- bundled pyasn1: fix CVE-2026-23490

Resolves: RHEL-142448
2026-01-27 13:58:48 +01:00 · 2026-01-27 13:58:48 +01:00 · e977f9116e
commit e977f9116e
parent 61308bf3f5
2 changed files with 36 additions and 1 deletions
--- a/RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch
+++ b/RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch
@ -0,0 +1,28 @@
+--- a/gcp/google-cloud-sdk/lib/third_party/pyasn1/codec/ber/decoder.py	2019-10-17 07:00:19.000000000 +0200
+++ b/gcp/google-cloud-sdk/lib/third_party/pyasn1/codec/ber/decoder.py	2026-01-27 10:43:12.757563432 +0100
+@@ -22,6 +22,10 @@
+ 
+ noValue = base.noValue
+ 
+# Maximum number of continuation octets (high-bit set) allowed per OID arc.
+# 20 octets allows up to 140-bit integers, supporting UUID-based OIDs
+MAX_OID_ARC_CONTINUATION_OCTETS = 20
+
+ 
+ class AbstractDecoder(object):
+     protoComponent = None
+@@ -342,7 +346,14 @@
+                 # Construct subid from a number of octets
+                 nextSubId = subId
+                 subId = 0
+                continuationOctetCount = 0
+                 while nextSubId >= 128:
+                    continuationOctetCount += 1
+                    if continuationOctetCount > MAX_OID_ARC_CONTINUATION_OCTETS:
+                        raise error.PyAsn1Error(
+                            'OID arc exceeds maximum continuation octets limit (%d) '
+                            'at position %d' % (MAX_OID_ARC_CONTINUATION_OCTETS, index)
+                        )
+                     subId = (subId << 7) + (nextSubId & 0x7F)
+                     if index >= substrateLen:
+                         raise error.SubstrateUnderrunError(
--- a/resource-agents.spec
+++ b/resource-agents.spec
@ -73,7 +73,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.9.0
-Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.27
+Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.28
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@ -199,6 +199,7 @@ Patch1012:	RHEL-50360-setuptools-fix-CVE-2024-6345.patch
 Patch1013:	RHEL-136031-fix-bundled-urllib3-CVE-2025-66418.patch
 Patch1014:	RHEL-139760-fix-bundled-urllib3-CVE-2025-66471.patch
 Patch1015:	RHEL-140787-fix-bundled-urllib3-CVE-2026-21441.patch
+Patch1016:	RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch

 Obsoletes:	heartbeat-resources <= %{version}
 Provides:	heartbeat-resources = %{version}
@ -757,6 +758,7 @@ pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1013}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1014}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1015}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1016}
 popd
 %endif

@ -1051,6 +1053,11 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm

 %changelog
+* Tue Jan 27 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.28
+- bundled pyasn1: fix CVE-2026-23490
+
+  Resolves: RHEL-142448
+
 * Tue Jan 20 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.27
 - bundled urllib3: fix CVE-2025-66471
 - bundled urllib3: fix CVE-2026-21441