Backport path_startswith_full()
author Arnaud Rebillout <arnaudr@debian.org>
Mon, 6 Apr 2026 11:17:22 +0000 (18:17 +0700)
committer Arnaud Rebillout <arnaudr@debian.org>
Mon, 13 Apr 2026 07:18:40 +0000 (14:18 +0700)
commit d2f89c9b0843a2ade1242dd369016ec2cfe24d06
tree db3a0e6d19e42fb3e3a466ada353d09cab2f66b2
parent 31645c408e64d16529e974e363f804b2451a64be
Backport path_startswith_full()

This is a prerequisite to fix CVE-2026-29111.

path_startswith_full() was introduced in systemd v249, in commit 63f11e354a3:
"path-util: use path_find_first_component() in path_startswith()".

Looking at the commit, we can see that the existing path_startswith() function
became a special-case of path_startswith_full(), but there's more to it.
path_startswith_full() is also a complete rewrite of the original
path_startswith(), and the commit message mentions that the new implementation
is stricter.

To avoid surprises and potential regressions, this commit opts for a
conservative approach: we don't touch the existing path_startswith() function,
and we add path_startswith_full() as an entirely new function.

Note that it's enough for our purpose: the fix for CVE-2026-29111 makes use of
path_startswith_full().

path_startswith_full() was updated after it was introduced in v249: indeed, it
was extended to address CVE-2026-29111, and the change was backported to v257.
Therefore, this commit takes the function (and associated unit tests) from the
v257 branch.

Forwarded: not-needed

Gbp-Pq: Name CVE-2026-29111-2.patch
src/basic/path-util.c
src/basic/path-util.h
src/test/test-path-util.c