From 8f6655f766eefa3459e47c0caf1a784aad31f14e Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Fri, 3 Jul 2026 09:25:37 +0000
Subject: [PATCH] Patch dhcpcd for CVE-2026-14258
---
 SPECS/dhcpcd/CVE-2026-14258.patch | 79 +++++++++++++++++++++++++++++++
 SPECS/dhcpcd/dhcpcd.spec | 6 ++-
 2 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/dhcpcd/CVE-2026-14258.patch
diff --git a/SPECS/dhcpcd/CVE-2026-14258.patch b/SPECS/dhcpcd/CVE-2026-14258.patch
new file mode 100644
index 00000000000..34e44854e43
--- /dev/null
+++ b/SPECS/dhcpcd/CVE-2026-14258.patch
@@ -0,0 +1,79 @@ +From 7fdeb81886d9be679db3dfe10982e62579356a59 Mon Sep 17 00:00:00 2001 +From: Roy Marples +Date: Sat, 7 Dec 2024 10:25:44 +0000 +Subject: [PATCH] IPv6: Discard NA packets with a zero length option + +As per RFC 4861 4.6. + +Fixes #415. + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/NetworkConfiguration/dhcpcd/commit/75289ca54211481d21b0c915db98dd733b30794f.patch +--- + src/ipv6nd.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/ipv6nd.c b/src/ipv6nd.c +index 75655ab..3aaccf3 100644 +--- a/src/ipv6nd.c ++++ b/src/ipv6nd.c +@@ -1138,6 +1138,12 @@ ipv6nd_handlera(struct dhcpcd_ctx *ctx, + bool new_ia; + #endif + ++#define FREE_RAP(rap) \ ++ if (new_rap) \ ++ ipv6nd_removefreedrop_ra(rap, 0, 0); \ ++ else \ ++ ipv6nd_free_ra(rap); \ ++ + if (ifp == NULL || RS_STATE(ifp) == NULL) { + #ifdef DEBUG_RS + logdebugx("RA for unexpected interface from %s", sfrom); +@@ -1294,8 +1300,10 @@ ipv6nd_handlera(struct dhcpcd_ctx *ctx, + memcpy(&ndo, p, sizeof(ndo)); + olen = (size_t)ndo.nd_opt_len * 8; + if (olen == 0) { ++ /* RFC4681 4.6 says we MUST discard this ND packet. 
*/ + logerrx("%s: zero length option", ifp->name); +- break; ++ FREE_RAP(rap); ++ return; + } + if (olen > len) { + logerrx("%s: option length exceeds message", +@@ -1319,10 +1327,7 @@ ipv6nd_handlera(struct dhcpcd_ctx *ctx, + else + logwarnx("%s: reject RA (option %d) from %s", + ifp->name, ndo.nd_opt_type, rap->sfrom); +- if (new_rap) +- ipv6nd_removefreedrop_ra(rap, 0, 0); +- else +- ipv6nd_free_ra(rap); ++ FREE_RAP(rap); + return; + } + +@@ -1573,10 +1578,7 @@ ipv6nd_handlera(struct dhcpcd_ctx *ctx, + { + logwarnx("%s: reject RA (no option %s) from %s", + ifp->name, dho->var, rap->sfrom); +- if (new_rap) +- ipv6nd_removefreedrop_ra(rap, 0, 0); +- else +- ipv6nd_free_ra(rap); ++ FREE_RAP(rap); + return; + } + } +@@ -1657,6 +1659,7 @@ nodhcp6: + + /* Expire should be called last as the rap object could be destroyed */ + ipv6nd_expirera(ifp); ++#undef FREE_RAP + } + + bool +-- +2.45.4 + diff --git a/SPECS/dhcpcd/dhcpcd.spec b/SPECS/dhcpcd/dhcpcd.spec index afd8955041b..4cd1f61c717 100644 --- a/SPECS/dhcpcd/dhcpcd.spec +++ b/SPECS/dhcpcd/dhcpcd.spec @@ -1,7 +1,7 @@ Summary: A minimalistic network configuration daemon with DHCPv4, rdisc and DHCPv6 support Name: dhcpcd Version: 10.0.8 -Release: 3%{?dist} +Release: 4%{?dist} License: BSD-2-Clause AND ISC AND MIT Url: https://github.com/NetworkConfiguration/%{name} Source0: https://github.com/NetworkConfiguration/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz @@ -12,6 +12,7 @@ Patch0: CVE-2026-56114.patch Patch1: CVE-2026-56116.patch Patch2: CVE-2026-56117.patch Patch3: CVE-2026-56113.patch +Patch4: CVE-2026-14258.patch Group: System Environment/Base Vendor: Microsoft Corporation Distribution: Azure Linux 
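Review bot: The `FREE_RAP` macro added near the top of `ipv6nd_handlera` is a bare `if`/`else` whose last line ends in a continuation backslash, so it terminates only because a blank line follows it, and it would misbind if it were ever used under an unbraced `if`. Wrapping the body as `do { \` … `} while (0)` and dropping the backslash after `ipv6nd_free_ra(rap);` leaves the three call sites unchanged and makes the macro safe to reuse. The new comment in the `olen == 0` branch cites `RFC4681 4.6` while the commit message cites RFC 4861 4.6; it should read `/* RFC 4861 4.6 says we MUST discard this ND packet. */`. The `olen > len` check that follows is cut off by the hunk (`ipv6nd_handlera` itself starts and ends outside the visible hunks), so it is worth confirming whether an option that overruns the message is discarded the same way rather than only logged.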
@@ -79,6 +80,9 @@ install -d %{buildroot}%{_sharedstatedir}/%{_name} %{_sharedstatedir}/%{name} %changelog +* Fri Jul 03 2026 Azure Linux Security Servicing Account - 10.0.8-4 +- Patch for CVE-2026-14258 + * Mon Jun 29 2026 Azure Linux Security Servicing Account - 10.0.8-3 - Patch for CVE-2026-56113