Hi Steve,

Yes, it is for kirkstone branch.

Sorry for my mistake.

Regards,

Hitendra

On 14/01/24 7:41 am, Steve Sakoman wrote:
On Thu, Jan 11, 2024 at 6:12 PM Hitendra Prajapati via
lists.openembedded.org<hprajapati=mvista....@lists.openembedded.org>
wrote:
Upstream-Status: Backport from https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1

Signed-off-by: Hitendra Prajapati<hprajap...@mvista.com>
---
  .../systemd/systemd/CVE-2023-7008.patch       | 40 +++++++++++++++++++
  meta/recipes-core/systemd/systemd_250.5.bb    |  1 +
  2 files changed, 41 insertions(+)
  create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-7008.patch

diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch 
b/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
new file mode 100644
index 0000000000..e2296abc49
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
@@ -0,0 +1,40 @@
+From 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar<msekl...@redhat.com>
+Date: Wed, 20 Dec 2023 16:44:14 +0100
+Subject: [PATCH] resolved: actually check authenticated flag of SOA
+ transaction
+
+Fixes #25676
+
+Upstream-Status: Backport 
[https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1]
+CVE: CVE-2023-7008
+Signed-off-by: Hitendra Prajapati<hprajap...@mvista.com>
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c 
b/src/resolve/resolved-dns-transaction.c
+index f937f9f7b5..7deb598400 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2761,7 +2761,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction 
*t, DnsResourceRecord *
+                         if (r == 0)
+                                 continue;
+
+-                        return FLAGS_SET(t->answer_query_flags, 
SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, 
SD_RESOLVED_AUTHENTICATED);
+                 }
+
+                 return true;
+@@ -2788,7 +2788,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction 
*t, DnsResourceRecord *
+                         /* We found the transaction that was supposed to find 
the SOA RR for us. It was
+                          * successful, but found no RR for us. This means we 
are not at a zone cut. In this
+                          * case, we require authentication if the SOA lookup 
was authenticated too. */
+-                        return FLAGS_SET(t->answer_query_flags, 
SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, 
SD_RESOLVED_AUTHENTICATED);
+                 }
+
+                 return true;
+--
+2.25.1
+
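Review bot: The header of the new CVE-2023-7008.patch describes the change only as "Fixes #25676", which does not say what was wrong and does not make clear which tracker the number belongs to. Consider adding one sentence stating that both returns in dns_transaction_requires_rrsig() tested t->answer_query_flags, while the comment in the second inner hunk ties the decision to whether the SOA lookup was authenticated, so the flag has to be read from dt. Giving the issue reference as a full URL would also keep it from being read as an OE-Core number.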
diff --git a/meta/recipes-core/systemd/systemd_250.5.bb 
b/meta/recipes-core/systemd/systemd_250.5.bb
index c35557471a..889473ee1f 100644
--- a/meta/recipes-core/systemd/systemd_250.5.bb
+++ b/meta/recipes-core/systemd/systemd_250.5.bb
Did you mean this patch for kirkstone instead of dunfell?  Dunfell
systemd is version 244.5, not 250.5

Steve

@@ -32,6 +32,7 @@ SRC_URI +="file://touchscreen.rules \ file://CVE-2022-4415-2.patch \ file://0001-network-remove-only-managed-configs-on-reconfigure-o.patch \ file://0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch \ + file://CVE-2023-7008.patch \ "

  # patches needed by musl
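Review bot: The recipe patched in this hunk is systemd_250.5.bb, and as Steve notes in the thread dunfell carries systemd 244.5, so the branch the submission was sent for does not match the file it touches. Please resend with the branch stated as kirkstone so the patch is queued against the tree that actually contains this recipe. The new file://CVE-2023-7008.patch entry itself is placed consistently, after the existing backport entries and before the "# patches needed by musl" block.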
--
2.25.1




--
Regards,
Hitendra Prajapati
MontaVista Software LLC
Mo: +91 9998906483
View/Reply Online (#193818): https://lists.openembedded.org/g/openembedded-core/message/193818