From 53bfd45bb4af4b178ff2086196048cebc6cc30a0 Mon Sep 17 00:00:00 2001 From: Oyvind Albrigtsen Date: Mon, 16 Feb 2026 15:51:56 +0100 Subject: [PATCH] - bundled pyasn1: fix CVE-2026-23490 Resolves: RHEL-142445 --- ...rt-fix-bundled-pyasn1-CVE-2026-23490.patch | 29 ------------------- ...le-fix-bundled-pyasn1-CVE-2026-23490.patch | 28 ++++++++++++++++++ fence-agents.spec | 19 +++++++----- 3 files changed, 39 insertions(+), 37 deletions(-) rename RHEL-142445-fix-bundled-pyasn1-CVE-2026-23490.patch => RHEL-142445-1-kubevirt-fix-bundled-pyasn1-CVE-2026-23490.patch (50%) create mode 100644 RHEL-142445-2-google-fix-bundled-pyasn1-CVE-2026-23490.patch diff --git a/RHEL-142445-fix-bundled-pyasn1-CVE-2026-23490.patch b/RHEL-142445-1-kubevirt-fix-bundled-pyasn1-CVE-2026-23490.patch similarity index 50% rename from RHEL-142445-fix-bundled-pyasn1-CVE-2026-23490.patch rename to RHEL-142445-1-kubevirt-fix-bundled-pyasn1-CVE-2026-23490.patch index 2162639..8bbe037 100644 --- a/RHEL-142445-fix-bundled-pyasn1-CVE-2026-23490.patch +++ b/RHEL-142445-1-kubevirt-fix-bundled-pyasn1-CVE-2026-23490.patch @@ -1,32 +1,3 @@ ---- a/google/lib/python#PYTHON3_VERSION#/site-packages/pyasn1/codec/ber/decoder.py 2019-10-17 07:00:19.000000000 +0200 -+++ b/google/lib/python#PYTHON3_VERSION#/site-packages/pyasn1/codec/ber/decoder.py 2026-01-27 10:43:12.757563432 +0100 -@@ -22,6 +22,10 @@ - - noValue = base.noValue - -+# Maximum number of continuation octets (high-bit set) allowed per OID arc. -+# 20 octets allows up to 140-bit integers, supporting UUID-based OIDs -+MAX_OID_ARC_CONTINUATION_OCTETS = 20 -+ - - class AbstractDecoder(object): - protoComponent = None -@@ -342,7 +346,14 @@ - # Construct subid from a number of octets - nextSubId = subId - subId = 0 -+ continuationOctetCount = 0 - while nextSubId >= 128: -+ continuationOctetCount += 1 -+ if continuationOctetCount > MAX_OID_ARC_CONTINUATION_OCTETS: -+ raise error.PyAsn1Error( -+ 'OID arc exceeds maximum continuation octets limit (%d) ' -+ 'at position %d' % (MAX_OID_ARC_CONTINUATION_OCTETS, index) -+ ) - subId = (subId << 7) + (nextSubId & 0x7F) - if index >= substrateLen: - raise error.SubstrateUnderrunError( - --- a/kubevirt/lib/python#PYTHON3_VERSION#/site-packages/pyasn1/codec/ber/decoder.py 2019-10-17 07:00:19.000000000 +0200 +++ b/kubevirt/lib/python#PYTHON3_VERSION#/site-packages/pyasn1/codec/ber/decoder.py 2026-01-27 10:43:12.757563432 +0100 @@ -22,6 +22,10 @@ diff --git a/RHEL-142445-2-google-fix-bundled-pyasn1-CVE-2026-23490.patch b/RHEL-142445-2-google-fix-bundled-pyasn1-CVE-2026-23490.patch new file mode 100644 index 0000000..cb6adac --- /dev/null +++ b/RHEL-142445-2-google-fix-bundled-pyasn1-CVE-2026-23490.patch @@ -0,0 +1,28 @@ +--- a/google/lib/python#PYTHON3_VERSION#/site-packages/pyasn1/codec/ber/decoder.py 2019-10-17 07:00:19.000000000 +0200 ++++ b/google/lib/python#PYTHON3_VERSION#/site-packages/pyasn1/codec/ber/decoder.py 2026-01-27 10:43:12.757563432 +0100 +@@ -22,6 +22,10 @@ + + noValue = base.noValue + ++# Maximum number of continuation octets (high-bit set) allowed per OID arc. ++# 20 octets allows up to 140-bit integers, supporting UUID-based OIDs ++MAX_OID_ARC_CONTINUATION_OCTETS = 20 ++ + + class AbstractDecoder(object): + protoComponent = None +@@ -342,7 +346,14 @@ + # Construct subid from a number of octets + nextSubId = subId + subId = 0 ++ continuationOctetCount = 0 + while nextSubId >= 128: ++ continuationOctetCount += 1 ++ if continuationOctetCount > MAX_OID_ARC_CONTINUATION_OCTETS: ++ raise error.PyAsn1Error( ++ 'OID arc exceeds maximum continuation octets limit (%d) ' ++ 'at position %d' % (MAX_OID_ARC_CONTINUATION_OCTETS, index) ++ ) + subId = (subId << 7) + (nextSubId & 0x7F) + if index >= substrateLen: + raise error.SubstrateUnderrunError( diff --git a/fence-agents.spec b/fence-agents.spec index 4b4f772..091b226 100644 --- a/fence-agents.spec +++ b/fence-agents.spec @@ -13,7 +13,7 @@ Name: fence-agents Summary: Set of unified programs capable of host isolation ("fencing") Version: 4.16.0 -Release: 20%{?alphatag:.%{alphatag}}%{?dist} +Release: 21%{?alphatag:.%{alphatag}}%{?dist} License: GPL-2.0-or-later AND LGPL-2.0-or-later URL: https://github.com/ClusterLabs/fence-agents Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz @@ -120,8 +120,10 @@ Patch19: RHEL-125959-fence_virt-print-errors-to-stderr.patch Patch20: RHEL-145086-fence_ibm_vpc-fix-missing-statuses.patch ### HA support libs/utils ### +# all archs +Patch1000: RHEL-142445-1-kubevirt-fix-bundled-pyasn1-CVE-2026-23490.patch # cloud (x86_64 only) -Patch1000: RHEL-142445-fix-bundled-pyasn1-CVE-2026-23490.patch +Patch2000: RHEL-142445-2-google-fix-bundled-pyasn1-CVE-2026-23490.patch %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs drac5 eaton_snmp emerson eps hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath nutanix_ahv redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti %ifarch x86_64 @@ -305,10 +307,11 @@ done sed -i -e "s/#PYTHON3_VERSION#/%{python3_version}/" lib/*.py agents/*/*.py # regular patch doesnt work in build-section -sed -i -e "s/#PYTHON3_VERSION#/%{python3_version}/" %{PATCH1000} +sed -i -e "s/#PYTHON3_VERSION#/%{python3_version}/" %{PATCH1000} %{PATCH2000} pushd support -%ifarch x86_64 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1000} +%ifarch x86_64 +/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2000} %endif popd @@ -1231,14 +1234,14 @@ are located on corosync cluster nodes. %endif %changelog +* Mon Feb 16 2026 Oyvind Albrigtsen - 4.16.0-21 +- bundled pyasn1: fix CVE-2026-23490 + Resolves: RHEL-142445 + * Thu Jan 29 2026 Oyvind Albrigtsen - 4.16.0-20 - fence_ibm_vpc: fix missing statuses Resolves: RHEL-145086 -* Tue Jan 27 2026 Oyvind Albrigtsen - 4.16.0-19 -- bundled pyasn1: fix CVE-2026-23490 - Resolves: RHEL-142445 - * Wed Nov 26 2025 Oyvind Albrigtsen - 4.16.0-18 - fence_virt: print error messages to sderr Resolves: RHEL-125959