[{"id":3682109,"web_url":"http://patchwork.ozlabs.org/comment/3682109/","msgid":"<20260424162643.161128-1-thomas.perale@mind.be>","list_archive_url":null,"date":"2026-04-24T16:26:43","subject":"Re: [Buildroot] [PATCH for 2025.02.x] package/systemd: add patch\n for CVE-2026-40226","submitter":{"id":87308,"url":"http://patchwork.ozlabs.org/api/people/87308/","name":"Thomas Perale","email":"thomas.perale@mind.be"},"content":"In reply of:\n> This backports the fix for the following vulnerability:\n> - CVE-2026-40226:\n>     In nspawn in systemd 233 through 259 before 260, an escape-to-host\n>     action can occur via a crafted optional config file.\n>     https://www.cve.org/CVERecord?id=CVE-2026-40226\n> \n> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>\n\nApplied to 2025.02.x. Thanks\n\n> ---\n>  package/systemd/0001-Fix-CVE-2026-40226.patch | 90 +++++++++++++++++++\n>  1 file changed, 90 insertions(+)\n>  create mode 100644 package/systemd/0001-Fix-CVE-2026-40226.patch\n> \n> diff --git a/package/systemd/0001-Fix-CVE-2026-40226.patch b/package/systemd/0001-Fix-CVE-2026-40226.patch\n> new file mode 100644\n> index 0000000000..250b6aff33\n> --- /dev/null\n> +++ b/package/systemd/0001-Fix-CVE-2026-40226.patch\n> 
@@ -0,0 +1,90 @@\n> +From b3131f63747db53ad76a9aab2d21da1ce9d59b9d Mon Sep 17 00:00:00 2001\n> +From: Titouan Christophe <titouan.christophe@mind.be>\n> +Date: Mon, 20 Apr 2026 12:04:45 +0200\n> +Subject: [PATCH] Fix CVE-2026-40226\n> +\n> +This is the concatenation of the 2 upstream commits:\n> +\n> +===============================================================================\n> +[1/2] nspawn: apply BindUser/Ephemeral from settings file only if trusted\n> +\n> +Originally reported on yeswehack.com as:\n> +YWH-PGM9780-116\n> +\n> +Follow-up for 2f8930449079403b26c9164b8eeac78d5af2c8df\n> +Follow-up for a2f577fca0be79b23f61f033229b64884e7d840a\n> +\n> +Upstream: https://github.com/systemd/systemd/commit/61bceb1bff4b1f9c126b18dc971ca3e6d8c71c40\n> +===============================================================================\n> +[2/2] nspawn: normalize pivot_root paths\n> +\n> +Originally reported on yeswehack.com as:\n> +YWH-PGM9780-116\n> +\n> +Follow-up for b53ede699cdc5233041a22591f18863fb3fe2672\n> +\n> +Upstream: https://github.com/systemd/systemd/commit/7b85f5498a958e5bb660c703b8f4a71cceed3373\n> +===============================================================================\n> +\n> +CVE: CVE-2026-34155\n> +\n> +Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>\n> +---\n> + src/nspawn/nspawn-mount.c |  4 +++-\n> + src/nspawn/nspawn.c       | 18 ++++++++++++++----\n> + 2 files changed, 17 insertions(+), 5 deletions(-)\n> +\n> +diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c\n> +index 874d54e734..cba69cf0a9 100644\n> +--- a/src/nspawn/nspawn-mount.c\n> ++++ b/src/nspawn/nspawn-mount.c\n> +@@ -1311,7 +1311,9 @@ int pivot_root_parse(char **pivot_root_new, char **pivot_root_old, const char *s\n> + \n> +         if (!path_is_absolute(root_new))\n> +                 return -EINVAL;\n> +-        if (root_old && !path_is_absolute(root_old))\n> ++        if (!path_is_normalized(root_new))\n> ++                return -EINVAL;\n> ++   
     if (root_old && (!path_is_absolute(root_old) || !path_is_normalized(root_old)))\n> +                 return -EINVAL;\n> + \n> +         free_and_replace(*pivot_root_new, root_new);\n> +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c\n> +index 459caa7c58..8692c771ba 100644\n> +--- a/src/nspawn/nspawn.c\n> ++++ b/src/nspawn/nspawn.c\n> +@@ -4626,8 +4626,13 @@ static int merge_settings(Settings *settings, const char *path) {\n> +         }\n> + \n> +         if ((arg_settings_mask & SETTING_EPHEMERAL) == 0 &&\n> +-            settings->ephemeral >= 0)\n> +-                arg_ephemeral = settings->ephemeral;\n> ++            settings->ephemeral >= 0) {\n> ++\n> ++                if (!arg_settings_trusted)\n> ++                        log_warning(\"Ignoring ephemeral setting, file %s is not trusted.\", path);\n> ++                else\n> ++                        arg_ephemeral = settings->ephemeral;\n> ++        }\n> + \n> +         if ((arg_settings_mask & SETTING_DIRECTORY) == 0 &&\n> +             settings->root) {\n> +@@ -4795,8 +4800,13 @@ static int merge_settings(Settings *settings, const char *path) {\n> +         }\n> + \n> +         if ((arg_settings_mask & SETTING_BIND_USER) == 0 &&\n> +-            !strv_isempty(settings->bind_user))\n> +-                strv_free_and_replace(arg_bind_user, settings->bind_user);\n> ++            !strv_isempty(settings->bind_user)) {\n> ++\n> ++                if (!arg_settings_trusted)\n> ++                        log_warning(\"Ignoring bind user setting, file %s is not trusted.\", path);\n> ++                else\n> ++                        strv_free_and_replace(arg_bind_user, settings->bind_user);\n> ++        }\n> + \n> +         if ((arg_settings_mask & SETTING_NOTIFY_READY) == 0 &&\n> +             settings->notify_ready >= 0)\n> +-- \n> +2.53.0\n> +\n> -- \n> 2.53.0\n> \n> _______________________________________________\n> buildroot mailing list\n> buildroot@buildroot.org\n> 
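Review bot: In the pivot_root_parse() hunk the new path_is_normalized(root_new) and path_is_normalized(root_old) checks are lifted from the upstream systemd 260 commit, so before trusting this backport on 2025.02.x confirm with a test build that the systemd version pinned on that branch already provides path_is_normalized() in src/basic/path-util.h; the CVE range given in the commit message starts at systemd 233, and an older tree would fail to compile rather than silently skip the check. Also, the two new rejections return a bare -EINVAL exactly like the pre-existing absolute-path test, so a --pivot-root= value with "." or ".." components now fails with the same generic "invalid argument" as a relative path; a log_debug() naming the rejected path next to the return -EINVAL would make the new failure mode easier to diagnose for users who hit it after the upgrade.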
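Review bot: The two merge_settings() hunks (SETTING_EPHEMERAL and SETTING_BIND_USER) only log_warning() and drop the value when arg_settings_trusted is false, so a container whose own .nspawn file sets Ephemeral= or BindUser= now starts as a persistent container with no bind-mounted user instead of refusing to start; that is the intended hardening (the settings file can no longer steer host-side behaviour), but it is a silent downgrade that the commit message does not spell out, and the two strings "Ignoring ephemeral setting, file %s is not trusted." and "Ignoring bind user setting, file %s is not trusted." are the only signal an operator gets. Worth one sentence in the commit message so people upgrading 2025.02.x know to grep the journal for those warnings rather than wondering why BindUser= stopped working.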
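Review bot: The trailer of the embedded systemd patch reads "CVE: CVE-2026-34155" while the subject line, the file name 0001-Fix-CVE-2026-40226.patch and the commit message all say CVE-2026-40226; one of the two identifiers is wrong and the trailer should be corrected so that anyone auditing the tree for either CVE does not get a false negative. Separately, the diffstat shows only the new patch file ("1 file changed, 90 insertions(+)"), so package/systemd/systemd.mk is untouched; the usual Buildroot convention for a backported security fix is to also add "SYSTEMD_IGNORE_CVES += CVE-2026-40226" there so that pkg-stats stops reporting the still-affected version as vulnerable.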
https://lists.buildroot.org/mailman/listinfo/buildroot","headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=N7l3PzRx;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g2JJJ2rj7z1y2d\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Sat, 25 Apr 2026 02:26:56 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 9B09B84D8B;\n\tFri, 24 Apr 2026 16:26:53 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id Mdk99j704kLQ; Fri, 24 Apr 2026 16:26:51 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 8378684E35;\n\tFri, 24 Apr 2026 16:26:51 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n by lists1.osuosl.org (Postfix) with ESMTP id 98A91194\n for <buildroot@buildroot.org>; Fri, 24 Apr 2026 16:26:47 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id 8ABEE429B8\n for <buildroot@buildroot.org>; Fri, 24 Apr 2026 16:26:47 +0000 
(UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id nLfsJpvFAQIS for <buildroot@buildroot.org>;\n Fri, 24 Apr 2026 16:26:46 +0000 (UTC)","from mail-wm1-x331.google.com (mail-wm1-x331.google.com\n [IPv6:2a00:1450:4864:20::331])\n by smtp4.osuosl.org (Postfix) with ESMTPS id 6279E429B7\n for <buildroot@buildroot.org>; Fri, 24 Apr 2026 16:26:46 +0000 (UTC)","by mail-wm1-x331.google.com with SMTP id\n 5b1f17b1804b1-488b0e1b870so131935485e9.2\n for <buildroot@buildroot.org>; Fri, 24 Apr 2026 09:26:46 -0700 (PDT)","from arch ([79.132.248.48]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-488fb74c789sm178191585e9.5.2026.04.24.09.26.43\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 24 Apr 2026 09:26:43 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org 8378684E35","OpenDKIM Filter v2.11.0 smtp4.osuosl.org 6279E429B7"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1777048011;\n\tbh=Ct12m6x3NHAhpk9JkOaZZ5Qaks6EW+5EM/vTOt9peJc=;\n\th=To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From:Reply-To:From;\n\tb=N7l3PzRxGOjgqMdAe+zttIw6mnrBX7deJ7PLXyQpQ3F6sSvBlYr/qMgoaDUzwhqI+\n\t JftI1CQwh+1ztsoyh/PQTYC7I8Z3LSi/Gmw/mfcWpFjtFLFNRyhNKJpFGHevQGgPbd\n\t U5GOvhn/MZEEfcR6ICptBMoMZEP3iV4ZpXht3IBNC5QJU+w1SDF/7zf5JvZQtTxNCT\n\t k4pQgYJ/nXk/Ht146fJyMYDZhqqubPN/fgLrja+ClXIHX2x4h+ZihPrcxHmwvO99nA\n\t VP1dEbjVQfFYbxSURZAgBbRlJYaWzcGyQCLLtJdSnH8cE1H+cTegH6r5iud394p4v1\n\t ZE1FvqZCnB6hA==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::331; helo=mail-wm1-x331.google.com;\n 
envelope-from=thomas.perale@essensium.com; receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org 6279E429B7","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777048004; x=1777652804;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=xuU3CwfHPl0bmes221NcTyaWGjTLg4QoniSJTn6Ta6E=;\n b=matT+hsDyzdImml7f+ylF5QZHjg9PjzmbYgh4Xgq9wygNwzDlfXThI3pSS3hNNz31+\n OZyZ6E9mChLINYURn7nszW3faRMwq8AintcM/3nGCwfV13j7mq4qXMmqITpbLpOzJp8h\n bOOU/rm9/WHRV7rP3r+12NEcBJt3KChRlYtEQdP1/U2KJmHhBaV4ncqlkT9u/R8BiJ0/\n ey6vgmBQuxBV2DWlnqmC1R7+H2jX+lci4WpI9DJvhmLRsAdntOCNZi5Zl1dz91+K5XFa\n 4Abg3xQQQfpFrRdb9O5orYWRiNJNCv0fJsbY3pfZk2E9pHtYYjsHoZcyEiAXlWS6Gg8Q\n 5hJQ==","X-Forwarded-Encrypted":"i=1;\n AFNElJ+JQGHEGeHzdexcQqz9hI/wYwCPbZzUbAjyJzCjdk461iGAX1Sn5WPK3leG2Y7FmngdipxYHFowGxk=@buildroot.org","X-Gm-Message-State":"AOJu0Yyx+OKnFYqUGZ8h0ihtRRCRTdPdCh48CO6Xx/ivigMs9eLfVam6\n 0C/Qve6VQ5cVnKaDh0mHDSn4lmGOlzFJGyzlMJz1EQhvWz1TSbcLUHf/RsMKKNGxgfQ=","X-Gm-Gg":"AeBDievgdKAbG6OOZjWkAkoMeLRyX/bVyxQ6ljp0bSJdpkU6PCC3fkNy/3z/AUX3plS\n vIe7TS3lwPfev9w7nvOssAv6qL0+Lp8l3bvYG7/OhvelvIoDZN7zOVpnxNg94LnF+nw6KuEoV1l\n QKimLI/X5U1amF8oKLVIB6Geqsar6tiPItHnoRNhbIcp3ArGJ64Jk8THAwKRzK6rQaqkYbIoXxM\n kl0vhsIb2f/jKtfRVDnUUK17WKYaXHaWMdJ7Y8NB0kQCOdxXGQSYWCUF8SJTX7tdMsMm2c7jZua\n W450GSQY7tIiX67+lQWwGHtu8WQ9UnBpb0y1kPxme7H14ASl4UaxnCbdqF2aUecL3b+BDD27CMu\n qTSw5WOwOzrVIFT67UlGzTmRt40qjM6G7ODD85zpdtHRGMsi8kg6DqgWlpgXKysQZiJ8eA8H+1Z\n UFndMWvj2+TEpQ6R3krPRGXpmQJn4EOdTWmlBX","X-Received":"by 2002:a05:600c:350e:b0:488:a82f:bb95 with SMTP id\n 5b1f17b1804b1-488fb7861c0mr490221735e9.29.1777048004118;\n Fri, 24 Apr 2026 09:26:44 -0700 (PDT)","To":"Titouan Christophe <titouan.christophe@mind.be>","Cc":"Thomas Perale <thomas.perale@mind.be>,\n\tbuildroot@buildroot.org","Date":"Fri, 24 Apr 2026 18:26:43 
+0200","Message-ID":"<20260424162643.161128-1-thomas.perale@mind.be>","X-Mailer":"git-send-email 2.54.0","In-Reply-To":"<20260420154559.2707314-1-titouan.christophe@mind.be>","References":"<20260420154559.2707314-1-titouan.christophe@mind.be>","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1777048004; x=1777652804; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=xuU3CwfHPl0bmes221NcTyaWGjTLg4QoniSJTn6Ta6E=;\n b=ffvdC/xo1bYG6kvCAeo0i9yHm3wNyyws0mjH7lWnk8KaGOvqFT0fSaLJSk/KXahjui\n 8I1lfruN8kkMGRRNATIXhzNB7uoEou1qQcWH9+27NIuzHsBiBlTwZLgftgqfHb26qFBg\n sMuq+OXIt4f7s0hyyDlmaakGsjcrVJjqrpDV2Z8GZD/nP/gOtAeiVHu79HCwXjaB8EMY\n PutmuSO4HSeQ+l0jZ3tYGim/vz6rzapJopNzhHdCfIMhek/u5yi0ET06CJw9eM+7DGDZ\n fO55/Is7BLjKfW2A3sMWnO75JeETMmzWX5vEQdUOwSp+7IhdbTM25Dj5p8IrsVeu1Y6u\n VANg==","X-Mailman-Original-Authentication-Results":["smtp4.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be","smtp4.osuosl.org;\n dkim=pass (2048-bit key) header.d=mind.be header.i=@mind.be\n header.a=rsa-sha256 header.s=google header.b=ffvdC/xo"],"Subject":"Re: [Buildroot] [PATCH for 2025.02.x] package/systemd: add patch\n for CVE-2026-40226","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","From":"Thomas Perale via 
buildroot <buildroot@buildroot.org>","Reply-To":"Thomas Perale <thomas.perale@mind.be>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"}}]