!518 actually check authenticated flag of SOA transaction in resolved

From: @wangyuhang27 Reviewed-by: @licunlong Signed-off-by: @licunlong
2023-12-28 08:38:39 +00:00 · 2023-12-28 08:38:39 +00:00 · 86198be34c
commit 86198be34c
parent 1537c5cd89 606367f948
2 changed files with 44 additions and 1 deletions
--- a/backport-CVE-2023-7008.patch
+++ b/backport-CVE-2023-7008.patch
@ -0,0 +1,39 @@
+From 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 20 Dec 2023 16:44:14 +0100
+Subject: [PATCH] resolved: actually check authenticated flag of SOA
+ transaction
+
+Fixes #25676
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index 696fce532a..fe88e502e7 100644
+--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
+@@ -2808,7 +2808,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         if (r == 0)
+                                 continue;
+ 
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+ 
+                 return true;
+@@ -2835,7 +2835,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         /* We found the transaction that was supposed to find the SOA RR for us. It was
+                          * successful, but found no RR for us. This means we are not at a zone cut. In this
+                          * case, we require authentication if the SOA lookup was authenticated too. */
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+ 
+                 return true;
+-- 
+2.33.0
+
--- a/systemd.spec
+++ b/systemd.spec
@ -25,7 +25,7 @@
 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
 Version:        253
-Release:        9
+Release:        10
 License:        MIT and LGPLv2+ and GPLv2+
 Summary:        System and Service Manager

@ -70,6 +70,7 @@ Patch6016:      backport-hostname-Make-sure-we-pass-error-to-bus_verify_polki.pa
 Patch6017:      backport-Limit-rlim_max-in-rlimit_nofile_safe-to-nr_open.patch
 Patch6018:      backport-udev-raise-RLIMIT_NOFILE-as-high-as-we-can.patch
 Patch6019:      backport-rules-go-to-the-end-of-rules-indeed-when-dm-is-suspe.patch
+Patch6020:      backport-CVE-2023-7008.patch

 Patch9008:      update-rtc-with-system-clock-when-shutdown.patch
 Patch9009:      udev-add-actions-while-rename-netif-failed.patch
@ -1588,6 +1589,9 @@ fi
 %{_libdir}/security/pam_systemd.so

 %changelog
+* Thu Dec 28 2023 wangyuhang <wangyuhang27@huawei.com> - 253-10
+- actually check authenticated flag of SOA transaction in resolved
+
 * Thu Dec 21 2023 xujing <xujing125@huawei.com> - 253-9
 - backport: fix /boot unmounted issue when the device is suspended during boot time