On Wed, Aug 4, 2021 at 7:54 PM Ranjitsinh Rathod <ranjitsinh.rat...@kpit.com> wrote:
>
> Added fix for below CVEs from below Link
> http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_237-3ubuntu10.50.debian.tar.xz
>
> 1. CVE-2020-13529
> Upstream-Status: Backport
> [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
>
> 2. CVE-2021-33910
> Upstream-Status: Backport
> [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
This patch is throwing warnings on the autobuilder:

WARNING: systemd-1_244.5-r0 do_patch: Fuzz detected:

Applying patch CVE-2020-13529.patch
patching file src/libsystemd-network/sd-dhcp-client.c
Hunk #1 succeeded at 1392 with fuzz 1 (offset 87 lines).

The context lines in the patches can be updated with devtool:

devtool modify systemd
devtool finish --force-patch-refresh systemd <layer_path>

Could you fix this and send a V3 so that we have clean builds on the autobuilder?

Steve

> Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rat...@kpit.com>
> ---
> .../systemd/systemd/CVE-2020-13529.patch | 42 ++++++++++++
> .../systemd/systemd/CVE-2021-33910.patch | 67 +++++++++++++++++++
> meta/recipes-core/systemd/systemd_244.5.bb | 2 +
> 3 files changed, 111 insertions(+)
> create mode 100644 meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
> create mode 100644 meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
>
> diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
> b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
> new file mode 100644
> index 0000000000..4c013e2532
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
> @@ -0,0 +1,42 @@ > +From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001 > +From: Yu Watanabe <watanabe.yu+git...@gmail.com> > +Date: Thu, 24 Jun 2021 01:22:07 +0900 > +Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command > + > +This makes DHCP client ignore FORCERENEW requests, as unauthenticated > +FORCERENEW requests causes a security issue (TALOS-2020-1142, > CVE-2020-13529). > + > +Let's re-enable this after RFC3118 (Authentication for DHCP Messages) > +and/or RFC6704 (Forcerenew Nonce Authentication) are implemented. > + > +Fixes #16774. > + > +Upstream-Status: Backport > [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5] > +CVE: CVE-2020-13529 > + > +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rat...@kpit.com> > +--- > + src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++ > + 1 file changed, 8 insertions(+) > + > +--- a/src/libsystemd-network/sd-dhcp-client.c > ++++ b/src/libsystemd-network/sd-dhcp-client.c > +@@ -1305,9 +1305,17 @@ static int client_handle_forcerenew(sd_d > + if (r != DHCP_FORCERENEW) > + return -ENOMSG; > + > ++#if 0 > + log_dhcp_client(client, "FORCERENEW"); > + > + return 0; > ++#else > ++ /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 > (Authentication for DHCP > ++ * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as > unauthenticated FORCERENEW > ++ * requests causes a security issue (TALOS-2020-1142, > CVE-2020-13529). */ > ++ log_dhcp_client(client, "Received FORCERENEW, ignoring."); > ++ return -ENOMSG; > ++#endif > + } > + > + static int client_handle_ack(sd_dhcp_client *client, DHCPMessage *ack, > size_t len) { > + > diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch > b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch > new file mode 100644 > index 0000000000..be042165a0 > --- /dev/null > +++ b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch 
> @@ -0,0 +1,67 @@ > +Backport of: > + > +From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbys...@in.waw.pl> > +Date: Wed, 23 Jun 2021 11:46:41 +0200 > +Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path > + > +The path may have unbounded length, for example through a fuse mount. > + > +CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and > +ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo > +and each mountpoint is passed to mount_setup_unit(), which calls > +unit_name_path_escape() underneath. A local attacker who is able to mount a > +filesystem with a very long path can crash systemd and the whole system. > + > +https://bugzilla.redhat.com/show_bug.cgi?id=1970887 > + > +The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we > +can't easily check the length after simplification before doing the > +simplification, which in turns uses a copy of the string we can write to. > +So we can't reject paths that are too long before doing the duplication. > +Hence the most obvious solution is to switch back to strdup(), as before > +7410616cd9dbbec97cf98d75324da5cda2b2f7a2. 
> + > +Upstream-Status: Backport > [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9] > +CVE: CVE-2021-33910 > + > +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rat...@kpit.com> > +--- > + src/basic/unit-name.c | 13 +++++-------- > + 1 file changed, 5 insertions(+), 8 deletions(-) > + > +--- a/src/basic/unit-name.c > ++++ b/src/basic/unit-name.c > +@@ -370,12 +370,13 @@ int unit_name_unescape(const char *f, ch > + } > + > + int unit_name_path_escape(const char *f, char **ret) { > +- char *p, *s; > ++ _cleanup_free_ char *p = NULL; > ++ char *s; > + > + assert(f); > + assert(ret); > + > +- p = strdupa(f); > ++ p = strdup(f); > + if (!p) > + return -ENOMEM; > + > +@@ -387,13 +388,9 @@ int unit_name_path_escape(const char *f, > + if (!path_is_normalized(p)) > + return -EINVAL; > + > +- /* Truncate trailing slashes */ > ++ /* Truncate trailing slashes and skip leading slashes */ > + delete_trailing_chars(p, "/"); > +- > +- /* Truncate leading slashes */ > +- p = skip_leading_chars(p, "/"); > +- > +- s = unit_name_escape(p); > ++ s = unit_name_escape(skip_leading_chars(p, "/")); > + } > + if (!s) > + return -ENOMEM; > + > diff --git a/meta/recipes-core/systemd/systemd_244.5.bb > b/meta/recipes-core/systemd/systemd_244.5.bb > index 8c95648ca0..7a7eddcd45 100644 > --- a/meta/recipes-core/systemd/systemd_244.5.bb > +++ b/meta/recipes-core/systemd/systemd_244.5.bb 
> @@ -20,6 +20,8 @@ SRC_URI += "file://touchscreen.rules \ > file://99-default.preset \ > > file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \ > file://0003-implment-systemd-sysv-install-for-OE.patch \ > + file://CVE-2021-33910.patch \ > + file://CVE-2020-13529.patch \ > " > > # patches needed by musl > -- > 2.17.1 > > This message contains information that may be privileged or confidential and > is the property of the KPIT Technologies Ltd. It is intended only for the > person to whom it is addressed. If you are not the intended recipient, you > are not authorized to read, print, retain copy, disseminate, distribute, or > use this message or any part thereof. If you receive this message in error, > please notify the sender immediately and delete all copies of this message. > KPIT Technologies Ltd. does not accept any liability for virus infected mails. > > >
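Review bot: the `@@ -1305,9 +1305,17 @@ static int client_handle_forcerenew(sd_d` hunk inside CVE-2020-13529.patch carries context from the upstream tree rather than from systemd 244.5, which is why do_patch reports it landing at line 1392 with fuzz 1 (offset 87 lines); regenerate that hunk against the 244.5 copy of src/libsystemd-network/sd-dhcp-client.c (the `devtool finish --force-patch-refresh` route suggested above does this) so the `log_dhcp_client(client, "FORCERENEW");` / `return 0;` context lines match exactly and the patch applies without fuzz. The `#if 0` / `#else` / `#endif` arrangement itself is fine to keep as the header describes it, but a fuzzy hunk in a security backport is exactly where a silent mis-apply would go unnoticed.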
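Review bot: in the second hunk of CVE-2021-33910.patch (`@@ -387,13 +388,9 @@`), the removed `p = skip_leading_chars(p, "/");` must not be reintroduced when this backport is refreshed: the first hunk changes `p` to `_cleanup_free_ char *p = NULL;` filled by `strdup(f)`, so `p` has to keep pointing at the start of the allocation for the automatic free to be valid, which is why the leading slashes are now skipped inline in `s = unit_name_escape(skip_leading_chars(p, "/"));`. The patch header also quotes the upstream subject as `[PATCH 1/2]`; please say in the header whether the second commit of systemd PR 20256 is needed for 244.5 or why it is not, so the next person refreshing this patch does not have to re-derive it.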
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#154576): https://lists.openembedded.org/g/openembedded-core/message/154576 Mute This Topic: https://lists.openembedded.org/mt/84679072/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-