[AutoPR- Security] Patch firewalld for CVE-2026-4948 [MEDIUM] (#16991)

azurelinux-security · web-flow · commit 4c329ef1d348 · 2026-05-08T22:20:35.000+05:30
diff --git a/SPECS/firewalld/CVE-2026-4948.patch b/SPECS/firewalld/CVE-2026-4948.patch
@@ -0,0 +1,38 @@
+From 201acfad89ff7839876e7c88ae93f81ac4db20ca Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Fri, 1 May 2026 17:07:09 +0000
+Subject: [PATCH] fix(policy): use PK_ACTION_CONFIG for
+ set{ZoneSettings2,PolicySettings}\n\nReference:
+ https://access.redhat.com/security/cve/cve-2026-4948
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/firewalld/firewalld/commit/5fb3914ad830feff6cb2b0670457c60a323c6c6c.patch
+---
+ src/firewall/server/firewalld.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
+index be53fba..ceaa432 100644
+--- a/src/firewall/server/firewalld.py
++++ b/src/firewall/server/firewalld.py
+@@ -946,7 +946,7 @@ class FirewallD(DbusServiceObject):
+         log.debug1("getZoneSettings2(%s)", zone)
+         return self.fw.zone.get_config_with_settings_dict(zone)
+ 
+-    @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
++    @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG)
+     @dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='sa{sv}')
+     @dbus_handle_exceptions
+     def setZoneSettings2(self, zone, settings, sender=None):
+@@ -970,7 +970,7 @@ class FirewallD(DbusServiceObject):
+         log.debug1("policy.getPolicySettings(%s)", policy)
+         return self.fw.policy.get_config_with_settings_dict(policy)
+ 
+-    @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
++    @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG)
+     @dbus_service_method(config.dbus.DBUS_INTERFACE_POLICY, in_signature='sa{sv}')
+     @dbus_handle_exceptions
+     def setPolicySettings(self, policy, settings, sender=None):
+-- 
+2.45.4
+
diff --git a/SPECS/firewalld/firewalld.spec b/SPECS/firewalld/firewalld.spec
@@ -3,7 +3,7 @@
 Summary:        A firewall daemon with D-Bus interface providing a dynamic firewall
 Name:           firewalld
 Version:        2.0.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -13,6 +13,7 @@ Source1:        FedoraServer.xml
 Source2:        FedoraWorkstation.xml
 Patch0:         firewalld-only-MDNS-default.patch
 Patch1:         firewalld_fix_testsuite.patch
+Patch2:         CVE-2026-4948.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -309,6 +310,9 @@ fi
 %{_mandir}/man1/firewall-config*.1*
 
 %changelog
+* Fri May 01 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.0.2-4
+- Patch for CVE-2026-4948
+
 * Mon Jun 16 2025 Sumedh Sharma <sumsharma@microsoft.com> - 2.0.2-3
 - disable ipv6_rpfilter in configuration
 - fix testsuite provided by firewalld-test sub-package
