[dunfell] systemd: fix CVE-2023-7008

Message ID 20240112041206.4901-1-hprajapati@mvista.com
State Not Applicable
Delegated to: Steve Sakoman

Commit Message

Hitendra Prajapati Jan. 12, 2024, 4:12 a.m. UTC
Upstream-Status: Backport from https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../systemd/systemd/CVE-2023-7008.patch       | 40 +++++++++++++++++++
 meta/recipes-core/systemd/systemd_250.5.bb    |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-7008.patch

Comments

Steve Sakoman Jan. 14, 2024, 2:11 a.m. UTC | #1
On Thu, Jan 11, 2024 at 6:12 PM Hitendra Prajapati via
lists.openembedded.org <hprajapati=mvista.com@lists.openembedded.org>
wrote:
>
> Upstream-Status: Backport from https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
>  .../systemd/systemd/CVE-2023-7008.patch       | 40 +++++++++++++++++++
>  meta/recipes-core/systemd/systemd_250.5.bb    |  1 +
>  2 files changed, 41 insertions(+)
>  create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
>
> diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch b/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
> new file mode 100644
> index 0000000000..e2296abc49
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
> @@ -0,0 +1,40 @@
> +From 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 Mon Sep 17 00:00:00 2001
> +From: Michal Sekletar <msekleta@redhat.com>
> +Date: Wed, 20 Dec 2023 16:44:14 +0100
> +Subject: [PATCH] resolved: actually check authenticated flag of SOA
> + transaction
> +
> +Fixes #25676
> +
> +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1]
> +CVE: CVE-2023-7008
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + src/resolve/resolved-dns-transaction.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
> +index f937f9f7b5..7deb598400 100644
> +--- a/src/resolve/resolved-dns-transaction.c
> ++++ b/src/resolve/resolved-dns-transaction.c
> +@@ -2761,7 +2761,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
> +                         if (r == 0)
> +                                 continue;
> +
> +-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
> ++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
> +                 }
> +
> +                 return true;
> +@@ -2788,7 +2788,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
> +                         /* We found the transaction that was supposed to find the SOA RR for us. It was
> +                          * successful, but found no RR for us. This means we are not at a zone cut. In this
> +                          * case, we require authentication if the SOA lookup was authenticated too. */
> +-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
> ++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
> +                 }
> +
> +                 return true;
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-core/systemd/systemd_250.5.bb b/meta/recipes-core/systemd/systemd_250.5.bb
> index c35557471a..889473ee1f 100644
> --- a/meta/recipes-core/systemd/systemd_250.5.bb
> +++ b/meta/recipes-core/systemd/systemd_250.5.bb

Did you mean this patch for kirkstone instead of dunfell?  Dunfell
systemd is version 244.5, not 250.5

Steve

> @@ -32,6 +32,7 @@ SRC_URI += "file://touchscreen.rules \
>             file://CVE-2022-4415-2.patch \
>             file://0001-network-remove-only-managed-configs-on-reconfigure-o.patch \
>             file://0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch \
> +           file://CVE-2023-7008.patch \
>             "
>
>  # patches needed by musl
> --
> 2.25.1
>
>
Hitendra Prajapati Jan. 16, 2024, 4:47 a.m. UTC | #2
Hi Steve,

Yes, it is for kirkstone branch.

Sorry for my mistake.

Regards,

Hitendra

On 14/01/24 7:41 am, Steve Sakoman wrote:
> On Thu, Jan 11, 2024 at 6:12 PM Hitendra Prajapati via
> lists.openembedded.org <hprajapati=mvista.com@lists.openembedded.org>
> wrote:
>> Upstream-Status: Backport from https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1
>>
>> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
>> ---
>>   .../systemd/systemd/CVE-2023-7008.patch       | 40 +++++++++++++++++++
>>   meta/recipes-core/systemd/systemd_250.5.bb    |  1 +
>>   2 files changed, 41 insertions(+)
>>   create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
>>
>> diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch b/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
>> new file mode 100644
>> index 0000000000..e2296abc49
>> --- /dev/null
>> +++ b/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
>> @@ -0,0 +1,40 @@
>> +From 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 Mon Sep 17 00:00:00 2001
>> +From: Michal Sekletar<msekleta@redhat.com>
>> +Date: Wed, 20 Dec 2023 16:44:14 +0100
>> +Subject: [PATCH] resolved: actually check authenticated flag of SOA
>> + transaction
>> +
>> +Fixes #25676
>> +
>> +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1]
>> +CVE: CVE-2023-7008
>> +Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>
>> +---
>> + src/resolve/resolved-dns-transaction.c | 4 ++--
>> + 1 file changed, 2 insertions(+), 2 deletions(-)
>> +
>> +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
>> +index f937f9f7b5..7deb598400 100644
>> +--- a/src/resolve/resolved-dns-transaction.c
>> ++++ b/src/resolve/resolved-dns-transaction.c
>> +@@ -2761,7 +2761,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
>> +                         if (r == 0)
>> +                                 continue;
>> +
>> +-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
>> ++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
>> +                 }
>> +
>> +                 return true;
>> +@@ -2788,7 +2788,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
>> +                         /* We found the transaction that was supposed to find the SOA RR for us. It was
>> +                          * successful, but found no RR for us. This means we are not at a zone cut. In this
>> +                          * case, we require authentication if the SOA lookup was authenticated too. */
>> +-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
>> ++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
>> +                 }
>> +
>> +                 return true;
>> +--
>> +2.25.1
>> +
>> diff --git a/meta/recipes-core/systemd/systemd_250.5.bb b/meta/recipes-core/systemd/systemd_250.5.bb
>> index c35557471a..889473ee1f 100644
>> --- a/meta/recipes-core/systemd/systemd_250.5.bb
>> +++ b/meta/recipes-core/systemd/systemd_250.5.bb
> Did you mean this patch for kirkstone instead of dunfell?  Dunfell
> systemd is version 244.5, not 250.5
>
> Steve
>
>> @@ -32,6 +32,7 @@ SRC_URI +="file://touchscreen.rules \ file://CVE-2022-4415-2.patch \ 
>> file://0001-network-remove-only-managed-configs-on-reconfigure-o.patch 
>> \ 
>> file://0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch 
>> \ + file://CVE-2023-7008.patch \ "
>>
>>   # patches needed by musl
>> --
>> 2.25.1
>>
>>
Patch

diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch b/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
new file mode 100644
index 0000000000..e2296abc49
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
@@ -0,0 +1,40 @@ 
+From 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 20 Dec 2023 16:44:14 +0100
+Subject: [PATCH] resolved: actually check authenticated flag of SOA
+ transaction
+
+Fixes #25676
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1]
+CVE: CVE-2023-7008
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index f937f9f7b5..7deb598400 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2761,7 +2761,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         if (r == 0)
+                                 continue;
+ 
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+ 
+                 return true;
+@@ -2788,7 +2788,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         /* We found the transaction that was supposed to find the SOA RR for us. It was
+                          * successful, but found no RR for us. This means we are not at a zone cut. In this
+                          * case, we require authentication if the SOA lookup was authenticated too. */
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+ 
+                 return true;
+-- 
+2.25.1
+
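Review bot: The header of the embedded CVE-2023-7008.patch gives only "Fixes #25676" as its rationale, so nothing in this file says why the two returns in dns_transaction_requires_rrsig() should test `dt->answer_query_flags` rather than `t->answer_query_flags`. Please add a sentence to the patch header stating what `dt` is and what goes wrong when the flag is read from `t`; the comment in the second embedded hunk ("we require authentication if the SOA lookup was authenticated too") already hints at it and could be paraphrased there. The embedded diff also keeps the upstream index line (f937f9f7b5..7deb598400) and offsets (2761, 2788), so please confirm it applies to the 250.5 sources without fuzz or offset, and note in the header if it needed refreshing.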
diff --git a/meta/recipes-core/systemd/systemd_250.5.bb b/meta/recipes-core/systemd/systemd_250.5.bb
index c35557471a..889473ee1f 100644
--- a/meta/recipes-core/systemd/systemd_250.5.bb
+++ b/meta/recipes-core/systemd/systemd_250.5.bb
@@ -32,6 +32,7 @@  SRC_URI += "file://touchscreen.rules \
            file://CVE-2022-4415-2.patch \
            file://0001-network-remove-only-managed-configs-on-reconfigure-o.patch \
            file://0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch \
+           file://CVE-2023-7008.patch \
            "
 
 # patches needed by musl
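Review bot: The file touched in this hunk is systemd_250.5.bb, which does not match the [dunfell] tag in the subject; as noted in the thread, dunfell carries systemd 244.5, so the SRC_URI addition cannot apply on that branch. Please resend with the [kirkstone] prefix so the series is routed to the right stable branch, and keep the `file://CVE-2023-7008.patch \` entry as the last item before the closing quote as done here.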