3 files changed, 111 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
new file mode 100644
index 0000000000..6b499efbd8
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
@@ -0,0 +1,42 @@
+From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:22:07 +0900
+Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
+This makes DHCP client ignore FORCERENEW requests, as unauthenticated
+FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
+Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
+and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
+Fixes #16774.
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
+CVE: CVE-2020-13529
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+--- a/src/libsystemd-network/sd-dhcp-client.c
+++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1392,9 +1392,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force,
+         if (r != DHCP_FORCERENEW)
+                 return -ENOMSG;
+#if 0
+         log_dhcp_client(client, "FORCERENEW");
+         return 0;
+#else
+        /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
+         * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
+         * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
+        log_dhcp_client(client, "Received FORCERENEW, ignoring.");
+        return -ENOMSG;
+#endif
+ }
+ static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {
diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
new file mode 100644
index 0000000000..e92d721d3d
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
@@ -0,0 +1,67 @@
+Backport of:
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
+The path may have unbounded length, for example through a fuse mount.
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
+CVE: CVE-2021-33910
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+--- a/src/basic/unit-name.c
+++ b/src/basic/unit-name.c
+@@ -369,12 +369,13 @@ int unit_name_unescape(const char *f, char **ret) {
+ }
+ int unit_name_path_escape(const char *f, char **ret) {
+-        char *p, *s;
+        _cleanup_free_ char *p = NULL;
+        char *s;
+         assert(f);
+         assert(ret);
+-        p = strdupa(f);
+        p = strdup(f);
+         if (!p)
+                 return -ENOMEM;
+@@ -386,13 +387,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+                 if (!path_is_normalized(p))
+                         return -EINVAL;
+-                /* Truncate trailing slashes */
+                /* Truncate trailing slashes and skip leading slashes */
+                 delete_trailing_chars(p, "/");
+-
+-                /* Truncate leading slashes */
+-                p = skip_leading_chars(p, "/");
+-
+-                s = unit_name_escape(p);
+                s = unit_name_escape(skip_leading_chars(p, "/"));
+         }
+         if (!s)
+                 return -ENOMEM;
diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb
index 8c95648ca0..7a7eddcd45 100644
--- a/meta/recipes-core/systemd/systemd_244.5.bb
+++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -20,6 +20,8 @@ SRC_URI += "file://touchscreen.rules \
           file://99-default.preset \
           file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
           file://0003-implment-systemd-sysv-install-for-OE.patch \
+           file://CVE-2021-33910.patch \
+           file://CVE-2020-13529.patch \
           "
 # patches needed by musl

diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch new file mode 100644 index 0000000000..6b499efbd8 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
@@ -0,0 +1,42 @@
		1	From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001
		2	From: Yu Watanabe <watanabe.yu+github@gmail.com>
		3	Date: Thu, 24 Jun 2021 01:22:07 +0900
		4	Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
		5
		6	This makes DHCP client ignore FORCERENEW requests, as unauthenticated
		7	FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
		8
		9	Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
		10	and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
		11
		12	Fixes #16774.
		13
		14	Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
		15	CVE: CVE-2020-13529
		16
		17	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		18
		19	---
		20	src/libsystemd-network/sd-dhcp-client.c \| 8 ++++++++
		21	1 file changed, 8 insertions(+)
		22
		23	--- a/src/libsystemd-network/sd-dhcp-client.c
		24	+++ b/src/libsystemd-network/sd-dhcp-client.c
		25	@@ -1392,9 +1392,17 @@ static int client_handle_forcerenew(sd_dhcp_client client, DHCPMessage force,
		26	if (r != DHCP_FORCERENEW)
		27	return -ENOMSG;
		28
		29	+#if 0
		30	log_dhcp_client(client, "FORCERENEW");
		31
		32	return 0;
		33	+#else
		34	+ /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
		35	+ * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
		36	+ * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
		37	+ log_dhcp_client(client, "Received FORCERENEW, ignoring.");
		38	+ return -ENOMSG;
		39	+#endif
		40	}
		41
		42	static bool lease_equal(const sd_dhcp_lease a, const sd_dhcp_lease b) {


diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch new file mode 100644 index 0000000000..e92d721d3d --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
@@ -0,0 +1,67 @@
		1	Backport of:
		2
		3	From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
		4	From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
		5	Date: Wed, 23 Jun 2021 11:46:41 +0200
		6	Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
		7
		8	The path may have unbounded length, for example through a fuse mount.
		9
		10	CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
		11	ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
		12	and each mountpoint is passed to mount_setup_unit(), which calls
		13	unit_name_path_escape() underneath. A local attacker who is able to mount a
		14	filesystem with a very long path can crash systemd and the whole system.
		15
		16	https://bugzilla.redhat.com/show_bug.cgi?id=1970887
		17
		18	The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
		19	can't easily check the length after simplification before doing the
		20	simplification, which in turns uses a copy of the string we can write to.
		21	So we can't reject paths that are too long before doing the duplication.
		22	Hence the most obvious solution is to switch back to strdup(), as before
		23	7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
		24
		25	Upstream-Status: Backport [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
		26	CVE: CVE-2021-33910
		27
		28	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		29
		30	---
		31	src/basic/unit-name.c \| 13 +++++--------
		32	1 file changed, 5 insertions(+), 8 deletions(-)
		33
		34	--- a/src/basic/unit-name.c
		35	+++ b/src/basic/unit-name.c
		36	@@ -369,12 +369,13 @@ int unit_name_unescape(const char f, char *ret) {
		37	}
		38
		39	int unit_name_path_escape(const char f, char *ret) {
		40	- char p, s;
		41	+ _cleanup_free_ char *p = NULL;
		42	+ char *s;
		43
		44	assert(f);
		45	assert(ret);
		46
		47	- p = strdupa(f);
		48	+ p = strdup(f);
		49	if (!p)
		50	return -ENOMEM;
		51
		52	@@ -386,13 +387,9 @@ int unit_name_path_escape(const char f, char *ret) {
		53	if (!path_is_normalized(p))
		54	return -EINVAL;
		55
		56	- /* Truncate trailing slashes */
		57	+ /* Truncate trailing slashes and skip leading slashes */
		58	delete_trailing_chars(p, "/");
		59	-
		60	- /* Truncate leading slashes */
		61	- p = skip_leading_chars(p, "/");
		62	-
		63	- s = unit_name_escape(p);
		64	+ s = unit_name_escape(skip_leading_chars(p, "/"));
		65	}
		66	if (!s)
		67	return -ENOMEM;


diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb index 8c95648ca0..7a7eddcd45 100644 --- a/meta/recipes-core/systemd/systemd_244.5.bb +++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -20,6 +20,8 @@ SRC_URI += "file://touchscreen.rules \
20	file://99-default.preset \	20	file://99-default.preset \
21	file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \	21	file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
22	file://0003-implment-systemd-sysv-install-for-OE.patch \	22	file://0003-implment-systemd-sysv-install-for-OE.patch \
		23	file://CVE-2021-33910.patch \
		24	file://CVE-2020-13529.patch \
23	"	25	"
24		26
25	# patches needed by musl	27	# patches needed by musl