Patch dnf5 for CVE-2024-2746, CVE-2024-1929

azurelinux-security · azurelinux-security · commit 9de751f6366f · 2025-08-18T07:27:23.000Z
diff --git a/SPECS/dnf5/CVE-2024-1929.patch b/SPECS/dnf5/CVE-2024-1929.patch
@@ -0,0 +1,70 @@
+From bdc6e9895af1bf9759d56314f2018d7fb1ca0abf Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 18 Aug 2025 07:25:14 +0000
+Subject: [PATCH] dnfdaemon: Explicitly specify allowed config overrides
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/rpm-software-management/dnf5/commit/6e51bf2f0d585ab661806076c1e428c6482ddf86.patch
+---
+ dnf5daemon-server/session.cpp | 38 ++++++++++++++++++++++++++++++++++-
+ 1 file changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/dnf5daemon-server/session.cpp b/dnf5daemon-server/session.cpp
+index 8e86723..fd50514 100644
+--- a/dnf5daemon-server/session.cpp
++++ b/dnf5daemon-server/session.cpp
+@@ -34,6 +34,37 @@ along with libdnf.  If not, see <https://www.gnu.org/licenses/>.
+ #include <chrono>
+ #include <iostream>
+ #include <string>
++#include <unordered_set>
++
++static const std::unordered_set<std::string> ALLOWED_MAIN_CONF_OVERRIDES = {
++    "allow_downgrade",
++    "allow_vendor_change",
++    "best",
++    "clean_requirements_on_remove",
++    "disable_excludes",
++    "exclude_from_weak",
++    "exclude_from_weak_autodetect",
++    "excludepkgs",
++    "ignorearch",
++    "includepkgs",
++    "installonly_limit",
++    "installonlypkgs",
++    "install_weak_deps",
++    "keepcache",
++    "module_obsoletes",
++    "module_platform_id",
++    "module_stream_switch",
++    "multilib_policy",
++    "obsoletes",
++    "optional_metadata_types",
++    "protect_running_kernel",
++    "reposdir",
++    "skip_broken",
++    "skip_if_unavailable",
++    "skip_unavailable",
++    "strict",
++};
++
+ 
+ 
+ Session::Session(
+@@ -63,7 +94,12 @@ Session::Session(
+         auto value = opt.second;
+         auto bind = opt_binds.find(key);
+         if (bind != opt_binds.end()) {
+-            bind->second.new_string(libdnf::Option::Priority::RUNTIME, value);
++            if (ALLOWED_MAIN_CONF_OVERRIDES.find(key) != ALLOWED_MAIN_CONF_OVERRIDES.end()) {
++                bind->second.new_string(libdnf::Option::Priority::RUNTIME, value);
++            } else {
++                base->get_logger()->warning("Config option {} not allowed.", key);
++                continue;
++            }
+         } else {
+             base->get_logger()->warning("Unknown config option: {}", key);
+         }
+-- 
+2.45.4
+
diff --git a/SPECS/dnf5/CVE-2024-2746.patch b/SPECS/dnf5/CVE-2024-2746.patch
@@ -0,0 +1,30 @@
+From 94b4f01fc13c453c6207752ad4ba33ede1b581de Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 18 Aug 2025 07:24:45 +0000
+Subject: [PATCH] dnf5daemon: Remove reposdir from allowed config overrides by
+ rejecting reposdir in session overrides
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/rpm-software-management/dnf5/commit/07c5770482605ca78aaed41f7224d141c5980de4.patch
+---
+ dnf5daemon-server/session.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/dnf5daemon-server/session.cpp b/dnf5daemon-server/session.cpp
+index fd50514..fc4f57e 100644
+--- a/dnf5daemon-server/session.cpp
++++ b/dnf5daemon-server/session.cpp
+@@ -92,6 +92,10 @@ Session::Session(
+     for (auto & opt : conf_overrides) {
+         auto key = opt.first;
+         auto value = opt.second;
++        if (key == "reposdir") {
++            base->get_logger()->warning("Config override not allowed: {}", key);
++            continue;
++        }
+         auto bind = opt_binds.find(key);
+         if (bind != opt_binds.end()) {
+             if (ALLOWED_MAIN_CONF_OVERRIDES.find(key) != ALLOWED_MAIN_CONF_OVERRIDES.end()) {
+-- 
+2.45.4
+
diff --git a/SPECS/dnf5/dnf5.spec b/SPECS/dnf5/dnf5.spec
@@ -37,12 +37,14 @@
 Summary:        Command-line package manager
 Name:           dnf5
 Version:        %{project_version_major}.%{project_version_minor}.%{project_version_patch}
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPL-2.0-or-later
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://github.com/rpm-software-management/dnf5
 Source0:        %{url}/archive/%{version}/dnf5-%{version}.tar.gz
+Patch0:         CVE-2024-1929.patch
+Patch1:         CVE-2024-2746.patch
 # ========== build requires ==========
 BuildRequires:  bash-completion
 BuildRequires:  cmake
@@ -590,6 +592,9 @@ done
 
 
 %changelog
+* Mon Aug 18 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 5.0.14-3
+- Patch for CVE-2024-2746, CVE-2024-1929
+
 * Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 5.0.14-2
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 
