From: Chen Qi <qi.c...@windriver.com> Backport patch to fix the following CVE.
CVE: CVE-2018-15688 Signed-off-by: Chen Qi <qi.c...@windriver.com> Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org> Cherry-picked from thud 13591d7224393dc0ae529a03cdf74aceb3540ce9 Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- ...sure-we-have-enough-space-for-the-DHCP6-o.patch | 39 ++++++++++++++++++++++ meta/recipes-core/systemd/systemd_237.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch diff --git a/meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch b/meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch new file mode 100644 index 0000000000..0c912f25df --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch @@ -0,0 +1,39 @@ +From a2622b8398ba026faf481f5eddeb53231d9de4a7 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lenn...@poettering.net> +Date: Fri, 19 Oct 2018 12:12:33 +0200 +Subject: [PATCH] dhcp6: make sure we have enough space for the DHCP6 option + header + +Fixes a vulnerability originally discovered by Felix Wilhelm from +Google. + +CVE-2018-15688 +LP: #1795921 +https://bugzilla.redhat.com/show_bug.cgi?id=1639067 + +(cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892) + +CVE: CVE-2018-15688 +Upstream-Status: Backport + +Signed-off-by: Chen Qi <qi.c...@windriver.com> +--- + src/libsystemd-network/dhcp6-option.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c +index c4b402b..dcbaad0 100644 +--- a/src/libsystemd-network/dhcp6-option.c ++++ b/src/libsystemd-network/dhcp6-option.c +@@ -103,7 +103,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) { + return -EINVAL; + } + +- if (*buflen < len) ++ if (*buflen < offsetof(DHCP6Option, data) + len) + return -ENOBUFS; + + ia_hdr = *buf; +-- +2.7.4 + diff --git a/meta/recipes-core/systemd/systemd_237.bb b/meta/recipes-core/systemd/systemd_237.bb index cae9bccc60..87793dd3af 100644 --- a/meta/recipes-core/systemd/systemd_237.bb +++ b/meta/recipes-core/systemd/systemd_237.bb @@ -56,6 +56,7 @@ SRC_URI += "file://touchscreen.rules \ file://0035-Define-glibc-compatible-basename-for-non-glibc-syste.patch \ file://0001-core-when-deserializing-state-always-use-read_line-L.patch \ file://0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch \ + file://0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch \ " SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch" -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core