patch1003: 1003-dhcp-dhclient-validate-hostname-before-pasting-it-in.patch Requires(post): systemd Requires(post): systemd-udev @@ -1088,6 +1090,9 @@ fi %changelog +* Thu Jul 2 2026 Ján Václav - 1:1.54.4-2 +- Fix CVE-2026-10805 (RHEL-191626) + * Thu May 21 2026 Ján Václav - 1:1.54.4-1 - Update to 1.54.4 - fix handling onlink route flag for ECMP routes (RHEL-157391)