diff --git a/1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch b/1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch deleted file mode 100644 index a6f54db..0000000 --- a/1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch +++ /dev/null @@ -1,67 +0,0 @@ -From f636948448bd8a3588388d21dad737a079266392 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 23 Jun 2021 11:46:41 +0200 -Subject: [PATCH 1002/1003] basic/unit-name: do not use strdupa() on a path - -The path may have unbounded length, for example through a fuse mount. - -CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and -ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo -and each mountpoint is passed to mount_setup_unit(), which calls -unit_name_path_escape() underneath. A local attacker who is able to mount a -filesystem with a very long path can crash systemd and the whole system. - -https://bugzilla.redhat.com/show_bug.cgi?id=1970887 - -The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we -can't easily check the length after simplification before doing the -simplification, which in turns uses a copy of the string we can write to. -So we can't reject paths that are too long before doing the duplication. -Hence the most obvious solution is to switch back to strdup(), as before -7410616cd9dbbec97cf98d75324da5cda2b2f7a2. - -[fbui: fixes bsc#1188063] -[fbui: fixes CVE-2021-33910] ---- - src/basic/unit-name.c | 13 +++++-------- - 1 file changed, 5 insertions(+), 8 deletions(-) - -diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c -index 85dcba6cb7..46b24f2d9e 100644 ---- a/src/basic/unit-name.c -+++ b/src/basic/unit-name.c -@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) { - } - - int unit_name_path_escape(const char *f, char **ret) { -- char *p, *s; -+ _cleanup_free_ char *p = NULL; -+ char *s; - - assert(f); - assert(ret); - -- p = strdupa(f); -+ p = strdup(f); - if (!p) - return -ENOMEM; - -@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) { - if (!path_is_normalized(p)) - return -EINVAL; - -- /* Truncate trailing slashes */ -+ /* Truncate trailing slashes and skip leading slashes */ - delete_trailing_chars(p, "/"); -- -- /* Truncate leading slashes */ -- p = skip_leading_chars(p, "/"); -- -- s = unit_name_escape(p); -+ s = unit_name_escape(skip_leading_chars(p, "/")); - } - if (!s) - return -ENOMEM; --- -2.26.2 - diff --git a/systemd-mini.changes b/systemd-mini.changes index 53767ea..21c85b4 100644 --- a/systemd-mini.changes +++ b/systemd-mini.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Tue Jul 20 15:51:47 UTC 2021 - Franck Bui + +- Import commit cb29bcc5ef2c0ee659686c5d229646a6ba98ec50 (merge of v248.5) + + 4a1c5f34bd basic/unit-name: do not use strdupa() on a path (bsc#1188063 CVE-2021-33910) + [...] + + For a complete list of changes, visit: + https://github.com/openSUSE/systemd/compare/94efce2ee59fca15a48ff9c232c8dd7cf930c0a0...cb29bcc5ef2c0ee659686c5d229646a6ba98ec50 + +- Drop 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch as it + was merged in v248.5. + ------------------------------------------------------------------- Tue Jul 20 15:25:38 UTC 2021 - Franck Bui diff --git a/systemd-mini.spec b/systemd-mini.spec index 6cf06ec..90ca6d3 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec @@ -26,7 +26,7 @@ ##### WARNING: please do not edit this auto generated spec file. Use the systemd.spec! ##### %define mini -mini %define min_kernel_version 4.5 -%define suse_version +suse.40.g94efce2ee5 +%define suse_version +suse.42.gcb29bcc5ef %bcond_with gnuefi %if 0%{?bootstrap} @@ -58,7 +58,7 @@ Name: systemd-mini URL: http://www.freedesktop.org/wiki/Software/systemd -Version: 248.4 +Version: 248.5 Release: 0 Summary: A System and Session Manager License: LGPL-2.1-or-later @@ -196,11 +196,7 @@ Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch # temporary and should be removed as soon as a fix is merged by # upstream. Patch100: 0001-Revert-core-prevent-excessive-proc-self-mountinfo-pa.patch - -# Patches for bsc#1188063/CVE-2021-33910. They will be moved to the -# git repo once the bug will become public. -Patch1002: 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch -Patch1003: 1003-basic-unit-name-adjust-comments.patch +Patch101: 1003-basic-unit-name-adjust-comments.patch %description Systemd is a system and service manager, compatible with SysV and LSB diff --git a/systemd-v248.4+suse.40.g94efce2ee5.tar.xz b/systemd-v248.4+suse.40.g94efce2ee5.tar.xz deleted file mode 100644 index d2145af..0000000 --- a/systemd-v248.4+suse.40.g94efce2ee5.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:8cacf34cb67237b28635297628399b4945c7240dccc35efdd355b264ccd6f9e5 -size 7122072 diff --git a/systemd-v248.5+suse.42.gcb29bcc5ef.tar.xz b/systemd-v248.5+suse.42.gcb29bcc5ef.tar.xz new file mode 100644 index 0000000..788dd3f --- /dev/null +++ b/systemd-v248.5+suse.42.gcb29bcc5ef.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d9924c8244a6ddc88c345b62356b8a992915cd9073d05271c8b0f9a487b55b87 +size 7121780 diff --git a/systemd.changes b/systemd.changes index 53767ea..21c85b4 100644 --- a/systemd.changes +++ b/systemd.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Tue Jul 20 15:51:47 UTC 2021 - Franck Bui + +- Import commit cb29bcc5ef2c0ee659686c5d229646a6ba98ec50 (merge of v248.5) + + 4a1c5f34bd basic/unit-name: do not use strdupa() on a path (bsc#1188063 CVE-2021-33910) + [...] + + For a complete list of changes, visit: + https://github.com/openSUSE/systemd/compare/94efce2ee59fca15a48ff9c232c8dd7cf930c0a0...cb29bcc5ef2c0ee659686c5d229646a6ba98ec50 + +- Drop 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch as it + was merged in v248.5. + ------------------------------------------------------------------- Tue Jul 20 15:25:38 UTC 2021 - Franck Bui diff --git a/systemd.spec b/systemd.spec index 6d6ac75..6cdd8b8 100644 --- a/systemd.spec +++ b/systemd.spec @@ -24,7 +24,7 @@ %define bootstrap 0 %define mini %nil %define min_kernel_version 4.5 -%define suse_version +suse.40.g94efce2ee5 +%define suse_version +suse.42.gcb29bcc5ef %bcond_with gnuefi %if 0%{?bootstrap} @@ -56,7 +56,7 @@ Name: systemd URL: http://www.freedesktop.org/wiki/Software/systemd -Version: 248.4 +Version: 248.5 Release: 0 Summary: A System and Session Manager License: LGPL-2.1-or-later @@ -194,11 +194,7 @@ Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch # temporary and should be removed as soon as a fix is merged by # upstream. Patch100: 0001-Revert-core-prevent-excessive-proc-self-mountinfo-pa.patch - -# Patches for bsc#1188063/CVE-2021-33910. They will be moved to the -# git repo once the bug will become public. -Patch1002: 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch -Patch1003: 1003-basic-unit-name-adjust-comments.patch +Patch101: 1003-basic-unit-name-adjust-comments.patch %description Systemd is a system and service manager, compatible with SysV and LSB