On Wed, Aug 4, 2021 at 7:54 PM Ranjitsinh Rathod
<[email protected]> wrote:
>
> Added fixes for the below CVEs from the below link
> http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_237-3ubuntu10.50.debian.tar.xz
>
> 1. CVE-2020-13529
> Upstream-Status: Backport
> [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
>
> 2. CVE-2021-33910
> Upstream-Status: Backport
> [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
This patch is throwing warnings on the autobuilder:
WARNING: systemd-1_244.5-r0 do_patch: Fuzz detected:
Applying patch CVE-2020-13529.patch
patching file src/libsystemd-network/sd-dhcp-client.c
Hunk #1 succeeded at 1392 with fuzz 1 (offset 87 lines).
The context lines in the patches can be updated with devtool:
devtool modify systemd
devtool finish --force-patch-refresh systemd <layer_path>
Could you fix this and send a V3 so that we have clean builds on the
autobuilder?
Steve
> Signed-off-by: Ranjitsinh Rathod <[email protected]>
> ---
> .../systemd/systemd/CVE-2020-13529.patch | 42 ++++++++++++
> .../systemd/systemd/CVE-2021-33910.patch | 67 +++++++++++++++++++
> meta/recipes-core/systemd/systemd_244.5.bb | 2 +
> 3 files changed, 111 insertions(+)
> create mode 100644 meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
> create mode 100644 meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
>
> diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
> b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
> new file mode 100644
> index 0000000000..4c013e2532
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
> @@ -0,0 +1,42 @@
> +From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001
> +From: Yu Watanabe <[email protected]>
> +Date: Thu, 24 Jun 2021 01:22:07 +0900
> +Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
> +
> +This makes DHCP client ignore FORCERENEW requests, as unauthenticated
> +FORCERENEW requests causes a security issue (TALOS-2020-1142,
> CVE-2020-13529).
> +
> +Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
> +and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
> +
> +Fixes #16774.
> +
> +Upstream-Status: Backport
> [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
> +CVE: CVE-2020-13529
> +
> +Signed-off-by: Ranjitsinh Rathod <[email protected]>
> +---
> + src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++
> + 1 file changed, 8 insertions(+)
> +
> +--- a/src/libsystemd-network/sd-dhcp-client.c
> ++++ b/src/libsystemd-network/sd-dhcp-client.c
> +@@ -1305,9 +1305,17 @@ static int client_handle_forcerenew(sd_d
> + if (r != DHCP_FORCERENEW)
> + return -ENOMSG;
> +
> ++#if 0
> + log_dhcp_client(client, "FORCERENEW");
> +
> + return 0;
> ++#else
> ++ /* FIXME: Ignore FORCERENEW requests until we implement RFC3118
> (Authentication for DHCP
> ++ * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as
> unauthenticated FORCERENEW
> ++ * requests causes a security issue (TALOS-2020-1142,
> CVE-2020-13529). */
> ++ log_dhcp_client(client, "Received FORCERENEW, ignoring.");
> ++ return -ENOMSG;
> ++#endif
> + }
> +
> + static int client_handle_ack(sd_dhcp_client *client, DHCPMessage *ack,
> size_t len) {
> +
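Review bot: the hunk header `@@ -1305,9 +1305,17 @@` was generated against a different tree than systemd 244.5: the autobuilder warning above shows it landing at line 1392 with fuzz 1 (offset 87 lines), and the cover text says the patch was taken from the Ubuntu systemd 237 package. Refresh the context against the 244.5 source (the devtool sequence above) so the hunk applies at offset 0 with no fuzz; a security fix that has to be fuzzed into `client_handle_forcerenew()` is one a reviewer cannot confirm landed in the right function without re-reading the patched file. The added lines themselves match the upstream change and read correctly: after `#else`, a FORCERENEW is logged as "Received FORCERENEW, ignoring." and takes the same `return -ENOMSG` path that any non-FORCERENEW message already takes in the `if (r != DHCP_FORCERENEW)` check above it, so the message is dropped rather than acted on. Two smaller points: the `/* FIXME: Ignore FORCERENEW ... */` comment and the `static int client_handle_ack(...)` context line appear line-wrapped in this mail; if the file in the layer is wrapped the same way, patch will reject the hunk, so please send the series with git send-email rather than pasting. And this patch lacks the `Backport of:` line the other patch carries, which is worth adding since the body is not the verbatim upstream commit (no `diff --git`/`index` lines).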
> diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
> b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
> new file mode 100644
> index 0000000000..be042165a0
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
> @@ -0,0 +1,67 @@
> +Backport of:
> +
> +From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <[email protected]>
> +Date: Wed, 23 Jun 2021 11:46:41 +0200
> +Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
> +
> +The path may have unbounded length, for example through a fuse mount.
> +
> +CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
> +ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
> +and each mountpoint is passed to mount_setup_unit(), which calls
> +unit_name_path_escape() underneath. A local attacker who is able to mount a
> +filesystem with a very long path can crash systemd and the whole system.
> +
> +https://bugzilla.redhat.com/show_bug.cgi?id=1970887
> +
> +The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
> +can't easily check the length after simplification before doing the
> +simplification, which in turns uses a copy of the string we can write to.
> +So we can't reject paths that are too long before doing the duplication.
> +Hence the most obvious solution is to switch back to strdup(), as before
> +7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
> +
> +Upstream-Status: Backport
> [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
> +CVE: CVE-2021-33910
> +
> +Signed-off-by: Ranjitsinh Rathod <[email protected]>
> +---
> + src/basic/unit-name.c | 13 +++++--------
> + 1 file changed, 5 insertions(+), 8 deletions(-)
> +
> +--- a/src/basic/unit-name.c
> ++++ b/src/basic/unit-name.c
> +@@ -370,12 +370,13 @@ int unit_name_unescape(const char *f, ch
> + }
> +
> + int unit_name_path_escape(const char *f, char **ret) {
> +- char *p, *s;
> ++ _cleanup_free_ char *p = NULL;
> ++ char *s;
> +
> + assert(f);
> + assert(ret);
> +
> +- p = strdupa(f);
> ++ p = strdup(f);
> + if (!p)
> + return -ENOMEM;
> +
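Review bot: the `_cleanup_free_ char *p = NULL;` declaration in this hunk is only correct because the second hunk stops reassigning `p`; with `p = strdup(f)` and the old `p = skip_leading_chars(p, "/")` still in place, the cleanup handler would free() an interior pointer for any path with a leading slash, which is every path that comes from /proc/self/mountinfo. The two hunks therefore have to travel together (they do here), but anyone re-basing this patch should be told so in the header. Related: the subject still reads `[PATCH 1/2]` and the header says `Backport of:`; please state whether the second commit of PR 20256 is needed on 244.5 or why it is not. The carried-over commit message has a typo ("attacked controlled" for "attacker controlled"); it is upstream's wording, so leaving it is defensible, but a `Backport of:` header is also the place where it could be fixed.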
> +@@ -387,13 +388,9 @@ int unit_name_path_escape(const char *f,
> + if (!path_is_normalized(p))
> + return -EINVAL;
> +
> +- /* Truncate trailing slashes */
> ++ /* Truncate trailing slashes and skip leading slashes */
> + delete_trailing_chars(p, "/");
> +-
> +- /* Truncate leading slashes */
> +- p = skip_leading_chars(p, "/");
> +-
> +- s = unit_name_escape(p);
> ++ s = unit_name_escape(skip_leading_chars(p, "/"));
> + }
> + if (!s)
> + return -ENOMEM;
> +
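Review bot: `s = unit_name_escape(skip_leading_chars(p, "/"));` is the line that makes the first hunk's `_cleanup_free_` safe: `p` keeps pointing at the start of the strdup()'d buffer and only the argument to unit_name_escape() is advanced past the leading slashes, so the cleanup handler frees exactly what malloc returned. Do not "simplify" this back to `p = skip_leading_chars(p, "/")` when refreshing context. Note also that `return -EINVAL` on `!path_is_normalized(p)` and `return -ENOMEM` on `!s` now release the copy through the cleanup attribute, where strdupa() left it on the stack; that is the whole fix, an over-long mountinfo path now costs a heap allocation that is freed (or fails with -ENOMEM) instead of a stack overrun. What the patch does not add is a bound on the input before copying; the commit message explains why (the length is only known after simplification), and a sentence saying so in the backport header would save the next auditor of 244.5 from looking for a missing check.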
> diff --git a/meta/recipes-core/systemd/systemd_244.5.bb
> b/meta/recipes-core/systemd/systemd_244.5.bb
> index 8c95648ca0..7a7eddcd45 100644
> --- a/meta/recipes-core/systemd/systemd_244.5.bb
> +++ b/meta/recipes-core/systemd/systemd_244.5.bb
> @@ -20,6 +20,8 @@ SRC_URI += "file://touchscreen.rules \
> file://99-default.preset \
>
> file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
> file://0003-implment-systemd-sysv-install-for-OE.patch \
> + file://CVE-2021-33910.patch \
> + file://CVE-2020-13529.patch \
> "
>
> # patches needed by musl
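Review bot: the two `file://` entries are in the opposite order to the cover letter (CVE-2021-33910 before CVE-2020-13529); the patches touch different files, so the order does not change the result, but listing them in the same order as the cover letter, and in CVE number order, keeps the recipe easier to audit. Both patch headers carry a `CVE:` tag and the files are named after their CVE, which is what cve-check keys on, so that part is fine. The `file://0001-binfmt-...` context line appears on its own line after an empty quoted line, which looks like mail wrapping; it is harmless in the .bb hunk but is the same thing that would break the patch files, so please check the series as sent with git send-email.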
> --
> 2.17.1
>
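As an added example, not code from this thread or from systemd: the strdupa()-on-a-path shape that the CVE-2021-33910 commit message describes, next to the strdup() shape the patch moves to, written so that both can be run on constructed input. The escaping follows unit_name_escape() only for '/', '-' and characters outside [A-Za-z0-9:_.]; simplify() is a cut-down stand-in for path_simplify(), path_is_normalized() is left out, the UNIT_NAME_MAX check on the result and the helpers rc_for() and escapes_to() are this example's own, and a VLA stands in for strdupa() (alloca() plus a copy) so that it builds without glibc extensions.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() under strict -std= modes */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UNIT_NAME_MAX 256   /* the bound systemd applies to a finished unit name */

/* Collapse runs of '/' in place: cut-down stand-in for systemd's path_simplify(). */
static void simplify(char *p) {
    char *r = p, *w = p;
    for (; *r; r++)
        if (*r != '/' || w == p || w[-1] != '/')
            *w++ = *r;
    *w = 0;
}

/* unit_name_escape() rules for the characters handled here: '/' -> '-', anything
 * outside [A-Za-z0-9:_.] (so '-' as well) -> "\xNN". Returns a heap string or NULL. */
static char *escape(const char *p) {
    char *out = malloc(strlen(p) * 4 + 1), *t = out;   /* worst case: 4 bytes per byte */
    if (!out) return NULL;
    for (; *p; p++) {
        if (*p == '/')
            *t++ = '-';
        else if (isalnum((unsigned char)*p) || strchr(":_.", *p))
            *t++ = *p;
        else
            t += sprintf(t, "\\x%02x", (unsigned char)*p);
    }
    *t = 0;
    return out;
}

/* Tail shared by both variants, working on a writable copy 'p'. 'p' itself is never
 * advanced, only the pointer handed to escape() is, so the caller can still free()
 * the allocation: the hunk's `s = unit_name_escape(skip_leading_chars(p, "/"))` form. */
static int escape_copy(char *p, char **ret) {
    char *s, *q = p;
    simplify(p);
    if (strcmp(p, "/") == 0)
        s = strdup("-");
    else {
        for (size_t n = strlen(p); n > 0 && p[n - 1] == '/'; n--)   /* delete_trailing_chars */
            p[n - 1] = 0;
        while (*q == '/')                                             /* skip_leading_chars */
            q++;
        s = escape(q);
    }
    if (!s) return -ENOMEM;
    if (strlen(s) > UNIT_NAME_MAX) {   /* this example's own bound, not part of the hunk */
        free(s);
        return -ENAMETOOLONG;
    }
    *ret = s;
    return 0;
}

/* VULNERABLE (pre-fix shape): the copy lives on the stack. strdupa() is alloca() plus a
 * copy; the VLA fails the same way: a multi-MiB path read from /proc/self/mountinfo
 * overruns the stack before any check can run. Never call this on untrusted input. */
int path_escape_stack(const char *f, char **ret) {
    char p[strlen(f) + 1];
    memcpy(p, f, strlen(f) + 1);
    return escape_copy(p, ret);
}

/* FIXED (the patch's shape): heap copy, released on every return path. An over-long
 * path now costs a malloc() that either succeeds and is checked or fails with -ENOMEM. */
int path_escape_heap(const char *f, char **ret) {
    char *p = strdup(f);
    int r;
    if (!p) return -ENOMEM;
    r = escape_copy(p, ret);
    free(p);
    return r;
}

/* Example helpers: rc_for() escapes the constructed input "<slashes x '/'><name_len x 'a'>"
 * on the heap and returns the rc; escapes_to() runs either variant and returns 1 on match. */
int rc_for(size_t slashes, size_t name_len) {
    char *f = malloc(slashes + name_len + 1), *s = NULL;
    int r;
    if (!f) return -ENOMEM;
    memset(f, '/', slashes);
    memset(f + slashes, 'a', name_len);
    f[slashes + name_len] = 0;
    r = path_escape_heap(f, &s);
    free(s);
    free(f);
    return r;
}

int escapes_to(int on_stack, const char *f, const char *expect) {
    char *s = NULL;
    int r = on_stack ? path_escape_stack(f, &s) : path_escape_heap(f, &s);
    int ok = r == 0 && strcmp(s, expect) == 0;
    free(s);
    return ok;
}
```

rc_for(1 << 20, 1) hands path_escape_heap() a megabyte of slashes followed by one character and gets a one-byte name back, which is the commit message's point: the escaped length is only known after simplification, so the copy has to be made before any length check, and a stack copy of attacker-chosen size is the bug. Feeding path_escape_stack() a path larger than the remaining stack (a few MiB on most configurations) is the CVE itself: the process dies with SIGSEGV instead of returning an error, which is why that variant is only exercised on short input here.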
View/Reply Online (#154576):
https://lists.openembedded.org/g/openembedded-core/message/154576