Author: renodr
Date: Fri Sep 20 09:40:31 2019
New Revision: 3998
Log:
Add patches for systemd:
(since I had it completed already) - security patch for 241's CVE-2019-15718:
Unprivileged users can modify DNS settings
system-wide due to improper access controls.
Udev patch for systemd-243
Added:
trunk/systemd/systemd-241-security_patch-1.patch
trunk/systemd/systemd-243-udev_fix-1.patch
Added: trunk/systemd/systemd-241-security_patch-1.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ trunk/systemd/systemd-241-security_patch-1.patch Fri Sep 20 09:40:31
2019 (r3998)
@@ -0,0 +1,24 @@
+Submitted By: Douglas R. Reno <renodr at linuxfromscratch dot org>
+Date: 2019-09-20
+Initial Package Version: 241
+Upstream Status: Applied
+Origin: Upstream
+Description: Fixes CVE-2019-15718, a missing access control
+ vulnerability in systemd-resolved that allows
+ unprivileged users to modify DNS settings
+ system-wide.
+
+diff -Naurp systemd-241.orig/src/shared/bus-util.c
systemd-241/src/shared/bus-util.c
+--- systemd-241.orig/src/shared/bus-util.c 2019-02-14 04:11:58.000000000
-0600
++++ systemd-241/src/shared/bus-util.c 2019-09-20 11:29:32.310489796 -0500
+@@ -1696,10 +1696,6 @@ int bus_open_system_watch_bind_with_desc
+ if (r < 0)
+ return r;
+
+- r = sd_bus_set_trusted(bus, true);
+- if (r < 0)
+- return r;
+-
+ r = sd_bus_negotiate_creds(bus, true,
SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS);
+ if (r < 0)
+ return r;
Added: trunk/systemd/systemd-243-udev_fix-1.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ trunk/systemd/systemd-243-udev_fix-1.patch Fri Sep 20 09:40:31 2019
(r3998)
@@ -0,0 +1,196 @@
+Submitted By: Douglas R. Reno <renodr at linuxfromscratch dot org>
+Date: 2019-09-20
+Initial Package Version: 243
+Upstream Status: Applied
+Origin: https://github.com/systemd/systemd/issues/13518
+Description: Fixes a bug in systemd-243 where devices in the
+ evdev class of udev do not have device nodes created
+ at startup.
+
+diff -Naurp systemd-243.orig/src/udev/udev-rules.c
systemd-243/src/udev/udev-rules.c
+--- systemd-243.orig/src/udev/udev-rules.c 2019-09-03 04:27:19.000000000
-0500
++++ systemd-243/src/udev/udev-rules.c 2019-09-20 11:14:17.904506115 -0500
+@@ -43,10 +43,12 @@ typedef enum {
+ } UdevRuleOperatorType;
+
+ typedef enum {
+- MATCH_TYPE_EMPTY, /* empty string */
+- MATCH_TYPE_PLAIN, /* no special characters */
+- MATCH_TYPE_GLOB, /* shell globs ?,*,[] */
+- MATCH_TYPE_SUBSYSTEM, /* "subsystem", "bus", or "class" */
++ MATCH_TYPE_EMPTY, /* empty string */
++ MATCH_TYPE_PLAIN, /* no special characters */
++ MATCH_TYPE_PLAIN_WITH_EMPTY, /* no special characters with empty
string, e.g., "|foo" */
++ MATCH_TYPE_GLOB, /* shell globs ?,*,[] */
++ MATCH_TYPE_GLOB_WITH_EMPTY, /* shell globs ?,*,[] with empty string,
e.g., "|foo*" */
++ MATCH_TYPE_SUBSYSTEM, /* "subsystem", "bus", or "class" */
+ _MATCH_TYPE_MAX,
+ _MATCH_TYPE_INVALID = -1
+ } UdevRuleMatchType;
+@@ -431,35 +433,30 @@ static int rule_line_add_token(UdevRuleL
+
+ if (type < TK_M_TEST || type == TK_M_RESULT) {
+ /* Convert value string to nulstr. */
+- len = strlen(value);
+- if (len > 1 && (value[len - 1] == '|' ||
strstr(value, "||"))) {
+- /* In this case, just replacing '|' -> '\0'
does not work... */
+- _cleanup_free_ char *tmp = NULL;
+- char *i, *j;
+- bool v = true;
++ bool bar = true, empty = false;
++ char *a, *b;
+
+- tmp = strdup(value);
+- if (!tmp)
+- return log_oom();
+-
+- for (i = tmp, j = value; *i != '\0'; i++)
+- if (*i == '|')
+- v = true;
+- else {
+- if (v) {
+- *j++ = '\0';
+- v = false;
+- }
+- *j++ = *i;
+- }
+- j[0] = j[1] = '\0';
+- } else {
+- /* Simple conversion. */
+- char *i;
+-
+- for (i = value; *i != '\0'; i++)
+- if (*i == '|')
+- *i = '\0';
++ for (a = b = value; *a != '\0'; a++) {
++ if (*a != '|') {
++ *b++ = *a;
++ bar = false;
++ } else {
++ if (bar)
++ empty = true;
++ else
++ *b++ = '\0';
++ bar = true;
++ }
++ }
++ *b = '\0';
++ if (bar)
++ empty = true;
++
++ if (empty) {
++ if (match_type == MATCH_TYPE_GLOB)
++ match_type = MATCH_TYPE_GLOB_WITH_EMPTY;
++ if (match_type == MATCH_TYPE_PLAIN)
++ match_type = MATCH_TYPE_PLAIN_WITH_EMPTY;
+ }
+ }
+ }
+@@ -1325,7 +1322,17 @@ static bool token_match_string(UdevRuleT
+ match = isempty(str);
+ break;
+ case MATCH_TYPE_SUBSYSTEM:
+- value = "subsystem\0class\0bus\0";
++ NULSTR_FOREACH(i, "subsystem\0class\0bus\0")
++ if (streq(i, str)) {
++ match = true;
++ break;
++ }
++ break;
++ case MATCH_TYPE_PLAIN_WITH_EMPTY:
++ if (isempty(str)) {
++ match = true;
++ break;
++ }
+ _fallthrough_;
+ case MATCH_TYPE_PLAIN:
+ NULSTR_FOREACH(i, value)
+@@ -1334,6 +1341,12 @@ static bool token_match_string(UdevRuleT
+ break;
+ }
+ break;
++ case MATCH_TYPE_GLOB_WITH_EMPTY:
++ if (isempty(str)) {
++ match = true;
++ break;
++ }
++ _fallthrough_;
+ case MATCH_TYPE_GLOB:
+ NULSTR_FOREACH(i, value)
+ if ((fnmatch(i, str, 0) == 0)) {
+diff -Naurp systemd-243.orig/test/udev-test.pl systemd-243/test/udev-test.pl
+--- systemd-243.orig/test/udev-test.pl 2019-09-03 04:27:19.000000000 -0500
++++ systemd-243/test/udev-test.pl 2019-09-20 11:10:28.252116973 -0500
+@@ -1259,6 +1259,72 @@ KERNEL=="ttyACM0a|nothing", SYMLINK+="wr
+ EOF
+ },
+ {
++ desc => "test multi matches 5",
++ devpath =>
"/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda",
++ exp_name => "found",
++ not_exp_name => "bad",
++ rules => <<EOF
++KERNEL=="sda", TAG="foo"
++TAGS=="|foo", SYMLINK+="found"
++TAGS=="|aaa", SYMLINK+="bad"
++EOF
++ },
++ {
++ desc => "test multi matches 6",
++ devpath =>
"/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda",
++ exp_name => "found",
++ not_exp_name => "bad",
++ rules => <<EOF
++KERNEL=="sda", TAG=""
++TAGS=="|foo", SYMLINK+="found"
++TAGS=="aaa|bbb", SYMLINK+="bad"
++EOF
++ },
++ {
++ desc => "test multi matches 7",
++ devpath =>
"/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda",
++ exp_name => "found",
++ not_exp_name => "bad",
++ rules => <<EOF
++KERNEL=="sda", TAG="foo"
++TAGS=="foo||bar", SYMLINK+="found"
++TAGS=="aaa||bbb", SYMLINK+="bad"
++EOF
++ },
++ {
++ desc => "test multi matches 8",
++ devpath =>
"/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda",
++ exp_name => "found",
++ not_exp_name => "bad",
++ rules => <<EOF
++KERNEL=="sda", TAG=""
++TAGS=="foo||bar", SYMLINK+="found"
++TAGS=="aaa|bbb", SYMLINK+="bad"
++EOF
++ },
++ {
++ desc => "test multi matches 9",
++ devpath =>
"/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda",
++ exp_name => "found",
++ not_exp_name => "bad",
++ rules => <<EOF
++KERNEL=="sda", TAG=""
++TAGS=="foo|", SYMLINK+="found"
++TAGS=="aaa|", SYMLINK+="bad"
++EOF
++ },
++ {
++ desc => "test multi matches 10",
++ devpath =>
"/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda",
++ exp_name => "found",
++ not_exp_name => "bad",
++ rules => <<EOF
++KERNEL=="sda", TAG=""
++TAGS=="foo|", SYMLINK+="found"
++TAGS=="aaa|bbb", SYMLINK+="bad"
++EOF
++ },
++ {
+ desc => "IMPORT parent test sequence 1/2 (keep)",
+ devpath =>
"/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda",
+ exp_name => "parent",
--
http://lists.linuxfromscratch.org/listinfo/patches
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
