From: Hitendra Prajapati <[email protected]> Backport commits [0] and [1], which fix this vulnerability as mentioned in the Debian report [2].
[0] https://github.com/systemd/systemd/commit/773fd3b6e72e6c83cbb1cfc1cb20f3793db8649a
[1] https://github.com/systemd/systemd/commit/bfa0a842822c4f79da9d47f8a773fd128d8f8a0a
[2] https://security-tracker.debian.org/tracker/CVE-2026-40226
More details : https://nvd.nist.gov/vuln/detail/CVE-2026-40226
Signed-off-by: Hitendra Prajapati <[email protected]>
Signed-off-by: Fabien Thomas <[email protected]>
---
 .../systemd/systemd/CVE-2026-40226-01.patch | 63 +++++++++++++++++++
 .../systemd/systemd/CVE-2026-40226-02.patch | 39 ++++++++++++
 meta/recipes-core/systemd/systemd_255.21.bb | 2 +
 3 files changed, 104 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2026-40226-01.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2026-40226-02.patch
diff --git a/meta/recipes-core/systemd/systemd/CVE-2026-40226-01.patch b/meta/recipes-core/systemd/systemd/CVE-2026-40226-01.patch
new file mode 100644
index 0000000000..6f2893cab7
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2026-40226-01.patch
@@ -0,0 +1,63 @@
+From 773fd3b6e72e6c83cbb1cfc1cb20f3793db8649a Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <[email protected]>
+Date: Wed, 11 Mar 2026 12:15:26 +0000
+Subject: [PATCH] nspawn: apply BindUser/Ephemeral from settings file only if
+ trusted
+
+Originally reported on yeswehack.com as:
+YWH-PGM9780-116
+
+Follow-up for 2f8930449079403b26c9164b8eeac78d5af2c8df
+Follow-up for a2f577fca0be79b23f61f033229b64884e7d840a
+
+(cherry picked from commit 61bceb1bff4b1f9c126b18dc971ca3e6d8c71c40)
+(cherry picked from commit 718711ed876c870a72149eea279b819cdab14e91)
+(cherry picked from commit e4db9c12957d315c0ed22c6ca87a816d0927d6dc)
+
+
+CVE: CVE-2026-40226
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/773fd3b6e72e6c83cbb1cfc1cb20f3793db8649a]
+Signed-off-by: Hitendra Prajapati <[email protected]>
+---
+ src/nspawn/nspawn.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 005a3d2be1..0ac0c94f06 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -4275,8 +4275,13 @@ static int merge_settings(Settings *settings, const char *path) {
+ }
+
+ if ((arg_settings_mask & SETTING_EPHEMERAL) == 0 &&
+- settings->ephemeral >= 0)
+- arg_ephemeral = settings->ephemeral;
++ settings->ephemeral >= 0) {
++
++ if (!arg_settings_trusted)
++ log_warning("Ignoring ephemeral setting, file %s is not trusted.", path);
++ else
++ arg_ephemeral = settings->ephemeral;
++ }
+
+ if ((arg_settings_mask & SETTING_DIRECTORY) == 0 &&
+ settings->root) {
+@@ -4444,8 +4449,13 @@ static int merge_settings(Settings *settings, const char *path) {
+ }
+
+ if ((arg_settings_mask & SETTING_BIND_USER) == 0 &&
+- !strv_isempty(settings->bind_user))
+- strv_free_and_replace(arg_bind_user, settings->bind_user);
++ !strv_isempty(settings->bind_user)) {
++
++ if (!arg_settings_trusted)
++ log_warning("Ignoring bind user setting, file %s is not trusted.", path);
++ else
++ strv_free_and_replace(arg_bind_user, settings->bind_user);
++ }
+
+ if ((arg_settings_mask & SETTING_NOTIFY_READY) == 0 &&
+ settings->notify_ready >= 0)
+--
+2.50.1
+
diff --git a/meta/recipes-core/systemd/systemd/CVE-2026-40226-02.patch b/meta/recipes-core/systemd/systemd/CVE-2026-40226-02.patch
new file mode 100644
index 0000000000..47f780e6c5
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2026-40226-02.patch
@@ -0,0 +1,39 @@
+From bfa0a842822c4f79da9d47f8a773fd128d8f8a0a Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <[email protected]>
+Date: Wed, 11 Mar 2026 13:27:14 +0000
+Subject: [PATCH] nspawn: normalize pivot_root paths
+
+Originally reported on yeswehack.com as:
+YWH-PGM9780-116
+
+Follow-up for b53ede699cdc5233041a22591f18863fb3fe2672
+
+(cherry picked from commit 7b85f5498a958e5bb660c703b8f4a71cceed3373)
+(cherry picked from commit 6566dc1451089e07090f5a114ae2eb43ed39188d)
+(cherry picked from commit 1c55a0a5e26a07df828f72092ad1203e221b60db)
+
+CVE: CVE-2026-40226
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/bfa0a842822c4f79da9d47f8a773fd128d8f8a0a]
+Signed-off-by: Hitendra Prajapati <[email protected]>
+---
+ src/nspawn/nspawn-mount.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
+index 470f477f22..09c442a63a 100644
+--- a/src/nspawn/nspawn-mount.c
++++ b/src/nspawn/nspawn-mount.c
+@@ -1255,7 +1255,9 @@ int pivot_root_parse(char **pivot_root_new, char **pivot_root_old, const char *s
+
+ if (!path_is_absolute(root_new))
+ return -EINVAL;
+- if (root_old && !path_is_absolute(root_old))
++ if (!path_is_normalized(root_new))
++ return -EINVAL;
++ if (root_old && (!path_is_absolute(root_old) || !path_is_normalized(root_old)))
+ return -EINVAL;
+
+ free_and_replace(*pivot_root_new, root_new);
+--
+2.50.1
+
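Review bot: Neither new `if (!arg_settings_trusted)` guard in the SETTING_EPHEMERAL and SETTING_BIND_USER blocks says why these two settings need a trusted settings file, so merge_settings gives a future reader no hint that they are deliberate trust boundaries rather than stray defensive checks. I would add above the SETTING_EPHEMERAL block a comment along the lines of `/* Settings that affect the host rather than only the container must not be taken from a .nspawn file that is not trusted. */`, with the wording adjusted to the rationale in the upstream commit. The warn-and-skip shape used here is presumably what merge_settings already uses for its other trust-gated settings; since the function starts and ends outside this hunk, it is worth checking that no remaining host-affecting setting is still applied unconditionally. Both warnings include the settings file path via `%s`, so a journal message of the form `Ignoring ... setting, file ... is not trusted.` is a usable detection signal for an image that attempted to set one of these.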
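Review bot: The two new `path_is_normalized()` rejections in pivot_root_parse return a bare `-EINVAL` like the absolute-path checks next to them, so nothing in the function records why a canonical form is required, and a caller (outside this hunk) can only report a generic invalid-argument error. A short comment above the first new check, `/* Accept only canonical absolute paths: no "." or ".." components and no repeated slashes. */`, would keep the intent visible to the next person who touches these checks; as I read path_is_normalized() that is what it enforces, but confirm against path-util before wording it that way. `root_new` and `root_old` are declared before this hunk; if they are not `_cleanup_free_` (the usual pattern in this file), the added early `return -EINVAL` leaks them on the error path, which is worth a glance. pivot_root_parse begins and ends outside the hunk.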
diff --git a/meta/recipes-core/systemd/systemd_255.21.bb b/meta/recipes-core/systemd/systemd_255.21.bb
index fe9d699816..9c5f8af240 100644
--- a/meta/recipes-core/systemd/systemd_255.21.bb
+++ b/meta/recipes-core/systemd/systemd_255.21.bb
@@ -31,6 +31,8 @@ SRC_URI += " \
 file://0008-implment-systemd-sysv-install-for-OE.patch \
 file://CVE-2026-40225-01.patch \
 file://CVE-2026-40225-02.patch \
+ file://CVE-2026-40226-01.patch \
+ file://CVE-2026-40226-02.patch \
 "
 
 # patches needed by musl
