Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch6
-rw-r--r--meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch56
-rw-r--r--meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields.patch139
-rw-r--r--meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch49
-rw-r--r--meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch84
-rw-r--r--meta/recipes-core/systemd/systemd/0027-journal-fix-syslog_parse_identifier.patch77
-rw-r--r--meta/recipes-core/systemd/systemd/0028-journal-do-not-remove-multiple-spaces-after-identifi.patch84
-rw-r--r--meta/recipes-core/systemd/systemd_239.bb6
8 files changed, 195 insertions, 306 deletions
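diff --git a/meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch b/meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch
index c3009545b1..c2f78be39e 100644
--- a/meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch
+++ b/meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch
@@ -1,4 +1,4 @@
-From fe19f5a9d0d8b9977e9507a9b66c3cc66744cd38 Mon Sep 17 00:00:00 2001
+From 9cb07e7d82c7c4f28bbaa1478e1387e8ea3d03dd Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
 Date: Wed, 5 Dec 2018 18:38:39 +0100
 Subject: [PATCH] journald: do not store the iovec entry for process
@@ -16,6 +16,10 @@ journal_file_append_entry() returns -E2BIG.
 
 Patch backported from systemd master at
 084eeb865ca63887098e0945fb4e93c852b91b0f.
+
+CVE: CVE-2018-16864
+Upstream-Status: Backport
+Signed-off-by: Marcus Cooper <marcusc@axis.com>
 ---
  src/basic/io-util.c | 10 ++++++++++
  src/basic/io-util.h | 2 ++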
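diff --git a/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch b/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch
deleted file mode 100644
index 50a01efe8f..0000000000
--- a/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 4566aaf97f5b4143b930d75628f3abc905249dcd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 5 Dec 2018 22:45:02 +0100
-Subject: [PATCH] journald: set a limit on the number of fields (1k)
-
-We allocate a iovec entry for each field, so with many short entries,
-our memory usage and processing time can be large, even with a relatively
-small message size. Let's refuse overly long entries.
-
-CVE-2018-16865
-https://bugzilla.redhat.com/show_bug.cgi?id=1653861
-
-What from I can see, the problem is not from an alloca, despite what the CVE
-description says, but from the attack multiplication that comes from creating
-many very small iovecs: (void* + size_t) for each three bytes of input message.
-
-Patch backported from systemd master at
-052c57f132f04a3cf4148f87561618da1a6908b4.
----
- src/basic/journal-importer.h | 3 +++
- src/journal/journald-native.c | 5 +++++
- 2 files changed, 8 insertions(+)
-
-diff --git a/src/basic/journal-importer.h b/src/basic/journal-importer.h
-index f49ce734a1..c4ae45d32d 100644
---- a/src/basic/journal-importer.h
-+++ b/src/basic/journal-importer.h
-@@ -16,6 +16,9 @@
- #define DATA_SIZE_MAX (1024*1024*768u)
- #define LINE_CHUNK 8*1024u
-
-+/* The maximum number of fields in an entry */
-+#define ENTRY_FIELD_COUNT_MAX 1024
-+
- struct iovec_wrapper {
- struct iovec *iovec;
- size_t size_bytes;
-diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
-index 5ff22a10af..951d092053 100644
---- a/src/journal/journald-native.c
-+++ b/src/journal/journald-native.c
-@@ -140,6 +140,11 @@ static int server_process_entry(
- }
-
- /* A property follows */
-+ if (n > ENTRY_FIELD_COUNT_MAX) {
-+ log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
-+ r = 1;
-+ goto finish;
-+ }
-
- /* n existing properties, 1 new, +1 for _TRANSPORT */
- if (!GREEDY_REALLOC(iovec, m,
---
-2.11.0
-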
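diff --git a/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields.patch b/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields.patch
new file mode 100644
index 0000000000..ae9ef5de56
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields.patch
@@ -0,0 +1,139 @@
+From 7cad044b72406cbadf048da432c29afea74c3c10 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 5 Dec 2018 22:45:02 +0100
+Subject: [PATCH] journald: set a limit on the number of fields
+
+The fix for CVE-2018-16865 is plucked from two commits that have
+been pushed to systemd master.
+
+journald: set a limit on the number of fields (1k)
+
+We allocate a iovec entry for each field, so with many short entries,
+our memory usage and processing time can be large, even with a relatively
+small message size. Let's refuse overly long entries.
+
+CVE-2018-16865
+https://bugzilla.redhat.com/show_bug.cgi?id=1653861
+
+What from I can see, the problem is not from an alloca, despite what the CVE
+description says, but from the attack multiplication that comes from creating
+many very small iovecs: (void* + size_t) for each three bytes of input message.
+
+Patch backported from systemd master at
+052c57f132f04a3cf4148f87561618da1a6908b4.
+
+journal-remote: set a limit on the number of fields in a message
+
+Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is
+reused for the new error condition (too many fields).
+
+This matches the change done for systemd-journald, hence forming the second
+part of the fix for CVE-2018-16865
+(https://bugzilla.redhat.com/show_bug.cgi?id=1653861).
+
+Patch backported from systemd master at
+ef4d6abe7c7fab6cbff975b32e76b09feee56074.
+with the changes applied by 7fdb237f5473cb8fc2129e57e8a0039526dcb4fd
+removed.
+
+CVE: CVE-2018-16865
+Upstream-Status: Backport
+Signed-off-by: Marcus Cooper <marcusc@axis.com>
+---
+ src/basic/journal-importer.c | 5 ++++-
+ src/basic/journal-importer.h | 3 +++
+ src/journal-remote/journal-remote-main.c | 7 ++++++-
+ src/journal-remote/journal-remote.c | 5 ++++-
+ src/journal/journald-native.c | 5 +++++
+ 5 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/src/basic/journal-importer.c b/src/basic/journal-importer.c
+index ca203bbbfc..3ac55a66d9 100644
+--- a/src/basic/journal-importer.c
++++ b/src/basic/journal-importer.c
+@@ -23,6 +23,9 @@ enum {
+ };
+
+ static int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) {
++ if (iovw->count >= ENTRY_FIELD_COUNT_MAX)
++ return -E2BIG;
++
+ if (!GREEDY_REALLOC(iovw->iovec, iovw->size_bytes, iovw->count + 1))
+ return log_oom();
+
+@@ -98,7 +101,7 @@ static int get_line(JournalImporter *imp, char **line, size_t *size) {
+ imp->scanned = imp->filled;
+ if (imp->scanned >= DATA_SIZE_MAX) {
+ log_error("Entry is bigger than %u bytes.", DATA_SIZE_MAX);
+- return -E2BIG;
++ return -ENOBUFS;
+ }
+
+ if (imp->passive_fd)
+diff --git a/src/basic/journal-importer.h b/src/basic/journal-importer.h
+index f49ce734a1..c4ae45d32d 100644
+--- a/src/basic/journal-importer.h
++++ b/src/basic/journal-importer.h
+@@ -16,6 +16,9 @@
+ #define DATA_SIZE_MAX (1024*1024*768u)
+ #define LINE_CHUNK 8*1024u
+
++/* The maximum number of fields in an entry */
++#define ENTRY_FIELD_COUNT_MAX 1024
++
+ struct iovec_wrapper {
+ struct iovec *iovec;
+ size_t size_bytes;
+diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c
+index 8fda9d1499..3a01fef646 100644
+--- a/src/journal-remote/journal-remote-main.c
++++ b/src/journal-remote/journal-remote-main.c
+@@ -212,7 +212,12 @@ static int process_http_upload(
+ break;
+ else if (r < 0) {
+ log_warning("Failed to process data for connection %p", connection);
+- if (r == -E2BIG)
++ if (r == -ENOBUFS)
++ return mhd_respondf(connection,
++ r, MHD_HTTP_PAYLOAD_TOO_LARGE,
++ "Entry is above the maximum of %u, aborting connection %p.",
++ DATA_SIZE_MAX, connection);
++ else if (r == -E2BIG)
+ return mhd_respondf(connection,
+ r, MHD_HTTP_PAYLOAD_TOO_LARGE,
+ "Entry is too large, maximum is " STRINGIFY(DATA_SIZE_MAX) " bytes.");
+diff --git a/src/journal-remote/journal-remote.c b/src/journal-remote/journal-remote.c
+index beb75a1cb4..67e3a70c06 100644
+--- a/src/journal-remote/journal-remote.c
++++ b/src/journal-remote/journal-remote.c
+@@ -408,7 +408,10 @@ int journal_remote_handle_raw_source(
+ log_debug("%zu active sources remaining", s->active);
+ return 0;
+ } else if (r == -E2BIG) {
+- log_notice_errno(E2BIG, "Entry too big, skipped");
++ log_notice("Entry with too many fields, skipped");
++ return 1;
++ } else if (r == -ENOBUFS) {
++ log_notice("Entry too big, skipped");
+ return 1;
+ } else if (r == -EAGAIN) {
+ return 0;
+diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
+index 5ff22a10af..951d092053 100644
+--- a/src/journal/journald-native.c
++++ b/src/journal/journald-native.c
+@@ -140,6 +140,11 @@ static int server_process_entry(
+ }
+
+ /* A property follows */
++ if (n > ENTRY_FIELD_COUNT_MAX) {
++ log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
++ r = 1;
++ goto finish;
++ }
+
+ /* n existing properties, 1 new, +1 for _TRANSPORT */
+ if (!GREEDY_REALLOC(iovec, m,
+--
+2.11.0
+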
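Review bot: In the journal-remote-main.c hunk the `else if (r == -E2BIG)` branch still replies "Entry is too large, maximum is ... DATA_SIZE_MAX ... bytes", but with this patch `iovw_put()` returns -E2BIG for too many fields and the size limit is reported as -ENOBUFS, so a sender that exceeds the field limit is told about a byte limit. That branch should name the field limit instead, e.g. `"Entry with more fields than the maximum of %u.", ENTRY_FIELD_COUNT_MAX`, which is the wording the replaced 0026 patch used in its log message. The new -ENOBUFS branch also passes `connection` through `%p` into `mhd_respondf()`; if that helper places the formatted text in the HTTP response (its definition is not visible here), a process address is handed to the remote peer, so the pointer belongs only in the local `log_warning`. Separately, `server_process_entry()` tests `n > ENTRY_FIELD_COUNT_MAX` while `iovw_put()` tests `count >= ENTRY_FIELD_COUNT_MAX`, so the two input paths differ by one in the number of fields they accept, and a comment stating the intended bound would help. The bodies of process_http_upload and server_process_entry continue outside these hunks.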
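diff --git a/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch b/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
new file mode 100644
index 0000000000..3925a4abbb
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
@@ -0,0 +1,49 @@
+From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001
+From: Filipe Brandenburger <filbranden@google.com>
+Date: Thu, 10 Jan 2019 14:53:33 -0800
+Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866
+
+The original code didn't account for the fact that strchr() would match on the
+'\0' character, making it read past the end of the buffer if no non-whitespace
+character was present.
+
+This bug was introduced in commit ec5ff4445cca6a which was first released in
+systemd v221 and later fixed in commit 8595102d3ddde6 which was released in
+v240, so versions in the range [v221, v240) are affected.
+
+Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b
+also includes a change from systemd master which removes a heap buffer overflow
+a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.
+
+CVE: CVE-2018-16866
+Upstream-Status: Backport
+Signed-off-by: Marcus Cooper <marcusc@axis.com>
+---
+ src/journal/journald-syslog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
+index 9dea116722..809b318c06 100644
+--- a/src/journal/journald-syslog.c
++++ b/src/journal/journald-syslog.c
+@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
+ e = l;
+ l--;
+
+- if (p[l-1] == ']') {
++ if (l > 0 && p[l-1] == ']') {
+ size_t k = l-1;
+
+ for (;;) {
+@@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
+ if (t)
+ *identifier = t;
+
+- if (strchr(WHITESPACE, p[e]))
++ if (p[e] != '\0' && strchr(WHITESPACE, p[e]))
+ e++;
+ *buf = p + e;
+ return e;
+--
+2.11.0
+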
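Review bot: The regression tests for syslog_parse_identifier() are lost with this patch: it changes only src/journal/journald-syslog.c, whereas the 0027 and 0028 patches it replaces also extended src/journal/test-journal-syslog.c with boundary inputs such as `":"`, `"pidu:"`, `""` and a check of the remaining buffer. That leaves the two guards added here, `l > 0 &&` and `p[e] != '\0' &&`, without an in-tree test for the out-of-bounds cases; carrying the test hunk from the removed 0028 patch alongside this one would keep them exercised. A short comment above the second guard, for example `/* strchr() also matches the terminating NUL, so check for end of string first */`, would record why the extra test exists. syslog_parse_identifier's body starts and ends outside both hunks.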
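diff --git a/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch b/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch
deleted file mode 100644
index 104945cc25..0000000000
--- a/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 4183ec3a135663128834ca8b35d50a60999343a7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Fri, 7 Dec 2018 10:48:10 +0100
-Subject: [PATCH] journal-remote: set a limit on the number of fields in a
- message
-
-Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is
-reused for the new error condition (too many fields).
-
-This matches the change done for systemd-journald, hence forming the second
-part of the fix for CVE-2018-16865
-(https://bugzilla.redhat.com/show_bug.cgi?id=1653861).
-
-Patch backported from systemd master at
-ef4d6abe7c7fab6cbff975b32e76b09feee56074.
----
- src/basic/journal-importer.c | 5 ++++-
- src/journal-remote/journal-remote-main.c | 10 ++++++----
- src/journal-remote/journal-remote.c | 5 ++++-
- 3 files changed, 14 insertions(+), 6 deletions(-)
-
-diff --git a/src/basic/journal-importer.c b/src/basic/journal-importer.c
-index ca203bbbfc..3ac55a66d9 100644
---- a/src/basic/journal-importer.c
-+++ b/src/basic/journal-importer.c
-@@ -23,6 +23,9 @@ enum {
- };
-
- static int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) {
-+ if (iovw->count >= ENTRY_FIELD_COUNT_MAX)
-+ return -E2BIG;
-+
- if (!GREEDY_REALLOC(iovw->iovec, iovw->size_bytes, iovw->count + 1))
- return log_oom();
-
-@@ -98,7 +101,7 @@ static int get_line(JournalImporter *imp, char **line, size_t *size) {
- imp->scanned = imp->filled;
- if (imp->scanned >= DATA_SIZE_MAX) {
- log_error("Entry is bigger than %u bytes.", DATA_SIZE_MAX);
-- return -E2BIG;
-+ return -ENOBUFS;
- }
-
- if (imp->passive_fd)
-diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c
-index 8fda9d1499..f52618fb7b 100644
---- a/src/journal-remote/journal-remote-main.c
-+++ b/src/journal-remote/journal-remote-main.c
-@@ -212,10 +212,12 @@ static int process_http_upload(
- break;
- else if (r < 0) {
- log_warning("Failed to process data for connection %p", connection);
-- if (r == -E2BIG)
-- return mhd_respondf(connection,
-- r, MHD_HTTP_PAYLOAD_TOO_LARGE,
-- "Entry is too large, maximum is " STRINGIFY(DATA_SIZE_MAX) " bytes.");
-+ if (r == -ENOBUFS)
-+ log_warning_errno(r, "Entry is above the maximum of %u, aborting connection %p.",
-+ DATA_SIZE_MAX, connection);
-+ else if (r == -E2BIG)
-+ log_warning_errno(r, "Entry with more fields than the maximum of %u, aborting connection %p.",
-+ ENTRY_FIELD_COUNT_MAX, connection);
- else
- return mhd_respondf(connection,
- r, MHD_HTTP_UNPROCESSABLE_ENTITY,
-diff --git a/src/journal-remote/journal-remote.c b/src/journal-remote/journal-remote.c
-index beb75a1cb4..67e3a70c06 100644
---- a/src/journal-remote/journal-remote.c
-+++ b/src/journal-remote/journal-remote.c
-@@ -408,7 +408,10 @@ int journal_remote_handle_raw_source(
- log_debug("%zu active sources remaining", s->active);
- return 0;
- } else if (r == -E2BIG) {
-- log_notice_errno(E2BIG, "Entry too big, skipped");
-+ log_notice("Entry with too many fields, skipped");
-+ return 1;
-+ } else if (r == -ENOBUFS) {
-+ log_notice("Entry too big, skipped");
- return 1;
- } else if (r == -EAGAIN) {
- return 0;
---
-2.11.0
-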
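diff --git a/meta/recipes-core/systemd/systemd/0027-journal-fix-syslog_parse_identifier.patch b/meta/recipes-core/systemd/systemd/0027-journal-fix-syslog_parse_identifier.patch
deleted file mode 100644
index d4df0e12fd..0000000000
--- a/meta/recipes-core/systemd/systemd/0027-journal-fix-syslog_parse_identifier.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 8ccebb04e07628f7fe10131d6cd4f19d6a0d8f45 Mon Sep 17 00:00:00 2001
-From: Yu Watanabe <watanabe.yu+github@gmail.com>
-Date: Wed, 8 Aug 2018 15:06:36 +0900
-Subject: [PATCH] journal: fix syslog_parse_identifier()
-
-Fixes #9829.
-
-An out of bounds read was discovered in systemd-journald in the way it
-parses log messages that terminate with a colon ':'. A local attacker
-can use this flaw to disclose process memory data.
-
-Patch backported from systemd master at
-a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.
-
-This matches the change done for systemd-journald, hence forming the first
-part of the fix for CVE-2018-16866.
----
- src/journal/journald-syslog.c | 6 +++---
- src/journal/test-journal-syslog.c | 10 ++++++++--
- 2 files changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
-index 9dea116722..97711ac7a3 100644
---- a/src/journal/journald-syslog.c
-+++ b/src/journal/journald-syslog.c
-@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
- e = l;
- l--;
-
-- if (p[l-1] == ']') {
-+ if (l > 0 && p[l-1] == ']') {
- size_t k = l-1;
-
- for (;;) {
-@@ -219,8 +219,8 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
- if (t)
- *identifier = t;
-
-- if (strchr(WHITESPACE, p[e]))
-- e++;
-+ e += strspn(p + e, WHITESPACE);
-+
- *buf = p + e;
- return e;
- }
-diff --git a/src/journal/test-journal-syslog.c b/src/journal/test-journal-syslog.c
-index 9ba86f6c8a..05f759817e 100644
---- a/src/journal/test-journal-syslog.c
-+++ b/src/journal/test-journal-syslog.c
-@@ -5,8 +5,8 @@
- #include "macro.h"
- #include "string-util.h"
-
--static void test_syslog_parse_identifier(const char* str,
-- const char *ident, const char*pid, int ret) {
-+static void test_syslog_parse_identifier(const char *str,
-+ const char *ident, const char *pid, int ret) {
- const char *buf = str;
- _cleanup_free_ char *ident2 = NULL, *pid2 = NULL;
- int ret2;
-@@ -21,7 +21,13 @@ static void test_syslog_parse_identifier(const char* str,
- int main(void) {
- test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", 11);
- test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 6);
-+ test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 7);
- test_syslog_parse_identifier("pidu xxx", NULL, NULL, 0);
-+ test_syslog_parse_identifier(":", "", NULL, 1);
-+ test_syslog_parse_identifier(": ", "", NULL, 3);
-+ test_syslog_parse_identifier("pidu:", "pidu", NULL, 5);
-+ test_syslog_parse_identifier("pidu: ", "pidu", NULL, 6);
-+ test_syslog_parse_identifier("pidu : ", NULL, NULL, 0);
-
- return 0;
- }
---
-2.11.0
-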
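diff --git a/meta/recipes-core/systemd/systemd/0028-journal-do-not-remove-multiple-spaces-after-identifi.patch b/meta/recipes-core/systemd/systemd/0028-journal-do-not-remove-multiple-spaces-after-identifi.patch
deleted file mode 100644
index fa2c01034b..0000000000
--- a/meta/recipes-core/systemd/systemd/0028-journal-do-not-remove-multiple-spaces-after-identifi.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From c3a7da1bbb6d2df8ab7ea1c7ce34ded37a21959f Mon Sep 17 00:00:00 2001
-From: Yu Watanabe <watanabe.yu+github@gmail.com>
-Date: Fri, 10 Aug 2018 11:07:54 +0900
-Subject: [PATCH] journal: do not remove multiple spaces after identifier in
- syslog message
-
-Single space is used as separator.
-C.f. discussions in #156.
-
-Fixes #9839 introduced by a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.
-
-Patch backported from systemd master at
-8595102d3ddde6d25c282f965573a6de34ab4421.
-
-This matches the change done for systemd-journald, hence forming the second
-part of the fix for CVE-2018-16866
----
- src/journal/journald-syslog.c | 4 +++-
- src/journal/test-journal-syslog.c | 24 ++++++++++++++----------
- 2 files changed, 17 insertions(+), 11 deletions(-)
-
-diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
-index 97711ac7a3..e0b55cc566 100644
---- a/src/journal/journald-syslog.c
-+++ b/src/journal/journald-syslog.c
-@@ -219,7 +219,9 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
- if (t)
- *identifier = t;
-
-- e += strspn(p + e, WHITESPACE);
-+ /* Single space is used as separator */
-+ if (p[e] != '\0' && strchr(WHITESPACE, p[e]))
-+ e++;
-
- *buf = p + e;
- return e;
-diff --git a/src/journal/test-journal-syslog.c b/src/journal/test-journal-syslog.c
-index 05f759817e..7294cde032 100644
---- a/src/journal/test-journal-syslog.c
-+++ b/src/journal/test-journal-syslog.c
-@@ -6,7 +6,7 @@
- #include "string-util.h"
-
- static void test_syslog_parse_identifier(const char *str,
-- const char *ident, const char *pid, int ret) {
-+ const char *ident, const char *pid, const char *rest, int ret) {
- const char *buf = str;
- _cleanup_free_ char *ident2 = NULL, *pid2 = NULL;
- int ret2;
-@@ -16,18 +16,22 @@ static void test_syslog_parse_identifier(const char *str,
- assert_se(ret == ret2);
- assert_se(ident == ident2 || streq_ptr(ident, ident2));
- assert_se(pid == pid2 || streq_ptr(pid, pid2));
-+ assert_se(streq(buf, rest));
- }
-
- int main(void) {
-- test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", 11);
-- test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 6);
-- test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 7);
-- test_syslog_parse_identifier("pidu xxx", NULL, NULL, 0);
-- test_syslog_parse_identifier(":", "", NULL, 1);
-- test_syslog_parse_identifier(": ", "", NULL, 3);
-- test_syslog_parse_identifier("pidu:", "pidu", NULL, 5);
-- test_syslog_parse_identifier("pidu: ", "pidu", NULL, 6);
-- test_syslog_parse_identifier("pidu : ", NULL, NULL, 0);
-+ test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", "xxx", 11);
-+ test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, "xxx", 6);
-+ test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, " xxx", 6);
-+ test_syslog_parse_identifier("pidu xxx", NULL, NULL, "pidu xxx", 0);
-+ test_syslog_parse_identifier(" pidu xxx", NULL, NULL, " pidu xxx", 0);
-+ test_syslog_parse_identifier("", NULL, NULL, "", 0);
-+ test_syslog_parse_identifier(" ", NULL, NULL, " ", 0);
-+ test_syslog_parse_identifier(":", "", NULL, "", 1);
-+ test_syslog_parse_identifier(": ", "", NULL, " ", 2);
-+ test_syslog_parse_identifier("pidu:", "pidu", NULL, "", 5);
-+ test_syslog_parse_identifier("pidu: ", "pidu", NULL, "", 6);
-+ test_syslog_parse_identifier("pidu : ", NULL, NULL, "pidu : ", 0);
-
- return 0;
- }
---
-2.11.0
-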
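diff --git a/meta/recipes-core/systemd/systemd_239.bb b/meta/recipes-core/systemd/systemd_239.bb
index 20c7ba44b6..8c0366232f 100644
--- a/meta/recipes-core/systemd/systemd_239.bb
+++ b/meta/recipes-core/systemd/systemd_239.bb
@@ -39,10 +39,8 @@ SRC_URI += "file://touchscreen.rules \
  file://0002-core-Fix-use-after-free-case-in-load_from_path.patch \
  file://0001-meson-rename-Ddebug-to-Ddebug-extra.patch \
  file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \
- file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \
- file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \
- file://0027-journal-fix-syslog_parse_identifier.patch \
- file://0028-journal-do-not-remove-multiple-spaces-after-identifi.patch \
+ file://0025-journald-set-a-limit-on-the-number-of-fields.patch \
+ file://0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \
  "
 
 # patches made for musl are only applied on TCLIBC is musl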