Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package dracut for openSUSE:Factory checked in at 2026-06-22 18:04:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dracut (Old) and /work/SRC/openSUSE:Factory/.dracut.new.1956 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dracut" Mon Jun 22 18:04:58 2026 rev:261 rq:1360541 version:110+suse.35.g9834432 Changes: -------- --- /work/SRC/openSUSE:Factory/dracut/dracut.changes 2026-06-04 18:56:30.522306972 +0200 +++ /work/SRC/openSUSE:Factory/.dracut.new.1956/dracut.changes 2026-06-22 18:05:03.552444897 +0200 @@ -1,0 +2,8 @@ +Fri Jun 19 07:51:03 UTC 2026 - [email protected] + +- Update to version 110+suse.35.g9834432: + * fix(fips): handle zipl (bsc#1262515) + * fix(network-legacy): sanitize DHCP values in dhclient-script.sh (bsc#1268322, CVE-2026-6893) + * fix(network-legacy): add input validation to RFC 3442 route parser + +------------------------------------------------------------------- Old: ---- dracut-110+suse.32.g36b00ba7.tar.xz New: ---- dracut-110+suse.35.g9834432.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dracut.spec ++++++ --- /var/tmp/diff_new_pack.8mseN4/_old 2026-06-22 18:05:05.360507981 +0200 +++ /var/tmp/diff_new_pack.8mseN4/_new 2026-06-22 18:05:05.364508121 +0200 @@ -26,7 +26,7 @@ %endif Name: dracut -Version: 110+suse.32.g36b00ba7 +Version: 110+suse.35.g9834432 Release: 0 Summary: Event driven initramfs infrastructure License: GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-or-later ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.8mseN4/_old 2026-06-22 18:05:05.440510772 +0200 +++ /var/tmp/diff_new_pack.8mseN4/_new 2026-06-22 18:05:05.448511051 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/opensuse/dracut-ng.git</param> - <param name="changesrevision">36b00ba7230af6815c492fcb2f52493a9cdb4306</param></service></servicedata> + <param name="changesrevision">9834432df50f8427267047919393c73d127dfbe5</param></service></servicedata> (No newline at EOF) ++++++ dracut-110+suse.32.g36b00ba7.tar.xz -> dracut-110+suse.35.g9834432.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-110+suse.32.g36b00ba7/modules.d/11fips/fips-lib.sh new/dracut-110+suse.35.g9834432/modules.d/11fips/fips-lib.sh --- old/dracut-110+suse.32.g36b00ba7/modules.d/11fips/fips-lib.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/dracut-110+suse.35.g9834432/modules.d/11fips/fips-lib.sh 2026-06-19 09:48:05.000000000 +0200 @@ -0,0 +1,25 @@ +#!/bin/sh + +get_vmname() { + local _vmname + + case "$(uname -m)" in + s390|s390x) + _vmname=image + ;; + ppc*) + _vmname=vmlinux + ;; + aarch64) + _vmname=Image + ;; + armv*) + _vmname=zImage + ;; + *) + _vmname=vmlinuz + ;; + esac + + echo "$_vmname" +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-110+suse.32.g36b00ba7/modules.d/11fips/fips.sh new/dracut-110+suse.35.g9834432/modules.d/11fips/fips.sh --- old/dracut-110+suse.32.g36b00ba7/modules.d/11fips/fips.sh 2026-06-03 09:28:33.000000000 +0200 +++ new/dracut-110+suse.35.g9834432/modules.d/11fips/fips.sh 2026-06-19 09:48:05.000000000 +0200 @@ -1,6 +1,7 @@ -#!/bin/sh +#!/bin/bash command -v getarg > /dev/null || . /lib/dracut-lib.sh +command -v get_vmname > /dev/null || . /lib/fips-lib.sh # find fipscheck, prefer kernel-based version fipscheck() { 
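Review bot: The shebang of fips.sh moves from `#!/bin/sh` to `#!/bin/bash`, yet nothing in this hunk needs bash, and the fips-lib.sh it now sources is itself declared `#!/bin/sh`. If the change is meant to permit bashisms elsewhere in the file, a comment on that line saying so would help; otherwise keeping `#!/bin/sh` keeps the script runnable on initramfs images whose /bin/sh is not bash, which dracut can build (I have not checked how this package configures that). The guard `command -v get_vmname > /dev/null || . /lib/fips-lib.sh` mirrors the existing dracut-lib.sh line and is fine as written.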
@@ -97,6 +98,47 @@ fi } +mount_zipl() { + boot=$(getarg rd.zipl=) + + if [ -d /boot/zipl ] && ismounted /boot/zipl; then + fips_info "Nothing to do, /boot/zipl is already mounted..." + return 0 + fi + if [ -z "$boot" ]; then + die "You have to specify rd.zipl=<boot device> as a boot option for fips=1" + fi + case "$boot" in + LABEL=* | UUID=* | PARTUUID=* | PARTLABEL=*) + boot="$(label_uuid_to_dev "$boot")" + ;; + /dev/*) ;; + + *) + die "You have to specify rd.zipl=<boot device> as a boot option for fips=1" + ;; + esac + if ! [ -e "$boot" ]; then + udevadm trigger --action=add > /dev/null 2>&1 + + i=0 + while ! [ -e "$boot" ]; do + udevadm settle --exit-if-exists="$boot" + [ -e "$boot" ] && break + sleep 0.5 + i=$((i + 1)) + [ $i -gt 40 ] && break + done + fi + + [ -e "$boot" ] || die "$boot: no such device" + + mkdir -p /boot/zipl || die "Couldn't create mount point for /boot/zipl" + fips_info "Mounting $boot as /boot/zipl" + mount -oro "$boot" /boot/zipl || die "Couldn't mount $boot" + FIPS_MOUNTED_ZIPL=1 +} + do_rhevh_check() { KERNEL=$(uname -r) kpath=${1} @@ -154,30 +196,6 @@ done } -get_vmname() { - local _vmname - - case "$(uname -m)" in - s390|s390x) - _vmname=image - ;; - ppc*) - _vmname=vmlinux - ;; - aarch64) - _vmname=Image - ;; - armv*) - _vmname=zImage - ;; - *) - _vmname=vmlinuz - ;; - esac - - echo "$_vmname" -} - fips_load_crypto() { local _k local _v @@ -199,7 +217,7 @@ # If we find some hardware specific modules and cannot load them # it is not a problem, proceed. if [ "$_found" = "0" ]; then - # shellcheck disable=SC2055 + # shellcheck disable=SC2055 disable=SC2166 if [ "$_module" != "${_module%intel}" \ -o "$_module" != "${_module%ssse3}" \ -o "$_module" != "${_module%x86_64}" \ @@ -231,6 +249,9 @@ do_fips() { KERNEL=$(uname -r) + #FIXME: "lib64" might be wrong, but (for now) it's vital only for s390x => good enough + # (and a symlink from "lib" exists) + FIPSCHECKDIR=/usr/lib64/fipscheck if ! getarg rd.fips.skipkernel > /dev/null; then 
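Review bot: `boot` and `i` in mount_zipl are assigned without `local`, unlike `_k`/`_v` in fips_load_crypto later in the same file, so the device path leaks into the rest of fips.sh as a global named `boot`. Declaring `local boot i` at the top of the function keeps it consistent with the rest of the file. The retry loop gives up silently after 40 iterations, and the following `[ -e "$boot" ] || die "$boot: no such device"` reports only the path; stating the wait in the message, e.g. `die "$boot: no such device after waiting ~20s"`, makes the failure easier to read in the boot log. The read-only mount (`mount -oro`) is the right choice for a partition that is only used as a source of integrity references.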
@@ -264,6 +285,7 @@ fi # Trim off any leading GRUB boot device (e.g. ($root) ) + # shellcheck disable=SC2001 BOOT_IMAGE="$(echo "${BOOT_IMAGE}" | sed 's/^(.*)//')" BOOT_IMAGE_NAME="${BOOT_IMAGE##*/}" @@ -274,6 +296,11 @@ if [ -z "$BOOT_IMAGE_NAME" ]; then BOOT_IMAGE_NAME="${_vmname}-${KERNEL}" + if getargbool 0 initgrub; then + # only needed for zipl booted first stage + mount_zipl + BOOT_IMAGE_PATH=zipl/ + fi elif ! [ -e "/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE}" ]; then #if /boot is not a separate partition BOOT_IMAGE might start with /boot BOOT_IMAGE_PATH=${BOOT_IMAGE_PATH#"/boot"} @@ -285,10 +312,15 @@ fi fi - BOOT_IMAGE_HMAC="/boot/${BOOT_IMAGE_PATH}/.${BOOT_IMAGE_NAME}.hmac" + BOOT_IMAGE_HMAC="/boot/${BOOT_IMAGE_PATH}.${BOOT_IMAGE_NAME}.hmac" if ! [ -e "${BOOT_IMAGE_HMAC}" ]; then - warn "${BOOT_IMAGE_HMAC} does not exist" - return 1 + FCDBIH="${FIPSCHECKDIR}/${_vmname}-${KERNEL}.hmac" + if [ -r "${FCDBIH}" ]; then + BOOT_IMAGE_HMAC="${FCDBIH}" + else + warn "${BOOT_IMAGE_HMAC} does not exist" + return 1 + fi fi BOOT_IMAGE_KERNEL="/boot/${BOOT_IMAGE_PATH}${BOOT_IMAGE_NAME}" @@ -297,6 +329,12 @@ return 1 fi + # kernel-based fipscheck doesn't respect it's man-page... + ln -s "${BOOT_IMAGE_KERNEL}" "/${_vmname}-${KERNEL}" + ln -sf "${BOOT_IMAGE_HMAC}" "/.${_vmname}-${KERNEL}.hmac" + # so base the checks on sym-links in / + BOOT_IMAGE_KERNEL="/${_vmname}-${KERNEL}" + if [ -n "$(fipscheck)" ]; then $(fipscheck) "${BOOT_IMAGE_KERNEL}" || return 1 else 
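Review bot: When `${BOOT_IMAGE_HMAC}` is missing, the check now switches to the copy shipped inside the initramfs (`${FIPSCHECKDIR}/${_vmname}-${KERNEL}.hmac`) without logging which reference value was used. A `fips_info "Using ${FCDBIH} for ${BOOT_IMAGE_NAME}"` next to the `BOOT_IMAGE_HMAC="${FCDBIH}"` assignment would make the source of the HMAC visible in the boot log, which matters when diagnosing a failed or unexpectedly passing integrity check. This hunk also depends on `FIPSCHECKDIR` being set at the top of do_fips, so the two hunks have to move together; do_fips starts and ends outside this hunk.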
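Review bot: `ln -s "${BOOT_IMAGE_KERNEL}" "/${_vmname}-${KERNEL}"` has neither `-f` nor an error check, while the HMAC link on the next line uses `-sf`; if `/${_vmname}-${KERNEL}` already exists, `ln` fails quietly and `BOOT_IMAGE_KERNEL` is then pointed at whatever that path already resolves to, so the fipscheck that follows verifies something other than the selected boot image. Make both links unconditional and fatal on failure: `ln -sf "${BOOT_IMAGE_KERNEL}" "/${_vmname}-${KERNEL}" || return 1` and `ln -sf "${BOOT_IMAGE_HMAC}" "/.${_vmname}-${KERNEL}.hmac" || return 1`. The comment `kernel-based fipscheck doesn't respect it's man-page...` should read `its man-page` and would be clearer if it stated what the tool actually expects, presumably the `.<name>.hmac` file beside the image in the same directory. do_fips starts and ends outside this hunk.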
@@ -316,6 +354,10 @@ else fips_info "Not unmounting /boot" fi + if [ "$FIPS_MOUNTED_ZIPL" = 1 ]; then + fips_info "Unmounting /boot/zipl" + umount /boot/zipl > /dev/null 2>&1 + fi return 0 } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-110+suse.32.g36b00ba7/modules.d/11fips/module-setup.sh new/dracut-110+suse.35.g9834432/modules.d/11fips/module-setup.sh --- old/dracut-110+suse.32.g36b00ba7/modules.d/11fips/module-setup.sh 2026-06-03 09:28:33.000000000 +0200 +++ new/dracut-110+suse.35.g9834432/modules.d/11fips/module-setup.sh 2026-06-19 09:48:05.000000000 +0200 @@ -7,7 +7,7 @@ # called by dracut installkernel() { - local _fipsmodules _mod _bootfstype + local _fipsmodules _mod _bootfstype _vmname _fipscheckdir if [[ -f "${srcmods}/modules.fips" ]]; then read -d '' -r _fipsmodules < "${srcmods}/modules.fips" else @@ -54,6 +54,18 @@ dwarning "Can't determine fs type for /boot, FIPS check may fail." fi fi + + # shellcheck source=fips-lib.sh + . "$moddir/fips-lib.sh" + _vmname=$(get_vmname) + if [[ -e "${srcmods}/.${_vmname}.hmac" ]]; then + _fipscheckdir="${initdir}/usr/lib64/fipscheck" + mkdir -p "${_fipscheckdir}" + cp -p "${srcmods}/.${_vmname}.hmac" "${_fipscheckdir}/${_vmname}-${kernel}.hmac" + ln_r /usr/lib64/fipscheck /usr/lib/fipscheck + else + dwarning "${srcmods}/.${_vmname}.hmac not found" + fi } # called by dracut 
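Review bot: `mkdir -p "${_fipscheckdir}"`, the `cp -p` of the HMAC and `ln_r /usr/lib64/fipscheck /usr/lib/fipscheck` are all unchecked in installkernel, so a failed copy yields an initramfs without the fallback HMAC while the only diagnostic, the `dwarning` in the else branch, does not fire in that case. Chaining the copy with a warning, e.g. `cp -p "${srcmods}/.${_vmname}.hmac" "${_fipscheckdir}/${_vmname}-${kernel}.hmac" || dwarning "Can't install fallback HMAC for ${_vmname}-${kernel}"`, keeps the build log honest. The file is keyed by `${kernel}` at build time whereas fips.sh looks it up by `$(uname -r)`; that only lines up when the initramfs is booted with the kernel it was built for, which is the normal case but deserves a comment at the `cp -p` line. installkernel's body starts outside this hunk.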
@@ -62,8 +74,9 @@ inst_hook pre-pivot 01 "$moddir/fips-noboot.sh" inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh" inst_script "$moddir/fips.sh" /sbin/fips.sh + inst_simple "$moddir/fips-lib.sh" "/lib/fips-lib.sh" - inst_multiple rmmod insmod mount uname umount grep sed cut find sort cat tail tr + inst_multiple rmmod insmod mount uname umount grep sed ln cut find sort cat tail tr inst_multiple -o sha512hmac \ fipscheck \ /usr/libexec/libkcapi/fipscheck \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-110+suse.32.g36b00ba7/modules.d/35network-legacy/dhclient-script.sh new/dracut-110+suse.35.g9834432/modules.d/35network-legacy/dhclient-script.sh --- old/dracut-110+suse.32.g36b00ba7/modules.d/35network-legacy/dhclient-script.sh 2026-06-03 09:28:33.000000000 +0200 +++ new/dracut-110+suse.35.g9834432/modules.d/35network-legacy/dhclient-script.sh 2026-06-19 09:48:05.000000000 +0200 @@ -14,11 +14,11 @@ mask=$new_subnet_mask bcast=$new_broadcast_address gw=${new_routers%%,*} - domain=$new_domain_name # get rid of control chars + domain=$(printf -- "%s" "$new_domain_name" | tr -d '[:cntrl:]') search=$(printf -- "%s" "$new_domain_search" | tr -d '[:cntrl:]') namesrv=$new_domain_name_servers - hostname=$new_host_name + hostname=$(printf '%s' "$new_host_name" | tr -d -c 'a-zA-Z0-9.-') [ -n "$new_dhcp_lease_time" ] && lease_time=$new_dhcp_lease_time [ -n "$new_max_life" ] && lease_time=$new_max_life preferred_lft=$lease_time 
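Review bot: `domain` is only stripped of control characters, while `hostname` on the line below is reduced to `a-zA-Z0-9.-`; both values end up in the same generated command (the `echo "echo '...' > /proc/sys/kernel/hostname"` line changed in the `@@ -72,15 +84,15 @@` hunk and again for setup_interface6 in the next hunk), where `${domain:+.$domain}` sits inside the single quotes the commit adds, so a quote character in the domain value is not neutralised unless dhclient already filters it. Applying the same whitelist to the domain, `domain=$(printf '%s' "$new_domain_name" | tr -d -c 'a-zA-Z0-9.-')`, closes that gap in both setup_interface and setup_interface6; hostname-style domain names fit that character set, so nothing valid is lost. setup_interface starts outside this hunk.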
@@ -46,20 +46,32 @@ ${preferred_lft:+preferred_lft ${preferred_lft}} if [ -n "$gw" ]; then - if [ "$mask" = "255.255.255.255" ]; then - # point-to-point connection => set explicit route to gateway - echo ip route add "$gw" dev "$netif" > /tmp/net."$netif".gw - fi - - echo "$gw" | { - IFS=' ' read -r main_gw other_gw - echo ip route replace default via "$main_gw" dev "$netif" >> /tmp/net."$netif".gw - if [ -n "$other_gw" ]; then - for g in $other_gw; do - echo ip route add default via "$g" dev "$netif" >> /tmp/net."$netif".gw - done + gw_check=0 + for g in $gw; do + case "$g" in + *[!0-9.]*) + gw_check=1 + break + ;; + esac + done + + if [ $gw_check -eq 0 ]; then + if [ "$mask" = "255.255.255.255" ]; then + # point-to-point connection => set explicit route to gateway + echo ip route add "$gw" dev "$netif" > /tmp/net."$netif".gw fi - } + + echo "$gw" | { + IFS=' ' read -r main_gw other_gw + echo ip route replace default via "$main_gw" dev "$netif" >> /tmp/net."$netif".gw + if [ -n "$other_gw" ]; then + for g in $other_gw; do + echo ip route add default via "$g" dev "$netif" >> /tmp/net."$netif".gw + done + fi + } + fi fi if getargbool 1 rd.peerdns; then 
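Review bot: When any gateway word fails the `*[!0-9.]*` check the whole block is skipped and no route file is written, but nothing is logged, so a host that receives an unexpected `new_routers` value simply ends up without a default route and nothing in the journal explains why. A `warn "ignoring malformed router option: $gw"` in an `else` branch of `if [ $gw_check -eq 0 ]` (warn is the dracut-lib helper already used in fips.sh in this package) would surface the rejected value. The pattern admits only digits and dots, so the text written to /tmp/net."$netif".gw cannot carry shell metacharacters; it does not guarantee a well-formed IPv4 address, which is presumably left for `ip route` to reject when the file is executed. setup_interface continues outside this hunk.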
@@ -72,15 +84,15 @@ fi # Note: hostname can be fqdn OR short hostname, so chop off any # trailing domain name and explicitly add any domain if set. - [ -n "$hostname" ] && echo "echo ${hostname%."$domain"}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net."$netif".hostname + [ -n "$hostname" ] && echo "echo '${hostname%."$domain"}${domain:+.$domain}' > /proc/sys/kernel/hostname" > /tmp/net."$netif".hostname } setup_interface6() { - domain=$new_domain_name # get rid of control chars + domain=$(printf -- "%s" "$new_domain_name" | tr -d '[:cntrl:]') search=$(printf -- "%s" "$new_dhcp6_domain_search" | tr -d '[:cntrl:]') namesrv=$new_dhcp6_name_servers - hostname=$new_host_name + hostname=$(printf '%s' "$new_host_name" | tr -d -c 'a-zA-Z0-9.-') [ -n "$new_dhcp_lease_time" ] && lease_time=$new_dhcp_lease_time [ -n "$new_max_life" ] && lease_time=$new_max_life preferred_lft=$lease_time 
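Review bot: The `hostname=$(printf '%s' "$new_host_name" | tr -d -c 'a-zA-Z0-9.-')` line is now duplicated verbatim between setup_interface and setup_interface6; a one-line helper, `sanitize_hostname() { printf '%s' "$1" | tr -d -c 'a-zA-Z0-9.-'; }`, called from both keeps the two filters from drifting apart when one is later adjusted. The single quotes added around `${hostname%."$domain"}${domain:+.$domain}` in the generated command are sound defence in depth, since the hostname part can no longer contain anything the shell interprets. setup_interface6 continues outside this hunk.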
@@ -105,54 +117,83 @@ # Note: hostname can be fqdn OR short hostname, so chop off any # trailing domain name and explicitly add any domain if set. - [ -n "$hostname" ] && echo "echo ${hostname%."$domain"}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net."$netif".hostname + [ -n "$hostname" ] && echo "echo '${hostname%."$domain"}${domain:+.$domain}' > /proc/sys/kernel/hostname" > /tmp/net."$netif".hostname } parse_option_121() { - while [ $# -ne 0 ]; do + # RFC 3442 classless static routes format: + # Each route is: <mask_width> <dest_octets...> <gateway_4_octets> + # mask_width determines how many destination octets follow (0-4) + # + # Validate all arguments are numeric upfront to prevent + # shell injection via crafted octets in destination/gateway. + for _octet in "$@"; do + case "$_octet" in + '' | *[!0-9]*) return 0 ;; + esac + done + + while [ $# -ge 5 ]; do mask="$1" + + # Validate mask is a number between 0-32 + if [ "$mask" -lt 0 ] 2> /dev/null || [ "$mask" -gt 32 ] 2> /dev/null; then + return 0 + fi shift - # Is the destination a multicast group? 
- if [ "$1" -ge 224 ] && [ "$1" -lt 240 ]; then - multicast=1 + # Calculate how many destination address bytes we need based on mask + if [ "$mask" -gt 24 ]; then + need_dest=4 + elif [ "$mask" -gt 16 ]; then + need_dest=3 + elif [ "$mask" -gt 8 ]; then + need_dest=2 + elif [ "$mask" -gt 0 ]; then + need_dest=1 else - multicast=0 + need_dest=0 fi - # Parse the arguments into a CIDR net/mask string + # We need: destination bytes + 4 gateway bytes + need_total=$((need_dest + 4)) + if [ $# -lt $need_total ]; then + return 0 + fi + + # Check if destination is multicast (224.0.0.0 - 239.255.255.255) + multicast=0 + if [ $need_dest -ge 1 ]; then + if [ "$1" -ge 224 ] 2> /dev/null && [ "$1" -lt 240 ] 2> /dev/null; then + multicast=1 + fi + fi + + # Build destination address based on mask width if [ "$mask" -gt 24 ]; then destination="$1.$2.$3.$4/$mask" - shift - shift - shift - shift + shift 4 elif [ "$mask" -gt 16 ]; then destination="$1.$2.$3.0/$mask" - shift - shift - shift + shift 3 elif [ "$mask" -gt 8 ]; then destination="$1.$2.0.0/$mask" - shift - shift + shift 2 elif [ "$mask" -gt 0 ]; then destination="$1.0.0.0/$mask" - shift + shift 1 else destination="0.0.0.0/$mask" fi - # Read the gateway + # Read gateway (always 4 bytes) + if [ $# -lt 4 ]; then + return 0 + fi gateway="$1.$2.$3.$4" - shift - shift - shift - shift + shift 4 - # Multicast routing on Linux - # - If you set a next-hop address for a multicast group, this breaks with Cisco switches - # - If you simply leave it link-local and attach it to an interface, it works fine. + # Build and emit the route command if [ $multicast -eq 1 ] || [ "$gateway" = "0.0.0.0" ]; then temp_result="$destination dev $interface" else
