diff --git a/RHEL-157189-fix-bundled-pyasn1-CVE-2026-30922.patch b/RHEL-157189-fix-bundled-pyasn1-CVE-2026-30922.patch new file mode 100644 index 0000000..2531ddd --- /dev/null +++ b/RHEL-157189-fix-bundled-pyasn1-CVE-2026-30922.patch @@ -0,0 +1,40 @@ +From 25ad481c19fdb006e20485ef3fc2e5b3eff30ef0 Mon Sep 17 00:00:00 2001 +From: Simon Pichugin +Date: Mon, 16 Mar 2026 17:23:11 -0700 +Subject: [PATCH] Merge commit from fork + +--- + pyasn1/codec/ber/decoder.py | 10 +++ + tests/codec/ber/test_decoder.py | 116 ++++++++++++++++++++++++++++++++ + tests/codec/cer/test_decoder.py | 24 +++++++ + tests/codec/der/test_decoder.py | 42 ++++++++++++ + 4 files changed, 192 insertions(+) + +diff --git a/kubevirt/pyasn1/codec/ber/decoder.py b/kubevirt/pyasn1/codec/ber/decoder.py +index 50b14e98..2ea0be13 100644 +--- a/kubevirt/pyasn1/codec/ber/decoder.py ++++ b/kubevirt/pyasn1/codec/ber/decoder.py +@@ -36,6 +36,7 @@ + # Maximum number of continuation octets (high-bit set) allowed per OID arc. + # 20 octets allows up to 140-bit integers, supporting UUID-based OIDs + MAX_OID_ARC_CONTINUATION_OCTETS = 20 ++MAX_NESTING_DEPTH = 100 + + # Maximum number of bytes in a BER length field (8 bytes = up to 2^64-1) + MAX_LENGTH_OCTETS = 8 +@@ -1568,6 +1569,15 @@ def __call__(self, substrate, asn1Spec=None, + decodeFun=None, substrateFun=None, + **options): + ++ _nestingLevel = options.get('_nestingLevel', 0) ++ ++ if _nestingLevel > MAX_NESTING_DEPTH: ++ raise error.PyAsn1Error( ++ 'ASN.1 structure nesting depth exceeds limit (%d)' % MAX_NESTING_DEPTH ++ ) ++ ++ options['_nestingLevel'] = _nestingLevel + 1 ++ + allowEoo = options.pop('allowEoo', False) + + if LOG: diff --git a/fence-agents.spec b/fence-agents.spec index 26b5ad8..c87cad6 100644 --- a/fence-agents.spec +++ b/fence-agents.spec @@ -87,7 +87,7 @@ Name: fence-agents Summary: Set of unified programs capable of host isolation ("fencing") Version: 4.2.1 -Release: 129%{?alphatag:.%{alphatag}}%{?dist}.24 +Release: 129%{?alphatag:.%{alphatag}}%{?dist}.25 License: GPLv2+ and LGPLv2+ Group: System Environment/Base URL: https://github.com/ClusterLabs/fence-agents @@ -336,6 +336,7 @@ Patch1006: RHEL-148156-kubevirt-1-fix-bundled-urllib3-CVE-2025-66418.patch Patch1007: RHEL-148156-kubevirt-2-fix-bundled-urllib3-CVE-2025-66471.patch Patch1008: RHEL-148156-kubevirt-3-RHEL-146288-fix-bundled-urllib3-CVE-2026-21441.patch Patch1009: RHEL-148156-kubevirt-4-RHEL-142447-fix-bundled-pyasn1-CVE-2026-23490.patch +Patch1010: RHEL-157189-fix-bundled-pyasn1-CVE-2026-30922.patch # cloud (x86_64 only) Patch2000: bz2218234-2-aws-fix-bundled-dateutil-CVE-2007-4559.patch Patch2001: RHEL-43568-2-aws-fix-bundled-urllib3-CVE-2024-37891.patch @@ -410,7 +411,7 @@ BuildRequires: libxslt BuildRequires: gnutls-utils ## Python dependencies BuildRequires: python3-devel python3-pycparser libffi-devel openssl-devel -BuildRequires: python3-pexpect python3-pycurl python3-requests +BuildRequires: python3-cryptography python3-jwt python3-pexpect python3-pycurl python3-requests BuildRequires: python3-suds openwsman-python3 python3-boto3 BuildRequires: python3-google-api-client python3-pip python3-wheel python3-jinja2 @@ -688,6 +689,9 @@ rm -rf %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/kubevirt/rsa* %{__python3} -m pip install --user --upgrade --no-index --find-links %{_sourcedir} pip setuptools %{__python3} -m pip install --target %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/azure --no-index --find-links %{_sourcedir} -r %{_sourcedir}/requirements-azure.txt +# We're unable to `pip install` without cryptography and PyJWT, +# so we delete them and replace them with depencies instead +rm -rf %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/azure/{cryptography*,jwt,PyJWT-*} %endif # regular patch doesnt work in build-section @@ -702,6 +706,7 @@ pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir} /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1007} /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1008} /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1009} +/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1010} %ifarch x86_64 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000} @@ -899,6 +904,7 @@ License: GPLv2+ and LGPLv2+ and MIT and MPL-2.0 and Apache-2.0 and BSD and PSF-2 Group: System Environment/Base Summary: Fence agent for Azure Resource Manager Requires: fence-agents-common >= %{version}-%{release} +Requires: python3-cryptography python3-jwt # azure Provides: bundled(python3-adal) = 1.2.7 Provides: bundled(python3-azure-common) = 1.1.28 @@ -910,7 +916,6 @@ Provides: bundled(python3-azure-mgmt-network) = 20.0.0 Provides: bundled(python3-certifi) = 2023.7.22 Provides: bundled(python3-cffi) = 1.15.1 Provides: bundled(python3-charset-normalizer) = 2.0.7 -Provides: bundled(python3-cryptography) = 3.3.2 Provides: bundled(python3-%{dateutil}) = %{dateutil_version} Provides: bundled(python3-%{idna}) = %{idna_version} Provides: bundled(python3-isodate) = 0.6.1 @@ -921,7 +926,6 @@ Provides: bundled(python3-msrestazure) = 0.6.4 Provides: bundled(python3-oauthlib) = 3.2.2 Provides: bundled(python3-portalocker) = 2.7.0 Provides: bundled(python3-pycparser) = 2.20 -Provides: bundled(python3-PyJWT) = 2.4.0 Provides: bundled(python3-requests) = 2.27.1 Provides: bundled(python3-requests-oauthlib) = 2.0.0 Provides: bundled(python3-six) = 1.16.0 @@ -1644,6 +1648,12 @@ Fence agent for IBM z/VM over IP. %endif %changelog +* Mon Apr 27 2026 Oyvind Albrigtsen - 4.2.1-129.25 +- bundled cryptography: replace with dependency to fix CVE-2026-26007 +- bundled PyJWT: replace with dependency to fix CVE-2026-32597 +- bundled pyasn1: fix CVE-2026-30922 + Resolves: RHEL-148431, RHEL-155670, RHEL-157189 + * Wed Feb 11 2026 Oyvind Albrigtsen - 4.2.1-129.24 - bundled urllib3: fix CVE-2025-66418, CVE-2025-66471, CVE-2026-21441, and pyasn1 CVE-2026-23490 on all archs