author | Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | 2021-08-07 19:26:29 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-08-18 18:00:19 +0100 |
commit | 55b0822504a810f8517dc3e2b67dcbdba86e30f8 (patch) | |
tree | 63c2f188c73fb081cccd2302c6d698455a175234 /meta/recipes-core/systemd/systemd | |
parent | 8b5ec9d4836bc28c49b3f91f4612ee943eb7dbca (diff) | |
download | poky-55b0822504a810f8517dc3e2b67dcbdba86e30f8.tar.gz |
systemd: Add fix for CVE-2020-13529 and CVE-2021-33910
Added fixes for the CVEs listed below, taken from the following link:
http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_237-3ubuntu10.50.debian.tar.xz
1. CVE-2020-13529
Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
Hunk #1 refreshed to resolve patch-fuzz
2. CVE-2021-33910
Upstream-Status: Backport [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
(From OE-Core rev: dcdd3c14beee89dc49261aeb4d7783cbb3fbeb89)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/systemd/systemd')
-rw-r--r-- | meta/recipes-core/systemd/systemd/CVE-2020-13529.patch | 42 | ||||
-rw-r--r-- | meta/recipes-core/systemd/systemd/CVE-2021-33910.patch | 67 |
2 files changed, 109 insertions, 0 deletions
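diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
new file mode 100644
index 0000000000..6b499efbd8
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
@@ -0,0 +1,42 @@
+From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:22:07 +0900
+Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
+
+This makes DHCP client ignore FORCERENEW requests, as unauthenticated
+FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
+
+Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
+and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
+
+Fixes #16774.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
+CVE: CVE-2020-13529
+
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++
+1 file changed, 8 insertions(+)
+
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1392,9 +1392,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force,
+if (r != DHCP_FORCERENEW)
+return -ENOMSG;
+
++#if 0
+log_dhcp_client(client, "FORCERENEW");
+
+return 0;
++#else
++ /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
++ * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
++ * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
++ log_dhcp_client(client, "Received FORCERENEW, ignoring.");
++ return -ENOMSG;
++#endif
+}
+
+static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {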
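Review bot: The `#else` branch returns `-ENOMSG` for every FORCERENEW, so server-initiated renewal is switched off entirely on images carrying this patch, and the patch header does not tell integrators that. I would add a header line such as `Note: disables FORCERENEW handling completely until RFC3118/RFC6704 authentication is implemented; clients presumably fall back to their normal lease timers.` The header also records only the upstream commit, while the commit message says the file was taken from Ubuntu's systemd_237-3ubuntu10.50 packaging with hunk #1 refreshed; noting that provenance next to `Upstream-Status` would make later audits of the backport easier. client_handle_forcerenew starts outside the hunk, so how the caller treats `-ENOMSG` is not visible here.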
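diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
new file mode 100644
index 0000000000..e92d721d3d
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
@@ -0,0 +1,67 @@
+Backport of:
+
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
+CVE: CVE-2021-33910
+
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+src/basic/unit-name.c | 13 +++++--------
+1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -369,12 +369,13 @@ int unit_name_unescape(const char *f, char **ret) {
+}
+
+int unit_name_path_escape(const char *f, char **ret) {
+- char *p, *s;
++ _cleanup_free_ char *p = NULL;
++ char *s;
+
+assert(f);
+assert(ret);
+
+- p = strdupa(f);
++ p = strdup(f);
+if (!p)
+return -ENOMEM;
+
+@@ -386,13 +387,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+if (!path_is_normalized(p))
+return -EINVAL;
+
+- /* Truncate trailing slashes */
++ /* Truncate trailing slashes and skip leading slashes */
+delete_trailing_chars(p, "/");
+-
+- /* Truncate leading slashes */
+- p = skip_leading_chars(p, "/");
+-
+- s = unit_name_escape(p);
++ s = unit_name_escape(skip_leading_chars(p, "/"));
+}
+if (!s)
+return -ENOMEM;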
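Review bot: Nothing at the `p = strdup(f);` line says why the copy must live on the heap, so a later cleanup could swap `strdupa()` back in and reopen CVE-2021-33910. I would add a comment above it, `/* f can be arbitrarily long (e.g. a mount point read from /proc/self/mountinfo), so never copy it with alloca()/strdupa() */`. The second hunk passes `skip_leading_chars(p, "/")` straight to `unit_name_escape()` instead of reassigning `p`, which matters because `_cleanup_free_` has to free the pointer `strdup()` returned; a short comment saying so would guard against someone restoring the reassignment. The header's `Subject: [PATCH 1/2]` leaves open whether 2/2 of the upstream series is needed for the fix, which is worth stating in the patch header. unit_name_path_escape continues beyond both hunks, so the final assignment to `*ret` is not visible here.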