Debrand for AlmaLinux

0620-nspawn-apply-BindUser-Ephemeral-from-settings-file-o.patch

@@ -0,0 +1,55 @@
+From e158db18bb0b49ef363f1c471c86ff07a085643a Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Wed, 11 Mar 2026 12:15:26 +0000
+Subject: [PATCH] nspawn: apply BindUser/Ephemeral from settings file only if
+ trusted
+
+Originally reported on yeswehack.com as:
+YWH-PGM9780-116
+
+Follow-up for 2f8930449079403b26c9164b8eeac78d5af2c8df
+Follow-up for a2f577fca0be79b23f61f033229b64884e7d840a
+
+(cherry picked from commit 61bceb1bff4b1f9c126b18dc971ca3e6d8c71c40)
+
+Resolves: RHEL-163873
+---
+ src/nspawn/nspawn.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 724639df5c..acf579c007 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -4739,8 +4739,13 @@ static int merge_settings(Settings *settings, const char *path) {
+         }
+ 
+         if ((arg_settings_mask & SETTING_EPHEMERAL) == 0 &&
+-            settings->ephemeral >= 0)
+-                arg_ephemeral = settings->ephemeral;
++            settings->ephemeral >= 0) {
++
++                if (!arg_settings_trusted)
++                        log_warning("Ignoring ephemeral setting, file %s is not trusted.", path);
++                else
++                        arg_ephemeral = settings->ephemeral;
++        }
+ 
+         if ((arg_settings_mask & SETTING_DIRECTORY) == 0 &&
+             settings->root) {
+@@ -4908,8 +4913,13 @@ static int merge_settings(Settings *settings, const char *path) {
+         }
+ 
+         if ((arg_settings_mask & SETTING_BIND_USER) == 0 &&
+-            !strv_isempty(settings->bind_user))
+-                strv_free_and_replace(arg_bind_user, settings->bind_user);
++            !strv_isempty(settings->bind_user)) {
++
++                if (!arg_settings_trusted)
++                        log_warning("Ignoring bind user setting, file %s is not trusted.", path);
++                else
++                        strv_free_and_replace(arg_bind_user, settings->bind_user);
++        }
+ 
+         if ((arg_settings_mask & SETTING_NOTIFY_READY) == 0 &&
+             settings->notify_ready >= 0)

0621-nspawn-normalize-pivot_root-paths.patch

@@ -0,0 +1,32 @@
+From a135589382ce0fa1b0b485d013ff6d806699b795 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Wed, 11 Mar 2026 13:27:14 +0000
+Subject: [PATCH] nspawn: normalize pivot_root paths
+
+Originally reported on yeswehack.com as:
+YWH-PGM9780-116
+
+Follow-up for b53ede699cdc5233041a22591f18863fb3fe2672
+
+(cherry picked from commit 7b85f5498a958e5bb660c703b8f4a71cceed3373)
+
+Resolves: RHEL-163873
+---
+ src/nspawn/nspawn-mount.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
+index ddbdba6fb6..c233cdf600 100644
+--- a/src/nspawn/nspawn-mount.c
++++ b/src/nspawn/nspawn-mount.c
+@@ -1309,7 +1309,9 @@ int pivot_root_parse(char **pivot_root_new, char **pivot_root_old, const char *s
+ 
+         if (!path_is_absolute(root_new))
+                 return -EINVAL;
+-        if (root_old && !path_is_absolute(root_old))
++        if (!path_is_normalized(root_new))
++                return -EINVAL;
++        if (root_old && (!path_is_absolute(root_old) || !path_is_normalized(root_old)))
+                 return -EINVAL;
+ 
+         free_and_replace(*pivot_root_new, root_new);

0622-udev-check-for-invalid-chars-in-various-fields-recei.patch

@@ -0,0 +1,124 @@
+From d6a6a19aa8c6128bb2f2b745013cbe647b15f2f9 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Fri, 6 Mar 2026 19:32:35 +0000
+Subject: [PATCH] udev: check for invalid chars in various fields received from
+ the kernel
+
+(cherry picked from commit 16325b35fa6ecb25f66534a562583ce3b96d52f3)
+
+Resolves: RHEL-163879
+---
+ src/udev/dmi_memory_id/dmi_memory_id.c | 3 ++-
+ src/udev/scsi_id/scsi_id.c             | 5 +++--
+ src/udev/udev-builtin-net_id.c         | 9 +++++++++
+ src/udev/v4l_id/v4l_id.c               | 5 ++++-
+ 4 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/src/udev/dmi_memory_id/dmi_memory_id.c b/src/udev/dmi_memory_id/dmi_memory_id.c
+index e62222a307..d8370bbe3f 100644
+--- a/src/udev/dmi_memory_id/dmi_memory_id.c
++++ b/src/udev/dmi_memory_id/dmi_memory_id.c
+@@ -51,6 +51,7 @@
+ #include "string-util.h"
+ #include "udev-util.h"
+ #include "unaligned.h"
++#include "utf8.h"
+ 
+ #define SUPPORTED_SMBIOS_VER 0x030300
+ 
+@@ -185,7 +186,7 @@ static void dmi_memory_device_string(
+ 
+         str = strdupa_safe(dmi_string(h, s));
+         str = strstrip(str);
+-        if (!isempty(str))
++        if (!isempty(str) && utf8_is_valid(str) && !string_has_cc(str, /* ok= */ NULL))
+                 printf("MEMORY_DEVICE_%u_%s=%s\n", slot_num, attr_suffix, str);
+ }
+ 
+diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c
+index b63a46a730..650bf7824f 100644
+--- a/src/udev/scsi_id/scsi_id.c
++++ b/src/udev/scsi_id/scsi_id.c
+@@ -27,6 +27,7 @@
+ #include "strv.h"
+ #include "strxcpyx.h"
+ #include "udev-util.h"
++#include "utf8.h"
+ 
+ static const struct option options[] = {
+         { "device",             required_argument, NULL, 'd' },
+@@ -450,8 +451,8 @@ static int scsi_id(char *maj_min_dev) {
+                 }
+                 if (dev_scsi.tgpt_group[0] != '\0')
+                         printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group);
+-                if (dev_scsi.unit_serial_number[0] != '\0')
+-                        printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number);
++                if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL))
++                        printf("ID_SCSI_SERIAL=%s\n", serial_str);
+                 goto out;
+         }
+ 
+diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c
+index 96e792bcde..0d3c62f4b5 100644
+--- a/src/udev/udev-builtin-net_id.c
++++ b/src/udev/udev-builtin-net_id.c
+@@ -40,6 +40,7 @@
+ #include "strv.h"
+ #include "strxcpyx.h"
+ #include "udev-builtin.h"
++#include "utf8.h"
+ 
+ #define ONBOARD_14BIT_INDEX_MAX ((1U << 14) - 1)
+ #define ONBOARD_16BIT_INDEX_MAX ((1U << 16) - 1)
+@@ -236,6 +237,9 @@ static int get_port_specifier(sd_device *dev, bool fallback_to_dev_id, char **re
+                         }
+                 }
+ 
++                if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
++                        return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
++
+                 /* Otherwise, use phys_port_name as is. */
+                 buf = strjoin("n", phys_port_name);
+                 if (!buf)
+@@ -340,6 +344,9 @@ static int names_pci_onboard_label(UdevEvent *event, sd_device *pci_dev, const c
+         if (r < 0)
+                 return log_device_debug_errno(pci_dev, r, "Failed to get PCI onboard label: %m");
+ 
++        if (!utf8_is_valid(label) || string_has_cc(label, /* ok= */ NULL))
++                return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid label");
++
+         char str[ALTIFNAMSIZ];
+         if (snprintf_ok(str, sizeof str, "%s%s",
+                         naming_scheme_has(NAMING_LABEL_NOPREFIX) ? "" : prefix,
+@@ -1257,6 +1264,8 @@ static int names_netdevsim(UdevEvent *event, const char *prefix) {
+         if (isempty(phys_port_name))
+                 return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EOPNOTSUPP),
+                                               "The 'phys_port_name' attribute is empty.");
++        if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
++                return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
+ 
+         char str[ALTIFNAMSIZ];
+         if (snprintf_ok(str, sizeof str, "%si%un%s", prefix, addr, phys_port_name))
+diff --git a/src/udev/v4l_id/v4l_id.c b/src/udev/v4l_id/v4l_id.c
+index 5c540659f3..8e29f8898e 100644
+--- a/src/udev/v4l_id/v4l_id.c
++++ b/src/udev/v4l_id/v4l_id.c
+@@ -19,6 +19,8 @@
+ #include "build.h"
+ #include "fd-util.h"
+ #include "main-func.h"
++#include "string-util.h"
++#include "utf8.h"
+ 
+ static const char *arg_device = NULL;
+ 
+@@ -72,7 +74,8 @@ static int run(int argc, char *argv[]) {
+                 int capabilities;
+ 
+                 printf("ID_V4L_VERSION=2\n");
+-                printf("ID_V4L_PRODUCT=%s\n", v2cap.card);
++                if (utf8_is_valid((char *)v2cap.card) && !string_has_cc((char *)v2cap.card, /* ok= */ NULL))
++                        printf("ID_V4L_PRODUCT=%s\n", v2cap.card);
+                 printf("ID_V4L_CAPABILITIES=:");
+ 
+                 if (v2cap.capabilities & V4L2_CAP_DEVICE_CAPS)

0623-udev-ensure-there-is-space-for-trailing-NUL-before-c.patch

@@ -0,0 +1,45 @@
+From 94e160ec13ff9c2673ce403579f5899f9a698f24 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Fri, 6 Mar 2026 19:42:16 +0000
+Subject: [PATCH] udev: ensure there is space for trailing NUL before calling
+ sprintf
+
+sprintf will write 5 characters, as it adds a trailing NUL byte.
+
+Reported on yeswehack.com as:
+YWH-PGM9780-62
+
+Follow-up for 8cfcf9980a3
+
+(cherry picked from commit 69e4ba69d689748d1d515c5a8d063073df3c5821)
+
+Related: RHEL-163879
+---
+ src/shared/device-nodes.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/device-nodes.c b/src/shared/device-nodes.c
+index d08c40fe2c..20206ee7b4 100644
+--- a/src/shared/device-nodes.c
++++ b/src/shared/device-nodes.c
+@@ -7,6 +7,7 @@
+ 
+ #include "device-nodes.h"
+ #include "path-util.h"
++#include "stdio-util.h"
+ #include "string-util.h"
+ #include "utf8.h"
+ 
+@@ -39,10 +40,10 @@ int encode_devnode_name(const char *str, char *str_enc, size_t len) {
+ 
+                 } else if (str[i] == '\\' || !allow_listed_char_for_devnode(str[i], NULL)) {
+ 
+-                        if (len-j < 4)
++                        if (len-j < 5)
+                                 return -EINVAL;
+ 
+-                        sprintf(&str_enc[j], "\\x%02x", (unsigned char) str[i]);
++                        assert_se(snprintf_ok(&str_enc[j], 5, "\\x%02x", (unsigned char) str[i]));
+                         j += 4;
+ 
+                 } else {

0624-udev-ensure-tag-parsing-stays-within-bounds.patch

@@ -0,0 +1,32 @@
+From 25730b46464a2636ab8cd760c5b609cdf6118787 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Fri, 6 Mar 2026 20:25:05 +0000
+Subject: [PATCH] udev: ensure tag parsing stays within bounds
+
+This cannot actually happen, but add a safety check nonetheless.
+
+Reported on yeswehack.com as:
+YWH-PGM9780-43
+
+Follow-up for d7867b31836173d1a943ecb1cab6484536126411
+
+(cherry picked from commit 45a200cd751fae382f4145760cf84fd181db1319)
+
+Related: RHEL-163879
+---
+ src/udev/udev-builtin-path_id.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/udev/udev-builtin-path_id.c b/src/udev/udev-builtin-path_id.c
+index d6ea471482..545757dc09 100644
+--- a/src/udev/udev-builtin-path_id.c
++++ b/src/udev/udev-builtin-path_id.c
+@@ -667,7 +667,7 @@ static void add_id_tag(UdevEvent *event, const char *path) {
+         size_t i = 0;
+ 
+         /* compose valid udev tag name */
+-        for (const char *p = path; *p; p++) {
++        for (const char *p = path; *p && i < sizeof(tag) - 1; p++) {
+                 if (ascii_isdigit(*p) ||
+                     ascii_isalpha(*p) ||
+                     *p == '-') {

0625-udev-fix-review-mixup.patch

@@ -0,0 +1,32 @@
+From ba01fb71dd8d0e7384b76afaaa5aabcd98a65748 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Fri, 13 Mar 2026 11:10:47 +0000
+Subject: [PATCH] udev: fix review mixup
+
+The previous version in the PR changed variable and sanitized it
+in place. The second version switched to skip if CCs are in the
+string instead, but didn't move back to the original variable.
+Because it's an existing variable, no CI caught it.
+
+Follow-up for 16325b35fa6ecb25f66534a562583ce3b96d52f3
+
+(cherry picked from commit 54f880b02ecf7362e630ffc885d1466df6ee6820)
+
+Resolves: RHEL-163879
+---
+ src/udev/scsi_id/scsi_id.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c
+index 650bf7824f..854f8ffa05 100644
+--- a/src/udev/scsi_id/scsi_id.c
++++ b/src/udev/scsi_id/scsi_id.c
+@@ -452,7 +452,7 @@ static int scsi_id(char *maj_min_dev) {
+                 if (dev_scsi.tgpt_group[0] != '\0')
+                         printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group);
+                 if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL))
+-                        printf("ID_SCSI_SERIAL=%s\n", serial_str);
++                        printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number);
+                 goto out;
+         }
+ 

0626-udev-scsi-id-check-for-invalid-chars-in-various-fiel.patch

@@ -0,0 +1,52 @@
+From b9ef1cfa591b4df7d4f0f3d329596fe242f59c04 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Fri, 10 Apr 2026 19:04:04 +0100
+Subject: [PATCH] udev/scsi-id: check for invalid chars in various fields
+ received from the kernel
+
+Follow-up for 16325b35fa6ecb25f66534a562583ce3b96d52f3
+
+(cherry picked from commit 5f700d148c44063c0f0dbb9fc136866339cd3fa7)
+
+Related: RHEL-163879
+---
+ src/udev/scsi_id/scsi_id.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c
+index 854f8ffa05..bc350fed47 100644
+--- a/src/udev/scsi_id/scsi_id.c
++++ b/src/udev/scsi_id/scsi_id.c
+@@ -398,6 +398,10 @@ static int set_inq_values(struct scsi_id_device *dev_scsi, const char *path) {
+         return 0;
+ }
+ 
++static bool scsi_string_is_valid(const char *s) {
++        return !isempty(s) && utf8_is_valid(s) && !string_has_cc(s, /* ok= */ NULL);
++}
++
+ /*
+  * scsi_id: try to get an id, if one is found, printf it to stdout.
+  * returns a value passed to exit() - 0 if printed an id, else 1.
+@@ -441,17 +445,17 @@ static int scsi_id(char *maj_min_dev) {
+                         udev_replace_chars(serial_str, NULL);
+                         printf("ID_SERIAL_SHORT=%s\n", serial_str);
+                 }
+-                if (dev_scsi.wwn[0] != '\0') {
++                if (scsi_string_is_valid(dev_scsi.wwn)) {
+                         printf("ID_WWN=0x%s\n", dev_scsi.wwn);
+-                        if (dev_scsi.wwn_vendor_extension[0] != '\0') {
++                        if (scsi_string_is_valid(dev_scsi.wwn_vendor_extension)) {
+                                 printf("ID_WWN_VENDOR_EXTENSION=0x%s\n", dev_scsi.wwn_vendor_extension);
+                                 printf("ID_WWN_WITH_EXTENSION=0x%s%s\n", dev_scsi.wwn, dev_scsi.wwn_vendor_extension);
+                         } else
+                                 printf("ID_WWN_WITH_EXTENSION=0x%s\n", dev_scsi.wwn);
+                 }
+-                if (dev_scsi.tgpt_group[0] != '\0')
++                if (scsi_string_is_valid(dev_scsi.tgpt_group))
+                         printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group);
+-                if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL))
++                if (scsi_string_is_valid(dev_scsi.unit_serial_number))
+                         printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number);
+                 goto out;
+         }

0627-udev-builtin-net-id-print-cescaped-bad-attributes.patch

@@ -0,0 +1,88 @@
+From 85a08c191d3def1eb358cd01ff96116ddb9a51d3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@amutable.com>
+Date: Wed, 11 Mar 2026 11:27:48 +0100
+Subject: [PATCH] udev-builtin-net-id: print cescaped bad attributes
+
+Follow-up for 16325b35fa6ecb25f66534a562583ce3b96d52f3. Let's
+log those bad value to make it easier to figure out why things
+are not working if we reject an attribute.
+
+(cherry picked from commit 7c4047957ef58744ecfad6d277f7c45d430f6d70)
+
+Related: RHEL-163879
+---
+ src/udev/udev-builtin-net_id.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c
+index 0d3c62f4b5..fd39a90c87 100644
+--- a/src/udev/udev-builtin-net_id.c
++++ b/src/udev/udev-builtin-net_id.c
+@@ -28,6 +28,7 @@
+ #include "device-private.h"
+ #include "device-util.h"
+ #include "dirent-util.h"
++#include "escape.h"
+ #include "ether-addr-util.h"
+ #include "fd-util.h"
+ #include "fileio.h"
+@@ -45,6 +46,12 @@
+ #define ONBOARD_14BIT_INDEX_MAX ((1U << 14) - 1)
+ #define ONBOARD_16BIT_INDEX_MAX ((1U << 16) - 1)
+ 
++static int log_invalid_device_attr(sd_device *dev, const char *attr, const char *value) {
++        _cleanup_free_ char *escaped = cescape(value);
++        return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL),
++                                      "Invalid %s value '%s'.", attr, strnull(escaped));
++}
++
+ /* skip intermediate virtio devices */
+ static sd_device *device_skip_virtio(sd_device *dev) {
+         /* there can only ever be one virtio bus per parent device, so we can
+@@ -238,7 +245,7 @@ static int get_port_specifier(sd_device *dev, bool fallback_to_dev_id, char **re
+                 }
+ 
+                 if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
+-                        return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
++                        return log_invalid_device_attr(dev, "phys_port_name", phys_port_name);
+ 
+                 /* Otherwise, use phys_port_name as is. */
+                 buf = strjoin("n", phys_port_name);
+@@ -345,7 +352,7 @@ static int names_pci_onboard_label(UdevEvent *event, sd_device *pci_dev, const c
+                 return log_device_debug_errno(pci_dev, r, "Failed to get PCI onboard label: %m");
+ 
+         if (!utf8_is_valid(label) || string_has_cc(label, /* ok= */ NULL))
+-                return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid label");
++                return log_invalid_device_attr(dev, "label", label);
+ 
+         char str[ALTIFNAMSIZ];
+         if (snprintf_ok(str, sizeof str, "%s%s",
+@@ -751,8 +758,7 @@ static int names_vio(UdevEvent *event, const char *prefix) {
+                                               "VIO bus ID and slot ID have invalid length: %s", s);
+ 
+         if (!in_charset(s, HEXDIGITS))
+-                return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL),
+-                                              "VIO bus ID and slot ID contain invalid characters: %s", s);
++                return log_invalid_device_attr(dev, "VIO bus ID and slot ID", s);
+ 
+         /* Parse only slot ID (the last 4 hexdigits). */
+         r = safe_atou_full(s + 4, 16, &slotid);
+@@ -808,8 +814,7 @@ static int names_platform(UdevEvent *event, const char *prefix) {
+                 return -EOPNOTSUPP;
+ 
+         if (!in_charset(vendor, validchars))
+-                return log_device_debug_errno(dev, SYNTHETIC_ERRNO(ENOENT),
+-                                              "Platform vendor contains invalid characters: %s", vendor);
++                return log_invalid_device_attr(dev, "platform vendor", vendor);
+ 
+         ascii_strlower(vendor);
+ 
+@@ -1265,7 +1270,7 @@ static int names_netdevsim(UdevEvent *event, const char *prefix) {
+                 return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EOPNOTSUPP),
+                                               "The 'phys_port_name' attribute is empty.");
+         if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
+-                return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
++                return log_invalid_device_attr(dev, "phys_port_name", phys_port_name);
+ 
+         char str[ALTIFNAMSIZ];
+         if (snprintf_ok(str, sizeof str, "%si%un%s", prefix, addr, phys_port_name))

systemd.spec

@@ -48,7 +48,7 @@ Url:            https://systemd.io
 # Allow users to specify the version and release when building the rpm by 
 # setting the %%version_override and %%release_override macros.
 Version:        %{?version_override}%{!?version_override:257}
-Release:        23%{?dist}.1.alma.1
+Release:        23%{?dist}.2.alma.1
 
 %global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?)
 
@@ -729,6 +729,14 @@ Patch0616: 0616-path-util-invert-PATH_STARTSWITH_ACCEPT_DOT_DOT-flag.patch
 Patch0617: 0617-sd-json-fix-off-by-one-issue-when-updating-parent-fo.patch
 Patch0618: 0618-core-cgroup-avoid-one-unnecessary-strjoina.patch
 Patch0619: 0619-core-validate-input-cgroup-path-more-prudently.patch
+Patch0620: 0620-nspawn-apply-BindUser-Ephemeral-from-settings-file-o.patch
+Patch0621: 0621-nspawn-normalize-pivot_root-paths.patch
+Patch0622: 0622-udev-check-for-invalid-chars-in-various-fields-recei.patch
+Patch0623: 0623-udev-ensure-there-is-space-for-trailing-NUL-before-c.patch
+Patch0624: 0624-udev-ensure-tag-parsing-stays-within-bounds.patch
+Patch0625: 0625-udev-fix-review-mixup.patch
+Patch0626: 0626-udev-scsi-id-check-for-invalid-chars-in-various-fiel.patch
+Patch0627: 0627-udev-builtin-net-id-print-cescaped-bad-attributes.patch
 
 # Downstream-only patches (9000–9999)
 %endif
@@ -1680,9 +1688,19 @@ rm -f .file-list-*
 rm -f %{name}.lang
 
 %changelog
-* Wed May 20 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 257-23.1.alma.1
+* Wed Jun 03 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 257-23.2.alma.1
 - Debrand for AlmaLinux
 
+* Thu Apr 16 2026 systemd maintenance team <systemd-maint@redhat.com> - 257-23.2
+- nspawn: apply BindUser/Ephemeral from settings file only if trusted (RHEL-163873)
+- nspawn: normalize pivot_root paths (RHEL-163873)
+- udev: check for invalid chars in various fields received from the kernel (RHEL-163879)
+- udev: ensure there is space for trailing NUL before calling sprintf (RHEL-163879)
+- udev: ensure tag parsing stays within bounds (RHEL-163879)
+- udev: fix review mixup (RHEL-163879)
+- udev/scsi-id: check for invalid chars in various fields received from the kernel (RHEL-163879)
+- udev-builtin-net-id: print cescaped bad attributes (RHEL-163879)
+
 * Wed Apr 08 2026 systemd maintenance team <systemd-maint@redhat.com> - 257-23.1
 - ci: re-enable bpf-framework option for build and unit test jobs (RHEL-152080)
 - ci: add bpftool workaround to codeql job too (RHEL-152080)