From 606367f948a014fa5688f6efbce103de18e30689 Mon Sep 17 00:00:00 2001
From: wangyuhang
Date: Wed, 27 Dec 2023 16:05:44 +0800
Subject: [PATCH] actually check authenticated flag of SOA transaction in resolved
---
 backport-CVE-2023-7008.patch | 39 ++++++++++++++++++++++++++++++++++++
 systemd.spec | 6 +++++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-7008.patch
diff --git a/backport-CVE-2023-7008.patch b/backport-CVE-2023-7008.patch
new file mode 100644
index 0000000..1d626c8
--- /dev/null
+++ b/backport-CVE-2023-7008.patch
@@ -0,0 +1,39 @@
+From 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Wed, 20 Dec 2023 16:44:14 +0100
+Subject: [PATCH] resolved: actually check authenticated flag of SOA
+ transaction
+
+Fixes #25676
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index 696fce532a..fe88e502e7 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2808,7 +2808,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ if (r == 0)
+ continue;
+
+- return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+ }
+
+ return true;
+@@ -2835,7 +2835,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ /* We found the transaction that was supposed to find the SOA RR for us. It was
+ * successful, but found no RR for us. This means we are not at a zone cut. In this
+ * case, we require authentication if the SOA lookup was authenticated too. */
+- return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+ }
+
+ return true;
+--
+2.33.0
+
diff --git a/systemd.spec b/systemd.spec
index 362197b..652d242 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -25,7 +25,7 @@
 Name: systemd
 Url: https://www.freedesktop.org/wiki/Software/systemd
 Version: 253
-Release: 9
+Release: 10
 License: MIT and LGPLv2+ and GPLv2+
 Summary: System and Service Manager
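Review bot: The corrected return at the first site (`@@ -2808`), `return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);` right after `if (r == 0) continue;`, has no comment saying why the flags of the dependent transaction `dt` rather than of `t` are consulted, whereas the second site (`@@ -2835`) is preceded by one; since this `t`/`dt` mix-up is exactly the defect being fixed, a one-line comment there would guard against reintroducing it, e.g. `/* The SOA lookup (dt), not this transaction (t), decides whether an RRSIG is required here. */`. The hunks do not show where `dt` is declared or the loop that assigns it, so that it iterates the dependent transactions is inferred from the closing `}` after each return and from the referenced upstream commit, not from the visible lines. The `return true;` that follows that brace in both hunks is untouched, so the fall-through when no matching dependent transaction is found still requires a signature, which is the safe default and worth stating in the same comment. dns_transaction_requires_rrsig starts and ends outside both hunks.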
@@ -70,6 +70,7 @@ Patch6016: backport-hostname-Make-sure-we-pass-error-to-bus_verify_polki.pa
 Patch6017: backport-Limit-rlim_max-in-rlimit_nofile_safe-to-nr_open.patch
 Patch6018: backport-udev-raise-RLIMIT_NOFILE-as-high-as-we-can.patch
 Patch6019: backport-rules-go-to-the-end-of-rules-indeed-when-dm-is-suspe.patch
+Patch6020: backport-CVE-2023-7008.patch
 Patch9008: update-rtc-with-system-clock-when-shutdown.patch
 Patch9009: udev-add-actions-while-rename-netif-failed.patch
@@ -1588,6 +1589,9 @@ fi
 %{_libdir}/security/pam_systemd.so
 %changelog
+* Thu Dec 28 2023 wangyuhang - 253-10
+- actually check authenticated flag of SOA transaction in resolved
+
 * Thu Dec 21 2023 xujing - 253-9
 - backport: fix /boot unmounted issue when the device is suspended during boot time