2 files changed, 97 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch
new file mode 100644
index 0000000000..7b5e3e7f7a
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch
@@ -0,0 +1,96 @@
+From 156a5fd297b61bce31630d7a52c15614bf784843 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sun, 31 May 2020 18:21:09 +0200
+Subject: [PATCH 1/1] basic/user-util: always use base 10 for user/group
+ numbers
+We would parse numbers with base prefixes as user identifiers. For example,
+"0x2b3bfa0" would be interpreted as UID==45334432 and "01750" would be
+interpreted as UID==1000. This parsing was used also in cases where either a
+user/group name or number may be specified. This means that names like
+0x2b3bfa0 would be ambiguous: they are a valid user name according to our
+documented relaxed rules, but they would also be parsed as numeric uids.
+This behaviour is definitely not expected by users, since tools generally only
+accept decimal numbers (e.g. id, getent passwd), while other tools only accept
+user names and thus will interpret such strings as user names without even
+attempting to convert them to numbers (su, ssh). So let's follow suit and only
+accept numbers in decimal notation. Effectively this means that we will reject
+such strings as a username/uid/groupname/gid where strict mode is used, and try
+to look up a user/group with such a name in relaxed mode.
+Since the function changed is fairly low-level and fairly widely used, this
+affects multiple tools: loginctl show-user/enable-linger/disable-linger foo',
+the third argument in sysusers.d, fourth and fifth arguments in tmpfiles.d,
+etc.
+Fixes #15985.
+---
+ src/basic/user-util.c     |  2 +-
+ src/test/test-user-util.c | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+--- end of commit 156a5fd297b61bce31630d7a52c15614bf784843 ---
+Add definition of safe_atou32_full() from commit b934ac3d6e7dcad114776ef30ee9098693e7ab7e
+CVE: CVE-2020-13776
+Upstream-Status: Backport [https://github.com/systemd/systemd.git]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+--- git.orig/src/basic/user-util.c
+++ git/src/basic/user-util.c
+@@ -49,7 +49,7 @@ int parse_uid(const char *s, uid_t *ret)
+         assert(s);
+ 
+         assert_cc(sizeof(uid_t) == sizeof(uint32_t));
+-        r = safe_atou32(s, &uid);
+        r = safe_atou32_full(s, 10, &uid);
+         if (r < 0)
+                 return r;
+ 
+--- git.orig/src/test/test-user-util.c
+++ git/src/test/test-user-util.c
+@@ -48,9 +48,19 @@ static void test_parse_uid(void) {
+ 
+         r = parse_uid("65535", &uid);
+         assert_se(r == -ENXIO);
+        assert_se(uid == 100);
+
+        r = parse_uid("0x1234", &uid);
+        assert_se(r == -EINVAL);
+        assert_se(uid == 100);
+
+        r = parse_uid("01234", &uid);
+        assert_se(r == 0);
+        assert_se(uid == 1234);
+ 
+         r = parse_uid("asdsdas", &uid);
+         assert_se(r == -EINVAL);
+        assert_se(uid == 1234);
+ }
+ 
+ static void test_uid_ptr(void) {
+--- git.orig/src/basic/parse-util.h
+++ git/src/basic/parse-util.h
+@@ -45,9 +45,13 @@ static inline int safe_atoux16(const cha
+ 
+ int safe_atoi16(const char *s, int16_t *ret);
+ 
+-static inline int safe_atou32(const char *s, uint32_t *ret_u) {
+static inline int safe_atou32_full(const char *s, unsigned base, uint32_t *ret_u) {
+         assert_cc(sizeof(uint32_t) == sizeof(unsigned));
+-        return safe_atou(s, (unsigned*) ret_u);
+        return safe_atou_full(s, base, (unsigned*) ret_u);
+}
+
+static inline int safe_atou32(const char *s, uint32_t *ret_u) {
+        return safe_atou32_full(s, 0, (unsigned*) ret_u);
+ }
+ 
+ static inline int safe_atoi32(const char *s, int32_t *ret_i) {
diff --git a/meta/recipes-core/systemd/systemd_243.2.bb b/meta/recipes-core/systemd/systemd_243.2.bb
index 082eb4c384..905348176c 100644
--- a/meta/recipes-core/systemd/systemd_243.2.bb
+++ b/meta/recipes-core/systemd/systemd_243.2.bb
@@ -25,6 +25,7 @@ SRC_URI += "file://touchscreen.rules \
           file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \
           file://99-default.preset \
           file://0001-Merge-branch-polkit-ref-count.patch \
+           file://CVE-2020-13776.patch \
           "
 # patches needed by musl

diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch new file mode 100644 index 0000000000..7b5e3e7f7a --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch
@@ -0,0 +1,96 @@
		1	From 156a5fd297b61bce31630d7a52c15614bf784843 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
		3	Date: Sun, 31 May 2020 18:21:09 +0200
		4	Subject: [PATCH 1/1] basic/user-util: always use base 10 for user/group
		5	numbers
		6
		7	We would parse numbers with base prefixes as user identifiers. For example,
		8	"0x2b3bfa0" would be interpreted as UID==45334432 and "01750" would be
		9	interpreted as UID==1000. This parsing was used also in cases where either a
		10	user/group name or number may be specified. This means that names like
		11	0x2b3bfa0 would be ambiguous: they are a valid user name according to our
		12	documented relaxed rules, but they would also be parsed as numeric uids.
		13
		14	This behaviour is definitely not expected by users, since tools generally only
		15	accept decimal numbers (e.g. id, getent passwd), while other tools only accept
		16	user names and thus will interpret such strings as user names without even
		17	attempting to convert them to numbers (su, ssh). So let's follow suit and only
		18	accept numbers in decimal notation. Effectively this means that we will reject
		19	such strings as a username/uid/groupname/gid where strict mode is used, and try
		20	to look up a user/group with such a name in relaxed mode.
		21
		22	Since the function changed is fairly low-level and fairly widely used, this
		23	affects multiple tools: loginctl show-user/enable-linger/disable-linger foo',
		24	the third argument in sysusers.d, fourth and fifth arguments in tmpfiles.d,
		25	etc.
		26
		27	Fixes #15985.
		28	---
		29	src/basic/user-util.c \| 2 +-
		30	src/test/test-user-util.c \| 10 ++++++++++
		31	2 files changed, 11 insertions(+), 1 deletion(-)
		32
		33	--- end of commit 156a5fd297b61bce31630d7a52c15614bf784843 ---
		34
		35
		36	Add definition of safe_atou32_full() from commit b934ac3d6e7dcad114776ef30ee9098693e7ab7e
		37
		38	CVE: CVE-2020-13776
		39
		40	Upstream-Status: Backport [https://github.com/systemd/systemd.git]
		41
		42	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		43
		44
		45
		46	--- git.orig/src/basic/user-util.c
		47	+++ git/src/basic/user-util.c
		48	@@ -49,7 +49,7 @@ int parse_uid(const char s, uid_t ret)
		49	assert(s);
		50
		51	assert_cc(sizeof(uid_t) == sizeof(uint32_t));
		52	- r = safe_atou32(s, &uid);
		53	+ r = safe_atou32_full(s, 10, &uid);
		54	if (r < 0)
		55	return r;
		56
		57	--- git.orig/src/test/test-user-util.c
		58	+++ git/src/test/test-user-util.c
		59	@@ -48,9 +48,19 @@ static void test_parse_uid(void) {
		60
		61	r = parse_uid("65535", &uid);
		62	assert_se(r == -ENXIO);
		63	+ assert_se(uid == 100);
		64	+
		65	+ r = parse_uid("0x1234", &uid);
		66	+ assert_se(r == -EINVAL);
		67	+ assert_se(uid == 100);
		68	+
		69	+ r = parse_uid("01234", &uid);
		70	+ assert_se(r == 0);
		71	+ assert_se(uid == 1234);
		72
		73	r = parse_uid("asdsdas", &uid);
		74	assert_se(r == -EINVAL);
		75	+ assert_se(uid == 1234);
		76	}
		77
		78	static void test_uid_ptr(void) {
		79	--- git.orig/src/basic/parse-util.h
		80	+++ git/src/basic/parse-util.h
		81	@@ -45,9 +45,13 @@ static inline int safe_atoux16(const cha
		82
		83	int safe_atoi16(const char s, int16_t ret);
		84
		85	-static inline int safe_atou32(const char s, uint32_t ret_u) {
		86	+static inline int safe_atou32_full(const char s, unsigned base, uint32_t ret_u) {
		87	assert_cc(sizeof(uint32_t) == sizeof(unsigned));
		88	- return safe_atou(s, (unsigned*) ret_u);
		89	+ return safe_atou_full(s, base, (unsigned*) ret_u);
		90	+}
		91	+
		92	+static inline int safe_atou32(const char s, uint32_t ret_u) {
		93	+ return safe_atou32_full(s, 0, (unsigned*) ret_u);
		94	}
		95
		96	static inline int safe_atoi32(const char s, int32_t ret_i) {


diff --git a/meta/recipes-core/systemd/systemd_243.2.bb b/meta/recipes-core/systemd/systemd_243.2.bb index 082eb4c384..905348176c 100644 --- a/meta/recipes-core/systemd/systemd_243.2.bb +++ b/meta/recipes-core/systemd/systemd_243.2.bb
@@ -25,6 +25,7 @@ SRC_URI += "file://touchscreen.rules \
25	file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \	25	file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \
26	file://99-default.preset \	26	file://99-default.preset \
27	file://0001-Merge-branch-polkit-ref-count.patch \	27	file://0001-Merge-branch-polkit-ref-count.patch \
		28	file://CVE-2020-13776.patch \
28	"	29	"
29		30
30	# patches needed by musl	31	# patches needed by musl