fix(network-legacy): sanitize DHCP values in dhclient-script.sh #2470

Open

aafeijoo-suse wants to merge 2 commits into dracut-ng:main from aafeijoo-suse:cve20266893

Conversation

@aafeijoo-suse

Contributor

A rogue DHCP server can inject shell commands through hostname, domain, gateway, and classless static route values. These values are written to /tmp files that setup_net() later sources as shell.

  • Sanitize hostname to RFC 952 chars (a-zA-Z0-9.-)
  • Strip control chars from domain (like search already does)
  • Validate gateway IPs contain only digits and dots
  • Single-quote interpolated values in generated shell commands
  • Validate all parse_option_121 octets are numeric upfront; the existing inline checks only validated mask and the first destination octet, leaving dest octets 2-4 and all four gateway octets unchecked — those flow into shell commands written to the initqueue/setup_net_"$netif".sh hook script via echo

Fixes: CVE-2026-6893
Co-developed-by: Claude Opus 4.6 <noreply@anthropic.com>

Checklist

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it

@aafeijoo-suse aafeijoo-suse requested a review from a team as a code owner June 12, 2026 12:26
@github-actions github-actions Bot added the labels modules (Issue tracker for all modules) and network-legacy (Issues related to the network-legacy module) on Jun 12, 2026
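The injection path and the checks listed in the PR description (and repeated in the commit message further down), as an added example that is not code from this PR or from dracut-ng. Function names are hypothetical. The option 121 layout assumed here is RFC 3442 as dhclient exposes it: a space-separated list of decimal octets, each route being a prefix length, the significant destination octets, then four gateway octets. The IPv4 check goes beyond the PR's "digits and dots" rule and requires exactly four octets in 0..255; the hook-line pair shows the unsafe interpolation next to its hardened form.

```sh
#!/bin/sh
# Added example, not dracut-ng code: models the path the PR describes, lease
# values echoed into a file that setup_net() later sources as shell. Function
# names are hypothetical; the option 121 token layout (RFC 3442 as dhclient
# exposes it, space-separated decimal octets) is an assumption.

# Hostname restricted to the RFC 952 character set: letters, digits, '.', '-'.
valid_hostname() {
    case "$1" in
        '' | *[!a-zA-Z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Dotted quad with exactly four octets in 0..255; stricter than the PR's
# "digits and dots" rule, so "10.0.0" and "10.0.0.999" also fail.
valid_ipv4() {
    case "$1" in
        '' | *[!0-9.]*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# The routers value may be a space-separated list: check each element rather
# than the whole string, which a single *[!0-9.]* pattern would reject.
valid_gw_list() {
    set -- $1
    [ $# -gt 0 ] || return 1
    for _g in "$@"; do
        valid_ipv4 "$_g" || return 1
    done
    return 0
}

# Single-quote a value for a generated shell line; an embedded ' becomes '\''.
shquote() {
    _in=$1; _out=''
    while [ -n "$_in" ]; do
        _c=${_in%"${_in#?}"}; _in=${_in#?}
        if [ "$_c" = "'" ]; then _out="$_out'\\''"; else _out="$_out$_c"; fi
    done
    printf "'%s'" "$_out"
}

# Classless static routes: every token is checked to be a number in 0..255
# before any route is built, so a bad gateway octet aborts the whole option
# instead of reaching a generated "ip route" line. Prints one
# "dest/len via gw" line per route; prints nothing on rejection.
parse_option_121() {
    for _t in "$@"; do
        case "$_t" in '' | *[!0-9]*) return 1 ;; esac
        [ "$_t" -le 255 ] || return 1
    done
    _routes=''
    while [ $# -ne 0 ]; do
        _mask=$1; shift
        [ "$_mask" -le 32 ] || return 1
        if   [ "$_mask" -gt 24 ]; then _dest="$1.$2.$3.$4"; _n=4
        elif [ "$_mask" -gt 16 ]; then _dest="$1.$2.$3.0";  _n=3
        elif [ "$_mask" -gt 8 ];  then _dest="$1.$2.0.0";   _n=2
        elif [ "$_mask" -gt 0 ];  then _dest="$1.0.0.0";    _n=1
        else                           _dest=0.0.0.0;       _n=0
        fi
        # a truncated route is an error, not a partially built one
        [ $# -ge $((_n + 4)) ] || return 1
        shift $_n
        _routes="${_routes}${_dest}/${_mask} via $1.$2.$3.$4
"
        shift 4
    done
    printf '%s' "$_routes"
}

# Before: the lease value lands verbatim in a line that will be sourced, so
# "evil; touch /tmp/pwned" becomes two commands when the file is read.
hook_line_unsafe() {
    printf 'hostname %s\n' "$1"
}

# After: reject anything outside the hostname alphabet and single-quote what
# is emitted, so the sourced line carries exactly one argument.
hook_line_safe() {
    valid_hostname "$1" || return 1
    printf 'hostname %s\n' "$(shquote "$1")"
}

# Constructed rogue-lease values (not captured traffic).
evil_host='evil; touch /tmp/pwned'
hook_line_unsafe "$evil_host"
hook_line_safe "$evil_host" || echo "rejected hostname: $evil_host"
parse_option_121 24 10 0 0 10 0 0 1 32 10 1 1 1 10 0 0 254
parse_option_121 24 10 0 0 '10;id' 0 0 1 || echo 'rejected option 121'
```

The important property of parse_option_121 here is that nothing is emitted until every token of the option has been checked, which is what "validate upfront" buys over inline checks on a subset of octets: a route list is either accepted whole or rejected whole. Quoting via shquote is the second layer; it keeps a value that slipped past a character-set check from splitting into extra commands when the generated file is sourced.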
@aafeijoo-suse

Contributor Author

Unrelated CI failure of TEST-72-NBD in openSUSE: #2381 (comment)

devkontrol previously approved these changes Jun 12, 2026

@devkontrol devkontrol left a comment

Collaborator

Thank you @aafeijoo-suse

@Conan-Kudo

Collaborator

What should we do about test 72 failing?

@devkontrol

Collaborator

What should we do about test 72 failing?

As @aafeijoo-suse mentioned, this failure is unrelated to this PR.

It adds to the cognitive load for PR reviews to require these side-discussions on CI issues unrelated to the PR - this is why I think it is important to keep the CI green at all times, so that side-discussions are not needed or are part of a separate PR.

If a fix is not available, then temporarily disable the test run with another commit.

@devkontrol devkontrol added the highpriority label (High priority - can be set (and removed) by anyone who has permission to add/remove labels) Jun 14, 2026
@devkontrol devkontrol added this to the 112 milestone Jun 14, 2026
echo ip route add "$gw" dev "$netif" > /tmp/net."$netif".gw
fi
case "$gw" in
*[!0-9.]*)
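Review bot: the `*[!0-9.]*` pattern in `case "$gw"` rejects any value containing a space, yet, as the review comment on this line points out, `$gw` can hold a space-separated list of gateways, so a legitimate multi-router lease would be warned about. Validate per element instead, e.g. `for g in $gw; do case "$g" in '' | *[!0-9.]*) ... ;; esac; done`, and consider also requiring exactly four octets in 0..255 rather than only the character set, since `1.2.3` or `999.1.1.1` still pass. Separately, in the visible lines the check sits after `echo ip route add "$gw" dev "$netif" > /tmp/net."$netif".gw`, so on the point-to-point path an unvalidated value has already been written to the file by the time `case "$gw"` runs; the validation should precede that write.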

Member

According to the code, gw can contain a space separated list of gateways. This code will spit out a warning.

Contributor Author

Yes, sorry, you're right. PTAL.

A rogue DHCP server can inject shell commands through hostname,
domain, gateway, and classless static route values. These values
are written to /tmp files that setup_net() later sources as shell.

- Sanitize hostname to RFC 952 chars (a-zA-Z0-9.-)
- Strip control chars from domain (like search already does)
- Validate gateway IPs contain only digits and dots
- Single-quote interpolated values in generated shell commands
- Validate all parse_option_121 octets are numeric upfront;
  the existing inline checks only validated mask and the first
  destination octet, leaving dest octets 2-4 and all four
  gateway octets unchecked — those flow into shell commands
  written to the initqueue/setup_net_"$netif".sh hook script
  via echo

Fixes: CVE-2026-6893
Co-developed-by: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions github-actions Bot added the github (Issues related to .github) label on Jun 19, 2026

Labels

github: Issues related to .github
highpriority: High priority - can be set (and removed) by anyone who has permission to add/remove labels
modules: Issue tracker for all modules
network-legacy: Issues related to the network-legacy module

Projects

None yet

4 participants