diff options
| author | Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | 2021-08-07 19:26:29 +0530 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-08-18 18:00:19 +0100 |
| commit | 55b0822504a810f8517dc3e2b67dcbdba86e30f8 (patch) | |
| tree | 63c2f188c73fb081cccd2302c6d698455a175234 /meta/recipes-core/systemd | |
| parent | 8b5ec9d4836bc28c49b3f91f4612ee943eb7dbca (diff) | |
| download | poky-55b0822504a810f8517dc3e2b67dcbdba86e30f8.tar.gz | |
systemd: Add fix for CVE-2020-13529 and CVE-2021-33910
Added fix for below CVEs from below Link
http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_237-3ubuntu10.50.debian.tar.xz
1. CVE-2020-13529
Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
Hunk #1 refreshed to resolve patch-fuzz
2. CVE-2021-33910
Upstream-Status: Backport [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
(From OE-Core rev: dcdd3c14beee89dc49261aeb4d7783cbb3fbeb89)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/systemd')
| -rw-r--r-- | meta/recipes-core/systemd/systemd/CVE-2020-13529.patch | 42 | ||||
| -rw-r--r-- | meta/recipes-core/systemd/systemd/CVE-2021-33910.patch | 67 | ||||
| -rw-r--r-- | meta/recipes-core/systemd/systemd_244.5.bb | 2 |
3 files changed, 111 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch new file mode 100644 index 0000000000..6b499efbd8 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch | |||
| @@ -0,0 +1,42 @@ | |||
| 1 | From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Yu Watanabe <watanabe.yu+github@gmail.com> | ||
| 3 | Date: Thu, 24 Jun 2021 01:22:07 +0900 | ||
| 4 | Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command | ||
| 5 | |||
| 6 | This makes DHCP client ignore FORCERENEW requests, as unauthenticated | ||
| 7 | FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). | ||
| 8 | |||
| 9 | Let's re-enable this after RFC3118 (Authentication for DHCP Messages) | ||
| 10 | and/or RFC6704 (Forcerenew Nonce Authentication) are implemented. | ||
| 11 | |||
| 12 | Fixes #16774. | ||
| 13 | |||
| 14 | Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5] | ||
| 15 | CVE: CVE-2020-13529 | ||
| 16 | |||
| 17 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
| 18 | |||
| 19 | --- | ||
| 20 | src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++ | ||
| 21 | 1 file changed, 8 insertions(+) | ||
| 22 | |||
| 23 | --- a/src/libsystemd-network/sd-dhcp-client.c | ||
| 24 | +++ b/src/libsystemd-network/sd-dhcp-client.c | ||
| 25 | @@ -1392,9 +1392,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force, | ||
| 26 | if (r != DHCP_FORCERENEW) | ||
| 27 | return -ENOMSG; | ||
| 28 | |||
| 29 | +#if 0 | ||
| 30 | log_dhcp_client(client, "FORCERENEW"); | ||
| 31 | |||
| 32 | return 0; | ||
| 33 | +#else | ||
| 34 | + /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP | ||
| 35 | + * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW | ||
| 36 | + * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */ | ||
| 37 | + log_dhcp_client(client, "Received FORCERENEW, ignoring."); | ||
| 38 | + return -ENOMSG; | ||
| 39 | +#endif | ||
| 40 | } | ||
| 41 | |||
| 42 | static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) { | ||
diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch new file mode 100644 index 0000000000..e92d721d3d --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch | |||
| @@ -0,0 +1,67 @@ | |||
| 1 | Backport of: | ||
| 2 | |||
| 3 | From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001 | ||
| 4 | From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> | ||
| 5 | Date: Wed, 23 Jun 2021 11:46:41 +0200 | ||
| 6 | Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path | ||
| 7 | |||
| 8 | The path may have unbounded length, for example through a fuse mount. | ||
| 9 | |||
| 10 | CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and | ||
| 11 | ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo | ||
| 12 | and each mountpoint is passed to mount_setup_unit(), which calls | ||
| 13 | unit_name_path_escape() underneath. A local attacker who is able to mount a | ||
| 14 | filesystem with a very long path can crash systemd and the whole system. | ||
| 15 | |||
| 16 | https://bugzilla.redhat.com/show_bug.cgi?id=1970887 | ||
| 17 | |||
| 18 | The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we | ||
| 19 | can't easily check the length after simplification before doing the | ||
| 20 | simplification, which in turns uses a copy of the string we can write to. | ||
| 21 | So we can't reject paths that are too long before doing the duplication. | ||
| 22 | Hence the most obvious solution is to switch back to strdup(), as before | ||
| 23 | 7410616cd9dbbec97cf98d75324da5cda2b2f7a2. | ||
| 24 | |||
| 25 | Upstream-Status: Backport [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9] | ||
| 26 | CVE: CVE-2021-33910 | ||
| 27 | |||
| 28 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
| 29 | |||
| 30 | --- | ||
| 31 | src/basic/unit-name.c | 13 +++++-------- | ||
| 32 | 1 file changed, 5 insertions(+), 8 deletions(-) | ||
| 33 | |||
| 34 | --- a/src/basic/unit-name.c | ||
| 35 | +++ b/src/basic/unit-name.c | ||
| 36 | @@ -369,12 +369,13 @@ int unit_name_unescape(const char *f, char **ret) { | ||
| 37 | } | ||
| 38 | |||
| 39 | int unit_name_path_escape(const char *f, char **ret) { | ||
| 40 | - char *p, *s; | ||
| 41 | + _cleanup_free_ char *p = NULL; | ||
| 42 | + char *s; | ||
| 43 | |||
| 44 | assert(f); | ||
| 45 | assert(ret); | ||
| 46 | |||
| 47 | - p = strdupa(f); | ||
| 48 | + p = strdup(f); | ||
| 49 | if (!p) | ||
| 50 | return -ENOMEM; | ||
| 51 | |||
| 52 | @@ -386,13 +387,9 @@ int unit_name_path_escape(const char *f, char **ret) { | ||
| 53 | if (!path_is_normalized(p)) | ||
| 54 | return -EINVAL; | ||
| 55 | |||
| 56 | - /* Truncate trailing slashes */ | ||
| 57 | + /* Truncate trailing slashes and skip leading slashes */ | ||
| 58 | delete_trailing_chars(p, "/"); | ||
| 59 | - | ||
| 60 | - /* Truncate leading slashes */ | ||
| 61 | - p = skip_leading_chars(p, "/"); | ||
| 62 | - | ||
| 63 | - s = unit_name_escape(p); | ||
| 64 | + s = unit_name_escape(skip_leading_chars(p, "/")); | ||
| 65 | } | ||
| 66 | if (!s) | ||
| 67 | return -ENOMEM; | ||
diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb index 8c95648ca0..7a7eddcd45 100644 --- a/meta/recipes-core/systemd/systemd_244.5.bb +++ b/meta/recipes-core/systemd/systemd_244.5.bb | |||
| @@ -20,6 +20,8 @@ SRC_URI += "file://touchscreen.rules \ | |||
| 20 | file://99-default.preset \ | 20 | file://99-default.preset \ |
| 21 | file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \ | 21 | file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \ |
| 22 | file://0003-implment-systemd-sysv-install-for-OE.patch \ | 22 | file://0003-implment-systemd-sysv-install-for-OE.patch \ |
| 23 | file://CVE-2021-33910.patch \ | ||
| 24 | file://CVE-2020-13529.patch \ | ||
| 23 | " | 25 | " |
| 24 | 26 | ||
| 25 | # patches needed by musl | 27 | # patches needed by musl |