diff --git a/0001-fix-CVE-2026-6893.patch b/0001-fix-CVE-2026-6893.patch new file mode 100644 index 0000000000000000000000000000000000000000..e4a5164ce9ceb7844fbc84f58ab8e02ee33686e5 --- /dev/null +++ b/0001-fix-CVE-2026-6893.patch @@ -0,0 +1,185 @@ +From 7243b11f71f17d08a6b60024dfab8e3ddf338458 Mon Sep 17 00:00:00 2001 +From: Pavel Valena +Date: Thu, 23 Apr 2026 17:20:04 +0200 +Subject: [PATCH] fix(network-legacy): replace `echo` writes with `printf` to + prevent injection via DHCP +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +DHCP-provided variables (hostname, gateway) were written with echo into +files later sourced as shell by net-lib.sh — allowing command injection +from a rogue DHCP server. + +Use printf with explicit variable escaping `%q` for sourced files: + - .hostname files (DHCP hostname, sourced at net-lib.sh:131) + - .gw files (DHCP routers, sourced at net-lib.sh:140) + - do_static gateway and hostname (kernel cmdline ip= parameter) + +Plain text config files (.resolv.conf) are left as echo — they are +read by awk, not sourced as shell, so %q escaping would be incorrect. + +Resolves: RHEL-170857 +--- + modules.d/35network-legacy/dhclient-script.sh | 24 +++++++++++++++------- + modules.d/35network-legacy/ifup.sh | 29 ++++++++++++++++++--------- + 2 files changed, 36 insertions(+), 17 deletions(-) + +diff --git a/modules.d/35network-legacy/dhclient-script.sh b/modules.d/35network-legacy/dhclient-script.sh +index 82fc7e2c..2272c4c0 100755 +--- a/modules.d/35network-legacy/dhclient-script.sh ++++ b/modules.d/35network-legacy/dhclient-script.sh +@@ -48,22 +48,24 @@ setup_interface() { + if [ -n "$gw" ]; then + if [ "$mask" = "255.255.255.255" ]; then + # point-to-point connection => set explicit route to gateway +- echo ip route add "$gw" dev "$netif" > /tmp/net."$netif".gw ++ printf 'ip route add %q dev %q\n' "$gw" "$netif" > /tmp/net."$netif".gw + fi + + echo "$gw" | { + IFS=' ' read -r main_gw other_gw +- echo ip route replace default via "$main_gw" dev "$netif" >> /tmp/net."$netif".gw ++ printf 'ip route replace default via %q dev %q\n' "$main_gw" "$netif" >> /tmp/net."$netif".gw + if [ -n "$other_gw" ]; then + for g in $other_gw; do +- echo ip route add default via "$g" dev "$netif" >> /tmp/net."$netif".gw ++ printf 'ip route add default via %q dev %q\n' "$g" "$netif" >> /tmp/net."$netif".gw + done + fi + } + fi + + if getargbool 1 rd.peerdns; then +- [ -n "${search}${domain}" ] && echo "search $search $domain" > /tmp/net."$netif".resolv.conf ++ if [ -n "${search}${domain}" ]; then ++ echo "search $search $domain" > /tmp/net."$netif".resolv.conf ++ fi + if [ -n "$namesrv" ]; then + for s in $namesrv; do + echo nameserver "$s" +@@ -72,7 +74,10 @@ setup_interface() { + fi + # Note: hostname can be fqdn OR short hostname, so chop off any + # trailing domain name and explicity add any domain if set. +- [ -n "$hostname" ] && echo "echo ${hostname%.$domain}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net."$netif".hostname ++ if [ -n "$hostname" ]; then ++ safe_hostname=$(printf '%s' "${hostname%."$domain"}${domain:+.$domain}") ++ printf 'echo %q > /proc/sys/kernel/hostname\n' "$safe_hostname" > /tmp/net."$netif".hostname ++ fi + } + + setup_interface6() { +@@ -95,7 +100,9 @@ setup_interface6() { + ${preferred_lft:+preferred_lft ${preferred_lft}} + + if getargbool 1 rd.peerdns; then +- [ -n "${search}${domain}" ] && echo "search $search $domain" > /tmp/net."$netif".resolv.conf ++ if [ -n "${search}${domain}" ]; then ++ echo "search $search $domain" > /tmp/net."$netif".resolv.conf ++ fi + if [ -n "$namesrv" ]; then + for s in $namesrv; do + echo nameserver "$s" +@@ -105,7 +112,10 @@ setup_interface6() { + + # Note: hostname can be fqdn OR short hostname, so chop off any + # trailing domain name and explicity add any domain if set. +- [ -n "$hostname" ] && echo "echo ${hostname%.$domain}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net."$netif".hostname ++ if [ -n "$hostname" ]; then ++ safe_hostname=$(printf '%s' "${hostname%."$domain"}${domain:+.$domain}") ++ printf 'echo %q > /proc/sys/kernel/hostname\n' "$safe_hostname" > /tmp/net."$netif".hostname ++ fi + } + + parse_option_121() { +diff --git a/modules.d/35network-legacy/ifup.sh b/modules.d/35network-legacy/ifup.sh +index 0dc9541c..84c53dc4 100755 +--- a/modules.d/35network-legacy/ifup.sh ++++ b/modules.d/35network-legacy/ifup.sh +@@ -28,7 +28,7 @@ do_dhcp_parallel() { + # event for nfsroot + # XXX add -V vendor class and option parsing per kernel + +- [ -e "/tmp/dhclient.$netif.pid" ] && return 0 ++ [ -e "/tmp/dhclient.${netif}.pid" ] && return 0 + + if ! iface_has_carrier "$netif"; then + warn "No carrier detected on interface $netif" +@@ -121,8 +121,10 @@ do_ipv6auto() { + wait_for_ipv6_auto "$netif" + ret=$? + +- [ -n "$hostname" ] && echo "echo $hostname > /proc/sys/kernel/hostname" > "/tmp/net.${netif}.hostname" +- ++ if [ -n "$hostname" ]; then ++ safe_hostname=$(printf '%s' "${hostname}") ++ printf 'echo %q > /proc/sys/kernel/hostname\n' "$safe_hostname" > /tmp/net."$netif".hostname ++ fi + return "$ret" + } + +@@ -134,7 +136,10 @@ do_ipv6link() { + echo 0 > /proc/sys/net/ipv6/conf/"${netif}"/accept_redirects + linkup "$netif" + +- [ -n "$hostname" ] && echo "echo $hostname > /proc/sys/kernel/hostname" > "/tmp/net.${netif}.hostname" ++ if [ -n "$hostname" ]; then ++ safe_hostname=$(printf '%s' "${hostname}") ++ printf 'echo %q > /proc/sys/kernel/hostname\n' "$safe_hostname" > /tmp/net."$netif".hostname ++ fi + + return "$ret" + } +@@ -187,8 +192,12 @@ do_static() { + ip addr add "$ip/$mask" ${srv:+peer "$srv"} brd + dev "$netif" + fi + +- [ -n "$gw" ] && echo "ip route replace default via '$gw' dev '$netif'" > "/tmp/net.$netif.gw" +- [ -n "$hostname" ] && echo "echo '$hostname' > /proc/sys/kernel/hostname" > "/tmp/net.$netif.hostname" ++ [ -n "$gw" ] && printf "ip route replace default via %q dev %q\n" "$gw" "$netif" > "/tmp/net.${netif}.gw" ++ ++ if [ -n "$hostname" ]; then ++ safe_hostname=$(printf '%s' "${hostname}") ++ printf 'echo %q > /proc/sys/kernel/hostname\n' "$safe_hostname" > /tmp/net."$netif".hostname ++ fi + + return 0 + } +@@ -417,7 +426,7 @@ fi + [ -n "$2" -a "$2" = "-m" ] && [ -z "$netroot" ] && manualup="$2" + + if [ -n "$manualup" ]; then +- : > "/tmp/net.$netif.manualup" ++ : > "/tmp/net.${netif}.manualup" + rm -f "/tmp/net.${netif}.did-setup" + else + [ -e "/tmp/net.${netif}.did-setup" ] && exit 0 +@@ -458,7 +467,7 @@ for p in $(getargs ip=); do + # Store config for later use + for i in ip srv gw mask hostname macaddr mtu dns1 dns2; do + eval '[ "$'$i'" ] && echo '$i'="$'$i'"' +- done > "/tmp/net.$netif.override" ++ done > "/tmp/net.${netif}.override" + + for autoopt in $(str_replace "$autoconf" "," " "); do + case $autoopt in +@@ -492,7 +501,7 @@ for p in $(getargs ip=); do + # setup nameserver + for s in "$dns1" "$dns2" $(getargs nameserver); do + [ -n "$s" ] || continue +- echo "nameserver $s" >> "/tmp/net.$netif.resolv.conf" ++ echo "nameserver $s" >> "/tmp/net.${netif}.resolv.conf" + done + + if [ $ret -eq 0 ]; then +@@ -546,7 +555,7 @@ if [ -z "$NO_AUTO_DHCP" ] && [ ! -e "/tmp/net.${netif}.up" ]; then + + for s in $(getargs nameserver); do + [ -n "$s" ] || continue +- echo "nameserver $s" >> "/tmp/net.$netif.resolv.conf" ++ echo "nameserver $s" >> "/tmp/net.${netif}.resolv.conf" + done + + if [ "$ret" -eq 0 ] && [ -n "$(ls "/tmp/leaseinfo.${netif}"* 2> /dev/null)" ]; then + diff --git a/0002-fix-CVE-2026-6893.patch b/0002-fix-CVE-2026-6893.patch new file mode 100644 index 0000000000000000000000000000000000000000..506993e229c268ca3a5ec93ce47aeed62e73bdf4 --- /dev/null +++ b/0002-fix-CVE-2026-6893.patch @@ -0,0 +1,97 @@ +From e61fe6afe015744baebfd96411015ae360c1af08 Mon Sep 17 00:00:00 2001 +From: Pavel Valena +Date: Wed, 29 Apr 2026 04:46:15 +0200 +Subject: [PATCH] fix(iscsi): replace `echo` writes with `printf` to prevent + variable injection +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use printf with explicit variable escaping `%q` for shell scripts: + - mount-lun.sh hookdir script (iscsi_lun variable) + - udev rule (iscsi_lun sanitized via tr -d '"') + - initiatorname.iscsi (sourced as shell at iscsiroot.sh:161-163) + +Note: initiatorname.iscsi is also read by iscsid as plain text (no +shell unquoting). For valid IQNs ([a-z0-9.:_-]), %q is a no-op, so +iscsid sees the value unchanged. For malicious values with special +characters, %q would produce shell escaping that iscsid reads +literally — breaking the connection rather than allowing injection. + +Related: RHEL-170857 +--- + modules.d/95iscsi/iscsiroot.sh | 10 +++++----- + modules.d/95iscsi/parse-iscsiroot.sh | 4 ++-- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/modules.d/95iscsi/iscsiroot.sh b/modules.d/95iscsi/iscsiroot.sh +index 63b4ce19..24d9f5bb 100755 +--- a/modules.d/95iscsi/iscsiroot.sh ++++ b/modules.d/95iscsi/iscsiroot.sh +@@ -145,7 +145,7 @@ handle_netroot() { + + if [ -z "$iscsi_initiator" ] && [ -f /sys/firmware/ibft/initiator/initiator-name ] && ! [ -f /tmp/iscsi_set_initiator ]; then + iscsi_initiator=$(while read -r line || [ -n "$line" ]; do echo "$line"; done < /sys/firmware/ibft/initiator/initiator-name) +- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi ++ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi + rm -f /etc/iscsi/initiatorname.iscsi + mkdir -p /etc/iscsi + ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi +@@ -166,7 +166,7 @@ handle_netroot() { + + if [ -z "$iscsi_initiator" ]; then + iscsi_initiator=$(iscsi-iname) +- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi ++ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi + rm -f /etc/iscsi/initiatorname.iscsi + mkdir -p /etc/iscsi + ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi +@@ -190,7 +190,7 @@ handle_netroot() { + iscsi_lun=0 + fi + +- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi ++ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi + ln -fs /run/initiatorname.iscsi /dev/.initiatorname.iscsi + if ! [ -e /etc/iscsi/initiatorname.iscsi ]; then + mkdir -p /etc/iscsi +@@ -211,14 +211,14 @@ handle_netroot() { + + if [ "$root" = "dhcp" ] || [ "$netroot" = "dhcp" ]; then + # if root is not specified try to mount the whole iSCSI LUN +- printf 'SYMLINK=="disk/by-path/*-iscsi-*-%s", SYMLINK+="root"\n' "$iscsi_lun" >> /etc/udev/rules.d/99-iscsi-root.rules ++ printf 'SYMLINK=="disk/by-path/*-iscsi-*-%s", SYMLINK+="root"\n' "$(printf '%s' "$iscsi_lun" | tr -d '"')" >> /etc/udev/rules.d/99-iscsi-root.rules + udevadm control --reload + write_fs_tab /dev/root + wait_for_dev -n /dev/root + + # install mount script + [ -z "$DRACUT_SYSTEMD" ] \ +- && echo "iscsi_lun=$iscsi_lun . /bin/mount-lun.sh " > "$hookdir"/mount/01-$$-iscsi.sh ++ && printf 'iscsi_lun=%q . /bin/mount-lun.sh\n' "$iscsi_lun" > "$hookdir"/mount/01-$$-iscsi.sh + fi + + if strglobin "$iscsi_target_ip" '*:*:*' && ! strglobin "$iscsi_target_ip" '['; then +diff --git a/modules.d/95iscsi/parse-iscsiroot.sh b/modules.d/95iscsi/parse-iscsiroot.sh +index 75747111..1a102b12 100755 +--- a/modules.d/95iscsi/parse-iscsiroot.sh ++++ b/modules.d/95iscsi/parse-iscsiroot.sh +@@ -105,7 +105,7 @@ fi + + if arg=$(getarg rd.iscsi.initiator -d iscsi_initiator=) && [ -n "$arg" ] && ! [ -f /run/initiatorname.iscsi ]; then + iscsi_initiator=$arg +- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi ++ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi + ln -fs /run/initiatorname.iscsi /dev/.initiatorname.iscsi + rm -f /etc/iscsi/initiatorname.iscsi + mkdir -p /etc/iscsi +@@ -121,7 +121,7 @@ fi + if [ -z "$iscsi_initiator" ] && [ -f /sys/firmware/ibft/initiator/initiator-name ] && ! [ -f /tmp/iscsi_set_initiator ]; then + iscsi_initiator=$(while read -r line || [ -n "$line" ]; do echo "$line"; done < /sys/firmware/ibft/initiator/initiator-name) + if [ -n "$iscsi_initiator" ]; then +- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi ++ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi + rm -f /etc/iscsi/initiatorname.iscsi + mkdir -p /etc/iscsi + ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi + diff --git a/0003-fix-CVE-2026-6893.patch b/0003-fix-CVE-2026-6893.patch new file mode 100644 index 0000000000000000000000000000000000000000..428d15902e4e236eb64d19141b7cd5f2d5fdb5ca --- /dev/null +++ b/0003-fix-CVE-2026-6893.patch @@ -0,0 +1,46 @@ +From 977f1498201973eb1420aa309cbee71c4aa9bf56 Mon Sep 17 00:00:00 2001 +From: Pavel Valena +Date: Tue, 12 May 2026 03:25:20 +0200 +Subject: [PATCH] fix(network): warn on suspicious shell metacharacters in + hostname file +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +setup_net() sources /tmp/net.$netif.hostname as shell, which is written +by dhclient-script.sh or ifup.sh. Add a defensive check that warns if +the file contains shell metacharacters ($, `, ;, &, |, () that should +never appear in a legitimate hostname, indicating possible DHCP-based +command injection attempts. + +The file is still sourced for compatibility — the writer-side fix +(printf '%q') already prevents execution of injected content. + +Co-Authored-By: Claude Opus 4.6 + +Related: RHEL-170857 +--- + modules.d/40network/net-lib.sh | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/modules.d/40network/net-lib.sh b/modules.d/40network/net-lib.sh +index a294a390..7734c1f4 100755 +--- a/modules.d/40network/net-lib.sh ++++ b/modules.d/40network/net-lib.sh +@@ -127,8 +127,13 @@ setup_net() { + [ -e "/tmp/net.ifaces" ] && read -r IFACES < /tmp/net.ifaces + [ -z "$IFACES" ] && IFACES="$netif" + # run the scripts written by ifup +- # shellcheck disable=SC1090 +- [ -e /tmp/net."$netif".hostname ] && . /tmp/net."$netif".hostname ++ if [ -e /tmp/net."$netif".hostname ]; then ++ if grep -qE '[$`;&|(]' /tmp/net."$netif".hostname 2>/dev/null; then ++ warn "setup_net $netif: /tmp/net.$netif.hostname contains suspicious shell metacharacters" ++ fi ++ # shellcheck disable=SC1090 ++ . /tmp/net."$netif".hostname ++ fi + # shellcheck disable=SC1090 + [ -e /tmp/net."$netif".override ] && . /tmp/net."$netif".override + # shellcheck disable=SC1090 + diff --git a/0004-fix-CVE-2026-6893.patch b/0004-fix-CVE-2026-6893.patch new file mode 100644 index 0000000000000000000000000000000000000000..84f6688303e8f1b7dcd95c25810cf09e6102df4c --- /dev/null +++ b/0004-fix-CVE-2026-6893.patch @@ -0,0 +1,70 @@ +From c810e813fb25766fafb213fab4c8af66490bf8ce Mon Sep 17 00:00:00 2001 +From: Pavel Valena +Date: Tue, 12 May 2026 03:27:22 +0200 +Subject: [PATCH] fix(base): escape arguments in initqueue hook script + generation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +initqueue.sh writes arguments directly into generated hook scripts +via `echo "$exe" "$@"`. These scripts are later sourced by +dracut-initqueue.sh, so shell metacharacters in arguments (e.g. +DHCP-derived $netroot passed from parse-iscsiroot.sh) execute as +root in initramfs. + +Replace `echo` with `printf '%q'` to shell-escape all arguments +before writing them into the hook script, preventing command +injection via DHCP-controlled netroot values. + +Remove the fragile embedded single-quote wrapping ("'$var'") from +parse-iscsiroot.sh call sites (lines 90, 102) — those relied on +echo writing quotes verbatim for the shell to strip when sourcing. +With printf '%q', initqueue now handles escaping centrally, so the +manual wrapping is no longer needed and would cause literal quote +characters to leak into iscsiroot arguments. + +Co-Authored-By: Claude Opus 4.6 + +Related: RHEL-170857 +--- + modules.d/95iscsi/parse-iscsiroot.sh | 4 ++-- + modules.d/99base/initqueue.sh | 3 ++- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/modules.d/95iscsi/parse-iscsiroot.sh b/modules.d/95iscsi/parse-iscsiroot.sh +index 1a102b12..80aae95f 100755 +--- a/modules.d/95iscsi/parse-iscsiroot.sh ++++ b/modules.d/95iscsi/parse-iscsiroot.sh +@@ -87,7 +87,7 @@ if [ -n "$iscsi_firmware" ]; then + echo "${DRACUT_SYSTEMD+systemctl is-active initrd-root-device.target || }[ -f '/tmp/iscsistarted-firmware' ]" > "$hookdir"/initqueue/finished/iscsi_started.sh + initqueue --unique --online /sbin/iscsiroot online "iscsi:" "$NEWROOT" + initqueue --unique --onetime --timeout /sbin/iscsiroot timeout "iscsi:" "$NEWROOT" +- initqueue --unique --onetime --settled /sbin/iscsiroot online "iscsi:" "'$NEWROOT'" ++ initqueue --unique --onetime --settled /sbin/iscsiroot online "iscsi:" "$NEWROOT" + fi + + # ISCSI actually supported? +@@ -99,7 +99,7 @@ modprobe --all -b -q qla4xxx cxgb3i cxgb4i bnx2i be2iscsi + + if [ -n "$netroot" ] && [ "$root" != "/dev/root" ] && [ "$root" != "dhcp" ]; then + if ! getargbool 1 rd.neednet > /dev/null || ! getarg "ip="; then +- initqueue --unique --onetime --settled /sbin/iscsiroot dummy "'$netroot'" "'$NEWROOT'" ++ initqueue --unique --onetime --settled /sbin/iscsiroot dummy "$netroot" "$NEWROOT" + fi + fi + +diff --git a/modules.d/99base/initqueue.sh b/modules.d/99base/initqueue.sh +index 2c490793..672effd6 100755 +--- a/modules.d/99base/initqueue.sh ++++ b/modules.d/99base/initqueue.sh +@@ -64,7 +64,8 @@ fi + # shellcheck disable=SC2016 + [ -n "$onetime" ] && echo '[ -e "$job" ] && rm -f -- "$job"' + [ -n "$env" ] && echo "$env" +- echo "$exe" "$@" ++ printf '%q ' "$exe" "$@" ++ printf '\n' + } > "/tmp/$$-${job}.sh" + + mv -f "/tmp/$$-${job}.sh" "$hookdir/initqueue${qname}/${job}.sh" diff --git a/dracut.spec b/dracut.spec index 7b78a3783c29cef32534d302d9fb8ae61812daf1..467376db75d88d6122c2b9a174a91d03abc15435 100644 --- a/dracut.spec +++ b/dracut.spec @@ -3,7 +3,7 @@ Summary: Initramfs generator using udev Name: dracut Version: 059 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv2+ and LGPLv2+ and GPLv2 URL: https://dracut.wiki.kernel.org/ Source0: https://github.com/dracutdevs/dracut/archive/%{version}/dracut-%{version}.tar.gz @@ -31,6 +31,11 @@ patch0014: backport-feat-systemd-install-systemd-executor.patch patch0015: 0001-rename-systemd-pcrphase-binary-to-systemd-pcrextend.patch # https://github.com/systemd/systemd/commit/a628d933 patch0016: 0002-add-new-systemd-hibernate-resume.service.patch +# https://github.com/dracut-ng/dracut/pull/2469 +patch0017: 0001-fix-CVE-2026-6893.patch +patch0018: 0002-fix-CVE-2026-6893.patch +patch0019: 0003-fix-CVE-2026-6893.patch +patch0020: 0004-fix-CVE-2026-6893.patch Patch3000: 0001-dracut-install-only-print-warning-log.patch @@ -383,6 +388,10 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ %{_prefix}/lib/kernel/install.d/51-dracut-rescue.install %changelog +* Mon Jun 22 2026 wynnfeng - 059-10 +- [Type] security +- [DESC] fix CVE-2026-6893 + * Tue Apr 22 2025 wynnfeng - 059-9 - add patch: only print warning when add drive failed to avoid stoping adding drive