systemd: Security fix CVE-2018-16866

Affects < v240 (From OE-Core rev: 10fa35a75617e82650b12d3e353a554f05f036dd) Signed-off-by: Marcus Cooper <marcusc@axis.com> >From v2 patch on openembedded-core@lists.openembedded.org Incresed file name number from 0026 to 0027. Signed-off-by: George McCollister <george.mccollister@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Marcus Cooper <marcus.cooper@axis.com> 2019-02-25 10:37:11 -0600
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-03-24 16:49:54 +0000
commit: d4e0f9252852ebfe5677d2bf0e6d70aacd7a984a (patch)
tree: 36b5ce6d3db87b817657709b2374f4d0601671c0
parent: 7be61780af1fd1c0a63a41880ece124e874610fa (diff)
download: poky-d4e0f9252852ebfe5677d2bf0e6d70aacd7a984a.tar.gz
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch b/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
new file mode 100644
index 0000000000..3925a4abbb
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
@@ -0,0 +1,49 @@
+From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001
+From: Filipe Brandenburger <filbranden@google.com>
+Date: Thu, 10 Jan 2019 14:53:33 -0800
+Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866
+The original code didn't account for the fact that strchr() would match on the
+'\0' character, making it read past the end of the buffer if no non-whitespace
+character was present.
+This bug was introduced in commit ec5ff4445cca6a which was first released in
+systemd v221 and later fixed in commit 8595102d3ddde6 which was released in
+v240, so versions in the range [v221, v240) are affected.
+Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b
+also includes a change from systemd master which removes a heap buffer overflow
+a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.
+CVE: CVE-2018-16866
+Upstream-Status: Backport
+Signed-off-by: Marcus Cooper <marcusc@axis.com>
+---
+ src/journal/journald-syslog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
+index 9dea116722..809b318c06 100644
+--- a/src/journal/journald-syslog.c
+++ b/src/journal/journald-syslog.c
+@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
+         e = l;
+         l--;
+ 
+-        if (p[l-1] == ']') {
+        if (l > 0 && p[l-1] == ']') {
+                 size_t k = l-1;
+ 
+                 for (;;) {
+@@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
+         if (t)
+                 *identifier = t;
+ 
+-        if (strchr(WHITESPACE, p[e]))
+        if (p[e] != '\0' && strchr(WHITESPACE, p[e]))
+                 e++;
+         *buf = p + e;
+         return e;
+-- 
+2.11.0
diff --git a/meta/recipes-core/systemd/systemd_237.bb b/meta/recipes-core/systemd/systemd_237.bb
index fd110a8340..96f419a7f9 100644
--- a/meta/recipes-core/systemd/systemd_237.bb
+++ b/meta/recipes-core/systemd/systemd_237.bb
@@ -60,6 +60,7 @@ SRC_URI += "file://touchscreen.rules \
           file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \
           file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \
           file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \
+           file://0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \
           "
 SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
author	Marcus Cooper <marcus.cooper@axis.com>	2019-02-25 10:37:11 -0600
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-03-24 16:49:54 +0000
commit	d4e0f9252852ebfe5677d2bf0e6d70aacd7a984a (patch)
tree	36b5ce6d3db87b817657709b2374f4d0601671c0
parent	7be61780af1fd1c0a63a41880ece124e874610fa (diff)
download	poky-d4e0f9252852ebfe5677d2bf0e6d70aacd7a984a.tar.gz

diff --git a/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch b/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch new file mode 100644 index 0000000000..3925a4abbb --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
@@ -0,0 +1,49 @@
		1	From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001
		2	From: Filipe Brandenburger <filbranden@google.com>
		3	Date: Thu, 10 Jan 2019 14:53:33 -0800
		4	Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866
		5
		6	The original code didn't account for the fact that strchr() would match on the
		7	'\0' character, making it read past the end of the buffer if no non-whitespace
		8	character was present.
		9
		10	This bug was introduced in commit ec5ff4445cca6a which was first released in
		11	systemd v221 and later fixed in commit 8595102d3ddde6 which was released in
		12	v240, so versions in the range [v221, v240) are affected.
		13
		14	Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b
		15	also includes a change from systemd master which removes a heap buffer overflow
		16	a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.
		17
		18	CVE: CVE-2018-16866
		19	Upstream-Status: Backport
		20	Signed-off-by: Marcus Cooper <marcusc@axis.com>
		21	---
		22	src/journal/journald-syslog.c \| 4 ++--
		23	1 file changed, 2 insertions(+), 2 deletions(-)
		24
		25	diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
		26	index 9dea116722..809b318c06 100644
		27	--- a/src/journal/journald-syslog.c
		28	+++ b/src/journal/journald-syslog.c
		29	@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char buf, char identifier, char **pid)
		30	e = l;
		31	l--;
		32
		33	- if (p[l-1] == ']') {
		34	+ if (l > 0 && p[l-1] == ']') {
		35	size_t k = l-1;
		36
		37	for (;;) {
		38	@@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char buf, char identifier, char **pid)
		39	if (t)
		40	*identifier = t;
		41
		42	- if (strchr(WHITESPACE, p[e]))
		43	+ if (p[e] != '\0' && strchr(WHITESPACE, p[e]))
		44	e++;
		45	*buf = p + e;
		46	return e;
		47	--
		48	2.11.0
		49


diff --git a/meta/recipes-core/systemd/systemd_237.bb b/meta/recipes-core/systemd/systemd_237.bb index fd110a8340..96f419a7f9 100644 --- a/meta/recipes-core/systemd/systemd_237.bb +++ b/meta/recipes-core/systemd/systemd_237.bb
@@ -60,6 +60,7 @@ SRC_URI += "file://touchscreen.rules \
60	file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \	60	file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \
61	file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \	61	file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \
62	file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \	62	file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \
		63	file://0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \
63	"	64	"
64	SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"	65	SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
65		66