Fix CVE-2026-10805

Resolves: RHEL-191622
This commit is contained in:
Jan Vaclav 2026-07-02 12:17:43 +02:00
parent 1994fc413b
commit 9e9cb33d9d
3 changed files with 138 additions and 1 deletions

View File

@ -0,0 +1,76 @@
From 61bc3385dc726e4aae84c5f5a2231f065d8dd86d Mon Sep 17 00:00:00 2001
From: Jan Vaclav <jvaclav@redhat.com>
Date: Mon, 8 Jun 2026 13:05:33 +0200
Subject: [PATCH 1/2] libnm-sd-shared: reject urls containing unexpected
characters
_http_url_is_valid() only rejected non-ASCII bytes (>= 0x80), but
accepted control characters, double quotes, and backslashes. These
characters can cause injection issues when the URL is pasted into
configuration files that interpret them as metacharacters (e.g. quoted
strings in dhclient.conf).
Reject control characters (< 0x20), double quotes, and backslashes in
addition to non-ASCII bytes.
(cherry picked from commit 5326760073c06157652b7e0d0865ada2eb0e393b)
(cherry picked from commit ee4421b7250a996911a0c361e5d1fbd4058fa852)
(cherry picked from commit 8d1fac7f656b1854fa10780fece7dbcadf50cc50)
---
src/libnm-systemd-shared/nm-sd-utils-shared.c | 23 +++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/src/libnm-systemd-shared/nm-sd-utils-shared.c b/src/libnm-systemd-shared/nm-sd-utils-shared.c
index dad21596cf..b51faebcf8 100644
--- a/src/libnm-systemd-shared/nm-sd-utils-shared.c
+++ b/src/libnm-systemd-shared/nm-sd-utils-shared.c
@@ -53,6 +53,20 @@ nm_sd_dns_name_normalize(const char *s)
/*****************************************************************************/
+static gboolean
+_http_url_is_valid_char(char ch)
+{
+ if (g_ascii_isalnum(ch))
+ return TRUE;
+
+ /* Allow symbols which are allowed by the URL standard, or unlikely
+ * to be problematic in this scenario. */
+ if (strchr(":/%=;&+|^`-._~?#<>{}[]@!$'()*, ", ch) != NULL)
+ return TRUE;
+
+ return FALSE;
+}
+
static gboolean
_http_url_is_valid(const char *url, gboolean only_https)
{
@@ -69,7 +83,7 @@ _http_url_is_valid(const char *url, gboolean only_https)
if (!url[0])
return FALSE;
- return !NM_STRCHAR_ANY(url, ch, (guchar) ch >= 128u);
+ return NM_STRCHAR_ALL(url, ch, _http_url_is_valid_char(ch));
}
gboolean
@@ -82,12 +96,13 @@ nm_sd_http_url_is_valid_https(const char *url)
* assert with http_url_is_valid() that the argument is valid. We thus must make
* sure to only pass URLs that are valid according to http_url_is_valid().
*
- * This is given, because our nm_sd_http_url_is_valid_https() is more strict
- * than http_url_is_valid().
+ * This is given, because our nm_sd_http_url_is_valid_https() is more restrictive
+ * than http_url_is_valid(). The assertion below checks that anything we accept,
+ * systemd must also accept.
*
* We only must make sure that this is also correct in the future, when we
* re-import systemd code. */
- nm_assert(_http_url_is_valid(url, FALSE) == http_url_is_valid(url));
+ nm_assert(!_http_url_is_valid(url, FALSE) || http_url_is_valid(url));
return _http_url_is_valid(url, TRUE);
}
--
2.54.0

View File

@ -0,0 +1,56 @@
From f5919600b1e949d88c8225b4a86c70a0c34aa506 Mon Sep 17 00:00:00 2001
From: Jan Vaclav <jvaclav@redhat.com>
Date: Tue, 9 Jun 2026 11:28:15 +0200
Subject: [PATCH 2/2] dhcp/dhclient: validate hostname before pasting it into
dhclient config
nm_sd_dns_name_is_valid() accepts double quotes, which could break out
of the quoted string context in dhclient.conf.
Add a check in create_dhclient_config() that rejects hostnames
containing characters unsafe for dhclient.conf.
(cherry picked from commit ca571c6819e01651be2197abff8eafff22ef80ef)
(cherry picked from commit 753f3ae3d16889a933083b4f1c242eaddce17763)
(cherry picked from commit 32a370d177219b96f8059208e5dd1a0ba80d668d)
---
src/core/dhcp/nm-dhcp-dhclient.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/core/dhcp/nm-dhcp-dhclient.c b/src/core/dhcp/nm-dhcp-dhclient.c
index e4f40d7cb0..dba184b758 100644
--- a/src/core/dhcp/nm-dhcp-dhclient.c
+++ b/src/core/dhcp/nm-dhcp-dhclient.c
@@ -271,6 +271,16 @@ find_existing_config(NMDhcpDhclient *self, int addr_family, const char *iface, c
return NULL;
}
+static gboolean
+_dhclient_hostname_is_valid(const char *hostname)
+{
+ for (const char *p = hostname; *p; p++) {
+ if (!g_ascii_isalnum(*p) && !NM_IN_SET(*p, '-', '.'))
+ return FALSE;
+ }
+ return TRUE;
+}
+
/* NM provides interface-specific options; thus the same dhclient config
* file cannot be used since DHCP transactions can happen in parallel.
* Since some distros don't have default per-interface dhclient config files,
@@ -298,6 +308,12 @@ create_dhclient_config(NMDhcpDhclient *self,
g_return_val_if_fail(iface != NULL, NULL);
+ if (hostname && !_dhclient_hostname_is_valid(hostname)) {
+ _LOGW("hostname '%s' contains unsafe characters for dhclient config, will be ignored",
+ hostname);
+ hostname = NULL;
+ }
+
new = g_strdup_printf(NMSTATEDIR "/dhclient%s-%s.conf",
_addr_family_to_path_part(addr_family),
iface);
--
2.54.0

View File

@ -6,7 +6,7 @@
%global epoch_version 1
%global real_version 1.40.16
%global rpm_version %{real_version}
%global release_version 20
%global release_version 21
%global snapshot %{nil}
%global git_sha %{nil}
%global bcond_default_debug 0
@ -215,6 +215,8 @@ Patch1016: 1016-vpn-place-gateway-route-to-table-defined-in-ipvx-route-table-rhe
Patch1017: 1017-vpn-fix-routing-rules-support-in-vpn-conenctions-rhel-73052.patch
Patch1018: 1018-cloud-setup-azure-ensure-that-primary-address-is-pla-rhel-69462.patch
Patch1019: 1019-device-dont-disable-IPv6-in-stage3-on-reapply-91479.patch
Patch1020: 1020-libnm-sd-shared-reject-urls-containing-unexpected-ch.patch
Patch1021: 1021-dhcp-dhclient-validate-hostname-before-pasting-it-in.patch
Requires(post): systemd
%if 0%{?fedora} || 0%{?rhel} >= 8
@ -1250,6 +1252,9 @@ fi
%changelog
* Thu Jul 2 2026 Ján Václav <jvaclav@redhat.com> - 1:1.40.16-21
- Fix CVE-2026-10805 (RHEL-191622)
* Fri Aug 15 2025 Vladimír Beneš <vbenes@redhat.com> - 1:1.40.16-20
- device: don't disable IPv6 in stage3 on reapply (RHEL-91479)