import UBI dracut-107-7.el10_2

2026-06-17 06:39:49 -04:00 · 2026-06-17 06:39:49 -04:00 · 623a62e04e
commit 623a62e04e
parent 9160e2e327
6 changed files with 2063 additions and 1 deletions
--- a/0032-fix-network-legacy-remove-network-legacy-completely-.patch
+++ b/0032-fix-network-legacy-remove-network-legacy-completely-.patch
--- a/0033-fix-iscsi-replace-echo-writes-with-printf-to-prevent.patch
+++ b/0033-fix-iscsi-replace-echo-writes-with-printf-to-prevent.patch
@ -0,0 +1,101 @@
+From b1a90189bfe562ecc57cd3e91c86ac5206b89b99 Mon Sep 17 00:00:00 2001
+From: Pavel Valena <pvalena@redhat.com>
+Date: Thu, 7 May 2026 00:45:31 +0200
+Subject: [PATCH 33/34] fix(iscsi): replace `echo` writes with `printf` to
+ prevent variable injection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use printf with explicit variable escaping `%q` for shell scripts:
+  - mount-lun.sh hookdir script (iscsi_lun variable)
+  - udev rule (iscsi_lun sanitized via tr -d '"')
+  - initiatorname.iscsi (sourced as shell at iscsiroot.sh:161-163)
+
+Note: initiatorname.iscsi is also read by iscsid as plain text (no
+shell unquoting). For valid IQNs ([a-z0-9.:_-]), %q is a no-op, so
+iscsid sees the value unchanged. For malicious values with special
+characters, %q would produce shell escaping that iscsid reads
+literally — breaking the connection rather than allowing injection.
+
+(cherry picked from commit e61fe6afe015744baebfd96411015ae360c1af08)
+
+Related: RHEL-170844
+---
+ modules.d/95iscsi/iscsiroot.sh       | 10 +++++-----
+ modules.d/95iscsi/parse-iscsiroot.sh |  4 ++--
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/modules.d/95iscsi/iscsiroot.sh b/modules.d/95iscsi/iscsiroot.sh
+index d22e958c..1898ef57 100755
+--- a/modules.d/95iscsi/iscsiroot.sh
+++ b/modules.d/95iscsi/iscsiroot.sh
+@@ -144,7 +144,7 @@ handle_netroot() {
+ 
+     if [ -z "$iscsi_initiator" ] && [ -f /sys/firmware/ibft/initiator/initiator-name ] && ! [ -f /tmp/iscsi_set_initiator ]; then
+         iscsi_initiator=$(while read -r line || [ -n "$line" ]; do echo "$line"; done < /sys/firmware/ibft/initiator/initiator-name)
+-        echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
+        printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
+         rm -f /etc/iscsi/initiatorname.iscsi
+         mkdir -p /etc/iscsi
+         ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
+@@ -165,7 +165,7 @@ handle_netroot() {
+ 
+     if [ -z "$iscsi_initiator" ]; then
+         iscsi_initiator=$(iscsi-iname)
+-        echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
+        printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
+         rm -f /etc/iscsi/initiatorname.iscsi
+         mkdir -p /etc/iscsi
+         ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
+@@ -189,7 +189,7 @@ handle_netroot() {
+         iscsi_lun=0
+     fi
+ 
+-    echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
+    printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
+     ln -fs /run/initiatorname.iscsi /dev/.initiatorname.iscsi
+     if ! [ -e /etc/iscsi/initiatorname.iscsi ]; then
+         mkdir -p /etc/iscsi
+@@ -210,14 +210,14 @@ handle_netroot() {
+ 
+     if [ "$root" = "dhcp" ] || [ "$netroot" = "dhcp" ]; then
+         # if root is not specified try to mount the whole iSCSI LUN
+-        printf 'SYMLINK=="disk/by-path/*-iscsi-*-%s", SYMLINK+="root"\n' "$iscsi_lun" >> /etc/udev/rules.d/99-iscsi-root.rules
+        printf 'SYMLINK=="disk/by-path/*-iscsi-*-%s", SYMLINK+="root"\n' "$(printf '%s' "$iscsi_lun" | tr -d '"')" >> /etc/udev/rules.d/99-iscsi-root.rules
+         udevadm control --reload
+         write_fs_tab /dev/root
+         wait_for_dev -n /dev/root
+ 
+         # install mount script
+         [ -z "$DRACUT_SYSTEMD" ] \
+-            && echo "iscsi_lun=$iscsi_lun . /bin/mount-lun.sh " > "$hookdir"/mount/01-$$-iscsi.sh
+            && printf 'iscsi_lun=%q . /bin/mount-lun.sh\n' "$iscsi_lun" > "$hookdir"/mount/01-$$-iscsi.sh
+     fi
+ 
+     if strglobin "$iscsi_target_ip" '*:*:*' && ! strglobin "$iscsi_target_ip" '['; then
+diff --git a/modules.d/95iscsi/parse-iscsiroot.sh b/modules.d/95iscsi/parse-iscsiroot.sh
+index a388bec1..d932d4f7 100755
+--- a/modules.d/95iscsi/parse-iscsiroot.sh
+++ b/modules.d/95iscsi/parse-iscsiroot.sh
+@@ -111,7 +111,7 @@ fi
+ 
+ if arg=$(getarg rd.iscsi.initiator -d iscsi_initiator=) && [ -n "$arg" ] && ! [ -f /run/initiatorname.iscsi ]; then
+     iscsi_initiator=$arg
+-    echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
+    printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
+     ln -fs /run/initiatorname.iscsi /dev/.initiatorname.iscsi
+     rm -f /etc/iscsi/initiatorname.iscsi
+     mkdir -p /etc/iscsi
+@@ -127,7 +127,7 @@ fi
+ if [ -z "$iscsi_initiator" ] && [ -f /sys/firmware/ibft/initiator/initiator-name ] && ! [ -f /tmp/iscsi_set_initiator ]; then
+     iscsi_initiator=$(while read -r line || [ -n "$line" ]; do echo "$line"; done < /sys/firmware/ibft/initiator/initiator-name)
+     if [ -n "$iscsi_initiator" ]; then
+-        echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
+        printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
+         rm -f /etc/iscsi/initiatorname.iscsi
+         mkdir -p /etc/iscsi
+         ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
+-- 
+2.54.0
+
--- a/0034-fix-base-escape-arguments-in-initqueue-hook-script-g.patch
+++ b/0034-fix-base-escape-arguments-in-initqueue-hook-script-g.patch
@ -0,0 +1,73 @@
+From 05c0f8964a5c845348b8a6ce36560194b6cb2729 Mon Sep 17 00:00:00 2001
+From: Pavel Valena <pvalena@redhat.com>
+Date: Thu, 14 May 2026 14:20:17 +0200
+Subject: [PATCH 34/36] fix(base): escape arguments in initqueue hook script
+ generation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+initqueue.sh writes arguments directly into generated hook scripts
+via `echo "$exe" "$@"`. These scripts are later sourced by
+dracut-initqueue.sh, so shell metacharacters in arguments (e.g.
+DHCP-derived $netroot passed from parse-iscsiroot.sh) execute as
+root in initramfs.
+
+Replace `echo` with `printf '%q'` to shell-escape all arguments
+before writing them into the hook script, preventing command
+injection via DHCP-controlled netroot values.
+
+Remove the fragile embedded single-quote wrapping ("'$var'") from
+parse-iscsiroot.sh call sites (lines 90, 102) — those relied on
+echo writing quotes verbatim for the shell to strip when sourcing.
+With printf '%q', initqueue now handles escaping centrally, so the
+manual wrapping is no longer needed and would cause literal quote
+characters to leak into iscsiroot arguments.
+
+Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+
+Related: RHEL-170844
+---
+ modules.d/95iscsi/parse-iscsiroot.sh | 4 ++--
+ modules.d/99base/initqueue.sh        | 3 ++-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/modules.d/95iscsi/parse-iscsiroot.sh b/modules.d/95iscsi/parse-iscsiroot.sh
+index d932d4f7..bfc2270d 100755
+--- a/modules.d/95iscsi/parse-iscsiroot.sh
+++ b/modules.d/95iscsi/parse-iscsiroot.sh
+@@ -89,7 +89,7 @@ if [ -n "$iscsi_firmware" ]; then
+     echo "${DRACUT_SYSTEMD+systemctl is-active initrd-root-device.target || }[ -f '/tmp/iscsistarted-firmware' ]" > "$hookdir"/initqueue/finished/iscsi_started.sh
+     /sbin/initqueue --unique --online /sbin/iscsiroot online "iscsi:" "$NEWROOT"
+     /sbin/initqueue --unique --onetime --timeout /sbin/iscsiroot timeout "iscsi:" "$NEWROOT"
+-    /sbin/initqueue --unique --onetime --settled /sbin/iscsiroot online "iscsi:" "'$NEWROOT'"
+    /sbin/initqueue --unique --onetime --settled /sbin/iscsiroot online "iscsi:" "$NEWROOT"
+ fi
+ 
+ # ISCSI actually supported?
+@@ -105,7 +105,7 @@ modprobe -b -q be2iscsi
+ 
+ if [ -n "$netroot" ] && [ "$root" != "/dev/root" ] && [ "$root" != "dhcp" ]; then
+     if ! getargbool 1 rd.neednet > /dev/null || ! getarg "ip="; then
+-        /sbin/initqueue --unique --onetime --settled /sbin/iscsiroot dummy "'$netroot'" "'$NEWROOT'"
+        /sbin/initqueue --unique --onetime --settled /sbin/iscsiroot dummy "$netroot" "$NEWROOT"
+     fi
+ fi
+ 
+diff --git a/modules.d/99base/initqueue.sh b/modules.d/99base/initqueue.sh
+index 46a00d2a..1caa5273 100755
+--- a/modules.d/99base/initqueue.sh
+++ b/modules.d/99base/initqueue.sh
+@@ -64,7 +64,8 @@ fi
+     # shellcheck disable=SC2016
+     [ -n "$onetime" ] && echo '[ -e "$job" ] && rm -f -- "$job"'
+     [ -n "$env" ] && echo "$env"
+-    echo "$exe" "$@"
+    printf '%q ' "$exe" "$@"
+    printf '\n'
+ } > "/tmp/$$-${job}.sh"
+ 
+ mv -f "/tmp/$$-${job}.sh" "$hookdir/initqueue${qname}/${job}.sh"
+-- 
+2.54.0
+
--- a/0035-fix-net-lib-warn-on-suspicious-shell-metacharacters-.patch
+++ b/0035-fix-net-lib-warn-on-suspicious-shell-metacharacters-.patch
@ -0,0 +1,48 @@
+From e73665a2f32fc4bf7ab0d761563a229eb6873ca8 Mon Sep 17 00:00:00 2001
+From: Pavel Valena <pvalena@redhat.com>
+Date: Thu, 14 May 2026 14:25:07 +0200
+Subject: [PATCH 35/36] fix(net-lib): warn on suspicious shell metacharacters
+ in hostname file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+setup_net() sources /tmp/net.$netif.hostname as shell, which is written
+by dhclient-script.sh or ifup.sh. Add a defensive check that warns if
+the file contains shell metacharacters ($, `, ;, &, |, () that should
+never appear in a legitimate hostname, indicating possible DHCP-based
+command injection attempts.
+
+The file is still sourced for compatibility — the writer-side fix
+(printf '%q') already prevents execution of injected content.
+
+Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+
+Related: RHEL-170844
+---
+ modules.d/45net-lib/net-lib.sh | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/modules.d/45net-lib/net-lib.sh b/modules.d/45net-lib/net-lib.sh
+index dc6be881..a41320ed 100755
+--- a/modules.d/45net-lib/net-lib.sh
+++ b/modules.d/45net-lib/net-lib.sh
+@@ -131,8 +131,13 @@ setup_net() {
+     [ -e "/tmp/net.ifaces" ] && read -r IFACES < /tmp/net.ifaces
+     [ -z "$IFACES" ] && IFACES="$netif"
+     # run the scripts written by ifup
+-    # shellcheck disable=SC1090
+-    [ -e /tmp/net."$netif".hostname ] && . /tmp/net."$netif".hostname
+    if [ -e /tmp/net."$netif".hostname ]; then
+        if grep -qE '[$`;&|(]' /tmp/net."$netif".hostname 2>/dev/null; then
+            warn "setup_net $netif: /tmp/net.$netif.hostname contains suspicious shell metacharacters"
+        fi
+        # shellcheck disable=SC1090
+        . /tmp/net."$netif".hostname
+    fi
+     # shellcheck disable=SC1090
+     [ -e /tmp/net."$netif".override ] && . /tmp/net."$netif".override
+     # shellcheck disable=SC1090
+-- 
+2.54.0
+
--- a/0036-fix-systemd-networkd-escape-DHCP-lease-values-in-dhc.patch
+++ b/0036-fix-systemd-networkd-escape-DHCP-lease-values-in-dhc.patch
@ -0,0 +1,48 @@
+From db72c0e6336643012ff7a2262f3ae9b9f9b956ca Mon Sep 17 00:00:00 2001
+From: Pavel Valena <pvalena@redhat.com>
+Date: Thu, 14 May 2026 16:08:00 +0200
+Subject: [PATCH 36/36] fix(systemd-networkd): escape DHCP lease values in
+ dhcpopts generation
+
+networkd-run.sh converts DHCP lease values (ROOT_PATH, NEXT_SERVER)
+into shell variable assignments written to /tmp/dhclient.<ifname>.dhcpopts,
+which is later sourced by netroot.sh, net-lib.sh, and nfs-lib.sh. The
+previous sed-based pipeline wrapped values in single quotes without
+escaping embedded single quotes, allowing a rogue DHCP server to inject
+arbitrary shell commands via a crafted ROOT_PATH or NEXT_SERVER value.
+
+Replace the grep|sed pipeline with a while-read loop that uses
+printf '%q' to shell-escape values before writing, consistent with how
+the NetworkManager equivalent (nm-run.sh) already handles this.
+
+Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+
+Related: RHEL-170844
+---
+ modules.d/01systemd-networkd/networkd-run.sh | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/modules.d/01systemd-networkd/networkd-run.sh b/modules.d/01systemd-networkd/networkd-run.sh
+index a3ea0f6c..e2a33518 100755
+--- a/modules.d/01systemd-networkd/networkd-run.sh
+++ b/modules.d/01systemd-networkd/networkd-run.sh
+@@ -12,10 +12,12 @@ for ifpath in /sys/class/net/*; do
+         leases_file="/run/systemd/netif/leases/$(cat "$ifpath"/ifindex)"
+         dhcpopts_file="/tmp/dhclient.${ifname}.dhcpopts"
+         if [ -r "$leases_file" ]; then
+-            grep -E "^(NEXT_SERVER|ROOT_PATH)=" "$leases_file" \
+-                | sed -e "s/NEXT_SERVER=/new_next_server='/" \
+-                    -e "s/ROOT_PATH=/new_root_path='/" \
+-                    -e "s/$/'/" > "$dhcpopts_file" || true
+            while IFS='=' read -r key val; do
+                case "$key" in
+                    NEXT_SERVER) printf 'new_next_server=%q\n' "$val" ;;
+                    ROOT_PATH) printf 'new_root_path=%q\n' "$val" ;;
+                esac
+            done < "$leases_file" > "$dhcpopts_file"
+         fi
+ 
+         source_hook initqueue/online "$ifname"
+-- 
+2.54.0
+
--- a/dracut.spec
+++ b/dracut.spec
@ -8,7 +8,7 @@

 Name: dracut
 Version: 107
-Release: 4%{?dist}
+Release: 7%{?dist}

 Summary: Initramfs generator using udev

@ -115,6 +115,21 @@ Patch30: 0030-fix-dracut.install-remove-extraneous-quotes-in-dracu.patch
 # feat(i18n): pull 'drm' or 'simpledrm' module unless excluded
 # Author: Pavel Valena <pvalena@redhat.com>
 Patch31: 0031-feat-i18n-pull-drm-or-simpledrm-module-unless-exclud.patch
+# fix(network-legacy): remove network-legacy completely from the codebase
+# Author: Pavel Valena <pvalena@redhat.com>
+Patch32: 0032-fix-network-legacy-remove-network-legacy-completely-.patch
+# fix(iscsi): replace `echo` writes with `printf` to prevent variable injection
+# Author: Pavel Valena <pvalena@redhat.com>
+Patch33: 0033-fix-iscsi-replace-echo-writes-with-printf-to-prevent.patch
+# fix(base): escape arguments in initqueue hook script generation
+# Author: Pavel Valena <pvalena@redhat.com>
+Patch34: 0034-fix-base-escape-arguments-in-initqueue-hook-script-g.patch
+# fix(net-lib): warn on suspicious shell metacharacters in hostname file
+# Author: Pavel Valena <pvalena@redhat.com>
+Patch35: 0035-fix-net-lib-warn-on-suspicious-shell-metacharacters-.patch
+# fix(systemd-networkd): escape DHCP lease values in dhcpopts generation
+# Author: Pavel Valena <pvalena@redhat.com>
+Patch36: 0036-fix-systemd-networkd-escape-DHCP-lease-values-in-dhc.patch

 # Please use source-git to work with this spec file:
 # HowTo: https://packit.dev/source-git/work-with-source-git
@ -537,6 +552,20 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
 %{_prefix}/lib/kernel/install.d/51-dracut-rescue.install

 %changelog
+* Wed May 27 2026 Pavel Valena <pvalena@redhat.com> - 107-7
+- build: rebuild without an obsoleted patch
+
+* Wed May 20 2026 Pavel Valena <pvalena@redhat.com> - 107-6
+- fix(base): escape arguments in initqueue hook script generation
+- fix(net-lib): warn on suspicious shell metacharacters in hostname file
+- fix(systemd-networkd): escape DHCP lease values in dhcpopts generation
+  Related: RHEL-170844
+
+* Thu May 07 2026 Pavel Valena <pvalena@redhat.com> - 107-5
+- fix(network-legacy): remove network-legacy completely from the codebase
+- fix(iscsi): replace `echo` writes with `printf` to prevent variable injection
+  Resolves: RHEL-170844
+
 * Fri Jan 30 2026 Pavel Valena <pvalena@redhat.com> - 107-4
 - fix(systemd-udevd): handle root=gpt-auto for systemd-v258
 - fix(systemd-repart): allow partition format