From 875a9058d7a28971f2d0091f28eede0b140e46ac Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen
Date: Wed, 29 Apr 2026 15:35:40 +0200
Subject: [PATCH] - bundled pyasn1: fix CVE-2026-30922

Resolves: RHEL-157203
---
 ...rt-fix-bundled-pyasn1-CVE-2026-30922.patch | 40 +++++++++++++++++++
 ...le-fix-bundled-pyasn1-CVE-2026-30922.patch | 40 +++++++++++++++++++
 fence-agents.spec | 32 +++++++++------
 3 files changed, 99 insertions(+), 13 deletions(-)
 create mode 100644 RHEL-157203-1-kubevirt-fix-bundled-pyasn1-CVE-2026-30922.patch
 create mode 100644 RHEL-157203-2-google-fix-bundled-pyasn1-CVE-2026-30922.patch

diff --git a/RHEL-157203-1-kubevirt-fix-bundled-pyasn1-CVE-2026-30922.patch b/RHEL-157203-1-kubevirt-fix-bundled-pyasn1-CVE-2026-30922.patch
new file mode 100644
index 0000000..a58762e
--- /dev/null
+++ b/RHEL-157203-1-kubevirt-fix-bundled-pyasn1-CVE-2026-30922.patch
@@ -0,0 +1,40 @@
+From 25ad481c19fdb006e20485ef3fc2e5b3eff30ef0 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin
+Date: Mon, 16 Mar 2026 17:23:11 -0700
+Subject: [PATCH] Merge commit from fork
+
+---
+ pyasn1/codec/ber/decoder.py | 10 +++
+ tests/codec/ber/test_decoder.py | 116 ++++++++++++++++++++++++++++++++
+ tests/codec/cer/test_decoder.py | 24 +++++++
+ tests/codec/der/test_decoder.py | 42 ++++++++++++
+ 4 files changed, 192 insertions(+)
+
+diff --git a/kubevirt/lib/python#PYTHON3_VERSION#/site-packages/pyasn1/codec/ber/decoder.py b/kubevirt/lib/python#PYTHON3_VERSION#/site-packages/pyasn1/codec/ber/decoder.py
+index 50b14e98..2ea0be13 100644
+--- a/kubevirt/lib/python#PYTHON3_VERSION#/site-packages/pyasn1/codec/ber/decoder.py
++++ b/kubevirt/lib/python#PYTHON3_VERSION#/site-packages/pyasn1/codec/ber/decoder.py
+@@ -36,6 +36,7 @@
+ # Maximum number of continuation octets (high-bit set) allowed per OID arc.
+ # 20 octets allows up to 140-bit integers, supporting UUID-based OIDs
+ MAX_OID_ARC_CONTINUATION_OCTETS = 20
++MAX_NESTING_DEPTH = 100
+
+ # Maximum number of bytes in a BER length field (8 bytes = up to 2^64-1)
+ MAX_LENGTH_OCTETS = 8
+@@ -1568,6 +1569,15 @@ def __call__(self, substrate, asn1Spec=None,
+ decodeFun=None, substrateFun=None,
+ **options):
+
++ _nestingLevel = options.get('_nestingLevel', 0)
++
++ if _nestingLevel > MAX_NESTING_DEPTH:
++ raise error.PyAsn1Error(
++ 'ASN.1 structure nesting depth exceeds limit (%d)' % MAX_NESTING_DEPTH
++ )
++
++ options['_nestingLevel'] = _nestingLevel + 1
++
+ allowEoo = options.pop('allowEoo', False)
+
+ if LOG:
diff --git a/RHEL-157203-2-google-fix-bundled-pyasn1-CVE-2026-30922.patch b/RHEL-157203-2-google-fix-bundled-pyasn1-CVE-2026-30922.patch
new file mode 100644
index 0000000..57fc83d
--- /dev/null
+++ b/RHEL-157203-2-google-fix-bundled-pyasn1-CVE-2026-30922.patch
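Review bot: The guard in the `__call__` hunk lets one more level through than its message claims: `_nestingLevel` starts at 0 and the check is `> MAX_NESTING_DEPTH`, so levels 0–100 (101 nested decodes) all pass before `PyAsn1Error` is raised saying the limit is 100; `if _nestingLevel >= MAX_NESTING_DEPTH:` would make the check and the text agree. `MAX_NESTING_DEPTH = 100` is also the only constant in its block without a comment — I'd add `# Maximum nesting depth of constructed values per decode call; bounds decoder recursion (CVE-2026-30922)` above it, and if the value was sized against `sys.getrecursionlimit()` and the frames each level consumes, say so there. The bound only holds if every nested decode receives the forwarded `**options` carrying `_nestingLevel`; that path and the rest of `__call__` are outside the hunk, and the upstream tests named in the embedded diffstat (`tests/codec/*/test_decoder.py`, `4 files changed, 192 insertions(+)`) are not carried in this patch, so the diffstat no longer describes its contents. The google copy in the next file is identical and shares all of this.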
@@ -0,0 +1,40 @@
+From 25ad481c19fdb006e20485ef3fc2e5b3eff30ef0 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin
+Date: Mon, 16 Mar 2026 17:23:11 -0700
+Subject: [PATCH] Merge commit from fork
+
+---
+ pyasn1/codec/ber/decoder.py | 10 +++
+ tests/codec/ber/test_decoder.py | 116 ++++++++++++++++++++++++++++++++
+ tests/codec/cer/test_decoder.py | 24 +++++++
+ tests/codec/der/test_decoder.py | 42 ++++++++++++
+ 4 files changed, 192 insertions(+)
+
+diff --git a/google/lib/python#PYTHON3_VERSION#/site-packages/pyasn1/codec/ber/decoder.py b/google/lib/python#PYTHON3_VERSION#/site-packages/pyasn1/codec/ber/decoder.py
+index 50b14e98..2ea0be13 100644
+--- a/google/lib/python#PYTHON3_VERSION#/site-packages/pyasn1/codec/ber/decoder.py
++++ b/google/lib/python#PYTHON3_VERSION#/site-packages/pyasn1/codec/ber/decoder.py
+@@ -36,6 +36,7 @@
+ # Maximum number of continuation octets (high-bit set) allowed per OID arc.
+ # 20 octets allows up to 140-bit integers, supporting UUID-based OIDs
+ MAX_OID_ARC_CONTINUATION_OCTETS = 20
++MAX_NESTING_DEPTH = 100
+
+ # Maximum number of bytes in a BER length field (8 bytes = up to 2^64-1)
+ MAX_LENGTH_OCTETS = 8
+@@ -1568,6 +1569,15 @@ def __call__(self, substrate, asn1Spec=None,
+ decodeFun=None, substrateFun=None,
+ **options):
+
++ _nestingLevel = options.get('_nestingLevel', 0)
++
++ if _nestingLevel > MAX_NESTING_DEPTH:
++ raise error.PyAsn1Error(
++ 'ASN.1 structure nesting depth exceeds limit (%d)' % MAX_NESTING_DEPTH
++ )
++
++ options['_nestingLevel'] = _nestingLevel + 1
++
+ allowEoo = options.pop('allowEoo', False)
+
+ if LOG:
diff --git a/fence-agents.spec b/fence-agents.spec
index 0e05fa3..c16bf13 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
@@ -23,10 +23,10 @@
 %global googleauth_version 2.3.0
 %global cachetools cachetools
 %global cachetools_version 4.2.4
-%global pyasn1modules pyasn1-modules
-%global pyasn1modules_version 0.2.8
 %global pyasn1 pyasn1
 %global pyasn1_version 0.4.8
+%global pyasn1modules pyasn1-modules
+%global pyasn1modules_version 0.2.8
 %global dateutil dateutil
 %global dateutil_version 2.8.1
 %global pyyaml PyYAML
@@ -47,7 +47,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 111%{?alphatag:.%{alphatag}}%{?dist}
+Release: 112%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@@ -110,12 +110,10 @@ Source1504: google_auth-1.32.0-py2.py3-none-any.whl
 Source1505: google_auth_httplib2-0.1.0-py2.py3-none-any.whl
 Source1506: httplib2-0.19.1-py3-none-any.whl
 Source1507: protobuf-3.17.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl
-Source1508: pyasn1-0.4.8-py2.py3-none-any.whl
-Source1509: pyasn1_modules-0.2.8-py2.py3-none-any.whl
-Source1510: pyroute2-0.7.12.tar.gz
-Source1511: pytz-2021.1-py2.py3-none-any.whl
-Source1512: rsa-4.7.2-py3-none-any.whl
-Source1513: uritemplate-3.0.1-py2.py3-none-any.whl
+Source1508: pyroute2-0.7.12.tar.gz
+Source1509: pytz-2021.1-py2.py3-none-any.whl
+Source1510: rsa-4.7.2-py3-none-any.whl
+Source1511: uritemplate-3.0.1-py2.py3-none-any.whl
 # kubevirt
 ## pip download --no-binary :all: openshift "ruamel.yaml.clib>=0.1.2"
 Source1600: %{openshift}-%{openshift_version}.tar.gz
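Review bot: Renumbering the x86_64 wheel sources from `Source1508`–`Source1513` to `Source1508`–`Source1511` changes what `%{SOURCE1508}` through `%{SOURCE1511}` expand to (pyroute2, pytz, rsa and uritemplate now sit where the pyasn1 wheels and their successors were), and no hunk in this commit touches a `%prep`/`%build` line that references these numbers. If any step refers to them by number rather than by glob, it now installs a different archive; keeping the old numbers and simply dropping 1508/1509 would avoid that risk. The step that is presumably meant to install pyasn1 into `google/` from the `%{pyasn1}` tarball instead of the dropped wheel is not visible here, so I cannot confirm the google tree still carries the 0.4.8 file that PATCH2002 patches.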
@@ -123,8 +121,8 @@ Source1601: %{ruamelyamlclib}-%{ruamelyamlclib_version}.tar.gz
 Source1602: %{kubernetes}-%{kubernetes_version}.tar.gz
 Source1603: %{certifi}-%{certifi_version}.tar.gz
 Source1604: %{googleauth}-%{googleauth_version}.tar.gz
-Source1605: %{pyasn1modules}-%{pyasn1modules_version}.tar.gz
-Source1606: %{pyasn1}-%{pyasn1_version}.tar.gz
+Source1605: %{pyasn1}-%{pyasn1_version}.tar.gz
+Source1606: %{pyasn1modules}-%{pyasn1modules_version}.tar.gz
 Source1607: %{pyyaml}-%{pyyaml_version}.tar.gz
 ## rsa is dependency for "pip install",
 ## but gets removed to use cryptography lib instead
@@ -225,9 +223,11 @@ Patch76: RHEL-145088-fence_ibm_vpc-fix-missing-statuses.patch
 # all archs
 Patch1000: bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
 Patch1001: RHEL-146344-kubevirt-fix-bundled-pyasn1-CVE-2026-23490.patch
+Patch1002: RHEL-157203-1-kubevirt-fix-bundled-pyasn1-CVE-2026-30922.patch
 # cloud (x86_64 only)
 Patch2000: bz2217902-2-aws-azure-fix-bundled-dateutil-CVE-2007-4559.patch
 Patch2001: RHEL-142460-fix-bundled-pyasn1-CVE-2026-23490.patch
+Patch2002: RHEL-157203-2-google-fix-bundled-pyasn1-CVE-2026-30922.patch
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath nutanix_ahv redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
 %ifarch x86_64
@@ -484,10 +484,12 @@ sed -i -e "s/#PYTHON3_VERSION#/%{python3_version}/" %{_sourcedir}/*.patch make/*
 pushd support
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1000}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1001}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1002}
 %ifarch x86_64
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2000}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2001}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2002}
 %endif
 popd
@@ -658,8 +660,8 @@ Provides: bundled(python-google-auth) = 1.32.0
 Provides: bundled(python-google-auth-httplib2) = 0.1.0
 Provides: bundled(python-httplib2) = 0.19.1
 Provides: bundled(python-protobuf) = 3.17.3
-Provides: bundled(python-pyasn1) = 0.4.8
-Provides: bundled(python-pyasn1-modules) = 0.2.8
+Provides: bundled(python3-%{pyasn1}) = %{pyasn1_version}
+Provides: bundled(python3-%{pyasn1modules}) = %{pyasn1modules_version}
 Provides: bundled(python-pyroute2) = 0.7.12
 Provides: bundled(python-pytz) = 2021.1
 Provides: bundled(python-rsa) = 4.7.2
@@ -1514,6 +1516,10 @@ are located on corosync cluster nodes.
 %endif
 %changelog
+* Wed Apr 29 2026 Oyvind Albrigtsen - 4.10.0-112
+- bundled pyasn1: fix CVE-2026-30922
+ Resolves: RHEL-157203
+
 * Thu Apr 16 2026 Oyvind Albrigtsen - 4.10.0-111
 - bundled cryptography: replace with dependency to fix CVE-2026-26007
 - bundled PyJWT: upgrade to v2.12.1 to fix CVE-2026-32597
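Review bot: The two new `patch` lines use `--fuzz=2` while the neighbouring pyasn1 fixes (`%{PATCH1001}`, `%{PATCH2001}`) are applied with `--fuzz=0`. PATCH1002's first hunk anchors on `MAX_OID_ARC_CONTINUATION_OCTETS`, a symbol that PATCH1001 itself adds, so the apply order here is load-bearing; with fuzz allowed, a drift in that context would place the `MAX_NESTING_DEPTH` constant or the `_nestingLevel` guard at a shifted spot rather than failing the build. Unless the fuzz is known to be required, `--fuzz=0` on both new lines would match 1001/2001 and make a mis-apply loud.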
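Review bot: The replacement provides switch to a `python3-` prefix (`bundled(python3-%{pyasn1})`) while every other entry in this list keeps `bundled(python-…)`, so the list is now inconsistent and the provide name itself changes from `python-pyasn1` to `python3-pyasn1`. If this deliberately mirrors the form used elsewhere in the spec (outside the hunk), a short comment saying so would explain the mismatch; otherwise tooling that matches the old `bundled(python-pyasn1)` name when tracking CVEs against the bundled copy would stop seeing it.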