[gnome-continuous-yocto/gnomeostree-3.28-rocko: 3220/8267] systemd: CVE-2016-7795
- From: Emmanuele Bassi <ebassi src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-continuous-yocto/gnomeostree-3.28-rocko: 3220/8267] systemd: CVE-2016-7795
- Date: Sun, 17 Dec 2017 00:19:39 +0000 (UTC)
commit 92d604ca28acfaf2c2a1db8332d9ed938c6bebd6
Author: Chen Qi <Qi Chen windriver com>
Date: Wed Oct 26 14:09:47 2016 +0800
systemd: CVE-2016-7795
The manager_invoke_notify_message function in systemd 231 and earlier allows
local users to cause a denial of service (assertion failure and PID 1 hang)
via a zero-length message received over a notify socket.
The patch is a backport from the latest git repo.
Please see the link below for more information.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7795
(From OE-Core rev: 543570cafa8d7f595b489d03d05f0aa4478f8539)
Signed-off-by: Chen Qi <Qi Chen windriver com>
Signed-off-by: Ross Burton <ross burton intel com>
Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>
.../systemd/systemd/CVE-2016-7795.patch | 69 ++++++++++++++++++++
meta/recipes-core/systemd/systemd_230.bb | 1 +
2 files changed, 70 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-core/systemd/systemd/CVE-2016-7795.patch
b/meta/recipes-core/systemd/systemd/CVE-2016-7795.patch
new file mode 100644
index 0000000..5ecb9c3
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2016-7795.patch
@@ -0,0 +1,69 @@
+Subject: Fix CVE-2016-7795
+
+This undoes 531ac2b. I acked that patch without looking at the code
+carefully enough. There are two problems:
+- we want to process the fds anyway
+- in principle empty notification messages are valid, and we should
+ process them as usual, including logging using log_unit_debug().
+
+Upstream-Status: Backport
+CVE: CVE-2016-7795
+
+Signed-off-by: Chen Qi <Qi Chen windriver com>
+---
+ src/core/manager.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 7838f56..f165d08e 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -1589,13 +1589,12 @@ static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, ui
+ return 0;
+ }
+
+-static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, size_t n, FDSet
*fds) {
++static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, FDSet *fds) {
+ _cleanup_strv_free_ char **tags = NULL;
+
+ assert(m);
+ assert(u);
+ assert(buf);
+- assert(n > 0);
+
+ tags = strv_split(buf, "\n\r");
+ if (!tags) {
+@@ -1688,25 +1687,27 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
+ return 0;
+ }
+
++ /* The message should be a string. Here we make sure it's NUL-terminated,
++ * but only the part until first NUL will be used anyway. */
+ buf[n] = 0;
+
+ /* Notify every unit that might be interested, but try
+ * to avoid notifying the same one multiple times. */
+ u1 = manager_get_unit_by_pid_cgroup(m, ucred->pid);
+ if (u1) {
+- manager_invoke_notify_message(m, u1, ucred->pid, buf, n, fds);
++ manager_invoke_notify_message(m, u1, ucred->pid, buf, fds);
+ found = true;
+ }
+
+ u2 = hashmap_get(m->watch_pids1, PID_TO_PTR(ucred->pid));
+ if (u2 && u2 != u1) {
+- manager_invoke_notify_message(m, u2, ucred->pid, buf, n, fds);
++ manager_invoke_notify_message(m, u2, ucred->pid, buf, fds);
+ found = true;
+ }
+
+ u3 = hashmap_get(m->watch_pids2, PID_TO_PTR(ucred->pid));
+ if (u3 && u3 != u2 && u3 != u1) {
+- manager_invoke_notify_message(m, u3, ucred->pid, buf, n, fds);
++ manager_invoke_notify_message(m, u3, ucred->pid, buf, fds);
+ found = true;
+ }
+
+--
+2.8.3
+
diff --git a/meta/recipes-core/systemd/systemd_230.bb b/meta/recipes-core/systemd/systemd_230.bb
index 542f99d..f60dd60 100644
--- a/meta/recipes-core/systemd/systemd_230.bb
+++ b/meta/recipes-core/systemd/systemd_230.bb
@@ -36,6 +36,7 @@ SRC_URI += " \
file://0021-include-missing.h-for-getting-secure_getenv-definiti.patch \
file://0022-socket-util-don-t-fail-if-libc-doesn-t-support-IDN.patch \
file://udev-re-enable-mount-propagation-for-udevd.patch \
+ file://CVE-2016-7795.patch \
"
SRC_URI_append_libc-uclibc = "\
file://0002-units-Prefer-getty-to-agetty-in-console-setup-system.patch \
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]