forked from pool/systemd
- Import commit cb29bcc5ef2c0ee659686c5d229646a6ba98ec50 (merge of v248.5)
4a1c5f34bd basic/unit-name: do not use strdupa() on a path (bsc#1188063 CVE-2021-33910)
[...]
For a complete list of changes, visit:
94efce2ee5...cb29bcc5ef
- Drop 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch as it
was merged in v248.5.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1172
This commit is contained in:
parent
40db07fd11
commit
d7d502c3a5
@ -1,67 +0,0 @@
|
|||||||
From f636948448bd8a3588388d21dad737a079266392 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
|
||||||
Date: Wed, 23 Jun 2021 11:46:41 +0200
|
|
||||||
Subject: [PATCH 1002/1003] basic/unit-name: do not use strdupa() on a path
|
|
||||||
|
|
||||||
The path may have unbounded length, for example through a fuse mount.
|
|
||||||
|
|
||||||
CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
|
|
||||||
ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
|
|
||||||
and each mountpoint is passed to mount_setup_unit(), which calls
|
|
||||||
unit_name_path_escape() underneath. A local attacker who is able to mount a
|
|
||||||
filesystem with a very long path can crash systemd and the whole system.
|
|
||||||
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=1970887
|
|
||||||
|
|
||||||
The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
|
|
||||||
can't easily check the length after simplification before doing the
|
|
||||||
simplification, which in turns uses a copy of the string we can write to.
|
|
||||||
So we can't reject paths that are too long before doing the duplication.
|
|
||||||
Hence the most obvious solution is to switch back to strdup(), as before
|
|
||||||
7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
|
|
||||||
|
|
||||||
[fbui: fixes bsc#1188063]
|
|
||||||
[fbui: fixes CVE-2021-33910]
|
|
||||||
---
|
|
||||||
src/basic/unit-name.c | 13 +++++--------
|
|
||||||
1 file changed, 5 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
|
|
||||||
index 85dcba6cb7..46b24f2d9e 100644
|
|
||||||
--- a/src/basic/unit-name.c
|
|
||||||
+++ b/src/basic/unit-name.c
|
|
||||||
@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
|
|
||||||
}
|
|
||||||
|
|
||||||
int unit_name_path_escape(const char *f, char **ret) {
|
|
||||||
- char *p, *s;
|
|
||||||
+ _cleanup_free_ char *p = NULL;
|
|
||||||
+ char *s;
|
|
||||||
|
|
||||||
assert(f);
|
|
||||||
assert(ret);
|
|
||||||
|
|
||||||
- p = strdupa(f);
|
|
||||||
+ p = strdup(f);
|
|
||||||
if (!p)
|
|
||||||
return -ENOMEM;
|
|
||||||
|
|
||||||
@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) {
|
|
||||||
if (!path_is_normalized(p))
|
|
||||||
return -EINVAL;
|
|
||||||
|
|
||||||
- /* Truncate trailing slashes */
|
|
||||||
+ /* Truncate trailing slashes and skip leading slashes */
|
|
||||||
delete_trailing_chars(p, "/");
|
|
||||||
-
|
|
||||||
- /* Truncate leading slashes */
|
|
||||||
- p = skip_leading_chars(p, "/");
|
|
||||||
-
|
|
||||||
- s = unit_name_escape(p);
|
|
||||||
+ s = unit_name_escape(skip_leading_chars(p, "/"));
|
|
||||||
}
|
|
||||||
if (!s)
|
|
||||||
return -ENOMEM;
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jul 20 15:51:47 UTC 2021 - Franck Bui <fbui@suse.com>
|
||||||
|
|
||||||
|
- Import commit cb29bcc5ef2c0ee659686c5d229646a6ba98ec50 (merge of v248.5)
|
||||||
|
|
||||||
|
4a1c5f34bd basic/unit-name: do not use strdupa() on a path (bsc#1188063 CVE-2021-33910)
|
||||||
|
[...]
|
||||||
|
|
||||||
|
For a complete list of changes, visit:
|
||||||
|
https://github.com/openSUSE/systemd/compare/94efce2ee59fca15a48ff9c232c8dd7cf930c0a0...cb29bcc5ef2c0ee659686c5d229646a6ba98ec50
|
||||||
|
|
||||||
|
- Drop 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch as it
|
||||||
|
was merged in v248.5.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Jul 20 15:25:38 UTC 2021 - Franck Bui <fbui@suse.com>
|
Tue Jul 20 15:25:38 UTC 2021 - Franck Bui <fbui@suse.com>
|
||||||
|
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
##### WARNING: please do not edit this auto generated spec file. Use the systemd.spec! #####
|
##### WARNING: please do not edit this auto generated spec file. Use the systemd.spec! #####
|
||||||
%define mini -mini
|
%define mini -mini
|
||||||
%define min_kernel_version 4.5
|
%define min_kernel_version 4.5
|
||||||
%define suse_version +suse.40.g94efce2ee5
|
%define suse_version +suse.42.gcb29bcc5ef
|
||||||
|
|
||||||
%bcond_with gnuefi
|
%bcond_with gnuefi
|
||||||
%if 0%{?bootstrap}
|
%if 0%{?bootstrap}
|
||||||
@ -58,7 +58,7 @@
|
|||||||
|
|
||||||
Name: systemd-mini
|
Name: systemd-mini
|
||||||
URL: http://www.freedesktop.org/wiki/Software/systemd
|
URL: http://www.freedesktop.org/wiki/Software/systemd
|
||||||
Version: 248.4
|
Version: 248.5
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: A System and Session Manager
|
Summary: A System and Session Manager
|
||||||
License: LGPL-2.1-or-later
|
License: LGPL-2.1-or-later
|
||||||
@ -196,11 +196,7 @@ Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
|
|||||||
# temporary and should be removed as soon as a fix is merged by
|
# temporary and should be removed as soon as a fix is merged by
|
||||||
# upstream.
|
# upstream.
|
||||||
Patch100: 0001-Revert-core-prevent-excessive-proc-self-mountinfo-pa.patch
|
Patch100: 0001-Revert-core-prevent-excessive-proc-self-mountinfo-pa.patch
|
||||||
|
Patch101: 1003-basic-unit-name-adjust-comments.patch
|
||||||
# Patches for bsc#1188063/CVE-2021-33910. They will be moved to the
|
|
||||||
# git repo once the bug will become public.
|
|
||||||
Patch1002: 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch
|
|
||||||
Patch1003: 1003-basic-unit-name-adjust-comments.patch
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Systemd is a system and service manager, compatible with SysV and LSB
|
Systemd is a system and service manager, compatible with SysV and LSB
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:8cacf34cb67237b28635297628399b4945c7240dccc35efdd355b264ccd6f9e5
|
|
||||||
size 7122072
|
|
3
systemd-v248.5+suse.42.gcb29bcc5ef.tar.xz
Normal file
3
systemd-v248.5+suse.42.gcb29bcc5ef.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:d9924c8244a6ddc88c345b62356b8a992915cd9073d05271c8b0f9a487b55b87
|
||||||
|
size 7121780
|
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jul 20 15:51:47 UTC 2021 - Franck Bui <fbui@suse.com>
|
||||||
|
|
||||||
|
- Import commit cb29bcc5ef2c0ee659686c5d229646a6ba98ec50 (merge of v248.5)
|
||||||
|
|
||||||
|
4a1c5f34bd basic/unit-name: do not use strdupa() on a path (bsc#1188063 CVE-2021-33910)
|
||||||
|
[...]
|
||||||
|
|
||||||
|
For a complete list of changes, visit:
|
||||||
|
https://github.com/openSUSE/systemd/compare/94efce2ee59fca15a48ff9c232c8dd7cf930c0a0...cb29bcc5ef2c0ee659686c5d229646a6ba98ec50
|
||||||
|
|
||||||
|
- Drop 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch as it
|
||||||
|
was merged in v248.5.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Jul 20 15:25:38 UTC 2021 - Franck Bui <fbui@suse.com>
|
Tue Jul 20 15:25:38 UTC 2021 - Franck Bui <fbui@suse.com>
|
||||||
|
|
||||||
|
10
systemd.spec
10
systemd.spec
@ -24,7 +24,7 @@
|
|||||||
%define bootstrap 0
|
%define bootstrap 0
|
||||||
%define mini %nil
|
%define mini %nil
|
||||||
%define min_kernel_version 4.5
|
%define min_kernel_version 4.5
|
||||||
%define suse_version +suse.40.g94efce2ee5
|
%define suse_version +suse.42.gcb29bcc5ef
|
||||||
|
|
||||||
%bcond_with gnuefi
|
%bcond_with gnuefi
|
||||||
%if 0%{?bootstrap}
|
%if 0%{?bootstrap}
|
||||||
@ -56,7 +56,7 @@
|
|||||||
|
|
||||||
Name: systemd
|
Name: systemd
|
||||||
URL: http://www.freedesktop.org/wiki/Software/systemd
|
URL: http://www.freedesktop.org/wiki/Software/systemd
|
||||||
Version: 248.4
|
Version: 248.5
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: A System and Session Manager
|
Summary: A System and Session Manager
|
||||||
License: LGPL-2.1-or-later
|
License: LGPL-2.1-or-later
|
||||||
@ -194,11 +194,7 @@ Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
|
|||||||
# temporary and should be removed as soon as a fix is merged by
|
# temporary and should be removed as soon as a fix is merged by
|
||||||
# upstream.
|
# upstream.
|
||||||
Patch100: 0001-Revert-core-prevent-excessive-proc-self-mountinfo-pa.patch
|
Patch100: 0001-Revert-core-prevent-excessive-proc-self-mountinfo-pa.patch
|
||||||
|
Patch101: 1003-basic-unit-name-adjust-comments.patch
|
||||||
# Patches for bsc#1188063/CVE-2021-33910. They will be moved to the
|
|
||||||
# git repo once the bug will become public.
|
|
||||||
Patch1002: 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch
|
|
||||||
Patch1003: 1003-basic-unit-name-adjust-comments.patch
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Systemd is a system and service manager, compatible with SysV and LSB
|
Systemd is a system and service manager, compatible with SysV and LSB
|
||||||
|
Loading…
Reference in New Issue
Block a user