Accepting request 109922 from Base:System
- Add 0001-util-never-follow-symlinks-in-rm_rf_children.patch: fix
CVE-2012-1174 (bnc#752281).
- Update to version 43:
+ Support optional initialization of the machine ID from the KVM
or container configured UUID.
+ Support immediate reboots with "systemctl reboot -ff"
+ Show /etc/os-release data in systemd-analyze output
+ Many bugfixes for the journal, including endianness fixes and
ensuring that disk space enforcement works
+ non-UTF8 strings are refused if used in configuration and unit
files.
+ Register Mimo USB Screens as suitable for automatic seat
configuration
+ Reorder configuration file lookup order. /etc now always
overrides /run.
+ manpages for journal utilities.
- Drop fix-c++-compat.patch, no-tmpfs-fsck.patch,
systemd-journald-fix-endianess-bug.patch.
- Requires util-linux >= 2.21 (needed to fix fsck on tmpfs).
old: openSUSE:Factory/systemd
new: Base:System/systemd rev None
Index: systemd-gtk.changes
===================================================================
--- systemd-gtk.changes (revision 92)
+++ systemd-gtk.changes (revision 260)
@@ -1,4 +1,31 @@
-------------------------------------------------------------------
+Mon Mar 19 10:11:23 UTC 2012 - fcrozat@suse.com
+
+- Add 0001-util-never-follow-symlinks-in-rm_rf_children.patch: fix
+ CVE-2012-1174 (bnc#752281).
+
+-------------------------------------------------------------------
+Fri Mar 16 09:21:54 UTC 2012 - fcrozat@suse.com
+
+- Update to version 43:
+ + Support optional initialization of the machine ID from the KVM
+ or container configured UUID.
+ + Support immediate reboots with "systemctl reboot -ff"
+ + Show /etc/os-release data in systemd-analyze output
+ + Many bugfixes for the journal, including endianess fixes and
+ ensuring that disk space enforcement works
+ + non-UTF8 strings are refused if used in configuration and unit
+ files.
+ + Register Mimo USB Screens as suitable for automatic seat
+ configuration
+ + Reorder configuration file lookup order. /etc now always
+ overrides /run.
+ + manpages for journal utilities.
+- Drop fix-c++-compat.patch, no-tmpfs-fsck.patch,
+ systemd-journald-fix-endianess-bug.patch.
+- Requires util-linux >= 2.21 (needed to fix fsck on tmpfs).
+
+-------------------------------------------------------------------
Mon Mar 12 08:50:36 UTC 2012 - fcrozat@suse.com
- Add fix-c++-compat.patch: fix C++ compatibility error in header.
Index: systemd-gtk.spec
===================================================================
--- systemd-gtk.spec (revision 92)
+++ systemd-gtk.spec (revision 260)
@@ -18,7 +18,7 @@
Name: systemd-gtk
Url: http://www.freedesktop.org/wiki/Software/systemd
-Version: 43
+Version: 44
Release: 0
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: audit-devel
Index: systemd.changes
===================================================================
--- systemd.changes (revision 92)
+++ systemd.changes (revision 260)
@@ -1,4 +1,31 @@
-------------------------------------------------------------------
+Mon Mar 19 10:11:23 UTC 2012 - fcrozat@suse.com
+
+- Add 0001-util-never-follow-symlinks-in-rm_rf_children.patch: fix
+ CVE-2012-1174 (bnc#752281).
+
+-------------------------------------------------------------------
+Fri Mar 16 09:21:54 UTC 2012 - fcrozat@suse.com
+
+- Update to version 43:
+ + Support optional initialization of the machine ID from the KVM
+ or container configured UUID.
+ + Support immediate reboots with "systemctl reboot -ff"
+ + Show /etc/os-release data in systemd-analyze output
+ + Many bugfixes for the journal, including endianess fixes and
+ ensuring that disk space enforcement works
+ + non-UTF8 strings are refused if used in configuration and unit
+ files.
+ + Register Mimo USB Screens as suitable for automatic seat
+ configuration
+ + Reorder configuration file lookup order. /etc now always
+ overrides /run.
+ + manpages for journal utilities.
+- Drop fix-c++-compat.patch, no-tmpfs-fsck.patch,
+ systemd-journald-fix-endianess-bug.patch.
+- Requires util-linux >= 2.21 (needed to fix fsck on tmpfs).
+
+-------------------------------------------------------------------
Mon Mar 12 08:50:36 UTC 2012 - fcrozat@suse.com
- Add fix-c++-compat.patch: fix C++ compatibility error in header.
Index: systemd.spec
===================================================================
--- systemd.spec (revision 92)
+++ systemd.spec (revision 260)
@@ -20,7 +20,7 @@
Name: systemd
Url: http://www.freedesktop.org/wiki/Software/systemd
-Version: 43
+Version: 44
Release: 0
Summary: A System and Session Manager
License: GPL-2.0+
@@ -52,7 +52,7 @@
Requires: pam-config >= 0.79-5
Requires: systemd-presets-branding
Requires: udev >= 172
-Requires: util-linux >= 2.19
+Requires: util-linux >= 2.21
Recommends: dbus-1-python
Conflicts: filesystem < 11.5
Conflicts: mkinitrd < 2.7.0
@@ -86,9 +86,7 @@
# Never add any patches to this package without the upstream commit id
# in the patch. Any patches added here without a very good reason to make
# an exception will be silently removed with the next version update.
-Patch21: no-tmpfs-fsck.patch
-Patch40: systemd-journald-fix-endianess-bug.patch
-Patch41: fix-c++-compat.patch
+Patch40: 0001-util-never-follow-symlinks-in-rm_rf_children.patch
%description
Systemd is a system and service manager, compatible with SysV and LSB
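Review bot: The new `Patch40:` line reuses the number of a dropped patch and has no comment tying it to the security fix, even though the comment block directly above demands traceability for every patch. The patch file itself does carry the upstream commit id in its `From 5ebff5337594d690b322078c512eb222d34aaa82` line, so the rule is met, but a reader of the spec cannot see that; a line such as `# PATCH-FIX-UPSTREAM CVE-2012-1174 bnc#752281 (upstream 5ebff533)` above `Patch40:` would make it visible. The `%patch40 -p1` context line further down still applies whatever file carries that number, which is why the reuse works but is easy to misread in history. Separately, this spec sets `Version: 44` and the tarball is systemd-44.tar.xz, while the added changelog entry reads "Update to version 43"; one of the two looks wrong and is worth confirming.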
@@ -139,7 +137,6 @@
%patch15 -p1
%patch16 -p1
%patch19 -p1
-%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
@@ -149,7 +146,6 @@
%patch38 -p1
%patch39 -p1
%patch40 -p1
-%patch41 -p1
%build
autoreconf -fiv
Index: 0001-util-never-follow-symlinks-in-rm_rf_children.patch
===================================================================
--- 0001-util-never-follow-symlinks-in-rm_rf_children.patch (added)
+++ 0001-util-never-follow-symlinks-in-rm_rf_children.patch (revision 260)
@@ -0,0 +1,32 @@
+From 5ebff5337594d690b322078c512eb222d34aaa82 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Fri, 2 Mar 2012 10:39:10 +0100
+Subject: [PATCH] util: never follow symlinks in rm_rf_children()
+
+The function checks if the entry is a directory before recursing, but
+there is a window between the check and the open, during which the
+directory could be replaced with a symlink.
+
+CVE-2012-1174
+https://bugzilla.redhat.com/show_bug.cgi?id=803358
+---
+ src/util.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index 20cbc2b..dfc1dc6 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -3593,7 +3593,8 @@ static int rm_rf_children(int fd, bool only_dirs, bool honour_sticky) {
+ if (is_dir) {
+ int subdir_fd;
+
+- if ((subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)) < 0) {
++ subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW);
++ if (subdir_fd < 0) {
+ if (ret == 0 && errno != ENOENT)
+ ret = -errno;
+ continue;
+--
+1.7.7
+
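Review bot: The rewritten `openat()` call gains `O_NOFOLLOW` without a comment, and that flag is the entire fix: it is what keeps the recursion from entering a symlink swapped in after the `is_dir` check. A one-line comment above the call, such as `/* O_NOFOLLOW: the entry may have become a symlink since the is_dir check (CVE-2012-1174) */`, would keep a later cleanup from dropping the flag. When the race is lost the open now fails, and the visible error path stores `-errno` in `ret` and `continue`s, so the entry is skipped rather than removed; whether callers treat that return value as a failure cannot be seen from here. The body of rm_rf_children() starts and ends outside this hunk.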
Index: systemd-44.tar.xz
===================================================================
Binary files systemd-44.tar.xz (revision 260) added
Index: fix-c++-compat.patch
===================================================================
--- fix-c++-compat.patch (revision 92)
+++ fix-c++-compat.patch (deleted)
@@ -1,25 +0,0 @@
-From e09a9a35a1fdb4e849e63bdaf47d936c272b5e82 Mon Sep 17 00:00:00 2001
-From: Lennart Poettering <lennart@poettering.net>
-Date: Mon, 5 Mar 2012 15:16:10 +0100
-Subject: [PATCH] sd-login: c++ compatibility
-
----
- src/systemd/sd-login.h | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/src/systemd/sd-login.h b/src/systemd/sd-login.h
-index 2f3c90c..6e99cfc 100644
---- a/src/systemd/sd-login.h
-+++ b/src/systemd/sd-login.h
-@@ -94,7 +94,7 @@ int sd_session_get_service(const char *session, char **service);
- int sd_session_get_type(const char *session, char **type);
-
- /* Determine the class of this session, i.e. one of "user", "greeter" or "lock-screen". */
--int sd_session_get_class(const char *session, char **class);
-+int sd_session_get_class(const char *session, char **clazz);
-
- /* Determine the X11 display of this session. */
- int sd_session_get_display(const char *session, char **display);
---
-1.7.7
-
Index: no-tmpfs-fsck.patch
===================================================================
--- no-tmpfs-fsck.patch (revision 92)
+++ no-tmpfs-fsck.patch (deleted)
@@ -1,22 +0,0 @@
-From cca125c2758b48ba8f1afdc4b5751b104f0bd809 Mon Sep 17 00:00:00 2001
-From: Frederic Crozat <fcrozat@suse.com>
-Date: Thu, 27 Oct 2011 15:36:57 +0200
-Subject: [PATCH] mount: do not try to fsck tmpfs mountpoint with non-null
- passno.
-
----
- src/mount.c | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-Index: systemd-39/src/mount.c
-===================================================================
---- systemd-39.orig/src/mount.c
-+++ systemd-39/src/mount.c
-@@ -428,6 +428,7 @@ static int mount_add_device_links(Mount
-
- if (p->passno > 0 &&
- !mount_is_bind(p) &&
-+ !streq(p->fstype,"tmpfs") &&
- UNIT(m)->manager->running_as == MANAGER_SYSTEM &&
- !path_equal(m->where, "/")) {
- char *name;
Index: systemd-43.tar.xz
===================================================================
Binary files systemd-43.tar.xz (revision 92) deleted
Index: systemd-journald-fix-endianess-bug.patch
===================================================================
--- systemd-journald-fix-endianess-bug.patch (revision 92)
+++ systemd-journald-fix-endianess-bug.patch (deleted)
@@ -1,25 +0,0 @@
-From 8dc6b88fd2dad113d7dab776d623d7b301e4b754 Mon Sep 17 00:00:00 2001
-From: Dirk Eibach <eibach@gdsys.de>
-Date: Wed, 29 Feb 2012 12:45:46 +0100
-Subject: [PATCH] systemd-journald: fix endianess bug
-
----
- src/journal/journal-file.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c
-index 20ca3f6..275caea 100644
---- a/src/journal/journal-file.c
-+++ b/src/journal/journal-file.c
-@@ -238,7 +238,7 @@ static int journal_file_allocate(JournalFile *f, uint64_t offset, uint64_t size)
- if (fstat(f->fd, &f->last_stat) < 0)
- return -errno;
-
-- f->header->arena_size = new_size - htole64(f->header->arena_offset);
-+ f->header->arena_size = htole64(new_size - le64toh(f->header->arena_offset));
-
- return 0;
- }
---
-1.7.7
-
OBS-URL: https://build.opensuse.org/request/show/109922
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/systemd?expand=0&rev=93
2012-03-20 12:04:45 +01:00
From 5ebff5337594d690b322078c512eb222d34aaa82 Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Fri, 2 Mar 2012 10:39:10 +0100
Subject: [PATCH] util: never follow symlinks in rm_rf_children()
The function checks if the entry is a directory before recursing, but
there is a window between the check and the open, during which the
directory could be replaced with a symlink.
CVE-2012-1174
https://bugzilla.redhat.com/show_bug.cgi?id=803358
---
src/util.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/src/util.c b/src/util.c
index 20cbc2b..dfc1dc6 100644
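--- a/src/util.c
+++ b/src/util.c
@@ -3593,7 +3593,8 @@ static int rm_rf_children(int fd, bool only_dirs, bool honour_sticky) {
 if (is_dir) {
 int subdir_fd;
 
- if ((subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)) < 0) {
+ subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW);
+ if (subdir_fd < 0) {
 if (ret == 0 && errno != ENOENT)
 ret = -errno;
 continue;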
--
1.7.7
2012-04-03 17:38:59 +02:00
From c9d8629baa09f853fbcc44972c9748e70562270c Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 22 Mar 2012 01:43:36 +0100
Subject: [PATCH] logind: extend comment about X11 socket symlink
---
src/login/logind-session.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/src/login/logind-session.c b/src/login/logind-session.c
index af9c12d..4e0af86 100644
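--- a/src/login/logind-session.c
+++ b/src/login/logind-session.c
@@ -391,6 +391,10 @@ static int session_link_x11_socket(Session *s) {
 return -ENOENT;
 }
 
+ /* Note that this cannot be in a subdir to avoid
+ * vulnerabilities since we are privileged but the runtime
+ * path is owned by the user */
+
 t = strappend(s->user->runtime_path, "/X11-display");
 if (!t) {
 log_error("Out of memory");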
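Review bot: The comment added in session_link_x11_socket() says a subdirectory would lead to "vulnerabilities" but never names the mechanism, which is the part a later maintainer needs in order not to move the path. If the concern is that the user, owning the runtime directory, could replace an intermediate directory with a symlink while a privileged process creates something beneath it, the comment should say so, e.g. `/* Keep this directly in the runtime dir: the user owns it and could swap any subdirectory for a symlink under us */`. The final component `"/X11-display"` still lives in a user-owned directory, so how the link is created and replaced deserves the same care, but that code is outside this hunk. The function starts and ends outside the hunk.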
--
1.7.7