- Import commit cb29bcc5ef2c0ee659686c5d229646a6ba98ec50 (merge of v248.5)

4a1c5f34bd basic/unit-name: do not use strdupa() on a path (bsc#1188063 CVE-2021-33910)
  [...]
  For a complete list of changes, visit:
  94efce2ee5...cb29bcc5ef
- Drop 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch as it
  was merged in v248.5.

OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1172
Franck Bui 2021-07-20 16:05:37 +00:00 committed by Git OBS Bridge
parent 40db07fd11
commit d7d502c3a5
7 changed files with 37 additions and 84 deletions

@ -1,67 +0,0 @@
From f636948448bd8a3588388d21dad737a079266392 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 23 Jun 2021 11:46:41 +0200
Subject: [PATCH 1002/1003] basic/unit-name: do not use strdupa() on a path
The path may have unbounded length, for example through a fuse mount.
CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
and each mountpoint is passed to mount_setup_unit(), which calls
unit_name_path_escape() underneath. A local attacker who is able to mount a
filesystem with a very long path can crash systemd and the whole system.
https://bugzilla.redhat.com/show_bug.cgi?id=1970887
The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
can't easily check the length after simplification before doing the
simplification, which in turns uses a copy of the string we can write to.
So we can't reject paths that are too long before doing the duplication.
Hence the most obvious solution is to switch back to strdup(), as before
7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
[fbui: fixes bsc#1188063]
[fbui: fixes CVE-2021-33910]
---
src/basic/unit-name.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
index 85dcba6cb7..46b24f2d9e 100644
--- a/src/basic/unit-name.c
+++ b/src/basic/unit-name.c
@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
}
int unit_name_path_escape(const char *f, char **ret) {
- char *p, *s;
+ _cleanup_free_ char *p = NULL;
+ char *s;
assert(f);
assert(ret);
- p = strdupa(f);
+ p = strdup(f);
if (!p)
return -ENOMEM;
@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) {
if (!path_is_normalized(p))
return -EINVAL;
- /* Truncate trailing slashes */
+ /* Truncate trailing slashes and skip leading slashes */
delete_trailing_chars(p, "/");
-
- /* Truncate leading slashes */
- p = skip_leading_chars(p, "/");
-
- s = unit_name_escape(p);
+ s = unit_name_escape(skip_leading_chars(p, "/"));
}
if (!s)
return -ENOMEM;
--
2.26.2
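
Review bot: at `s = unit_name_escape(skip_leading_chars(p, "/"));` the patch stops reassigning `p`, but nothing in the code says why. With `_cleanup_free_ char *p`, restoring the old `p = skip_leading_chars(p, "/");` would hand an interior pointer to free() on return, so a one-line comment at that call would protect the fix from a later tidy-up. Since this file is dropped on the grounds that v248.5 contains the change, it is also worth confirming that 4a1c5f34bd has this same shape, including the `if (!p)` check after `strdup(f)`, before relying on it.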

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Tue Jul 20 15:51:47 UTC 2021 - Franck Bui <fbui@suse.com>
- Import commit cb29bcc5ef2c0ee659686c5d229646a6ba98ec50 (merge of v248.5)
4a1c5f34bd basic/unit-name: do not use strdupa() on a path (bsc#1188063 CVE-2021-33910)
[...]
For a complete list of changes, visit:
https://github.com/openSUSE/systemd/compare/94efce2ee59fca15a48ff9c232c8dd7cf930c0a0...cb29bcc5ef2c0ee659686c5d229646a6ba98ec50
- Drop 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch as it
was merged in v248.5.
-------------------------------------------------------------------
Tue Jul 20 15:25:38 UTC 2021 - Franck Bui <fbui@suse.com>
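
Review bot: the new entry records dropping 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch but says nothing about 1003-basic-unit-name-adjust-comments.patch, which shows up in the spec hunks as both `Patch1003:` and `Patch101:` and so appears to be renumbered by this commit. Add a changelog line for that, and state whether 1003 is still needed on top of v248.5, given that it was carried under the same bsc#1188063/CVE-2021-33910 comment as 1002.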

@ -26,7 +26,7 @@
##### WARNING: please do not edit this auto generated spec file. Use the systemd.spec! #####
%define mini -mini
%define min_kernel_version 4.5
%define suse_version +suse.40.g94efce2ee5
%define suse_version +suse.42.gcb29bcc5ef
%bcond_with gnuefi
%if 0%{?bootstrap}
@ -58,7 +58,7 @@
Name: systemd-mini
URL: http://www.freedesktop.org/wiki/Software/systemd
Version: 248.4
Version: 248.5
Release: 0
Summary: A System and Session Manager
License: LGPL-2.1-or-later
@ -196,11 +196,7 @@ Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
# temporary and should be removed as soon as a fix is merged by
# upstream.
Patch100: 0001-Revert-core-prevent-excessive-proc-self-mountinfo-pa.patch
# Patches for bsc#1188063/CVE-2021-33910. They will be moved to the
# git repo once the bug will become public.
Patch1002: 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch
Patch1003: 1003-basic-unit-name-adjust-comments.patch
Patch101: 1003-basic-unit-name-adjust-comments.patch
%description
Systemd is a system and service manager, compatible with SysV and LSB

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8cacf34cb67237b28635297628399b4945c7240dccc35efdd355b264ccd6f9e5
size 7122072

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d9924c8244a6ddc88c345b62356b8a992915cd9073d05271c8b0f9a487b55b87
size 7121780
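
Review bot: the source archive changes here only as a Git LFS pointer (a new `oid sha256:` and `size 7121780`), and nothing in these lines ties that archive to the commit cb29bcc5ef2c0ee659686c5d229646a6ba98ec50 named in the changelog. Before accepting, regenerate the archive from that commit and compare its sha256 with the new oid, or record in the changelog how the archive was produced.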

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Tue Jul 20 15:51:47 UTC 2021 - Franck Bui <fbui@suse.com>
- Import commit cb29bcc5ef2c0ee659686c5d229646a6ba98ec50 (merge of v248.5)
4a1c5f34bd basic/unit-name: do not use strdupa() on a path (bsc#1188063 CVE-2021-33910)
[...]
For a complete list of changes, visit:
https://github.com/openSUSE/systemd/compare/94efce2ee59fca15a48ff9c232c8dd7cf930c0a0...cb29bcc5ef2c0ee659686c5d229646a6ba98ec50
- Drop 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch as it
was merged in v248.5.
-------------------------------------------------------------------
Tue Jul 20 15:25:38 UTC 2021 - Franck Bui <fbui@suse.com>

@ -24,7 +24,7 @@
%define bootstrap 0
%define mini %nil
%define min_kernel_version 4.5
%define suse_version +suse.40.g94efce2ee5
%define suse_version +suse.42.gcb29bcc5ef
%bcond_with gnuefi
%if 0%{?bootstrap}
@ -56,7 +56,7 @@
Name: systemd
URL: http://www.freedesktop.org/wiki/Software/systemd
Version: 248.4
Version: 248.5
Release: 0
Summary: A System and Session Manager
License: LGPL-2.1-or-later
@ -194,11 +194,7 @@ Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
# temporary and should be removed as soon as a fix is merged by
# upstream.
Patch100: 0001-Revert-core-prevent-excessive-proc-self-mountinfo-pa.patch
# Patches for bsc#1188063/CVE-2021-33910. They will be moved to the
# git repo once the bug will become public.
Patch1002: 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch
Patch1003: 1003-basic-unit-name-adjust-comments.patch
Patch101: 1003-basic-unit-name-adjust-comments.patch
%description
Systemd is a system and service manager, compatible with SysV and LSB
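
Review bot: `Patch101: 1003-basic-unit-name-adjust-comments.patch` is left without a comment of its own once the "Patches for bsc#1188063/CVE-2021-33910" lines go (reading the `-194,11 +194,7` counts as: the comment, Patch1002 and Patch1003 removed, Patch101 added). It now sits directly under the "temporary and should be removed as soon as a fix is merged by upstream" comment that belongs to Patch100, which misdescribes it. Add a short comment saying what Patch101 is for and when it can be dropped, and make the file name and the patch number agree (either rename the file or keep 1003). The same hunk appears in the systemd-mini spec, which is marked as generated from systemd.spec, so the fix belongs in this file.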