!861 Fix CVE-2023-7008

From: @zhang-yao-2022 Reviewed-by: @xujing99 Signed-off-by: @xujing99
2025-04-28 06:13:59 +00:00 · 2025-04-28 06:13:59 +00:00 · 4da536d9e0
commit 4da536d9e0
parent 7e4b362b71 6c7d63db50
2 changed files with 44 additions and 1 deletions
--- a/backport-CVE-2023-7008.patch
+++ b/backport-CVE-2023-7008.patch
@ -0,0 +1,39 @@
+From 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 20 Dec 2023 16:44:14 +0100
+Subject: [PATCH] resolved: actually check authenticated flag of SOA
+ transaction
+
+Fixes #25676
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index 696fce532a..fe88e502e7 100644
+--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
+@@ -2808,7 +2808,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         if (r == 0)
+                                 continue;
+ 
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+ 
+                 return true;
+@@ -2835,7 +2835,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         /* We found the transaction that was supposed to find the SOA RR for us. It was
+                          * successful, but found no RR for us. This means we are not at a zone cut. In this
+                          * case, we require authentication if the SOA lookup was authenticated too. */
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+ 
+                 return true;
+-- 
+2.33.0
+
--- a/systemd.spec
+++ b/systemd.spec
@ -25,7 +25,7 @@
 Name:           systemd
 Url:            https://systemd.io/
 Version:        255
-Release:        40
+Release:        41
 License:        MIT and LGPLv2+ and GPLv2+
 Summary:        System and Service Manager

@ -102,6 +102,7 @@ Patch6648:      backport-shutdown-close-DM-block-device-before-issuing-DM_DEV.pa
 Patch6649:      backport-execute-free-syscall_log-hashmap-when-done.patch
 Patch6650:      backport-logind-let-system-wide-idle-begin-at-the-time-logind.patch
 Patch6651:      backport-core-fix-assert-when-AddDependencyUnitFiles-is-calle.patch
+Patch6652:      backport-CVE-2023-7008.patch

 Patch9008:      update-rtc-with-system-clock-when-shutdown.patch
 Patch9009:      udev-add-actions-while-rename-netif-failed.patch
@ -1688,6 +1689,9 @@ fi
 %{_unitdir}/veritysetup.target

 %changelog
+* Mon Apr 28 2025 zhangyao <zhangyao108@huawei.com> - 255-41
+- actually check authenticated flag of SOA transaction in resolved
+
 * Fri Apr 18 2025 wangyuhang <wangyuhang27@huawei.com> - 255-40
 - sync patch from systemd community