From d6f0a77dd26df4c1ced80ffa63848279fd4330cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>
Date: Tue, 20 Jan 2026 23:27:25 -0500
Subject: [PATCH] internal/instance: Prevent line breaks in environment
 variables
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

LXC doesn't currently have a syntax to hold a multi-line environment
variable in its configuration. The use of multi-line environment
variables leads to a corrupted configuration file and to a security
issue where additional lines may be added by an unprivileged user to
escalate their privileges.

This fixes CVE-2026-23953.

Reported-by: Rory McNamara <rory.mcnamara@snyk.io>
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
---
 internal/instance/config.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/internal/instance/config.go b/internal/instance/config.go
index a282f99e478..2c6c779205b 100644
--- a/internal/instance/config.go
+++ b/internal/instance/config.go
@@ -1376,7 +1376,13 @@ func ConfigKeyChecker(key string, instanceType api.InstanceType) (func(value str
 	//  liveupdate: yes
 	//  shortdesc: Free-form environment key/value
 	if strings.HasPrefix(key, "environment.") {
-		return validate.IsAny, nil
+		return func(val string) error {
+			if strings.Contains(val, "\n") {
+				return errors.New("Environment variables cannot contain line breaks")
+			}
+
+			return nil
+		}, nil
 	}
 
 	// gendoc:generate(entity=instance, group=miscellaneous, key=user.*)
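Review bot: The closure added for `environment.*` checks only `val`, so the variable name carried in `key` after the prefix is still accepted on the strength of `strings.HasPrefix` alone. If that name ends up on the same LXC configuration line as the value, a line break in it would presumably corrupt the file in the same way. Unless key names are restricted elsewhere (not visible here; `ConfigKeyChecker` starts and ends outside this hunk), reject it before returning the closure, e.g. `if strings.Contains(key, "\n") { return nil, errors.New("Environment variable names cannot contain line breaks") }`. A short why-comment above the closure would also help keep the check from being relaxed later, such as `// LXC has no multi-line syntax for environment values; a line break would add extra configuration lines (CVE-2026-23953).` A regression test should assert that an `environment.*` value containing `"\n"` is rejected.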
