diff --git a/1020-libnm-sd-shared-reject-urls-containing-unexpected-ch.patch b/1020-libnm-sd-shared-reject-urls-containing-unexpected-ch.patch new file mode 100644 index 0000000..29c5c2a --- /dev/null +++ b/1020-libnm-sd-shared-reject-urls-containing-unexpected-ch.patch @@ -0,0 +1,76 @@ +From 61bc3385dc726e4aae84c5f5a2231f065d8dd86d Mon Sep 17 00:00:00 2001 +From: Jan Vaclav +Date: Mon, 8 Jun 2026 13:05:33 +0200 +Subject: [PATCH 1/2] libnm-sd-shared: reject urls containing unexpected + characters + +_http_url_is_valid() only rejected non-ASCII bytes (>= 0x80), but +accepted control characters, double quotes, and backslashes. These +characters can cause injection issues when the URL is pasted into +configuration files that interpret them as metacharacters (e.g. quoted +strings in dhclient.conf). + +Reject control characters (< 0x20), double quotes, and backslashes in +addition to non-ASCII bytes. + +(cherry picked from commit 5326760073c06157652b7e0d0865ada2eb0e393b) +(cherry picked from commit ee4421b7250a996911a0c361e5d1fbd4058fa852) +(cherry picked from commit 8d1fac7f656b1854fa10780fece7dbcadf50cc50) +--- + src/libnm-systemd-shared/nm-sd-utils-shared.c | 23 +++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/src/libnm-systemd-shared/nm-sd-utils-shared.c b/src/libnm-systemd-shared/nm-sd-utils-shared.c +index dad21596cf..b51faebcf8 100644 +--- a/src/libnm-systemd-shared/nm-sd-utils-shared.c ++++ b/src/libnm-systemd-shared/nm-sd-utils-shared.c +@@ -53,6 +53,20 @@ nm_sd_dns_name_normalize(const char *s) + + /*****************************************************************************/ + ++static gboolean ++_http_url_is_valid_char(char ch) ++{ ++ if (g_ascii_isalnum(ch)) ++ return TRUE; ++ ++ /* Allow symbols which are allowed by the URL standard, or unlikely ++ * to be problematic in this scenario. */ ++ if (strchr(":/%=;&+|^`-._~?#<>{}[]@!$'()*, ", ch) != NULL) ++ return TRUE; ++ ++ return FALSE; ++} ++ + static gboolean + _http_url_is_valid(const char *url, gboolean only_https) + { +@@ -69,7 +83,7 @@ _http_url_is_valid(const char *url, gboolean only_https) + if (!url[0]) + return FALSE; + +- return !NM_STRCHAR_ANY(url, ch, (guchar) ch >= 128u); ++ return NM_STRCHAR_ALL(url, ch, _http_url_is_valid_char(ch)); + } + + gboolean +@@ -82,12 +96,13 @@ nm_sd_http_url_is_valid_https(const char *url) + * assert with http_url_is_valid() that the argument is valid. We thus must make + * sure to only pass URLs that are valid according to http_url_is_valid(). + * +- * This is given, because our nm_sd_http_url_is_valid_https() is more strict +- * than http_url_is_valid(). ++ * This is given, because our nm_sd_http_url_is_valid_https() is more restrictive ++ * than http_url_is_valid(). The assertion below checks that anything we accept, ++ * systemd must also accept. + * + * We only must make sure that this is also correct in the future, when we + * re-import systemd code. */ +- nm_assert(_http_url_is_valid(url, FALSE) == http_url_is_valid(url)); ++ nm_assert(!_http_url_is_valid(url, FALSE) || http_url_is_valid(url)); + return _http_url_is_valid(url, TRUE); + } + +-- +2.54.0 + diff --git a/1021-dhcp-dhclient-validate-hostname-before-pasting-it-in.patch b/1021-dhcp-dhclient-validate-hostname-before-pasting-it-in.patch new file mode 100644 index 0000000..233c170 --- /dev/null +++ b/1021-dhcp-dhclient-validate-hostname-before-pasting-it-in.patch @@ -0,0 +1,56 @@ +From f5919600b1e949d88c8225b4a86c70a0c34aa506 Mon Sep 17 00:00:00 2001 +From: Jan Vaclav +Date: Tue, 9 Jun 2026 11:28:15 +0200 +Subject: [PATCH 2/2] dhcp/dhclient: validate hostname before pasting it into + dhclient config + +nm_sd_dns_name_is_valid() accepts double quotes, which could break out +of the quoted string context in dhclient.conf. + +Add a check in create_dhclient_config() that rejects hostnames +containing characters unsafe for dhclient.conf. + +(cherry picked from commit ca571c6819e01651be2197abff8eafff22ef80ef) +(cherry picked from commit 753f3ae3d16889a933083b4f1c242eaddce17763) +(cherry picked from commit 32a370d177219b96f8059208e5dd1a0ba80d668d) +--- + src/core/dhcp/nm-dhcp-dhclient.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/core/dhcp/nm-dhcp-dhclient.c b/src/core/dhcp/nm-dhcp-dhclient.c +index e4f40d7cb0..dba184b758 100644 +--- a/src/core/dhcp/nm-dhcp-dhclient.c ++++ b/src/core/dhcp/nm-dhcp-dhclient.c +@@ -271,6 +271,16 @@ find_existing_config(NMDhcpDhclient *self, int addr_family, const char *iface, c + return NULL; + } + ++static gboolean ++_dhclient_hostname_is_valid(const char *hostname) ++{ ++ for (const char *p = hostname; *p; p++) { ++ if (!g_ascii_isalnum(*p) && !NM_IN_SET(*p, '-', '.')) ++ return FALSE; ++ } ++ return TRUE; ++} ++ + /* NM provides interface-specific options; thus the same dhclient config + * file cannot be used since DHCP transactions can happen in parallel. + * Since some distros don't have default per-interface dhclient config files, +@@ -298,6 +308,12 @@ create_dhclient_config(NMDhcpDhclient *self, + + g_return_val_if_fail(iface != NULL, NULL); + ++ if (hostname && !_dhclient_hostname_is_valid(hostname)) { ++ _LOGW("hostname '%s' contains unsafe characters for dhclient config, will be ignored", ++ hostname); ++ hostname = NULL; ++ } ++ + new = g_strdup_printf(NMSTATEDIR "/dhclient%s-%s.conf", + _addr_family_to_path_part(addr_family), + iface); +-- +2.54.0 + diff --git a/NetworkManager.spec b/NetworkManager.spec index 966fdb6..eab526a 100644 --- a/NetworkManager.spec +++ b/NetworkManager.spec @@ -6,7 +6,7 @@ %global epoch_version 1 %global real_version 1.40.16 %global rpm_version %{real_version} -%global release_version 20 +%global release_version 21 %global snapshot %{nil} %global git_sha %{nil} %global bcond_default_debug 0 @@ -215,6 +215,8 @@ Patch1016: 1016-vpn-place-gateway-route-to-table-defined-in-ipvx-route-table-rhe Patch1017: 1017-vpn-fix-routing-rules-support-in-vpn-conenctions-rhel-73052.patch Patch1018: 1018-cloud-setup-azure-ensure-that-primary-address-is-pla-rhel-69462.patch Patch1019: 1019-device-dont-disable-IPv6-in-stage3-on-reapply-91479.patch +Patch1020: 1020-libnm-sd-shared-reject-urls-containing-unexpected-ch.patch +Patch1021: 1021-dhcp-dhclient-validate-hostname-before-pasting-it-in.patch Requires(post): systemd %if 0%{?fedora} || 0%{?rhel} >= 8 @@ -1250,6 +1252,9 @@ fi %changelog +* Thu Jul 2 2026 Ján Václav - 1:1.40.16-21 +- Fix CVE-2026-10805 (RHEL-191622) + * Fri Aug 15 2025 Vladimír Beneš - 1:1.40.16-20 - device: don't disable IPv6 in stage3 on reapply (RHEL-91479)