Fix CVE-2026-10805
Resolves: RHEL-191622
This commit is contained in:
parent
1994fc413b
commit
9e9cb33d9d
@ -0,0 +1,76 @@
|
||||
From 61bc3385dc726e4aae84c5f5a2231f065d8dd86d Mon Sep 17 00:00:00 2001
|
||||
From: Jan Vaclav <jvaclav@redhat.com>
|
||||
Date: Mon, 8 Jun 2026 13:05:33 +0200
|
||||
Subject: [PATCH 1/2] libnm-sd-shared: reject urls containing unexpected
|
||||
characters
|
||||
|
||||
_http_url_is_valid() only rejected non-ASCII bytes (>= 0x80), but
|
||||
accepted control characters, double quotes, and backslashes. These
|
||||
characters can cause injection issues when the URL is pasted into
|
||||
configuration files that interpret them as metacharacters (e.g. quoted
|
||||
strings in dhclient.conf).
|
||||
|
||||
Reject control characters (< 0x20), double quotes, and backslashes in
|
||||
addition to non-ASCII bytes.
|
||||
|
||||
(cherry picked from commit 5326760073c06157652b7e0d0865ada2eb0e393b)
|
||||
(cherry picked from commit ee4421b7250a996911a0c361e5d1fbd4058fa852)
|
||||
(cherry picked from commit 8d1fac7f656b1854fa10780fece7dbcadf50cc50)
|
||||
---
|
||||
src/libnm-systemd-shared/nm-sd-utils-shared.c | 23 +++++++++++++++----
|
||||
1 file changed, 19 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/libnm-systemd-shared/nm-sd-utils-shared.c b/src/libnm-systemd-shared/nm-sd-utils-shared.c
|
||||
index dad21596cf..b51faebcf8 100644
|
||||
--- a/src/libnm-systemd-shared/nm-sd-utils-shared.c
|
||||
+++ b/src/libnm-systemd-shared/nm-sd-utils-shared.c
|
||||
@@ -53,6 +53,20 @@ nm_sd_dns_name_normalize(const char *s)
|
||||
|
||||
/*****************************************************************************/
|
||||
|
||||
+static gboolean
|
||||
+_http_url_is_valid_char(char ch)
|
||||
+{
|
||||
+ if (g_ascii_isalnum(ch))
|
||||
+ return TRUE;
|
||||
+
|
||||
+ /* Allow symbols which are allowed by the URL standard, or unlikely
|
||||
+ * to be problematic in this scenario. */
|
||||
+ if (strchr(":/%=;&+|^`-._~?#<>{}[]@!$'()*, ", ch) != NULL)
|
||||
+ return TRUE;
|
||||
+
|
||||
+ return FALSE;
|
||||
+}
|
||||
+
|
||||
static gboolean
|
||||
_http_url_is_valid(const char *url, gboolean only_https)
|
||||
{
|
||||
@@ -69,7 +83,7 @@ _http_url_is_valid(const char *url, gboolean only_https)
|
||||
if (!url[0])
|
||||
return FALSE;
|
||||
|
||||
- return !NM_STRCHAR_ANY(url, ch, (guchar) ch >= 128u);
|
||||
+ return NM_STRCHAR_ALL(url, ch, _http_url_is_valid_char(ch));
|
||||
}
|
||||
|
||||
gboolean
|
||||
@@ -82,12 +96,13 @@ nm_sd_http_url_is_valid_https(const char *url)
|
||||
* assert with http_url_is_valid() that the argument is valid. We thus must make
|
||||
* sure to only pass URLs that are valid according to http_url_is_valid().
|
||||
*
|
||||
- * This is given, because our nm_sd_http_url_is_valid_https() is more strict
|
||||
- * than http_url_is_valid().
|
||||
+ * This is given, because our nm_sd_http_url_is_valid_https() is more restrictive
|
||||
+ * than http_url_is_valid(). The assertion below checks that anything we accept,
|
||||
+ * systemd must also accept.
|
||||
*
|
||||
* We only must make sure that this is also correct in the future, when we
|
||||
* re-import systemd code. */
|
||||
- nm_assert(_http_url_is_valid(url, FALSE) == http_url_is_valid(url));
|
||||
+ nm_assert(!_http_url_is_valid(url, FALSE) || http_url_is_valid(url));
|
||||
return _http_url_is_valid(url, TRUE);
|
||||
}
|
||||
|
||||
--
|
||||
2.54.0
|
||||
|
||||
@ -0,0 +1,56 @@
|
||||
From f5919600b1e949d88c8225b4a86c70a0c34aa506 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Vaclav <jvaclav@redhat.com>
|
||||
Date: Tue, 9 Jun 2026 11:28:15 +0200
|
||||
Subject: [PATCH 2/2] dhcp/dhclient: validate hostname before pasting it into
|
||||
dhclient config
|
||||
|
||||
nm_sd_dns_name_is_valid() accepts double quotes, which could break out
|
||||
of the quoted string context in dhclient.conf.
|
||||
|
||||
Add a check in create_dhclient_config() that rejects hostnames
|
||||
containing characters unsafe for dhclient.conf.
|
||||
|
||||
(cherry picked from commit ca571c6819e01651be2197abff8eafff22ef80ef)
|
||||
(cherry picked from commit 753f3ae3d16889a933083b4f1c242eaddce17763)
|
||||
(cherry picked from commit 32a370d177219b96f8059208e5dd1a0ba80d668d)
|
||||
---
|
||||
src/core/dhcp/nm-dhcp-dhclient.c | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/src/core/dhcp/nm-dhcp-dhclient.c b/src/core/dhcp/nm-dhcp-dhclient.c
|
||||
index e4f40d7cb0..dba184b758 100644
|
||||
--- a/src/core/dhcp/nm-dhcp-dhclient.c
|
||||
+++ b/src/core/dhcp/nm-dhcp-dhclient.c
|
||||
@@ -271,6 +271,16 @@ find_existing_config(NMDhcpDhclient *self, int addr_family, const char *iface, c
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+static gboolean
|
||||
+_dhclient_hostname_is_valid(const char *hostname)
|
||||
+{
|
||||
+ for (const char *p = hostname; *p; p++) {
|
||||
+ if (!g_ascii_isalnum(*p) && !NM_IN_SET(*p, '-', '.'))
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
/* NM provides interface-specific options; thus the same dhclient config
|
||||
* file cannot be used since DHCP transactions can happen in parallel.
|
||||
* Since some distros don't have default per-interface dhclient config files,
|
||||
@@ -298,6 +308,12 @@ create_dhclient_config(NMDhcpDhclient *self,
|
||||
|
||||
g_return_val_if_fail(iface != NULL, NULL);
|
||||
|
||||
+ if (hostname && !_dhclient_hostname_is_valid(hostname)) {
|
||||
+ _LOGW("hostname '%s' contains unsafe characters for dhclient config, will be ignored",
|
||||
+ hostname);
|
||||
+ hostname = NULL;
|
||||
+ }
|
||||
+
|
||||
new = g_strdup_printf(NMSTATEDIR "/dhclient%s-%s.conf",
|
||||
_addr_family_to_path_part(addr_family),
|
||||
iface);
|
||||
--
|
||||
2.54.0
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
%global epoch_version 1
|
||||
%global real_version 1.40.16
|
||||
%global rpm_version %{real_version}
|
||||
%global release_version 20
|
||||
%global release_version 21
|
||||
%global snapshot %{nil}
|
||||
%global git_sha %{nil}
|
||||
%global bcond_default_debug 0
|
||||
@ -215,6 +215,8 @@ Patch1016: 1016-vpn-place-gateway-route-to-table-defined-in-ipvx-route-table-rhe
|
||||
Patch1017: 1017-vpn-fix-routing-rules-support-in-vpn-conenctions-rhel-73052.patch
|
||||
Patch1018: 1018-cloud-setup-azure-ensure-that-primary-address-is-pla-rhel-69462.patch
|
||||
Patch1019: 1019-device-dont-disable-IPv6-in-stage3-on-reapply-91479.patch
|
||||
Patch1020: 1020-libnm-sd-shared-reject-urls-containing-unexpected-ch.patch
|
||||
Patch1021: 1021-dhcp-dhclient-validate-hostname-before-pasting-it-in.patch
|
||||
|
||||
Requires(post): systemd
|
||||
%if 0%{?fedora} || 0%{?rhel} >= 8
|
||||
@ -1250,6 +1252,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Jul 2 2026 Ján Václav <jvaclav@redhat.com> - 1:1.40.16-21
|
||||
- Fix CVE-2026-10805 (RHEL-191622)
|
||||
|
||||
* Fri Aug 15 2025 Vladimír Beneš <vbenes@redhat.com> - 1:1.40.16-20
|
||||
- device: don't disable IPv6 in stage3 on reapply (RHEL-91479)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user