public inbox for openembedded-core@lists.openembedded.org
From: "Steve Sakoman" <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 02/17] systemd: Add fix for CVE-2020-13529 and CVE-2021-33910
Date: Fri, 13 Aug 2021 04:29:44 -1000
Message-ID: <dcdd3c14beee89dc49261aeb4d7783cbb3fbeb89.1628863869.git.steve@sakoman.com>
In-Reply-To: <cover.1628863869.git.steve@sakoman.com>

From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>

Added fixes for the below CVEs from the below link
http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_237-3ubuntu10.50.debian.tar.xz

1. CVE-2020-13529
Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
Hunk #1 refreshed to resolve patch-fuzz

2. CVE-2021-33910
Upstream-Status: Backport [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../systemd/systemd/CVE-2020-13529.patch      | 42 ++++++++++++
 .../systemd/systemd/CVE-2021-33910.patch      | 67 +++++++++++++++++++
 meta/recipes-core/systemd/systemd_244.5.bb    |  2 +
 3 files changed, 111 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2021-33910.patch

diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
new file mode 100644
index 0000000000..6b499efbd8
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
@@ -0,0 +1,42 @@
+From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:22:07 +0900
+Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
+
+This makes DHCP client ignore FORCERENEW requests, as unauthenticated
+FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
+
+Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
+and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
+
+Fixes #16774.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
+CVE: CVE-2020-13529
+
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1392,9 +1392,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force,
+         if (r != DHCP_FORCERENEW)
+                 return -ENOMSG;
+
++#if 0
+         log_dhcp_client(client, "FORCERENEW");
+
+         return 0;
++#else
++        /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
++         * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
++         * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
++        log_dhcp_client(client, "Received FORCERENEW, ignoring.");
++        return -ENOMSG;
++#endif
+ }
+
+ static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {
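Review bot: the `#if 0` / `#else` / `#endif` in this hunk keeps the original FORCERENEW handling (`log_dhcp_client(client, "FORCERENEW");` / `return 0;`) in the tree as dead code instead of deleting it; that mirrors the upstream commit, but the dunfell-specific detail that "Hunk #1 refreshed to resolve patch-fuzz" lives only in the cover commit message and should also be recorded in this patch file's header, next to the Upstream-Status and CVE lines, so whoever next rebases the backport knows the hunk context was adjusted. Behaviourally the new branch returns -ENOMSG for every FORCERENEW, so a legitimate server-initiated FORCERENEW is dropped along with the unauthenticated ones; the header text says this is deliberate until RFC3118/RFC6704 authentication is implemented, and that caveat deserves a sentence in the recipe-level CVE notes for dunfell users whose networks rely on FORCERENEW.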
diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
new file mode 100644
index 0000000000..e92d721d3d
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
@@ -0,0 +1,67 @@
+Backport of:
+
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
+CVE: CVE-2021-33910
+
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -369,12 +369,13 @@ int unit_name_unescape(const char *f, char **ret) {
+ }
+
+ int unit_name_path_escape(const char *f, char **ret) {
+-        char *p, *s;
++        _cleanup_free_ char *p = NULL;
++        char *s;
+
+         assert(f);
+         assert(ret);
+
+-        p = strdupa(f);
++        p = strdup(f);
+         if (!p)
+                 return -ENOMEM;
+
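Review bot: the `if (!p) return -ENOMEM;` check at the end of this hunk was unreachable before (strdupa() is alloca()-backed and cannot return NULL) and now carries the fix: an over-long mountinfo path becomes a failed heap allocation and an error return instead of an attacker-sized stack frame. Declaring `_cleanup_free_ char *p = NULL;` is also what keeps the existing early `return -EINVAL` further down in this function leak-free, so a one-line comment at the declaration saying that `p` must always hold the pointer strdup() returned (and must never be advanced) would document the invariant the rest of the function now depends on.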
+@@ -386,13 +387,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+                 if (!path_is_normalized(p))
+                         return -EINVAL;
+
+-                /* Truncate trailing slashes */
++                /* Truncate trailing slashes and skip leading slashes */
+                 delete_trailing_chars(p, "/");
+-
+-                /* Truncate leading slashes */
+-                p = skip_leading_chars(p, "/");
+-
+-                s = unit_name_escape(p);
++                s = unit_name_escape(skip_leading_chars(p, "/"));
+         }
+         if (!s)
+                 return -ENOMEM;
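Review bot: folding the former `p = skip_leading_chars(p, "/");` into `s = unit_name_escape(skip_leading_chars(p, "/"));` is a correctness requirement, not a tidy-up: with `p` now `_cleanup_free_`, reassigning it to a pointer inside the buffer would make the cleanup handler free() an address malloc() never returned. The merged comment "Truncate trailing slashes and skip leading slashes" does not say so; a short note at the call ("p must stay the original allocation for _cleanup_free_") would stop a later backport from reintroducing the reassignment. The "Backport of:" line at the top of the file also gives no hint of what was adapted; if the hunk applied with only offset changes, saying that keeps the Upstream-Status tag precise.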
diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb
index 8c95648ca0..7a7eddcd45 100644
--- a/meta/recipes-core/systemd/systemd_244.5.bb
+++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -20,6 +20,8 @@ SRC_URI += "file://touchscreen.rules \
            file://99-default.preset \
            file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
            file://0003-implment-systemd-sysv-install-for-OE.patch \
+           file://CVE-2021-33910.patch \
+           file://CVE-2020-13529.patch \
            "
 
 # patches needed by musl
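Review bot: the two `file://` lines are added in descending CVE order (CVE-2021-33910.patch before CVE-2020-13529.patch); listing them in ascending order keeps SRC_URI easy to scan as more CVE backports accumulate on dunfell. Both patch files carry `CVE:` tags in their headers (`CVE: CVE-2020-13529`, `CVE: CVE-2021-33910`) and use the CVE-YYYY-NNNN file naming, so cve-check will pick them up as patched without any whitelist entry here.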
-- 
2.25.1

