import UBI cockpit-344-3.el10_1
This commit is contained in:
parent
3ade607e9d
commit
a44ce00a48
@ -0,0 +1,64 @@
|
||||
From 390bf80b42c2e3dc8c3c6e04f60f8f28bcf4449c Mon Sep 17 00:00:00 2001
|
||||
From: Allison Karlitskaya <allison.karlitskaya@redhat.com>
|
||||
Date: Tue, 24 Mar 2026 15:44:15 +0100
|
||||
Subject: [PATCH] ws: be more explicit when handling hostnames on cli
|
||||
|
||||
`cockpit-ws` has never protected hostnames from being interpreted as cli
|
||||
options when passing them to the auth commands (`cockpit-session`,
|
||||
`cockpit-ssh`, `cockpit.beiboot`). There have been a couple of relevant
|
||||
changes over the years:
|
||||
|
||||
- our move to using cockpit-session via unix socket has removed
|
||||
exposure to this problem for `cockpit-session`
|
||||
|
||||
- our move from `cockpit-ssh` (glib argument parser) to
|
||||
`cockpit.beiboot` (Python argparse) has unfortunately exposed us to
|
||||
https://github.com/python/cpython/issues/66623 which means (due to a
|
||||
strange heuristic) that arguments starting with '-' can be
|
||||
interpreted as positionals if they also have spaces in them
|
||||
|
||||
This gives a way to get a hostname starting with a `-` to ssh (where it
|
||||
*will* be interpreted as an option) and the following argument (the
|
||||
python invocation on the remote) will be interpreted as the hostname.
|
||||
Fortunately, new versions of ssh will reject this hostname. In any
|
||||
case, we should firm up the code here and add `--` to ensure that it's
|
||||
definitely interpreted as a hostname by ssh.
|
||||
|
||||
For a similar reason add a `--` to the ssh command in `cockpit-ws`.
|
||||
---
|
||||
src/cockpit/beiboot.py | 4 ++--
|
||||
src/ws/cockpitauth.c | 2 +-
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/cockpit/beiboot.py b/src/cockpit/beiboot.py
|
||||
index e26f61e315..b0dffcb51a 100644
|
||||
--- a/src/cockpit/beiboot.py
|
||||
+++ b/src/cockpit/beiboot.py
|
||||
@@ -250,9 +250,9 @@ def via_ssh(cmd: Sequence[str], dest: str, ssh_askpass: Path, *ssh_opts: str) ->
|
||||
# strip off [] IPv6 brackets
|
||||
if host.startswith('[') and host.endswith(']'):
|
||||
host = host[1:-1]
|
||||
- destination = ['-p', port, host]
|
||||
+ destination = ['-p', port, '--', host]
|
||||
else:
|
||||
- destination = [dest]
|
||||
+ destination = ['--', dest]
|
||||
|
||||
return (
|
||||
'ssh', *ssh_opts, *destination, shlex.join(cmd)
|
||||
diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
|
||||
index bbde931f9d..7554ee835c 100644
|
||||
--- a/src/ws/cockpitauth.c
|
||||
+++ b/src/ws/cockpitauth.c
|
||||
@@ -36,7 +36,7 @@
|
||||
|
||||
/* we only support beibooting machines with a known/vetted OS, as it's impossible to guarantee
|
||||
* forward compatibility for all pages */
|
||||
-const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m cockpit.beiboot --remote-bridge=supported";
|
||||
+const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m cockpit.beiboot --remote-bridge=supported --";
|
||||
|
||||
/* Some tunables that can be set from tests */
|
||||
const gchar *cockpit_ws_session_program = NULL;
|
||||
--
|
||||
2.53.0
|
||||
|
||||
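Review bot: The trailing `--` appended to `cockpit_ws_ssh_program` in src/ws/cockpitauth.c carries the whole fix on the ws side, yet nothing in the hunk says why it is there, so a later cleanup could drop it as a stray token. A comment above the definition would pin it, e.g. `/* the trailing "--" ends beiboot's option parsing, so the host cockpit-ws appends after this string can never be read as an --option (see python/cpython issue 66623) */`. This presumably relies on cockpit-ws splitting the string into argv and appending only the hostname after it; if anything else were ever appended after the program string it would now land as a positional rather than an option, so the comment should state that assumption. The same applies to the `'--'` inserted before `host` and `dest` in src/cockpit/beiboot.py, where a one-line `# '--' so ssh never treats a leading-'-' host as an option` would help; via_ssh itself starts and ends outside the hunk.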
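--- a/0002-ferny-explicit-hostname-handling.patch
+++ b/0002-ferny-explicit-hostname-handling.patch
@@ -0,0 +1,13 @@
+Only in cockpit-356.orig: cockpit-356
+diff -aur cockpit-356.orig/src/cockpit/_vendor/ferny/session.py cockpit-356/src/cockpit/_vendor/ferny/session.py
+--- cockpit-356.orig/src/cockpit/_vendor/ferny/session.py 2026-03-24 19:32:57.640824773 +0100
++++ cockpit-356/src/cockpit/_vendor/ferny/session.py 2026-03-24 19:36:59.515400966 +0100
+@@ -145,7 +145,7 @@
+
+# SSH_ASKPASS_REQUIRE is not generally available, so use setsid
+process = await asyncio.create_subprocess_exec(
+- *('/usr/bin/ssh', *args, destination), env=env,
++ *('/usr/bin/ssh', *args, '--', destination), env=env,
+start_new_session=True, stdin=asyncio.subprocess.DEVNULL,
+stdout=asyncio.subprocess.DEVNULL, stderr=agent, # type: ignore
+preexec_fn=lambda: prctl(PR_SET_PDEATHSIG, signal.SIGKILL))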
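Review bot: This patch has no provenance header like the sibling 0001 patch (no From/Subject/rationale) and opens with a stray `Only in cockpit-356.orig: cockpit-356` line left over from `diff -aur`, which `patch` ignores but which shows it was cut by hand. Its paths and the `@@ -145,7 +145,7 @@` offset come from a cockpit-356 tree while the spec builds `Version: 344`, so applying it under `%autopatch -p1` presumably depends on patch offset/fuzz matching; regenerating it against the 344 source with a short description (one sentence naming the ssh option-injection it closes, matching the `--` change in 0001) would make both the intent and the target reviewable. The `'--'` placement itself is right: it follows all of `*args` and precedes only `destination`, so ssh reads the next token as the host even when it begins with `-`. The enclosing function starts and ends outside the hunk.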
12
cockpit.spec
12
cockpit.spec
@ -58,9 +58,12 @@ License: LGPL-2.1-or-later
|
||||
URL: https://cockpit-project.org/
|
||||
|
||||
Version: 344
|
||||
Release: 1%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Source0: https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz
|
||||
|
||||
Patch001: 0001-ws-be-more-explicit-when-handling-hostnames-on-cli.patch
|
||||
Patch002: 0002-ferny-explicit-hostname-handling.patch
|
||||
|
||||
%if 0%{?fedora} >= 41 || 0%{?rhel}
|
||||
ExcludeArch: %{ix86}
|
||||
%endif
|
||||
@ -146,6 +149,7 @@ BuildRequires: python3-pytest-timeout
|
||||
|
||||
%prep
|
||||
%setup -q -n cockpit-%{version}
|
||||
%autopatch -p1
|
||||
|
||||
%build
|
||||
%configure \
|
||||
@ -647,6 +651,12 @@ via PackageKit.
|
||||
|
||||
# The changelog is automatically generated and merged
|
||||
%changelog
|
||||
* Wed Apr 01 2026 Jelle van der Waa <jvanderw@redhat.com> - 344-3
|
||||
- correctly apply CVE patches (CVE-2026-4631)
|
||||
|
||||
* Wed Mar 25 2026 Jelle van der Waa <jvanderw@redhat.com - 344-3
|
||||
- ws: be more explicit when handling hostnames on cli (CVE-2026-4631)
|
||||
|
||||
* Wed Aug 06 2025 Packit <hello@packit.dev> - 344-1
|
||||
Bug fixes and translation updates
|
||||
|
||||
|
||||
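Review bot: The second %changelog entry is malformed: `* Wed Mar 25 2026 Jelle van der Waa <jvanderw@redhat.com - 344-3` is missing the closing `>` on the address and repeats the `344-3` EVR of the entry above it. Since Release moves from `1%{?dist}` to `3%{?dist}` in this same commit, that entry presumably belongs to the skipped 344-2 build and should read `* Wed Mar 25 2026 Jelle van der Waa <jvanderw@redhat.com> - 344-2`. The added `%autopatch -p1` in %prep is the line that actually applies Patch001/Patch002 (the Apr 01 entry's "correctly apply CVE patches" reads as though an earlier build listed them without applying them), so a comment there such as `# apply the CVE-2026-4631 hostname patches (Patch001/Patch002)` would make that dependency visible to the next editor.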