From 48cf30181947ee1e1010763f9d4f4d1511d2a356 Mon Sep 17 00:00:00 2001
From: hongjinghao
Date: Tue, 12 Dec 2023 17:16:45 +0800
Subject: [PATCH] sync patches from systemd community
---
 ...y-that-old-entries-are-not-sealed-wi.patch | 88 +++++++++++++++++++
 ...service-don-t-unescape-instance-name.patch | 35 ++++++++
 systemd.spec | 7 +-
 3 files changed, 129 insertions(+), 1 deletion(-)
 create mode 100644 backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch
 create mode 100644 backport-units-modprobe-.service-don-t-unescape-instance-name.patch
diff --git a/backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch b/backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch
new file mode 100644
index 0000000..88f177f
--- /dev/null
+++ b/backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch
@@ -0,0 +1,88 @@
+From 9627e6a72f9c5c336a285b11515bda49345e7bfe Mon Sep 17 00:00:00 2001
+From: felixdoerre
+Date: Fri, 6 Oct 2023 05:18:21 +0200
+Subject: [PATCH] journalctl: verify that old entries are not sealed with too
+ recent key (#28885)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When verifying seals produced with forward secure sealing, the verification
+currently does not check that old entries are only sealed with the key for
+their epoch and not a more recent one. This missing check allows an attacker
+to remove seals, and create new ones with the currently available key, and
+verify will claim everything is in order, although all entries could have
+been modified.
+
+This resolves CVE-2023-31439.
+
+Co-authored-by: Felix Dörre
+(cherry picked from commit 3846d3aa292a6daa1916f667bdd79ebee9cb4ac4)
+(cherry picked from commit ea67d4755b5d81a42a9013d6ce72c9cf7adb56b9)
+(cherry picked from commit e140c1d10b04c757832adf2366ed6fbdfb2e92c9)
+---
+ src/libsystemd/sd-journal/journal-verify.c | 26 ++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/libsystemd/sd-journal/journal-verify.c b/src/libsystemd/sd-journal/journal-verify.c
+index ad4039dee0f..fe4465c5e65 100644
+--- a/src/libsystemd/sd-journal/journal-verify.c
++++ b/src/libsystemd/sd-journal/journal-verify.c
+@@ -820,6 +820,7 @@ int journal_file_verify(
+ uint64_t p = 0, last_epoch = 0, last_tag_realtime = 0, last_sealed_realtime = 0;
+
+ uint64_t entry_seqnum = 0, entry_monotonic = 0, entry_realtime = 0;
++ usec_t min_entry_realtime = USEC_INFINITY, max_entry_realtime = 0;
+ sd_id128_t entry_boot_id = {}; /* Unnecessary initialization to appease gcc */
+ bool entry_seqnum_set = false, entry_monotonic_set = false, entry_realtime_set = false, found_main_entry_array = false;
+ uint64_t n_objects = 0, n_entries = 0, n_data = 0, n_fields = 0, n_data_hash_tables = 0, n_field_hash_tables = 0, n_entry_arrays = 0,
n_tags = 0;
+@@ -1071,6 +1072,9 @@ int journal_file_verify(
+ entry_realtime = le64toh(o->entry.realtime);
+ entry_realtime_set = true;
+
++ max_entry_realtime = MAX(max_entry_realtime, le64toh(o->entry.realtime));
++ min_entry_realtime = MIN(min_entry_realtime, le64toh(o->entry.realtime));
++
+ n_entries++;
+ break;
+
+@@ -1136,12 +1140,13 @@ int journal_file_verify(
+
+ #if HAVE_GCRYPT
+ if (JOURNAL_HEADER_SEALED(f->header)) {
+- uint64_t q, rt;
++ uint64_t q, rt, rt_end;
+
+ debug(p, "Checking tag %"PRIu64"...", le64toh(o->tag.seqnum));
+
+ rt = f->fss_start_usec + le64toh(o->tag.epoch) * f->fss_interval_usec;
+- if (entry_realtime_set && entry_realtime >= rt + f->fss_interval_usec) {
++ rt_end = usec_add(rt, f->fss_interval_usec);
++ if (entry_realtime_set && entry_realtime >= rt_end) {
+ error(p,
+ "tag/entry realtime timestamp out of synchronization (%"PRIu64" >= %"PRIu64")",
+ entry_realtime,
+@@ -1149,6 +1154,23 @@ int journal_file_verify(
+ r = -EBADMSG;
+ goto fail;
+ }
++ if (max_entry_realtime >= rt_end) {
++ error(p,
++ "Entry realtime (%"PRIu64", %s) is too late with respect to tag (%"PRIu64", %s)",
++ max_entry_realtime, FORMAT_TIMESTAMP(max_entry_realtime),
++ rt_end, FORMAT_TIMESTAMP(rt_end));
++ r = -EBADMSG;
++ goto fail;
++ }
++ if (min_entry_realtime < rt) {
++ error(p,
++ "Entry realtime (%"PRIu64", %s) is too early with respect to tag (%"PRIu64", %s)",
++ min_entry_realtime, FORMAT_TIMESTAMP(min_entry_realtime),
++ rt, FORMAT_TIMESTAMP(rt));
++ r = -EBADMSG;
++ goto fail;
++ }
++ min_entry_realtime = USEC_INFINITY;
+
+ /* OK, now we know the epoch. So let's now set
+ * it, and calculate the HMAC for everything
diff --git a/backport-units-modprobe-.service-don-t-unescape-instance-name.patch b/backport-units-modprobe-.service-don-t-unescape-instance-name.patch
new file mode 100644
index 0000000..78fe861
--- /dev/null
+++ b/backport-units-modprobe-.service-don-t-unescape-instance-name.patch
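Review bot: The whole backported check sits inside the `#if HAVE_GCRYPT` guard visible in the third inner hunk (`@@ -1136,12 +1140,13 @@`), so on a build configured without gcrypt the new `max_entry_realtime`/`min_entry_realtime` comparisons are compiled out and the package would carry a CVE-2023-31439 patch that changes nothing at runtime. The spec's build options are not part of this change, so please confirm gcrypt (and with it forward secure sealing) is enabled for this package; if it is intentionally disabled, say so in the changelog so the CVE is not reported as fixed. `journal_file_verify` begins and ends outside these hunks.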
@@ -0,0 +1,35 @@
+From 540b3c5d53f7b5889247e9cb4aea62d3983a48b8 Mon Sep 17 00:00:00 2001
+From: Martin Wilck
+Date: Fri, 20 Oct 2023 16:25:15 +0200
+Subject: [PATCH] units: modprobe@.service: don't unescape instance name
+
+modprobe treats "-" and "_" interchangeably, thereby avoiding frequent
+errors because some module names contain dashes and others underscores.
+
+Because modprobe@.service unescapes the instance name, an attempt to
+start "modprobe@dm-crypt.service" will run "modprobe -abq dm/crypt",
+which is doomed to fail. "modprobe@dm_crypt.service" will work as
+expected. Thus unescaping the instance name has surprising side effects.
+Use "%i" instead.
+
+(cherry picked from commit bf25cf6c49253e922524dfa0e7960f554838f18b)
+(cherry picked from commit c98d0130dc8efd826cd85020337353cdbe644bb4)
+(cherry picked from commit 6d5eba0814e7dfc15ebb68ca5afdabab214c9da6)
+
+---
+ units/modprobe@.service | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/units/modprobe@.service b/units/modprobe@.service
+index 85a2c08dee..fe631fffeb 100644
+--- a/units/modprobe@.service
++++ b/units/modprobe@.service
+@@ -17,4 +17,4 @@ StartLimitIntervalSec=0
+
+ [Service]
+ Type=oneshot
+-ExecStart=-/sbin/modprobe -abq %I
++ExecStart=-/sbin/modprobe -abq %i
+--
+2.33.0
+
diff --git a/systemd.spec b/systemd.spec
index 5746763..55b654a 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -25,7 +25,7 @@
 Name: systemd
 Url: https://www.freedesktop.org/wiki/Software/systemd
 Version: 253
-Release: 6
+Release: 7
 License: MIT and LGPLv2+ and GPLv2+
 Summary: System and Service Manager
@@ -58,6 +58,8 @@ Patch6004: backport-sd-event-always-initialize-sd_event.perturb.patch
 Patch6005: backport-sd-event-fix-error-handling.patch
 Patch6006: backport-core-refuse-dbus-activation-if-dbus-is-not-running.patch
 Patch6007: backport-core-only-refuse-Type-dbus-service-enqueuing-if-dbus.patch
+Patch6008: backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch
+Patch6009: backport-units-modprobe-.service-don-t-unescape-instance-name.patch
 Patch9008: update-rtc-with-system-clock-when-shutdown.patch
 Patch9009: udev-add-actions-while-rename-netif-failed.patch
@@ -1576,6 +1578,9 @@ fi
 %{_libdir}/security/pam_systemd.so
 %changelog
+* Tue Dec 12 2023 hongjinghao 253-7
+- backport: sync patches from systemd community
+
 * Thu Nov 30 2023 jiahua.yu - 253-6
 - init support for ppc64le
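Review bot: The new %changelog entry does not say what was synced, so the CVE-2023-31439 fix carried by `backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch` is invisible to anyone scanning changelogs or update notices for that identifier; name both backports in the entry, e.g. `- backport: journalctl verify, fix CVE-2023-31439 (entries sealed with too recent key); modprobe@.service: don't unescape instance name`. The entry header also drops the ` - ` separator that the previous entry uses between packager and version (`* Thu Nov 30 2023 jiahua.yu - 253-6`); write it as `* Tue Dec 12 2023 hongjinghao - 253-7` so the format stays consistent across entries.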