summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwenlin.kang@windriver.com <wenlin.kang@windriver.com>2020-06-29 00:54:41 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-08-04 23:17:38 +0100
commitf77e7daad0711c8217a5bd18841735f0a9b623f5 (patch)
tree1788193ddc7a8f66f0deb351a1a9679951d2fb07
parentac2df959504b7610ba9285510999c2db5c2ffb88 (diff)
downloadpoky-f77e7daad0711c8217a5bd18841735f0a9b623f5.tar.gz
systemd: fix CVE-2020-13776
Backport from systemd.git. (OE-Core master rev: a1b22b2263da6d11a4e0cbfa792d2bd1e56f5346) (From OE-Core rev: e6f233ebcef08f61dc00d2b20f2efcfdae33a694) Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2020-13776.patch96
-rw-r--r--meta/recipes-core/systemd/systemd_243.2.bb1
2 files changed, 97 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch
new file mode 100644
index 0000000000..7b5e3e7f7a
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch
@@ -0,0 +1,96 @@
1From 156a5fd297b61bce31630d7a52c15614bf784843 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
3Date: Sun, 31 May 2020 18:21:09 +0200
4Subject: [PATCH 1/1] basic/user-util: always use base 10 for user/group
5 numbers
6
7We would parse numbers with base prefixes as user identifiers. For example,
8"0x2b3bfa0" would be interpreted as UID==45334432 and "01750" would be
9interpreted as UID==1000. This parsing was used also in cases where either a
10user/group name or number may be specified. This means that names like
110x2b3bfa0 would be ambiguous: they are a valid user name according to our
12documented relaxed rules, but they would also be parsed as numeric uids.
13
14This behaviour is definitely not expected by users, since tools generally only
15accept decimal numbers (e.g. id, getent passwd), while other tools only accept
16user names and thus will interpret such strings as user names without even
17attempting to convert them to numbers (su, ssh). So let's follow suit and only
18accept numbers in decimal notation. Effectively this means that we will reject
19such strings as a username/uid/groupname/gid where strict mode is used, and try
20to look up a user/group with such a name in relaxed mode.
21
22Since the function changed is fairly low-level and fairly widely used, this
23affects multiple tools: loginctl show-user/enable-linger/disable-linger foo',
24the third argument in sysusers.d, fourth and fifth arguments in tmpfiles.d,
25etc.
26
27Fixes #15985.
28---
29 src/basic/user-util.c | 2 +-
30 src/test/test-user-util.c | 10 ++++++++++
31 2 files changed, 11 insertions(+), 1 deletion(-)
32
33--- end of commit 156a5fd297b61bce31630d7a52c15614bf784843 ---
34
35
36Add definition of safe_atou32_full() from commit b934ac3d6e7dcad114776ef30ee9098693e7ab7e
37
38CVE: CVE-2020-13776
39
40Upstream-Status: Backport [https://github.com/systemd/systemd.git]
41
42Signed-off-by: Joe Slater <joe.slater@windriver.com>
43
44
45
46--- git.orig/src/basic/user-util.c
47+++ git/src/basic/user-util.c
48@@ -49,7 +49,7 @@ int parse_uid(const char *s, uid_t *ret)
49 assert(s);
50
51 assert_cc(sizeof(uid_t) == sizeof(uint32_t));
52- r = safe_atou32(s, &uid);
53+ r = safe_atou32_full(s, 10, &uid);
54 if (r < 0)
55 return r;
56
57--- git.orig/src/test/test-user-util.c
58+++ git/src/test/test-user-util.c
59@@ -48,9 +48,19 @@ static void test_parse_uid(void) {
60
61 r = parse_uid("65535", &uid);
62 assert_se(r == -ENXIO);
63+ assert_se(uid == 100);
64+
65+ r = parse_uid("0x1234", &uid);
66+ assert_se(r == -EINVAL);
67+ assert_se(uid == 100);
68+
69+ r = parse_uid("01234", &uid);
70+ assert_se(r == 0);
71+ assert_se(uid == 1234);
72
73 r = parse_uid("asdsdas", &uid);
74 assert_se(r == -EINVAL);
75+ assert_se(uid == 1234);
76 }
77
78 static void test_uid_ptr(void) {
79--- git.orig/src/basic/parse-util.h
80+++ git/src/basic/parse-util.h
81@@ -45,9 +45,13 @@ static inline int safe_atoux16(const cha
82
83 int safe_atoi16(const char *s, int16_t *ret);
84
85-static inline int safe_atou32(const char *s, uint32_t *ret_u) {
86+static inline int safe_atou32_full(const char *s, unsigned base, uint32_t *ret_u) {
87 assert_cc(sizeof(uint32_t) == sizeof(unsigned));
88- return safe_atou(s, (unsigned*) ret_u);
89+ return safe_atou_full(s, base, (unsigned*) ret_u);
90+}
91+
92+static inline int safe_atou32(const char *s, uint32_t *ret_u) {
93+ return safe_atou32_full(s, 0, (unsigned*) ret_u);
94 }
95
96 static inline int safe_atoi32(const char *s, int32_t *ret_i) {
diff --git a/meta/recipes-core/systemd/systemd_243.2.bb b/meta/recipes-core/systemd/systemd_243.2.bb
index 082eb4c384..905348176c 100644
--- a/meta/recipes-core/systemd/systemd_243.2.bb
+++ b/meta/recipes-core/systemd/systemd_243.2.bb
@@ -25,6 +25,7 @@ SRC_URI += "file://touchscreen.rules \
25 file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \ 25 file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \
26 file://99-default.preset \ 26 file://99-default.preset \
27 file://0001-Merge-branch-polkit-ref-count.patch \ 27 file://0001-Merge-branch-polkit-ref-count.patch \
28 file://CVE-2020-13776.patch \
28 " 29 "
29 30
30# patches needed by musl 31# patches needed by musl