Skip to content

[AutoPR- Security] Patch dnf5 for CVE-2024-2746, CVE-2024-1929 [HIGH] #71

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

[AutoPR- Security] Patch dnf5 for CVE-2024-2746, CVE-2024-1929 [HIGH] #71

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
70 changes: 70 additions & 0 deletions SPECS/dnf5/CVE-2024-1929.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
From bdc6e9895af1bf9759d56314f2018d7fb1ca0abf Mon Sep 17 00:00:00 2001
From: AllSpark <[email protected]>
Date: Mon, 18 Aug 2025 07:25:14 +0000
Subject: [PATCH] dnfdaemon: Explicitly specify allowed config overrides

Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
Upstream-reference: AI Backport of https://github.com/rpm-software-management/dnf5/commit/6e51bf2f0d585ab661806076c1e428c6482ddf86.patch
---
dnf5daemon-server/session.cpp | 38 ++++++++++++++++++++++++++++++++++-
1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/dnf5daemon-server/session.cpp b/dnf5daemon-server/session.cpp
index 8e86723..fd50514 100644
--- a/dnf5daemon-server/session.cpp
+++ b/dnf5daemon-server/session.cpp
@@ -34,6 +34,37 @@ along with libdnf. If not, see <https://www.gnu.org/licenses/>.
#include <chrono>
#include <iostream>
#include <string>
+#include <unordered_set>
+
+static const std::unordered_set<std::string> ALLOWED_MAIN_CONF_OVERRIDES = {
+ "allow_downgrade",
+ "allow_vendor_change",
+ "best",
+ "clean_requirements_on_remove",
+ "disable_excludes",
+ "exclude_from_weak",
+ "exclude_from_weak_autodetect",
+ "excludepkgs",
+ "ignorearch",
+ "includepkgs",
+ "installonly_limit",
+ "installonlypkgs",
+ "install_weak_deps",
+ "keepcache",
+ "module_obsoletes",
+ "module_platform_id",
+ "module_stream_switch",
+ "multilib_policy",
+ "obsoletes",
+ "optional_metadata_types",
+ "protect_running_kernel",
+ "reposdir",
+ "skip_broken",
+ "skip_if_unavailable",
+ "skip_unavailable",
+ "strict",
+};
+


Session::Session(
@@ -63,7 +94,12 @@ Session::Session(
auto value = opt.second;
auto bind = opt_binds.find(key);
if (bind != opt_binds.end()) {
- bind->second.new_string(libdnf::Option::Priority::RUNTIME, value);
+ if (ALLOWED_MAIN_CONF_OVERRIDES.find(key) != ALLOWED_MAIN_CONF_OVERRIDES.end()) {
+ bind->second.new_string(libdnf::Option::Priority::RUNTIME, value);
+ } else {
+ base->get_logger()->warning("Config option {} not allowed.", key);
+ continue;
+ }
} else {
base->get_logger()->warning("Unknown config option: {}", key);
}
--
2.45.4

30 changes: 30 additions & 0 deletions SPECS/dnf5/CVE-2024-2746.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
From 94b4f01fc13c453c6207752ad4ba33ede1b581de Mon Sep 17 00:00:00 2001
From: AllSpark <[email protected]>
Date: Mon, 18 Aug 2025 07:24:45 +0000
Subject: [PATCH] dnf5daemon: Remove reposdir from allowed config overrides by
rejecting reposdir in session overrides

Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
Upstream-reference: AI Backport of https://github.com/rpm-software-management/dnf5/commit/07c5770482605ca78aaed41f7224d141c5980de4.patch
---
dnf5daemon-server/session.cpp | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/dnf5daemon-server/session.cpp b/dnf5daemon-server/session.cpp
index fd50514..fc4f57e 100644
--- a/dnf5daemon-server/session.cpp
+++ b/dnf5daemon-server/session.cpp
@@ -92,6 +92,10 @@ Session::Session(
for (auto & opt : conf_overrides) {
auto key = opt.first;
auto value = opt.second;
+ if (key == "reposdir") {
+ base->get_logger()->warning("Config override not allowed: {}", key);
+ continue;
+ }
auto bind = opt_binds.find(key);
if (bind != opt_binds.end()) {
if (ALLOWED_MAIN_CONF_OVERRIDES.find(key) != ALLOWED_MAIN_CONF_OVERRIDES.end()) {
--
2.45.4

7 changes: 6 additions & 1 deletion SPECS/dnf5/dnf5.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,12 +37,14 @@
Summary: Command-line package manager
Name: dnf5
Version: %{project_version_major}.%{project_version_minor}.%{project_version_patch}
Release: 2%{?dist}
Release: 3%{?dist}
License: GPL-2.0-or-later
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://github.com/rpm-software-management/dnf5
Source0: %{url}/archive/%{version}/dnf5-%{version}.tar.gz
Patch0: CVE-2024-1929.patch
Patch1: CVE-2024-2746.patch
# ========== build requires ==========
BuildRequires: bash-completion
BuildRequires: cmake
Expand Down Expand Up @@ -590,6 +592,9 @@ done


%changelog
* Mon Aug 18 2025 Azure Linux Security Servicing Account <[email protected]> - 5.0.14-3
- Patch for CVE-2024-2746, CVE-2024-1929

* Wed Sep 20 2023 Jon Slobodzian <[email protected]> - 5.0.14-2
- Recompile with stack-protection fixed gcc version (CVE-2023-4039)

Expand Down
Loading