Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ignition for openSUSE:Factory checked in at 2026-04-01 19:54:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ignition (Old) and /work/SRC/openSUSE:Factory/.ignition.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ignition" Wed Apr 1 19:54:54 2026 rev:58 rq:1343891 version:2.26.0 Changes: -------- --- /work/SRC/openSUSE:Factory/ignition/ignition.changes 2026-03-10 17:47:52.754088954 +0100 +++ /work/SRC/openSUSE:Factory/.ignition.new.21863/ignition.changes 2026-04-01 19:55:19.588833090 +0200 @@ -1,0 +2,6 @@ +Tue Mar 31 11:41:47 UTC 2026 - Ignaz Forster <[email protected]> + +- Add CVE-2026-33186.patch + * Fixes [bsc#1260251] + +------------------------------------------------------------------- New: ---- CVE-2026-33186.patch ----------(New B)---------- New: - Add CVE-2026-33186.patch * Fixes [bsc#1260251] ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ignition.spec ++++++ --- /var/tmp/diff_new_pack.RC5hET/_old 2026-04-01 19:55:24.049017200 +0200 +++ /var/tmp/diff_new_pack.RC5hET/_new 2026-04-01 19:55:24.077018356 +0200 @@ -43,6 +43,7 @@ Patch2: 0002-allow-multiple-mounts-of-same-device.patch Patch3: 0003-Move-the-GPT-header-on-resized-disks.patch Patch4: 0004-Order-ignition-disks.service-before-systemd-fsck-roo.patch +Patch5: CVE-2026-33186.patch BuildRequires: dracut BuildRequires: libblkid-devel BuildRequires: systemd-rpm-macros ++++++ CVE-2026-33186.patch ++++++ >From 99ae605359309ee0b62db444832ad13601debfd3 Mon Sep 17 00:00:00 2001 From: Easwar Swaminathan <[email protected]> Date: Wed, 11 Mar 2026 23:34:57 +0000 Subject: [PATCH 1/3] grpc: enforce strict path checking for incoming requests on the server --- internal/envconfig/envconfig.go | 16 +++ server.go | 57 +++++++--- 2 files changed, 234 insertions(+), 16 deletions(-) diff --git a/internal/envconfig/envconfig.go b/internal/envconfig/envconfig.go index e8dc791299ea..7ad6fb44ca85 100644 --- a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go +++ b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go 
@@ -77,6 +77,22 @@ var (
 // This feature is defined in gRFC A81 and is enabled by setting the
 // environment variable GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE to "true".
 XDSAuthorityRewrite = boolFromEnv("GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE", false)
+
+ // DisableStrictPathChecking indicates whether strict path checking is
+ // disabled. This feature can be disabled by setting the environment
+ // variable GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING to "true".
+ //
+ // When strict path checking is enabled, gRPC will reject requests with
+ // paths that do not conform to the gRPC over HTTP/2 specification found at
+ // https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md.
+ //
+ // When disabled, gRPC will allow paths that do not contain a leading slash.
+ // Enabling strict path checking is recommended for security reasons, as it
+ // prevents potential path traversal vulnerabilities.
+ //
+ // A future release will remove this environment variable, enabling strict
+ // path checking behavior unconditionally.
+ DisableStrictPathChecking = boolFromEnv("GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING", false)
 )
 
 func boolFromEnv(envVar string, def bool) bool {
diff --git a/server.go b/server.go
index 1b5cefe81715..8efb29a7b95c 100644
--- a/vendor/google.golang.org/grpc/server.go
+++ b/vendor/google.golang.org/grpc/server.go
@@ -42,6 +42,7 @@ import (
 "google.golang.org/grpc/internal"
 "google.golang.org/grpc/internal/binarylog"
 "google.golang.org/grpc/internal/channelz"
+ "google.golang.org/grpc/internal/envconfig"
 "google.golang.org/grpc/internal/grpcsync"
 "google.golang.org/grpc/internal/grpcutil"
 istats "google.golang.org/grpc/internal/stats"
@@ -143,6 +144,8 @@ type Server struct {
 
 serverWorkerChannel chan func()
 serverWorkerChannelClose func()
+
+ strictPathCheckingLogEmitted atomic.Bool
 }
 
 type serverOptions struct {
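Review bot: The new doc comment on `DisableStrictPathChecking` does not say when the variable is read; because it is initialised in the package-level `var (` block through `boolFromEnv`, the environment is consulted once at package initialisation and later changes have no effect, which matters for operators who expect to toggle it on a running server. Suggest adding `// The environment variable is read once at package initialization; changing it at runtime has no effect.` The sentence `This feature can be disabled by setting ...` is also ambiguous about whether "this feature" is the check or the override; `Strict path checking can be disabled by setting ...` reads unambiguously. Separately, the patch preamble's summary (`234 insertions(+), 16 deletions(-)`) does not match the per-file diffstat (`16` and `57`), which suggests the vendored patch was trimmed from the upstream commit; this is presumably intentional but worth confirming against upstream.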
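Review bot: The new `strictPathCheckingLogEmitted` field added to `Server` carries no comment explaining its purpose. Suggest `// strictPathCheckingLogEmitted records that the malformed-method-name warning has been logged, so handleStream emits it at most once per Server.` Its type requires `sync/atomic` in server.go's import block, but the import hunk in this patch adds only `internal/envconfig`, so the change relies on `sync/atomic` already being imported there; that import is not visible in this chunk. The remainder of the `Server` struct lies outside the hunk.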
@@ -1741,6 +1764,24 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv
 return ss.s.WriteStatus(statusOK)
 }
 
+func (s *Server) handleMalformedMethodName(stream *transport.ServerStream, ti *traceInfo) {
+ if ti != nil {
+ ti.tr.LazyLog(&fmtStringer{"Malformed method name %q", []any{stream.Method()}}, true)
+ ti.tr.SetError()
+ }
+ errDesc := fmt.Sprintf("malformed method name: %q", stream.Method())
+ if err := stream.WriteStatus(status.New(codes.Unimplemented, errDesc)); err != nil {
+ if ti != nil {
+ ti.tr.LazyLog(&fmtStringer{"%v", []any{err}}, true)
+ ti.tr.SetError()
+ }
+ channelz.Warningf(logger, s.channelz, "grpc: Server.handleStream failed to write status: %v", err)
+ }
+ if ti != nil {
+ ti.tr.Finish()
+ }
+}
+
 func (s *Server) handleStream(t transport.ServerTransport, stream *transport.ServerStream) {
 ctx := stream.Context()
 ctx = contextWithServer(ctx, s)
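Review bot: The new method `handleMalformedMethodName` has no doc comment, even though it now carries the rejection path shared by three call sites in `handleStream`. Suggest `// handleMalformedMethodName rejects a stream whose method name is not a well-formed gRPC path: it records the failure on the trace (if any), writes an Unimplemented status to the client, and finishes the trace.` The status description and the trace entry both quote `stream.Method()` with `%q`, which keeps the client-supplied bytes escaped in the returned message and in logs — worth keeping that way. The `handleStream` function whose first lines appear as trailing context continues outside the hunk.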
@@ -1782,26 +1803,30 @@ func (s *Server) handleStream(t transport.ServerTransport, stream *transport.Ser
 }
 
 sm := stream.Method()
-if sm != "" && sm[0] == '/' {
+if sm == "" {
+ s.handleMalformedMethodName(stream, ti)
+ return
+}
+if sm[0] != '/' {
+ // TODO(easwars): Add a link to the CVE in the below log messages once
+ // published.
+ if envconfig.DisableStrictPathChecking {
+ if old := s.strictPathCheckingLogEmitted.Swap(true); !old {
+ channelz.Warningf(logger, s.channelz, "grpc: Server.handleStream received malformed method name %q. Allowing it because the environment variable GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING is set to true, but this option will be removed in a future release.", sm)
+ }
+ } else {
+ if old := s.strictPathCheckingLogEmitted.Swap(true); !old {
+ channelz.Warningf(logger, s.channelz, "grpc: Server.handleStream rejected malformed method name %q. To temporarily allow such requests, set the environment variable GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING to true. Note that this is not recommended as it may allow requests to bypass security policies.", sm)
+ }
+ s.handleMalformedMethodName(stream, ti)
+ return
+ }
+} else {
 sm = sm[1:]
 }
 pos := strings.LastIndex(sm, "/")
 if pos == -1 {
- if ti != nil {
- ti.tr.LazyLog(&fmtStringer{"Malformed method name %q", []any{sm}}, true)
- ti.tr.SetError()
- }
- errDesc := fmt.Sprintf("malformed method name: %q", stream.Method())
- if err := stream.WriteStatus(status.New(codes.Unimplemented, errDesc)); err != nil {
- if ti != nil {
- ti.tr.LazyLog(&fmtStringer{"%v", []any{err}}, true)
- ti.tr.SetError()
- }
- channelz.Warningf(logger, s.channelz, "grpc: Server.handleStream failed to write status: %v", err)
- }
- if ti != nil {
- ti.tr.Finish()
- }
+ s.handleMalformedMethodName(stream, ti)
 return
 }
 service := sm[:pos]
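Review bot: The `// TODO(easwars): Add a link to the CVE in the below log messages once published.` comment in the `sm[0] != '/'` branch is left unresolved, yet this patch ships in the package as CVE-2026-33186.patch, so the identifier is known; suggest replacing the TODO with `// Method names without a leading slash are rejected by default; see CVE-2026-33186.` Note that "strict" here means only the leading slash: after `sm = sm[1:]` the code still requires just one further `/` via `strings.LastIndex`, so an empty service or method component still reaches the lookup that follows `service := sm[:pos]` outside the hunk, where it presumably fails as an unknown service — acceptable, but worth a one-line comment so nobody assumes full path validation happens here. The two `channelz.Warningf` calls share the single `strictPathCheckingLogEmitted` flag, which is fine because `envconfig.DisableStrictPathChecking` is fixed at package init, so only one of the two branches can run in a given process. `handleStream` both starts and ends outside this hunk.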
