From a44ce00a48984a91cf952eef9ded1dcb40ef0e12 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Fri, 10 Apr 2026 12:02:59 -0400
Subject: [PATCH] import UBI cockpit-344-3.el10_1
---
...licit-when-handling-hostnames-on-cli.patch | 64 +++++++++++++++++++
0002-ferny-explicit-hostname-handling.patch | 13 ++++
cockpit.spec | 12 +++-
3 files changed, 88 insertions(+), 1 deletion(-)
create mode 100644 0001-ws-be-more-explicit-when-handling-hostnames-on-cli.patch
create mode 100644 0002-ferny-explicit-hostname-handling.patch
diff --git a/0001-ws-be-more-explicit-when-handling-hostnames-on-cli.patch b/0001-ws-be-more-explicit-when-handling-hostnames-on-cli.patch
new file mode 100644
index 0000000..2381310
--- /dev/null
+++ b/0001-ws-be-more-explicit-when-handling-hostnames-on-cli.patch
@@ -0,0 +1,64 @@ +From 390bf80b42c2e3dc8c3c6e04f60f8f28bcf4449c Mon Sep 17 00:00:00 2001 +From: Allison Karlitskaya +Date: Tue, 24 Mar 2026 15:44:15 +0100 +Subject: [PATCH] ws: be more explicit when handling hostnames on cli + +`cockpit-ws` has never protected hostnames from being interpreted as cli +options when passing them to the auth commands (`cockpit-session`, +`cockpit-ssh`, `cockpit.beiboot`). There have been a couple of relevant +changes over the years: + + - our move to using cockpit-session via unix socket has removed + exposure to this problem for `cockpit-session` + + - our move from `cockpit-ssh` (glib argument parser) to + `cockpit.beiboot` (Python argparse) has unfortunately exposed us to + https://github.com/python/cpython/issues/66623 which means (due to a + strange heuristic) that arguments starting with '-' can be + interpreted as positionals if they also have spaces in them + +This gives a way to get a hostname starting with a `-` to ssh (where it +*will* be interpreted as an option) and the following argument (the +python invocation on the remote) will be interpreted as the hostname. +Fortunately, new versions of ssh will reject this hostname. In any +case, we should firm up the code here and add `--` to ensure that it's +definitely interpreted as a hostname by ssh. + +For a similar reason add a `--` to the ssh command in `cockpit-ws`. 
+--- + src/cockpit/beiboot.py | 4 ++-- + src/ws/cockpitauth.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/cockpit/beiboot.py b/src/cockpit/beiboot.py +index e26f61e315..b0dffcb51a 100644 +--- a/src/cockpit/beiboot.py ++++ b/src/cockpit/beiboot.py +@@ -250,9 +250,9 @@ def via_ssh(cmd: Sequence[str], dest: str, ssh_askpass: Path, *ssh_opts: str) -> + # strip off [] IPv6 brackets + if host.startswith('[') and host.endswith(']'): + host = host[1:-1] +- destination = ['-p', port, host] ++ destination = ['-p', port, '--', host] + else: +- destination = [dest] ++ destination = ['--', dest] + + return ( + 'ssh', *ssh_opts, *destination, shlex.join(cmd) +diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c +index bbde931f9d..7554ee835c 100644 +--- a/src/ws/cockpitauth.c ++++ b/src/ws/cockpitauth.c +@@ -36,7 +36,7 @@ + + /* we only support beibooting machines with a known/vetted OS, as it's impossible to guarantee + * forward compatibility for all pages */ +-const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m cockpit.beiboot --remote-bridge=supported"; ++const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m cockpit.beiboot --remote-bridge=supported --"; + + /* Some tunables that can be set from tests */ + const gchar *cockpit_ws_session_program = NULL; +-- +2.53.0 + diff --git a/0002-ferny-explicit-hostname-handling.patch b/0002-ferny-explicit-hostname-handling.patch new file mode 100644 index 0000000..001e146 --- /dev/null +++ b/0002-ferny-explicit-hostname-handling.patch 
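Review bot: The trailing `--` added to `cockpit_ws_ssh_program` in the cockpitauth.c part of this patch is load-bearing, yet the only comment above it talks about vetted OS versions, so the next person to append an option to that string will silently undo the fix. I would add `/* trailing "--" ends beiboot's argparse option parsing, so the hostname ws appends is always positional even if it starts with '-' */` directly above the definition. As far as the commit message lets me infer, the protection holds only if ws appends the hostname right after this string; anything appended after it would now be taken by beiboot as a positional, which is worth stating in that comment. The beiboot.py side (`['-p', port, '--', host]` and `['--', dest]`) looks right since `shlex.join(cmd)` still follows the host, though via_ssh's head and tail lie outside the inner hunk.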
@@ -0,0 +1,13 @@ +Only in cockpit-356.orig: cockpit-356 +diff -aur cockpit-356.orig/src/cockpit/_vendor/ferny/session.py cockpit-356/src/cockpit/_vendor/ferny/session.py +--- cockpit-356.orig/src/cockpit/_vendor/ferny/session.py 2026-03-24 19:32:57.640824773 +0100 ++++ cockpit-356/src/cockpit/_vendor/ferny/session.py 2026-03-24 19:36:59.515400966 +0100 +@@ -145,7 +145,7 @@ + + # SSH_ASKPASS_REQUIRE is not generally available, so use setsid + process = await asyncio.create_subprocess_exec( +- *('/usr/bin/ssh', *args, destination), env=env, ++ *('/usr/bin/ssh', *args, '--', destination), env=env, + start_new_session=True, stdin=asyncio.subprocess.DEVNULL, + stdout=asyncio.subprocess.DEVNULL, stderr=agent, # type: ignore + preexec_fn=lambda: prctl(PR_SET_PDEATHSIG, signal.SIGKILL)) diff --git a/cockpit.spec b/cockpit.spec index 75df991..d51850d 100644 --- a/cockpit.spec +++ b/cockpit.spec @@ -58,9 +58,12 @@ License: LGPL-2.1-or-later URL: https://cockpit-project.org/ Version: 344 -Release: 1%{?dist} +Release: 3%{?dist} Source0: https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz +Patch001: 0001-ws-be-more-explicit-when-handling-hostnames-on-cli.patch +Patch002: 0002-ferny-explicit-hostname-handling.patch + %if 0%{?fedora} >= 41 || 0%{?rhel} ExcludeArch: %{ix86} %endif @@ -146,6 +149,7 @@ BuildRequires: python3-pytest-timeout %prep %setup -q -n cockpit-%{version} +%autopatch -p1 %build %configure \ @@ -647,6 +651,12 @@ via PackageKit. # The changelog is automatically generated and merged %changelog +* Wed Apr 01 2026 Jelle van der Waa - 344-3 +- correctly apply CVE patches (CVE-2026-4631) + +* Wed Mar 25 2026 Jelle van der Waa - 344-1 Bug fixes and translation updates
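Review bot: This ferny patch was generated against a cockpit-356 tree (`cockpit-356.orig/src/cockpit/_vendor/ferny/session.py`, hunk at line 145) while the spec builds cockpit-344, so `%autopatch -p1` in the later spec hunk applies it only because the leading directory is stripped and patch tolerates an offset; a future refresh could silently fail or land on the wrong line. Regenerate it against the 344 tarball, or at least add a short header above the `diff -aur` line naming the upstream change it backports and why the paths differ. The stray `Only in cockpit-356.orig: cockpit-356` first line is `diff -r` noise that patch ignores but that should be dropped. The `'--'` before `destination` itself is correct, since ssh stops option parsing there and all of `*args` precede it.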
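Review bot: The new `Patch001:`/`Patch002:` lines carry no hint of what they fix; the only mention of CVE-2026-4631 is in the changelog at the bottom of the file. I would put `# CVE-2026-4631: pass hostnames to ssh/beiboot after '--' so a leading '-' cannot be parsed as an option` above `Patch001:` so the reason survives the next rebase. The changelog hunk that references the CVE is cut off by the page, so I could not check its remaining lines.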