summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2020-13776.patch96
-rw-r--r--meta/recipes-core/systemd/systemd_243.2.bb1
2 files changed, 97 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch
new file mode 100644
index 0000000..7b5e3e7
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch
@@ -0,0 +1,96 @@
1From 156a5fd297b61bce31630d7a52c15614bf784843 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
3Date: Sun, 31 May 2020 18:21:09 +0200
4Subject: [PATCH 1/1] basic/user-util: always use base 10 for user/group
5 numbers
6
7We would parse numbers with base prefixes as user identifiers. For example,
8"0x2b3bfa0" would be interpreted as UID==45334432 and "01750" would be
9interpreted as UID==1000. This parsing was used also in cases where either a
10user/group name or number may be specified. This means that names like
110x2b3bfa0 would be ambiguous: they are a valid user name according to our
12documented relaxed rules, but they would also be parsed as numeric uids.
13
14This behaviour is definitely not expected by users, since tools generally only
15accept decimal numbers (e.g. id, getent passwd), while other tools only accept
16user names and thus will interpret such strings as user names without even
17attempting to convert them to numbers (su, ssh). So let's follow suit and only
18accept numbers in decimal notation. Effectively this means that we will reject
19such strings as a username/uid/groupname/gid where strict mode is used, and try
20to look up a user/group with such a name in relaxed mode.
21
22Since the function changed is fairly low-level and fairly widely used, this
23affects multiple tools: loginctl show-user/enable-linger/disable-linger foo',
24the third argument in sysusers.d, fourth and fifth arguments in tmpfiles.d,
25etc.
26
27Fixes #15985.
28---
29 src/basic/user-util.c | 2 +-
30 src/test/test-user-util.c | 10 ++++++++++
31 2 files changed, 11 insertions(+), 1 deletion(-)
32
33--- end of commit 156a5fd297b61bce31630d7a52c15614bf784843 ---
34
35
36Add definition of safe_atou32_full() from commit b934ac3d6e7dcad114776ef30ee9098693e7ab7e
37
38CVE: CVE-2020-13776
39
40Upstream-Status: Backport [https://github.com/systemd/systemd.git]
41
42Signed-off-by: Joe Slater <joe.slater@windriver.com>
43
44
45
46--- git.orig/src/basic/user-util.c
47+++ git/src/basic/user-util.c
48@@ -49,7 +49,7 @@ int parse_uid(const char *s, uid_t *ret)
49 assert(s);
50
51 assert_cc(sizeof(uid_t) == sizeof(uint32_t));
52- r = safe_atou32(s, &uid);
53+ r = safe_atou32_full(s, 10, &uid);
54 if (r < 0)
55 return r;
56
57--- git.orig/src/test/test-user-util.c
58+++ git/src/test/test-user-util.c
59@@ -48,9 +48,19 @@ static void test_parse_uid(void) {
60
61 r = parse_uid("65535", &uid);
62 assert_se(r == -ENXIO);
63+ assert_se(uid == 100);
64+
65+ r = parse_uid("0x1234", &uid);
66+ assert_se(r == -EINVAL);
67+ assert_se(uid == 100);
68+
69+ r = parse_uid("01234", &uid);
70+ assert_se(r == 0);
71+ assert_se(uid == 1234);
72
73 r = parse_uid("asdsdas", &uid);
74 assert_se(r == -EINVAL);
75+ assert_se(uid == 1234);
76 }
77
78 static void test_uid_ptr(void) {
79--- git.orig/src/basic/parse-util.h
80+++ git/src/basic/parse-util.h
81@@ -45,9 +45,13 @@ static inline int safe_atoux16(const cha
82
83 int safe_atoi16(const char *s, int16_t *ret);
84
85-static inline int safe_atou32(const char *s, uint32_t *ret_u) {
86+static inline int safe_atou32_full(const char *s, unsigned base, uint32_t *ret_u) {
87 assert_cc(sizeof(uint32_t) == sizeof(unsigned));
88- return safe_atou(s, (unsigned*) ret_u);
89+ return safe_atou_full(s, base, (unsigned*) ret_u);
90+}
91+
92+static inline int safe_atou32(const char *s, uint32_t *ret_u) {
93+ return safe_atou32_full(s, 0, (unsigned*) ret_u);
94 }
95
96 static inline int safe_atoi32(const char *s, int32_t *ret_i) {
diff --git a/meta/recipes-core/systemd/systemd_243.2.bb b/meta/recipes-core/systemd/systemd_243.2.bb
index 082eb4c..9053481 100644
--- a/meta/recipes-core/systemd/systemd_243.2.bb
+++ b/meta/recipes-core/systemd/systemd_243.2.bb
@@ -25,6 +25,7 @@ SRC_URI += "file://touchscreen.rules \
25 file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \ 25 file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \
26 file://99-default.preset \ 26 file://99-default.preset \
27 file://0001-Merge-branch-polkit-ref-count.patch \ 27 file://0001-Merge-branch-polkit-ref-count.patch \
28 file://CVE-2020-13776.patch \
28 " 29 "
29 30
30# patches needed by musl 31# patches needed by musl