Ben Hutchings <[email protected]> writes:

> Oh, I didn't realise that. Let's drop those then.
> This patch also needs to change the '<= 0' to '< 0', doesn't it? Ooops. Yes. Missed that. Latest patch with these changes: diff -Nru systemd-44/debian/changelog systemd-44/debian/changelog --- systemd-44/debian/changelog 2013-10-09 21:18:41.000000000 +1100 +++ systemd-44/debian/changelog 2016-10-07 17:44:20.000000000 +1100 @@ -1,3 +1,10 @@ +systemd (44-11+deb7u5) wheezy-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * Fix CVE-2016-7796: don't return any error in manager_dispatch_notify_fd. + + -- Brian May <[email protected]> Fri, 07 Oct 2016 17:40:21 +1100 + systemd (44-11+deb7u4) stable-security; urgency=low * Fix CVE-2013-4327, CVE-2013-4391 and CVE-2013-4394 diff -Nru systemd-44/debian/patches/CVE-2016-7796.patch systemd-44/debian/patches/CVE-2016-7796.patch --- systemd-44/debian/patches/CVE-2016-7796.patch 1970-01-01 10:00:00.000000000 +1000 +++ systemd-44/debian/patches/CVE-2016-7796.patch 2016-10-10 08:02:20.000000000 +1100 
@@ -0,0 +1,43 @@ +From f1e852245a30b60d5e6e0a487d049a04a40772fe Mon Sep 17 00:00:00 2001 +From: Franck Bui <[email protected]> +Date: Thu, 29 Sep 2016 11:59:49 +0200 +Subject: [PATCH] pid1: don't return any error in manager_dispatch_notify_fd() + +If manager_dispatch_notify_fd() fails and returns an error then the handling of +service notifications will be disabled entirely leading to a compromised system. + +For example pid1 won't be able to receive the WATCHDOG messages anymore and +will kill all services supposed to send such messages. +--- + src/core/manager.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/src/manager.c ++++ b/src/manager.c +@@ -2030,10 +2030,14 @@ + msghdr.msg_controllen = sizeof(control); + + if ((n = recvmsg(m->notify_watch.fd, &msghdr, MSG_DONTWAIT)) < 0) { +- if (errno == EAGAIN || errno == EINTR) +- break; ++ if (errno != EAGAIN && errno != EINTR) ++ log_error("Failed to receive notification message: %m"); + +- return -errno; ++ /* It's not an option to return an error here since it ++ * would disable the notification handler entirely. Services ++ * wouldn't be able to send the WATCHDOG message for ++ * example... */ ++ return 0; + } + + if (msghdr.msg_controllen < CMSG_LEN(sizeof(struct ucred)) || +@@ -2055,7 +2059,7 @@ + assert((size_t) n < sizeof(buf)); + buf[n] = 0; + if (!(tags = strv_split(buf, "\n\r"))) +- return -ENOMEM; ++ return 0; + + log_debug("Got notification message for unit %s", u->id); + diff -Nru systemd-44/debian/patches/no_error_on_zero_len.patch systemd-44/debian/patches/no_error_on_zero_len.patch --- systemd-44/debian/patches/no_error_on_zero_len.patch 1970-01-01 10:00:00.000000000 +1000 +++ systemd-44/debian/patches/no_error_on_zero_len.patch 2016-10-10 08:00:54.000000000 +1100 
@@ -0,0 +1,14 @@ +--- a/src/manager.c ++++ b/src/manager.c +@@ -2029,10 +2029,7 @@ + msghdr.msg_control = &control; + msghdr.msg_controllen = sizeof(control); + +- if ((n = recvmsg(m->notify_watch.fd, &msghdr, MSG_DONTWAIT)) <= 0) { +- if (n >= 0) +- return -EIO; +- ++ if ((n = recvmsg(m->notify_watch.fd, &msghdr, MSG_DONTWAIT)) < 0) { + if (errno == EAGAIN || errno == EINTR) + break; + diff -Nru systemd-44/debian/patches/series systemd-44/debian/patches/series --- systemd-44/debian/patches/series 2013-10-08 18:38:12.000000000 +1100 +++ systemd-44/debian/patches/series 2016-10-10 07:53:28.000000000 +1100 @@ -2,3 +2,5 @@ v44..upstream-fixes_44-11 debian-changes secfixes +no_error_on_zero_len.patch +CVE-2016-7796.patch -- Brian May <[email protected]>
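Review bot: In CVE-2016-7796.patch, second hunk (`@@ -2055,7 +2059,7 @@`), the strv_split() failure path now reads `+ return 0;` with no diagnostic, so an allocation failure is dropped silently; the recvmsg() path in the first hunk logs with log_error() before returning 0, and the same is wanted here, e.g. `log_error("Out of memory");` before the return. Returning 0 rather than -ENOMEM is the right call for the reason the inline comment gives (an error return would disable the handler entirely), but the failure should still be visible in the journal.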
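Review bot: The header of CVE-2016-7796.patch carries the upstream diffstat `src/core/manager.c | 13 +++++++++----` and `1 file changed, 9 insertions(+), 4 deletions(-)`, but the hunks below it are against `src/manager.c` (the systemd 44 layout) and do not add up to those counts, so the stat is misleading; drop it or regenerate it for the backport. While there, add DEP-3 headers so the provenance is machine-readable, e.g. `Origin: upstream, f1e852245a30b60d5e6e0a487d049a04a40772fe` and a `Bug` line for the CVE, since the commit hash is currently only recoverable from the `From` line.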
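Review bot: no_error_on_zero_len.patch has no description at all, and it is the half of the fix that is specific to this backport, so it needs a DEP-3 header explaining why the `<= 0` to `< 0` change is required: with the old code a zero-length datagram on the notify socket took the `return -EIO` branch, which is exactly the error return that disables the notification handler as described in the CVE patch. With `< 0`, n == 0 falls through to the credential check; `assert((size_t) n < sizeof(buf))` still holds, `buf[n] = 0` yields an empty string, and strv_split() of an empty string gives an empty list, so the message is processed harmlessly rather than tearing down the handler. Stating that reasoning in the patch header (plus `Forwarded:` / `Origin:` lines, since this is a Debian-specific prerequisite rather than an upstream commit) will save the next LTS uploader from rediscovering it.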
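Review bot: The ordering in the series hunk (`+no_error_on_zero_len.patch` before `+CVE-2016-7796.patch`) is correct but load-bearing and undocumented: the context line `if ((n = recvmsg(m->notify_watch.fd, &msghdr, MSG_DONTWAIT)) < 0) {` in CVE-2016-7796.patch only matches after no_error_on_zero_len.patch has rewritten that line, so swapping them would make the CVE patch fail to apply (or apply with fuzz against the wrong branch). A one-line remark in the header of CVE-2016-7796.patch that it depends on no_error_on_zero_len.patch would make the dependency explicit.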
