Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package systemd for openSUSE:Factory checked
in at 2021-07-22 22:42:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/systemd (Old)
and /work/SRC/openSUSE:Factory/.systemd.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "systemd"
Thu Jul 22 22:42:41 2021 rev:332 rq:907311 version:248.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/systemd/systemd-mini.changes 2021-07-04
22:10:19.053426445 +0200
+++ /work/SRC/openSUSE:Factory/.systemd.new.1899/systemd-mini.changes
2021-07-22 22:43:03.231223781 +0200
@@ -1,0 +2,17 @@
+Thu Jul 8 18:04:31 UTC 2021 - Franck Bui <f...@suse.com>
+
+- Added patches to fix CVE-2021-33910 (bsc#1188063)
+
+ Added 1001-unit-name-generate-a-clear-error-code-when-convertin.patch
+ Added 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch
+ Added 1003-basic-unit-name-adjust-comments.patch
+
+ These patches will be moved to the git repo once the bug will become
+ public.
+
+-------------------------------------------------------------------
+Mon Jul 5 09:03:07 UTC 2021 - Franck Bui <f...@suse.com>
+
+- systemd-hwdb-update.service should be shipped by the udev package
+
+-------------------------------------------------------------------
systemd.changes: same change
New:
----
1001-unit-name-generate-a-clear-error-code-when-convertin.patch
1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch
1003-basic-unit-name-adjust-comments.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ systemd-mini.spec ++++++
--- /var/tmp/diff_new_pack.vqTwo9/_old 2021-07-22 22:43:04.055222707 +0200
+++ /var/tmp/diff_new_pack.vqTwo9/_new 2021-07-22 22:43:04.059222702 +0200
@@ -197,6 +197,12 @@
# upstream.
Patch100: 0001-Revert-core-prevent-excessive-proc-self-mountinfo-pa.patch
+# Patches for bsc#1188063/CVE-2021-33910. They will be moved to the
+# git repo once the bug will become public.
+Patch1001: 1001-unit-name-generate-a-clear-error-code-when-convertin.patch
+Patch1002: 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch
+Patch1003: 1003-basic-unit-name-adjust-comments.patch
+
%description
Systemd is a system and service manager, compatible with SysV and LSB
init scripts for Linux. systemd provides aggressive parallelization
@@ -1209,7 +1215,9 @@
%endif
%exclude %{_prefix}/lib/systemd/systemd-udevd
%exclude %{_unitdir}/systemd-udev*.*
+%exclude %{_unitdir}/systemd-hwdb*.*
%exclude %{_unitdir}/*.target.wants/systemd-udev*.*
+%exclude %{_unitdir}/*.target.wants/systemd-hwdb*.*
%exclude %{_unitdir}/initrd-udevadm-cleanup-db.service
%exclude %{_unitdir}/kmod-static-nodes.service
%exclude %{_unitdir}/systemd-nspawn@.service
@@ -1562,11 +1570,13 @@
%{_unitdir}/kmod-static-nodes.service
%{_unitdir}/systemd-udev*.service
%{_unitdir}/systemd-udevd*.socket
+%{_unitdir}/systemd-hwdb*.*
%{_unitdir}/initrd-udevadm-cleanup-db.service
%dir %{_unitdir}/sysinit.target.wants
%{_unitdir}/sysinit.target.wants/systemd-udev*.service
%dir %{_unitdir}/sockets.target.wants
%{_unitdir}/sockets.target.wants/systemd-udev*.socket
+%{_unitdir}/*.target.wants/systemd-hwdb*.*
%{_prefix}/lib/systemd/network/99-default.link
%{_datadir}/pkgconfig/udev.pc
++++++ systemd.spec ++++++
--- /var/tmp/diff_new_pack.vqTwo9/_old 2021-07-22 22:43:04.091222659 +0200
+++ /var/tmp/diff_new_pack.vqTwo9/_new 2021-07-22 22:43:04.095222655 +0200
@@ -195,6 +195,12 @@
# upstream.
Patch100: 0001-Revert-core-prevent-excessive-proc-self-mountinfo-pa.patch
+# Patches for bsc#1188063/CVE-2021-33910. They will be moved to the
+# git repo once the bug will become public.
+Patch1001: 1001-unit-name-generate-a-clear-error-code-when-convertin.patch
+Patch1002: 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch
+Patch1003: 1003-basic-unit-name-adjust-comments.patch
+
%description
Systemd is a system and service manager, compatible with SysV and LSB
init scripts for Linux. systemd provides aggressive parallelization
@@ -1207,7 +1213,9 @@
%endif
%exclude %{_prefix}/lib/systemd/systemd-udevd
%exclude %{_unitdir}/systemd-udev*.*
+%exclude %{_unitdir}/systemd-hwdb*.*
%exclude %{_unitdir}/*.target.wants/systemd-udev*.*
+%exclude %{_unitdir}/*.target.wants/systemd-hwdb*.*
%exclude %{_unitdir}/initrd-udevadm-cleanup-db.service
%exclude %{_unitdir}/kmod-static-nodes.service
%exclude %{_unitdir}/systemd-nspawn@.service
@@ -1560,11 +1568,13 @@
%{_unitdir}/kmod-static-nodes.service
%{_unitdir}/systemd-udev*.service
%{_unitdir}/systemd-udevd*.socket
+%{_unitdir}/systemd-hwdb*.*
%{_unitdir}/initrd-udevadm-cleanup-db.service
%dir %{_unitdir}/sysinit.target.wants
%{_unitdir}/sysinit.target.wants/systemd-udev*.service
%dir %{_unitdir}/sockets.target.wants
%{_unitdir}/sockets.target.wants/systemd-udev*.socket
+%{_unitdir}/*.target.wants/systemd-hwdb*.*
%{_prefix}/lib/systemd/network/99-default.link
%{_datadir}/pkgconfig/udev.pc
++++++ 1001-unit-name-generate-a-clear-error-code-when-convertin.patch ++++++
>From 83f392a392067d61be24eb720ff0cf1da7f1892b Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lenn...@poettering.net>
Date: Tue, 1 Jun 2021 19:43:55 +0200
Subject: [PATCH 1001/1003] unit-name: generate a clear error code when
converting an overly long fs path to a unit name
(cherry picked from commit 9d5acfab20c5f1177d877d0bec18063c0a6c5929)
[fbui: adjust context]
---
src/basic/unit-name.c | 6 ++++++
src/test/test-unit-name.c | 4 ++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
index 532f8fa048..85dcba6cb7 100644
--- a/src/basic/unit-name.c
+++ b/src/basic/unit-name.c
@@ -528,6 +528,9 @@ int unit_name_from_path(const char *path, const char
*suffix, char **ret) {
if (!s)
return -ENOMEM;
+ if (strlen(s) >= UNIT_NAME_MAX) /* Return a slightly more descriptive
error for this specific condition */
+ return -ENAMETOOLONG;
+
/* Refuse this if this got too long or for some other reason didn't
result in a valid name */
if (!unit_name_is_valid(s, UNIT_NAME_PLAIN))
return -EINVAL;
@@ -559,6 +562,9 @@ int unit_name_from_path_instance(const char *prefix, const
char *path, const cha
if (!s)
return -ENOMEM;
+ if (strlen(s) >= UNIT_NAME_MAX) /* Return a slightly more descriptive
error for this specific condition */
+ return -ENAMETOOLONG;
+
/* Refuse this if this got too long or for some other reason didn't
result in a valid name */
if (!unit_name_is_valid(s, UNIT_NAME_INSTANCE))
return -EINVAL;
diff --git a/src/test/test-unit-name.c b/src/test/test-unit-name.c
index ece78aa548..c0b79715e1 100644
--- a/src/test/test-unit-name.c
+++ b/src/test/test-unit-name.c
@@ -130,7 +130,7 @@ static void test_unit_name_from_path(void) {
test_unit_name_from_path_one("///", ".mount", "-.mount", 0);
test_unit_name_from_path_one("/foo/../bar", ".mount", NULL, -EINVAL);
test_unit_name_from_path_one("/foo/./bar", ".mount", NULL, -EINVAL);
-
test_unit_name_from_path_one("/waldoaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
".mount", NULL, -EINVAL);
+
test_unit_name_from_path_one("/waldoaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
".mount", NULL, -ENAMETOOLONG);
}
static void test_unit_name_from_path_instance_one(const char *pattern, const
char *path, const char *suffix, const char *expected, int ret) {
@@ -160,7 +160,7 @@ static void test_unit_name_from_path_instance(void) {
test_unit_name_from_path_instance_one("waldo", "..", ".mount", NULL,
-EINVAL);
test_unit_name_from_path_instance_one("waldo", "/foo", ".waldi", NULL,
-EINVAL);
test_unit_name_from_path_instance_one("wa--ldo", "/--", ".mount",
"wa--ldo@\\x2d\\x2d.mount", 0);
-
test_unit_name_from_path_instance_one("waldoaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"/waldo", ".mount", NULL, -EINVAL);
+
test_unit_name_from_path_instance_one("waldoaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"/waldo", ".mount", NULL, -ENAMETOOLONG);
}
static void test_unit_name_to_path_one(const char *unit, const char *path, int
ret) {
--
2.26.2
++++++ 1002-basic-unit-name-do-not-use-strdupa-on-a-path.patch ++++++
>From f636948448bd8a3588388d21dad737a079266392 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbys...@in.waw.pl>
Date: Wed, 23 Jun 2021 11:46:41 +0200
Subject: [PATCH 1002/1003] basic/unit-name: do not use strdupa() on a path
The path may have unbounded length, for example through a fuse mount.
CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
and each mountpoint is passed to mount_setup_unit(), which calls
unit_name_path_escape() underneath. A local attacker who is able to mount a
filesystem with a very long path can crash systemd and the whole system.
https://bugzilla.redhat.com/show_bug.cgi?id=1970887
The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
can't easily check the length after simplification before doing the
simplification, which in turns uses a copy of the string we can write to.
So we can't reject paths that are too long before doing the duplication.
Hence the most obvious solution is to switch back to strdup(), as before
7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
[fbui: fixes bsc#1188063]
[fbui: fixes CVE-2021-33910]
---
src/basic/unit-name.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
index 85dcba6cb7..46b24f2d9e 100644
--- a/src/basic/unit-name.c
+++ b/src/basic/unit-name.c
@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
}
int unit_name_path_escape(const char *f, char **ret) {
- char *p, *s;
+ _cleanup_free_ char *p = NULL;
+ char *s;
assert(f);
assert(ret);
- p = strdupa(f);
+ p = strdup(f);
if (!p)
return -ENOMEM;
@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) {
if (!path_is_normalized(p))
return -EINVAL;
- /* Truncate trailing slashes */
+ /* Truncate trailing slashes and skip leading slashes */
delete_trailing_chars(p, "/");
-
- /* Truncate leading slashes */
- p = skip_leading_chars(p, "/");
-
- s = unit_name_escape(p);
+ s = unit_name_escape(skip_leading_chars(p, "/"));
}
if (!s)
return -ENOMEM;
--
2.26.2
++++++ 1003-basic-unit-name-adjust-comments.patch ++++++
>From 9731d5204357d43204ca83155f5b552594b843bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbys...@in.waw.pl>
Date: Wed, 23 Jun 2021 11:52:56 +0200
Subject: [PATCH 1003/1003] basic/unit-name: adjust comments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We already checked for "too long" right above???
---
src/basic/unit-name.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
index 46b24f2d9e..c5850949ae 100644
--- a/src/basic/unit-name.c
+++ b/src/basic/unit-name.c
@@ -528,7 +528,7 @@ int unit_name_from_path(const char *path, const char
*suffix, char **ret) {
if (strlen(s) >= UNIT_NAME_MAX) /* Return a slightly more descriptive
error for this specific condition */
return -ENAMETOOLONG;
- /* Refuse this if this got too long or for some other reason didn't
result in a valid name */
+ /* Refuse if this for some other reason didn't result in a valid name
*/
if (!unit_name_is_valid(s, UNIT_NAME_PLAIN))
return -EINVAL;
@@ -562,7 +562,7 @@ int unit_name_from_path_instance(const char *prefix, const
char *path, const cha
if (strlen(s) >= UNIT_NAME_MAX) /* Return a slightly more descriptive
error for this specific condition */
return -ENAMETOOLONG;
- /* Refuse this if this got too long or for some other reason didn't
result in a valid name */
+ /* Refuse if this for some other reason didn't result in a valid name
*/
if (!unit_name_is_valid(s, UNIT_NAME_INSTANCE))
return -EINVAL;
--
2.26.2
