summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorrajmohan r <rajmohan.r@kpit.com>2023-04-19 16:04:55 +0530
committerSteve Sakoman <steve@sakoman.com>2023-04-26 04:19:06 -1000
commitafb4425be96e8e5a47a5dd3b87d5615bd3d8e0eb (patch)
tree3a8ede591cc89997ae6a28995323fc5ff938c53f
parent20c932eb013ebf83ef435a29edd8d10f577aaf4b (diff)
downloadpoky-afb4425be96e8e5a47a5dd3b87d5615bd3d8e0eb.tar.gz
systemd: Fix CVE-2023-26604
Below patch files to fix CVE-2023-26604 CVE-2023-26604-1.patch, CVE-2023-26604-2.patch and CVE-2023-26604-3.patch and CVE-2023-26604-4.patch make pager secure when under euid is changed or explicitly requested Reference: CVE-2023-26604-1.patch: https://github.com/systemd/systemd/pull/17270/commits/612ebf6c913dd0e4197c44909cb3157f5c51a2f0 CVE-2023-26604-2.patch: https://github.com/systemd/systemd/pull/17270/commits/1b5b507cd2d1d7a2b053151abb548475ad9c5c3b CVE-2023-26604-3.patch: https://github.com/systemd/systemd/pull/17270/commits/0a42426d797406b4b01a0d9c13bb759c2629d108 CVE-2023-26604-4.patch: https://github.com/systemd/systemd/pull/17359/commits/b8f736b30e20a2b44e7c34bb4e43b0d97ae77e3c (From OE-Core rev: 7880eb801dcee44a9e8920d249057492d1de6b12) Signed-off-by: rajmohan r <rajmohan.r@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch115
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch264
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch182
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch32
-rw-r--r--meta/recipes-core/systemd/systemd_244.5.bb4
5 files changed, 597 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch b/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch
new file mode 100644
index 0000000000..39f9480cf8
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch
@@ -0,0 +1,115 @@
1From 612ebf6c913dd0e4197c44909cb3157f5c51a2f0 Mon Sep 17 00:00:00 2001
2From: Lennart Poettering <lennart@poettering.net>
3Date: Mon, 31 Aug 2020 19:37:13 +0200
4Subject: [PATCH] pager: set $LESSSECURE whenver we invoke a pager
5
6Some extra safety when invoked via "sudo". With this we address a
7genuine design flaw of sudo, and we shouldn't need to deal with this.
8But it's still a good idea to disable this surface given how exotic it
9is.
10
11Prompted by #5666
12
13CVE: CVE-2023-26604
14Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/612ebf6c913dd0e4197c44909cb3157f5c51a2f0]
15Comments: Hunk not refreshed
16Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
17---
18 man/less-variables.xml | 9 +++++++++
19 man/systemctl.xml | 1 +
20 man/systemd.xml | 1 +
21 src/shared/pager.c | 23 +++++++++++++++++++++--
22 4 files changed, 32 insertions(+), 2 deletions(-)
23
24diff --git a/man/less-variables.xml b/man/less-variables.xml
25index 08e513c99f8e..c52511ca8e18 100644
26--- a/man/less-variables.xml
27+++ b/man/less-variables.xml
28@@ -64,6 +64,15 @@
29 the invoking terminal is determined to be UTF-8 compatible).</para></listitem>
30 </varlistentry>
31
32+ <varlistentry id='lesssecure'>
33+ <term><varname>$SYSTEMD_LESSSECURE</varname></term>
34+
35+ <listitem><para>Takes a boolean argument. Overrides the <varname>$LESSSECURE</varname> environment
36+ variable when invoking the pager, which controls the "secure" mode of less (which disables commands
37+ such as <literal>|</literal> which allow to easily shell out to external command lines). By default
38+ less secure mode is enabled, with this setting it may be disabled.</para></listitem>
39+ </varlistentry>
40+
41 <varlistentry id='colors'>
42 <term><varname>$SYSTEMD_COLORS</varname></term>
43
44diff --git a/man/systemctl.xml b/man/systemctl.xml
45index 1c5502883700..a3f0c3041a57 100644
46--- a/man/systemctl.xml
47+++ b/man/systemctl.xml
48@@ -2240,6 +2240,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
49 <xi:include href="less-variables.xml" xpointer="pager"/>
50 <xi:include href="less-variables.xml" xpointer="less"/>
51 <xi:include href="less-variables.xml" xpointer="lesscharset"/>
52+ <xi:include href="less-variables.xml" xpointer="lesssecure"/>
53 <xi:include href="less-variables.xml" xpointer="colors"/>
54 <xi:include href="less-variables.xml" xpointer="urlify"/>
55 </refsect1>
56diff --git a/man/systemd.xml b/man/systemd.xml
57index a9040545c2ab..c92cfef77689 100644
58--- a/man/systemd.xml
59+++ b/man/systemd.xml
60@@ -692,6 +692,7 @@
61 <xi:include href="less-variables.xml" xpointer="pager"/>
62 <xi:include href="less-variables.xml" xpointer="less"/>
63 <xi:include href="less-variables.xml" xpointer="lesscharset"/>
64+ <xi:include href="less-variables.xml" xpointer="lesssecure"/>
65 <xi:include href="less-variables.xml" xpointer="colors"/>
66 <xi:include href="less-variables.xml" xpointer="urlify"/>
67
68diff --git a/src/shared/pager.c b/src/shared/pager.c
69index e03be6d23b2d..9c21881241f5 100644
70--- a/src/shared/pager.c
71+++ b/src/shared/pager.c
72@@ -9,6 +9,7 @@
73 #include <unistd.h>
74
75 #include "copy.h"
76+#include "env-util.h"
77 #include "fd-util.h"
78 #include "fileio.h"
79 #include "io-util.h"
80@@ -152,8 +153,7 @@ int pager_open(PagerFlags flags) {
81 _exit(EXIT_FAILURE);
82 }
83
84- /* Initialize a good charset for less. This is
85- * particularly important if we output UTF-8
86+ /* Initialize a good charset for less. This is particularly important if we output UTF-8
87 * characters. */
88 less_charset = getenv("SYSTEMD_LESSCHARSET");
89 if (!less_charset && is_locale_utf8())
90@@ -164,6 +164,25 @@ int pager_open(PagerFlags flags) {
91 _exit(EXIT_FAILURE);
92 }
93
94+ /* People might invoke us from sudo, don't needlessly allow less to be a way to shell out
95+ * privileged stuff. */
96+ r = getenv_bool("SYSTEMD_LESSSECURE");
97+ if (r == 0) { /* Remove env var if off */
98+ if (unsetenv("LESSSECURE") < 0) {
99+ log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m");
100+ _exit(EXIT_FAILURE);
101+ }
102+ } else {
103+ /* Set env var otherwise */
104+ if (r < 0)
105+ log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m");
106+
107+ if (setenv("LESSSECURE", "1", 1) < 0) {
108+ log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m");
109+ _exit(EXIT_FAILURE);
110+ }
111+ }
112+
113 if (pager_args) {
114 r = loop_write(exe_name_pipe[1], pager_args[0], strlen(pager_args[0]) + 1, false);
115 if (r < 0) {
diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch b/meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch
new file mode 100644
index 0000000000..95da7cfad6
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch
@@ -0,0 +1,264 @@
1From 1b5b507cd2d1d7a2b053151abb548475ad9c5c3b Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
3Date: Mon, 12 Oct 2020 18:57:32 +0200
4Subject: [PATCH] test-login: always test sd_pid_get_owner_uid(), modernize
5
6A long time some function only worked when in a session, and the test
7didn't execute them when sd_pid_get_session() failed. Let's always call
8them to increase coverage.
9
10While at it, let's test for ==0 not >=0 where we don't expect the function
11to return anything except 0 or error.
12
13CVE: CVE-2023-26604
14Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/1b5b507cd2d1d7a2b053151abb548475ad9c5c3b.patch]
15Comments: Hunk not refreshed
16Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
17---
18 src/libsystemd/sd-login/test-login.c | 131 ++++++++++++++-------------
19 1 file changed, 70 insertions(+), 61 deletions(-)
20
21diff --git a/src/libsystemd/sd-login/test-login.c b/src/libsystemd/sd-login/test-login.c
22index c0c77e04714b..0494fc77ba18 100644
23--- a/src/libsystemd/sd-login/test-login.c
24+++ b/src/libsystemd/sd-login/test-login.c
25@@ -5,21 +5,22 @@
26 #include "sd-login.h"
27
28 #include "alloc-util.h"
29+#include "errno-list.h"
30 #include "fd-util.h"
31 #include "format-util.h"
32 #include "log.h"
33 #include "string-util.h"
34 #include "strv.h"
35 #include "time-util.h"
36-#include "util.h"
37+#include "user-util.h"
38
39 static char* format_uids(char **buf, uid_t* uids, int count) {
40- int pos = 0, k, inc;
41+ int pos = 0, inc;
42 size_t size = (DECIMAL_STR_MAX(uid_t) + 1) * count + 1;
43
44 assert_se(*buf = malloc(size));
45
46- for (k = 0; k < count; k++) {
47+ for (int k = 0; k < count; k++) {
48 sprintf(*buf + pos, "%s"UID_FMT"%n", k > 0 ? " " : "", uids[k], &inc);
49 pos += inc;
50 }
51@@ -30,6 +31,10 @@ static char* format_uids(char **buf, uid_t* uids, int count) {
52 return *buf;
53 }
54
55+static const char *e(int r) {
56+ return r == 0 ? "OK" : errno_to_name(r);
57+}
58+
59 static void test_login(void) {
60 _cleanup_close_pair_ int pair[2] = { -1, -1 };
61 _cleanup_free_ char *pp = NULL, *qq = NULL,
62@@ -39,65 +44,71 @@ static void test_login(void) {
63 *seat = NULL, *session = NULL,
64 *unit = NULL, *user_unit = NULL, *slice = NULL;
65 int r;
66- uid_t u, u2;
67- char *t, **seats, **sessions;
68+ uid_t u, u2 = UID_INVALID;
69+ char *t, **seats = NULL, **sessions = NULL;
70
71 r = sd_pid_get_unit(0, &unit);
72- assert_se(r >= 0 || r == -ENODATA);
73- log_info("sd_pid_get_unit(0, …) → \"%s\"", strna(unit));
74+ log_info("sd_pid_get_unit(0, …) → %s / \"%s\"", e(r), strnull(unit));
75+ assert_se(IN_SET(r, 0, -ENODATA));
76
77 r = sd_pid_get_user_unit(0, &user_unit);
78- assert_se(r >= 0 || r == -ENODATA);
79- log_info("sd_pid_get_user_unit(0, …) → \"%s\"", strna(user_unit));
80+ log_info("sd_pid_get_user_unit(0, …) → %s / \"%s\"", e(r), strnull(user_unit));
81+ assert_se(IN_SET(r, 0, -ENODATA));
82
83 r = sd_pid_get_slice(0, &slice);
84- assert_se(r >= 0 || r == -ENODATA);
85- log_info("sd_pid_get_slice(0, …) → \"%s\"", strna(slice));
86+ log_info("sd_pid_get_slice(0, …) → %s / \"%s\"", e(r), strnull(slice));
87+ assert_se(IN_SET(r, 0, -ENODATA));
88+
89+ r = sd_pid_get_owner_uid(0, &u2);
90+ log_info("sd_pid_get_owner_uid(0, …) → %s / "UID_FMT, e(r), u2);
91+ assert_se(IN_SET(r, 0, -ENODATA));
92
93 r = sd_pid_get_session(0, &session);
94- if (r < 0) {
95- log_warning_errno(r, "sd_pid_get_session(0, …): %m");
96- if (r == -ENODATA)
97- log_info("Seems we are not running in a session, skipping some tests.");
98- } else {
99- log_info("sd_pid_get_session(0, …) → \"%s\"", session);
100-
101- assert_se(sd_pid_get_owner_uid(0, &u2) == 0);
102- log_info("sd_pid_get_owner_uid(0, …) → "UID_FMT, u2);
103-
104- assert_se(sd_pid_get_cgroup(0, &cgroup) == 0);
105- log_info("sd_pid_get_cgroup(0, …) → \"%s\"", cgroup);
106-
107- r = sd_uid_get_display(u2, &display_session);
108- assert_se(r >= 0 || r == -ENODATA);
109- log_info("sd_uid_get_display("UID_FMT", …) → \"%s\"",
110- u2, strnull(display_session));
111-
112- assert_se(socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == 0);
113- sd_peer_get_session(pair[0], &pp);
114- sd_peer_get_session(pair[1], &qq);
115- assert_se(streq_ptr(pp, qq));
116-
117- r = sd_uid_get_sessions(u2, false, &sessions);
118+ log_info("sd_pid_get_session(0, …) → %s / \"%s\"", e(r), strnull(session));
119+
120+ r = sd_pid_get_cgroup(0, &cgroup);
121+ log_info("sd_pid_get_cgroup(0, …) → %s / \"%s\"", e(r), strnull(cgroup));
122+ assert_se(r == 0);
123+
124+ r = sd_uid_get_display(u2, &display_session);
125+ log_info("sd_uid_get_display("UID_FMT", …) → %s / \"%s\"", u2, e(r), strnull(display_session));
126+ if (u2 == UID_INVALID)
127+ assert_se(r == -EINVAL);
128+ else
129+ assert_se(IN_SET(r, 0, -ENODATA));
130+
131+ assert_se(socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == 0);
132+ sd_peer_get_session(pair[0], &pp);
133+ sd_peer_get_session(pair[1], &qq);
134+ assert_se(streq_ptr(pp, qq));
135+
136+ r = sd_uid_get_sessions(u2, false, &sessions);
137+ assert_se(t = strv_join(sessions, " "));
138+ log_info("sd_uid_get_sessions("UID_FMT", …) → %s \"%s\"", u2, e(r), t);
139+ if (u2 == UID_INVALID)
140+ assert_se(r == -EINVAL);
141+ else {
142 assert_se(r >= 0);
143 assert_se(r == (int) strv_length(sessions));
144- assert_se(t = strv_join(sessions, " "));
145- strv_free(sessions);
146- log_info("sd_uid_get_sessions("UID_FMT", …) → [%i] \"%s\"", u2, r, t);
147- free(t);
148+ }
149+ sessions = strv_free(sessions);
150+ free(t);
151
152- assert_se(r == sd_uid_get_sessions(u2, false, NULL));
153+ assert_se(r == sd_uid_get_sessions(u2, false, NULL));
154
155- r = sd_uid_get_seats(u2, false, &seats);
156+ r = sd_uid_get_seats(u2, false, &seats);
157+ assert_se(t = strv_join(seats, " "));
158+ log_info("sd_uid_get_seats("UID_FMT", …) → %s \"%s\"", u2, e(r), t);
159+ if (u2 == UID_INVALID)
160+ assert_se(r == -EINVAL);
161+ else {
162 assert_se(r >= 0);
163 assert_se(r == (int) strv_length(seats));
164- assert_se(t = strv_join(seats, " "));
165- strv_free(seats);
166- log_info("sd_uid_get_seats("UID_FMT", …) → [%i] \"%s\"", u2, r, t);
167- free(t);
168-
169- assert_se(r == sd_uid_get_seats(u2, false, NULL));
170 }
171+ seats = strv_free(seats);
172+ free(t);
173+
174+ assert_se(r == sd_uid_get_seats(u2, false, NULL));
175
176 if (session) {
177 r = sd_session_is_active(session);
178@@ -109,7 +120,7 @@ static void test_login(void) {
179 log_info("sd_session_is_remote(\"%s\") → %s", session, yes_no(r));
180
181 r = sd_session_get_state(session, &state);
182- assert_se(r >= 0);
183+ assert_se(r == 0);
184 log_info("sd_session_get_state(\"%s\") → \"%s\"", session, state);
185
186 assert_se(sd_session_get_uid(session, &u) >= 0);
187@@ -123,16 +134,16 @@ static void test_login(void) {
188 log_info("sd_session_get_class(\"%s\") → \"%s\"", session, class);
189
190 r = sd_session_get_display(session, &display);
191- assert_se(r >= 0 || r == -ENODATA);
192+ assert_se(IN_SET(r, 0, -ENODATA));
193 log_info("sd_session_get_display(\"%s\") → \"%s\"", session, strna(display));
194
195 r = sd_session_get_remote_user(session, &remote_user);
196- assert_se(r >= 0 || r == -ENODATA);
197+ assert_se(IN_SET(r, 0, -ENODATA));
198 log_info("sd_session_get_remote_user(\"%s\") → \"%s\"",
199 session, strna(remote_user));
200
201 r = sd_session_get_remote_host(session, &remote_host);
202- assert_se(r >= 0 || r == -ENODATA);
203+ assert_se(IN_SET(r, 0, -ENODATA));
204 log_info("sd_session_get_remote_host(\"%s\") → \"%s\"",
205 session, strna(remote_host));
206
207@@ -161,7 +172,7 @@ static void test_login(void) {
208 assert_se(r == -ENODATA);
209 }
210
211- assert_se(sd_uid_get_state(u, &state2) >= 0);
212+ assert_se(sd_uid_get_state(u, &state2) == 0);
213 log_info("sd_uid_get_state("UID_FMT", …) → %s", u, state2);
214 }
215
216@@ -173,11 +184,11 @@ static void test_login(void) {
217 assert_se(sd_uid_is_on_seat(u, 0, seat) > 0);
218
219 r = sd_seat_get_active(seat, &session2, &u2);
220- assert_se(r >= 0);
221+ assert_se(r == 0);
222 log_info("sd_seat_get_active(\"%s\", …) → \"%s\", "UID_FMT, seat, session2, u2);
223
224 r = sd_uid_is_on_seat(u, 1, seat);
225- assert_se(r >= 0);
226+ assert_se(IN_SET(r, 0, 1));
227 assert_se(!!r == streq(session, session2));
228
229 r = sd_seat_get_sessions(seat, &sessions, &uids, &n);
230@@ -185,8 +196,8 @@ static void test_login(void) {
231 assert_se(r == (int) strv_length(sessions));
232 assert_se(t = strv_join(sessions, " "));
233 strv_free(sessions);
234- log_info("sd_seat_get_sessions(\"%s\", …) → %i, \"%s\", [%i] {%s}",
235- seat, r, t, n, format_uids(&buf, uids, n));
236+ log_info("sd_seat_get_sessions(\"%s\", …) → %s, \"%s\", [%u] {%s}",
237+ seat, e(r), t, n, format_uids(&buf, uids, n));
238 free(t);
239
240 assert_se(sd_seat_get_sessions(seat, NULL, NULL, NULL) == r);
241@@ -204,7 +215,7 @@ static void test_login(void) {
242
243 r = sd_seat_get_active(NULL, &t, NULL);
244 assert_se(IN_SET(r, 0, -ENODATA));
245- log_info("sd_seat_get_active(NULL, …) (active session on current seat) → %s", strnull(t));
246+ log_info("sd_seat_get_active(NULL, …) (active session on current seat) → %s / \"%s\"", e(r), strnull(t));
247 free(t);
248
249 r = sd_get_sessions(&sessions);
250@@ -244,13 +255,11 @@ static void test_login(void) {
251
252 static void test_monitor(void) {
253 sd_login_monitor *m = NULL;
254- unsigned n;
255 int r;
256
257- r = sd_login_monitor_new("session", &m);
258- assert_se(r >= 0);
259+ assert_se(sd_login_monitor_new("session", &m) == 0);
260
261- for (n = 0; n < 5; n++) {
262+ for (unsigned n = 0; n < 5; n++) {
263 struct pollfd pollfd = {};
264 usec_t timeout, nw;
diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch b/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch
new file mode 100644
index 0000000000..f02f62b772
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch
@@ -0,0 +1,182 @@
1From 0a42426d797406b4b01a0d9c13bb759c2629d108 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
3Date: Wed, 7 Oct 2020 11:15:05 +0200
4Subject: [PATCH] pager: make pager secure when under euid is changed or
5 explicitly requested
6
7The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about
8less now), and we automatically enable secure mode in certain cases, but not
9otherwise.
10
11This approach is more nuanced, but should provide a better experience for
12users:
13
14- Previusly we would set LESSSECURE=1 and trust the pager to make use of
15 it. But this has an effect only on less. We need to not start pagers which
16 are insecure when in secure mode. In particular more is like that and is a
17 very popular pager.
18
19- We don't enable secure mode always, which means that those other pagers can
20 reasonably used.
21
22- We do the right thing by default, but the user has ultimate control by
23 setting SYSTEMD_PAGERSECURE.
24
25Fixes #5666.
26
27v2:
28- also check $PKEXEC_UID
29
30v3:
31- use 'sd_pid_get_owner_uid() != geteuid()' as the condition
32
33CVE: CVE-2023-26604
34Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/0a42426d797406b4b01a0d9c13bb759c2629d108]
35Comments: Hunk refreshed
36Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
37---
38 man/less-variables.xml | 30 +++++++++++++++----
39 src/shared/pager.c | 63 ++++++++++++++++++++++++++-------------
40 2 files changed, 66 insertions(+), 27 deletions(-)
41
42diff --git a/man/less-variables.xml b/man/less-variables.xml
43index c52511c..049e9f7 100644
44--- a/man/less-variables.xml
45+++ b/man/less-variables.xml
46@@ -65,12 +65,30 @@
47 </varlistentry>
48
49 <varlistentry id='lesssecure'>
50- <term><varname>$SYSTEMD_LESSSECURE</varname></term>
51-
52- <listitem><para>Takes a boolean argument. Overrides the <varname>$LESSSECURE</varname> environment
53- variable when invoking the pager, which controls the "secure" mode of less (which disables commands
54- such as <literal>|</literal> which allow to easily shell out to external command lines). By default
55- less secure mode is enabled, with this setting it may be disabled.</para></listitem>
56+ <term><varname>$SYSTEMD_PAGERSECURE</varname></term>
57+
58+ <listitem><para>Takes a boolean argument. When true, the "secure" mode of the pager is enabled; if
59+ false, disabled. If <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, secure mode is enabled
60+ if the effective UID is not the same as the owner of the login session, see <citerefentry
61+ project='man-pages'><refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
62+ <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
63+ In secure mode, <option>LESSSECURE=1</option> will be set when invoking the pager, and the pager shall
64+ disable commands that open or create new files or start new subprocesses. When
65+ <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, pagers which are not known to implement
66+ secure mode will not be used. (Currently only
67+ <citerefentry><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry> implements
68+ secure mode.)</para>
69+
70+ <para>Note: when commands are invoked with elevated privileges, for example under <citerefentry
71+ project='man-pages'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry> or
72+ <citerefentry
73+ project='die-net'><refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum></citerefentry>, care
74+ must be taken to ensure that unintended interactive features are not enabled. "Secure" mode for the
75+ pager may be enabled automatically as describe above. Setting <varname>SYSTEMD_PAGERSECURE=0</varname>
76+ or not removing it from the inherited environment allows the user to invoke arbitrary commands. Note
77+ that if the <varname>$SYSTEMD_PAGER</varname> or <varname>$PAGER</varname> variables are to be
78+ honoured, <varname>$SYSTEMD_PAGERSECURE</varname> must be set too. It might be reasonable to completly
79+ disable the pager using <option>--no-pager</option> instead.</para></listitem>
80 </varlistentry>
81
82 <varlistentry id='colors'>
83diff --git a/src/shared/pager.c b/src/shared/pager.c
84index a3b6576..a72d9ea 100644
85--- a/src/shared/pager.c
86+++ b/src/shared/pager.c
87@@ -8,6 +8,8 @@
88 #include <sys/prctl.h>
89 #include <unistd.h>
90
91+#include "sd-login.h"
92+
93 #include "copy.h"
94 #include "env-util.h"
95 #include "fd-util.h"
96@@ -164,25 +166,42 @@ int pager_open(PagerFlags flags) {
97 }
98
99 /* People might invoke us from sudo, don't needlessly allow less to be a way to shell out
100- * privileged stuff. */
101- r = getenv_bool("SYSTEMD_LESSSECURE");
102- if (r == 0) { /* Remove env var if off */
103- if (unsetenv("LESSSECURE") < 0) {
104- log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m");
105- _exit(EXIT_FAILURE);
106- }
107- } else {
108- /* Set env var otherwise */
109+ * privileged stuff. If the user set $SYSTEMD_PAGERSECURE, trust their configuration of the
110+ * pager. If they didn't, use secure mode when under euid is changed. If $SYSTEMD_PAGERSECURE
111+ * wasn't explicitly set, and we autodetect the need for secure mode, only use the pager we
112+ * know to be good. */
113+ int use_secure_mode = getenv_bool("SYSTEMD_PAGERSECURE");
114+ bool trust_pager = use_secure_mode >= 0;
115+ if (use_secure_mode == -ENXIO) {
116+ uid_t uid;
117+
118+ r = sd_pid_get_owner_uid(0, &uid);
119 if (r < 0)
120- log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m");
121+ log_debug_errno(r, "sd_pid_get_owner_uid() failed, enabling pager secure mode: %m");
122
123- if (setenv("LESSSECURE", "1", 1) < 0) {
124- log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m");
125- _exit(EXIT_FAILURE);
126- }
127+ use_secure_mode = r < 0 || uid != geteuid();
128+
129+ } else if (use_secure_mode < 0) {
130+ log_warning_errno(use_secure_mode, "Unable to parse $SYSTEMD_PAGERSECURE, assuming true: %m");
131+ use_secure_mode = true;
132 }
133
134- if (pager_args) {
135+ /* We generally always set variables used by less, even if we end up using a different pager.
136+ * They shouldn't hurt in any case, and ideally other pagers would look at them too. */
137+ if (use_secure_mode)
138+ r = setenv("LESSSECURE", "1", 1);
139+ else
140+ r = unsetenv("LESSSECURE");
141+ if (r < 0) {
142+ log_error_errno(errno, "Failed to adjust environment variable LESSSECURE: %m");
143+ _exit(EXIT_FAILURE);
144+ }
145+
146+ if (trust_pager && pager_args) { /* The pager config might be set globally, and we cannot
147+ * know if the user adjusted it to be appropriate for the
148+ * secure mode. Thus, start the pager specified through
149+ * envvars only when $SYSTEMD_PAGERSECURE was explicitly set
150+ * as well. */
151 r = loop_write(exe_name_pipe[1], pager_args[0], strlen(pager_args[0]) + 1, false);
152 if (r < 0) {
153 log_error_errno(r, "Failed to write pager name to socket: %m");
154@@ -194,13 +213,14 @@ int pager_open(PagerFlags flags) {
155 "Failed to execute '%s', using fallback pagers: %m", pager_args[0]);
156 }
157
158- /* Debian's alternatives command for pagers is
159- * called 'pager'. Note that we do not call
160- * sensible-pagers here, since that is just a
161- * shell script that implements a logic that
162- * is similar to this one anyway, but is
163- * Debian-specific. */
164+ /* Debian's alternatives command for pagers is called 'pager'. Note that we do not call
165+ * sensible-pagers here, since that is just a shell script that implements a logic that is
166+ * similar to this one anyway, but is Debian-specific. */
167 FOREACH_STRING(exe, "pager", "less", "more") {
168+ /* Only less implements secure mode right now. */
169+ if (use_secure_mode && !streq(exe, "less"))
170+ continue;
171+
172 r = loop_write(exe_name_pipe[1], exe, strlen(exe) + 1, false);
173 if (r < 0) {
174 log_error_errno(r, "Failed to write pager name to socket: %m");
175@@ -211,6 +231,7 @@ int pager_open(PagerFlags flags) {
176 "Failed to execute '%s', using next fallback pager: %m", exe);
177 }
178
179+ /* Our builtin is also very secure. */
180 r = loop_write(exe_name_pipe[1], "(built-in)", strlen("(built-in)") + 1, false);
181 if (r < 0) {
182 log_error_errno(r, "Failed to write pager name to socket: %m");
diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch b/meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch
new file mode 100644
index 0000000000..bc6b0a91c2
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch
@@ -0,0 +1,32 @@
1From b8f736b30e20a2b44e7c34bb4e43b0d97ae77e3c Mon Sep 17 00:00:00 2001
2From: Lennart Poettering <lennart@poettering.net>
3Date: Thu, 15 Oct 2020 10:54:48 +0200
4Subject: [PATCH] pager: lets check SYSTEMD_PAGERSECURE with secure_getenv()
5
6I can't think of any real vulnerability about this, but it still feels
7better to check a variable with "secure" in its name with
8secure_getenv() rather than plain getenv().
9
10Paranoia FTW!
11
12CVE: CVE-2023-26604
13Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17359/commits/b8f736b30e20a2b44e7c34bb4e43b0d97ae77e3c]
14Comments: Hunk refreshed
15Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
16---
17 src/shared/pager.c | 2 +-
18 1 file changed, 1 insertion(+), 1 deletion(-)
19
20diff --git a/src/shared/pager.c b/src/shared/pager.c
21index a72d9ea..250519c 100644
22--- a/src/shared/pager.c
23+++ b/src/shared/pager.c
24@@ -170,7 +170,7 @@ int pager_open(PagerFlags flags) {
25 * pager. If they didn't, use secure mode when under euid is changed. If $SYSTEMD_PAGERSECURE
26 * wasn't explicitly set, and we autodetect the need for secure mode, only use the pager we
27 * know to be good. */
28- int use_secure_mode = getenv_bool("SYSTEMD_PAGERSECURE");
29+ int use_secure_mode = getenv_bool_secure("SYSTEMD_PAGERSECURE");
30 bool trust_pager = use_secure_mode >= 0;
31 if (use_secure_mode == -ENXIO) {
32 uid_t uid;
diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb
index 8dd59f7636..bd66d82932 100644
--- a/meta/recipes-core/systemd/systemd_244.5.bb
+++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -35,6 +35,10 @@ SRC_URI += "file://touchscreen.rules \
35 file://CVE-2021-3997-2.patch \ 35 file://CVE-2021-3997-2.patch \
36 file://CVE-2021-3997-3.patch \ 36 file://CVE-2021-3997-3.patch \
37 file://CVE-2022-3821.patch \ 37 file://CVE-2022-3821.patch \
38 file://CVE-2023-26604-1.patch \
39 file://CVE-2023-26604-2.patch \
40 file://CVE-2023-26604-3.patch \
41 file://CVE-2023-26604-4.patch \
38 " 42 "
39 43
40# patches needed by musl 44# patches needed by musl
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-04-22 20:30:14 +0000