1 files changed, 182 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch b/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch
new file mode 100644
index 0000000000..f02f62b772
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch
@@ -0,0 +1,182 @@
+From 0a42426d797406b4b01a0d9c13bb759c2629d108 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 7 Oct 2020 11:15:05 +0200
+Subject: [PATCH] pager: make pager secure when under euid is changed or
+ explicitly requested
+The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about
+less now), and we automatically enable secure mode in certain cases, but not
+otherwise.
+This approach is more nuanced, but should provide a better experience for
+users:
+- Previusly we would set LESSSECURE=1 and trust the pager to make use of
+  it. But this has an effect only on less. We need to not start pagers which
+  are insecure when in secure mode. In particular more is like that and is a
+  very popular pager.
+- We don't enable secure mode always, which means that those other pagers can
+  reasonably used.
+- We do the right thing by default, but the user has ultimate control by
+  setting SYSTEMD_PAGERSECURE.
+Fixes #5666.
+v2:
+- also check $PKEXEC_UID
+v3:
+- use 'sd_pid_get_owner_uid() != geteuid()' as the condition
+CVE: CVE-2023-26604
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/0a42426d797406b4b01a0d9c13bb759c2629d108]
+Comments: Hunk refreshed
+Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
+---
+ man/less-variables.xml | 30 +++++++++++++++----
+ src/shared/pager.c     | 63 ++++++++++++++++++++++++++-------------
+ 2 files changed, 66 insertions(+), 27 deletions(-)
+diff --git a/man/less-variables.xml b/man/less-variables.xml
+index c52511c..049e9f7 100644
+--- a/man/less-variables.xml
+++ b/man/less-variables.xml
+@@ -65,12 +65,30 @@
+     </varlistentry>
+ 
+     <varlistentry id='lesssecure'>
+-      <term><varname>$SYSTEMD_LESSSECURE</varname></term>
+-
+-      <listitem><para>Takes a boolean argument. Overrides the <varname>$LESSSECURE</varname> environment
+-      variable when invoking the pager, which controls the "secure" mode of less (which disables commands
+-      such as <literal>|</literal> which allow to easily shell out to external command lines). By default
+-      less secure mode is enabled, with this setting it may be disabled.</para></listitem>
+      <term><varname>$SYSTEMD_PAGERSECURE</varname></term>
+
+      <listitem><para>Takes a boolean argument. When true, the "secure" mode of the pager is enabled; if
+      false, disabled. If <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, secure mode is enabled
+      if the effective UID is not the same as the owner of the login session, see <citerefentry
+      project='man-pages'><refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
+      <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+      In secure mode, <option>LESSSECURE=1</option> will be set when invoking the pager, and the pager shall
+      disable commands that open or create new files or start new subprocesses. When
+      <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, pagers which are not known to implement
+      secure mode will not be used. (Currently only
+      <citerefentry><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry> implements
+      secure mode.)</para>
+
+      <para>Note: when commands are invoked with elevated privileges, for example under <citerefentry
+      project='man-pages'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry> or
+      <citerefentry
+      project='die-net'><refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum></citerefentry>, care
+      must be taken to ensure that unintended interactive features are not enabled. "Secure" mode for the
+      pager may be enabled automatically as describe above. Setting <varname>SYSTEMD_PAGERSECURE=0</varname>
+      or not removing it from the inherited environment allows the user to invoke arbitrary commands. Note
+      that if the <varname>$SYSTEMD_PAGER</varname> or <varname>$PAGER</varname> variables are to be
+      honoured, <varname>$SYSTEMD_PAGERSECURE</varname> must be set too. It might be reasonable to completly
+      disable the pager using <option>--no-pager</option> instead.</para></listitem>
+     </varlistentry>
+ 
+     <varlistentry id='colors'>
+diff --git a/src/shared/pager.c b/src/shared/pager.c
+index a3b6576..a72d9ea 100644
+--- a/src/shared/pager.c
+++ b/src/shared/pager.c
+@@ -8,6 +8,8 @@
+ #include <sys/prctl.h>
+ #include <unistd.h>
+ 
+#include "sd-login.h"
+
+ #include "copy.h"
+ #include "env-util.h"
+ #include "fd-util.h"
+@@ -164,25 +166,42 @@ int pager_open(PagerFlags flags) {
+                 }
+ 
+                 /* People might invoke us from sudo, don't needlessly allow less to be a way to shell out
+-                 * privileged stuff. */
+-                r = getenv_bool("SYSTEMD_LESSSECURE");
+-                if (r == 0) { /* Remove env var if off */
+-                        if (unsetenv("LESSSECURE") < 0) {
+-                                log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m");
+-                                _exit(EXIT_FAILURE);
+-                        }
+-                } else {
+-                        /* Set env var otherwise */
+                 * privileged stuff. If the user set $SYSTEMD_PAGERSECURE, trust their configuration of the
+                 * pager. If they didn't, use secure mode when under euid is changed. If $SYSTEMD_PAGERSECURE
+                 * wasn't explicitly set, and we autodetect the need for secure mode, only use the pager we
+                 * know to be good. */
+                int use_secure_mode = getenv_bool("SYSTEMD_PAGERSECURE");
+                bool trust_pager = use_secure_mode >= 0;
+                if (use_secure_mode == -ENXIO) {
+                        uid_t uid;
+
+                        r = sd_pid_get_owner_uid(0, &uid);
+                         if (r < 0)
+-                                log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m");
+                                log_debug_errno(r, "sd_pid_get_owner_uid() failed, enabling pager secure mode: %m");
+ 
+-                        if (setenv("LESSSECURE", "1", 1) < 0) {
+-                                log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m");
+-                                _exit(EXIT_FAILURE);
+-                        }
+                        use_secure_mode = r < 0 || uid != geteuid();
+
+                } else if (use_secure_mode < 0) {
+                        log_warning_errno(use_secure_mode, "Unable to parse $SYSTEMD_PAGERSECURE, assuming true: %m");
+                        use_secure_mode = true;
+                 }
+ 
+-                if (pager_args) {
+                /* We generally always set variables used by less, even if we end up using a different pager.
+                 * They shouldn't hurt in any case, and ideally other pagers would look at them too. */
+                if (use_secure_mode)
+                        r = setenv("LESSSECURE", "1", 1);
+                else
+                        r = unsetenv("LESSSECURE");
+                if (r < 0) {
+                        log_error_errno(errno, "Failed to adjust environment variable LESSSECURE: %m");
+                        _exit(EXIT_FAILURE);
+                }
+
+                if (trust_pager && pager_args) { /* The pager config might be set globally, and we cannot
+                                                  * know if the user adjusted it to be appropriate for the
+                                                  * secure mode. Thus, start the pager specified through
+                                                  * envvars only when $SYSTEMD_PAGERSECURE was explicitly set
+                                                  * as well. */
+                         r = loop_write(exe_name_pipe[1], pager_args[0], strlen(pager_args[0]) + 1, false);
+                         if (r < 0) {
+                                 log_error_errno(r, "Failed to write pager name to socket: %m");
+@@ -194,13 +213,14 @@ int pager_open(PagerFlags flags) {
+                                        "Failed to execute '%s', using fallback pagers: %m", pager_args[0]);
+                 }
+ 
+-                /* Debian's alternatives command for pagers is
+-                 * called 'pager'. Note that we do not call
+-                 * sensible-pagers here, since that is just a
+-                 * shell script that implements a logic that
+-                 * is similar to this one anyway, but is
+-                 * Debian-specific. */
+                /* Debian's alternatives command for pagers is called 'pager'. Note that we do not call
+                 * sensible-pagers here, since that is just a shell script that implements a logic that is
+                 * similar to this one anyway, but is Debian-specific. */
+                 FOREACH_STRING(exe, "pager", "less", "more") {
+                        /* Only less implements secure mode right now. */
+                        if (use_secure_mode && !streq(exe, "less"))
+                                continue;
+
+                         r = loop_write(exe_name_pipe[1], exe, strlen(exe) + 1, false);
+                         if (r  < 0) {
+                                 log_error_errno(r, "Failed to write pager name to socket: %m");
+@@ -211,6 +231,7 @@ int pager_open(PagerFlags flags) {
+                                        "Failed to execute '%s', using next fallback pager: %m", exe);
+                 }
+ 
+                /* Our builtin is also very secure. */
+                 r = loop_write(exe_name_pipe[1], "(built-in)", strlen("(built-in)") + 1, false);
+                 if (r < 0) {
+                         log_error_errno(r, "Failed to write pager name to socket: %m");

diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch b/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch new file mode 100644 index 0000000000..f02f62b772 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch
@@ -0,0 +1,182 @@
	1	From 0a42426d797406b4b01a0d9c13bb759c2629d108 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
	3	Date: Wed, 7 Oct 2020 11:15:05 +0200
	4	Subject: [PATCH] pager: make pager secure when under euid is changed or
	5	explicitly requested
	6
	7	The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about
	8	less now), and we automatically enable secure mode in certain cases, but not
	9	otherwise.
	10
	11	This approach is more nuanced, but should provide a better experience for
	12	users:
	13
	14	- Previusly we would set LESSSECURE=1 and trust the pager to make use of
	15	it. But this has an effect only on less. We need to not start pagers which
	16	are insecure when in secure mode. In particular more is like that and is a
	17	very popular pager.
	18
	19	- We don't enable secure mode always, which means that those other pagers can
	20	reasonably used.
	21
	22	- We do the right thing by default, but the user has ultimate control by
	23	setting SYSTEMD_PAGERSECURE.
	24
	25	Fixes #5666.
	26
	27	v2:
	28	- also check $PKEXEC_UID
	29
	30	v3:
	31	- use 'sd_pid_get_owner_uid() != geteuid()' as the condition
	32
	33	CVE: CVE-2023-26604
	34	Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/0a42426d797406b4b01a0d9c13bb759c2629d108]
	35	Comments: Hunk refreshed
	36	Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
	37	---
	38	man/less-variables.xml \| 30 +++++++++++++++----
	39	src/shared/pager.c \| 63 ++++++++++++++++++++++++++-------------
	40	2 files changed, 66 insertions(+), 27 deletions(-)
	41
	42	diff --git a/man/less-variables.xml b/man/less-variables.xml
	43	index c52511c..049e9f7 100644
	44	--- a/man/less-variables.xml
	45	+++ b/man/less-variables.xml
	46	@@ -65,12 +65,30 @@
	47	</varlistentry>
	48
	49	<varlistentry id='lesssecure'>
	50	- <term><varname>$SYSTEMD_LESSSECURE</varname></term>
	51	-
	52	- <listitem><para>Takes a boolean argument. Overrides the <varname>$LESSSECURE</varname> environment
	53	- variable when invoking the pager, which controls the "secure" mode of less (which disables commands
	54	- such as <literal>\|</literal> which allow to easily shell out to external command lines). By default
	55	- less secure mode is enabled, with this setting it may be disabled.</para></listitem>
	56	+ <term><varname>$SYSTEMD_PAGERSECURE</varname></term>
	57	+
	58	+ <listitem><para>Takes a boolean argument. When true, the "secure" mode of the pager is enabled; if
	59	+ false, disabled. If <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, secure mode is enabled
	60	+ if the effective UID is not the same as the owner of the login session, see <citerefentry
	61	+ project='man-pages'><refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
	62	+ <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
	63	+ In secure mode, <option>LESSSECURE=1</option> will be set when invoking the pager, and the pager shall
	64	+ disable commands that open or create new files or start new subprocesses. When
	65	+ <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, pagers which are not known to implement
	66	+ secure mode will not be used. (Currently only
	67	+ <citerefentry><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry> implements
	68	+ secure mode.)</para>
	69	+
	70	+ <para>Note: when commands are invoked with elevated privileges, for example under <citerefentry
	71	+ project='man-pages'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry> or
	72	+ <citerefentry
	73	+ project='die-net'><refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum></citerefentry>, care
	74	+ must be taken to ensure that unintended interactive features are not enabled. "Secure" mode for the
	75	+ pager may be enabled automatically as describe above. Setting <varname>SYSTEMD_PAGERSECURE=0</varname>
	76	+ or not removing it from the inherited environment allows the user to invoke arbitrary commands. Note
	77	+ that if the <varname>$SYSTEMD_PAGER</varname> or <varname>$PAGER</varname> variables are to be
	78	+ honoured, <varname>$SYSTEMD_PAGERSECURE</varname> must be set too. It might be reasonable to completly
	79	+ disable the pager using <option>--no-pager</option> instead.</para></listitem>
	80	</varlistentry>
	81
	82	<varlistentry id='colors'>
	83	diff --git a/src/shared/pager.c b/src/shared/pager.c
	84	index a3b6576..a72d9ea 100644
	85	--- a/src/shared/pager.c
	86	+++ b/src/shared/pager.c
	87	@@ -8,6 +8,8 @@
	88	#include <sys/prctl.h>
	89	#include <unistd.h>
	90
	91	+#include "sd-login.h"
	92	+
	93	#include "copy.h"
	94	#include "env-util.h"
	95	#include "fd-util.h"
	96	@@ -164,25 +166,42 @@ int pager_open(PagerFlags flags) {
	97	}
	98
	99	/* People might invoke us from sudo, don't needlessly allow less to be a way to shell out
	100	- * privileged stuff. */
	101	- r = getenv_bool("SYSTEMD_LESSSECURE");
	102	- if (r == 0) { /* Remove env var if off */
	103	- if (unsetenv("LESSSECURE") < 0) {
	104	- log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m");
	105	- _exit(EXIT_FAILURE);
	106	- }
	107	- } else {
	108	- /* Set env var otherwise */
	109	+ * privileged stuff. If the user set $SYSTEMD_PAGERSECURE, trust their configuration of the
	110	+ * pager. If they didn't, use secure mode when under euid is changed. If $SYSTEMD_PAGERSECURE
	111	+ * wasn't explicitly set, and we autodetect the need for secure mode, only use the pager we
	112	+ * know to be good. */
	113	+ int use_secure_mode = getenv_bool("SYSTEMD_PAGERSECURE");
	114	+ bool trust_pager = use_secure_mode >= 0;
	115	+ if (use_secure_mode == -ENXIO) {
	116	+ uid_t uid;
	117	+
	118	+ r = sd_pid_get_owner_uid(0, &uid);
	119	if (r < 0)
	120	- log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m");
	121	+ log_debug_errno(r, "sd_pid_get_owner_uid() failed, enabling pager secure mode: %m");
	122
	123	- if (setenv("LESSSECURE", "1", 1) < 0) {
	124	- log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m");
	125	- _exit(EXIT_FAILURE);
	126	- }
	127	+ use_secure_mode = r < 0 \|\| uid != geteuid();
	128	+
	129	+ } else if (use_secure_mode < 0) {
	130	+ log_warning_errno(use_secure_mode, "Unable to parse $SYSTEMD_PAGERSECURE, assuming true: %m");
	131	+ use_secure_mode = true;
	132	}
	133
	134	- if (pager_args) {
	135	+ /* We generally always set variables used by less, even if we end up using a different pager.
	136	+ * They shouldn't hurt in any case, and ideally other pagers would look at them too. */
	137	+ if (use_secure_mode)
	138	+ r = setenv("LESSSECURE", "1", 1);
	139	+ else
	140	+ r = unsetenv("LESSSECURE");
	141	+ if (r < 0) {
	142	+ log_error_errno(errno, "Failed to adjust environment variable LESSSECURE: %m");
	143	+ _exit(EXIT_FAILURE);
	144	+ }
	145	+
	146	+ if (trust_pager && pager_args) { /* The pager config might be set globally, and we cannot
	147	+ * know if the user adjusted it to be appropriate for the
	148	+ * secure mode. Thus, start the pager specified through
	149	+ * envvars only when $SYSTEMD_PAGERSECURE was explicitly set
	150	+ * as well. */
	151	r = loop_write(exe_name_pipe[1], pager_args[0], strlen(pager_args[0]) + 1, false);
	152	if (r < 0) {
	153	log_error_errno(r, "Failed to write pager name to socket: %m");
	154	@@ -194,13 +213,14 @@ int pager_open(PagerFlags flags) {
	155	"Failed to execute '%s', using fallback pagers: %m", pager_args[0]);
	156	}
	157
	158	- /* Debian's alternatives command for pagers is
	159	- * called 'pager'. Note that we do not call
	160	- * sensible-pagers here, since that is just a
	161	- * shell script that implements a logic that
	162	- * is similar to this one anyway, but is
	163	- * Debian-specific. */
	164	+ /* Debian's alternatives command for pagers is called 'pager'. Note that we do not call
	165	+ * sensible-pagers here, since that is just a shell script that implements a logic that is
	166	+ * similar to this one anyway, but is Debian-specific. */
	167	FOREACH_STRING(exe, "pager", "less", "more") {
	168	+ /* Only less implements secure mode right now. */
	169	+ if (use_secure_mode && !streq(exe, "less"))
	170	+ continue;
	171	+
	172	r = loop_write(exe_name_pipe[1], exe, strlen(exe) + 1, false);
	173	if (r < 0) {
	174	log_error_errno(r, "Failed to write pager name to socket: %m");
	175	@@ -211,6 +231,7 @@ int pager_open(PagerFlags flags) {
	176	"Failed to execute '%s', using next fallback pager: %m", exe);
	177	}
	178
	179	+ /* Our builtin is also very secure. */
	180	r = loop_write(exe_name_pipe[1], "(built-in)", strlen("(built-in)") + 1, false);
	181	if (r < 0) {
	182	log_error_errno(r, "Failed to write pager name to socket: %m");