[PATCH] nspawn: normalize pivot_root paths
author Luca Boccassi <luca.boccassi@gmail.com>
Wed, 11 Mar 2026 13:27:14 +0000 (13:27 +0000)
committer Arnaud Rebillout <arnaudr@debian.org>
Mon, 13 Apr 2026 07:18:40 +0000 (14:18 +0700)
Originally reported on yeswehack.com as:
YWH-PGM9780-116

Follow-up for b53ede699cdc5233041a22591f18863fb3fe2672

(cherry picked from commit 7b85f5498a958e5bb660c703b8f4a71cceed3373)
(cherry picked from commit 6566dc1451089e07090f5a114ae2eb43ed39188d)
(cherry picked from commit 1c55a0a5e26a07df828f72092ad1203e221b60db)

Origin: upstream, https://github.com/systemd/systemd/commit/bfa0a842822c4f79da9d47f8a773fd128d8f8a0a

Gbp-Pq: Name CVE-2026-40226-2.patch

src/nspawn/nspawn-mount.c

index 2ea1bed36112166c5e2f224aa87794084218faac..2e8ed13457cc4e29e8a835d4a06fb615329ad067 100644 (file)
@@ -1217,7 +1217,9 @@ int pivot_root_parse(char **pivot_root_new, char **pivot_root_old, const char *s
 
         if (!path_is_absolute(root_new))
                 return -EINVAL;
-        if (root_old && !path_is_absolute(root_old))
+        if (!path_is_normalized(root_new))
+                return -EINVAL;
+        if (root_old && (!path_is_absolute(root_old) || !path_is_normalized(root_old)))
                 return -EINVAL;
 
         free_and_replace(*pivot_root_new, root_new);
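Review bot: The new path_is_normalized() checks on root_new and root_old carry no comment, and the commit message gives only the report ID, so a reader cannot tell which inputs pivot_root_parse() now refuses or why. A one-line comment above the checks naming the kind of path being rejected would fix that. The two paths are also validated in different shapes: root_new gets a second standalone if, while root_old folds both tests into one condition. Writing the first as "if (!path_is_absolute(root_new) || !path_is_normalized(root_new))" would make the pair symmetric, with the same -EINVAL result. The diff shown touches only src/nspawn/nspawn-mount.c, so a test case feeding a non-normalized value for each of the two paths and expecting -EINVAL would be worth adding alongside it.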