diff --git a/FIX-CVE-2023-31439-CVE-2023-31438-CVE-2023-31437.patch b/FIX-CVE-2023-31439-CVE-2023-31438-CVE-2023-31437.patch
new file mode 100644
index 0000000000000000000000000000000000000000..de2eb8294e6738dd64745c3671b6f324dbcdd96b
--- /dev/null
+++ b/FIX-CVE-2023-31439-CVE-2023-31438-CVE-2023-31437.patch
@@ -0,0 +1,95 @@
+diff --git a/src/libsystemd/sd-journal/journal-verify.c b/src/libsystemd/sd-journal/journal-verify.c
+index ad4039d..024ce7a 100644
+--- a/src/libsystemd/sd-journal/journal-verify.c
++++ b/src/libsystemd/sd-journal/journal-verify.c
+@@ -819,9 +819,9 @@ int journal_file_verify(
+ Object *o;
+ uint64_t p = 0, last_epoch = 0, last_tag_realtime = 0, last_sealed_realtime = 0;
+ 
+- uint64_t entry_seqnum = 0, entry_monotonic = 0, entry_realtime = 0;
++ uint64_t entry_seqnum = 0, entry_monotonic = 0, entry_realtime = 0, min_entry_realtime = 0, max_entry_realtime = 0;
+ sd_id128_t entry_boot_id = {}; /* Unnecessary initialization to appease gcc */
+- bool entry_seqnum_set = false, entry_monotonic_set = false, entry_realtime_set = false, found_main_entry_array = false;
++ bool entry_seqnum_set = false, entry_monotonic_set = false, entry_realtime_set = false, min_entry_realtime_set = false, found_main_entry_array = false;
+ uint64_t n_objects = 0, n_entries = 0, n_data = 0, n_fields = 0, n_data_hash_tables = 0, n_field_hash_tables = 0, n_entry_arrays = 0, n_tags = 0;
+ usec_t last_usec = 0;
+ _cleanup_close_ int data_fd = -1, entry_fd = -1, entry_array_fd = -1;
+@@ -1071,6 +1071,14 @@ int journal_file_verify(
+ entry_realtime = le64toh(o->entry.realtime);
+ entry_realtime_set = true;
+ 
++ if (max_entry_realtime < le64toh(o->entry.realtime)){
++ max_entry_realtime = le64toh(o->entry.realtime);
++ }
++ if (!min_entry_realtime_set || min_entry_realtime > le64toh(o->entry.realtime)){
++ min_entry_realtime = le64toh(o->entry.realtime);
++ min_entry_realtime_set = true;
++ }
++ 
+ n_entries++;
+ break;
+ 
+@@ -1125,7 +1133,7 @@ int journal_file_verify(
+ goto fail;
+ }
+ 
+- if (le64toh(o->tag.epoch) < last_epoch) {
++ if (le64toh(o->tag.epoch) != last_epoch && le64toh(o->tag.epoch) != last_epoch + 1) {
+ error(p,
+ "Epoch sequence out of synchronization (%"PRIu64" < %"PRIu64")",
+ le64toh(o->tag.epoch),
+@@ -1149,6 +1157,23 @@ int journal_file_verify(
+ r = -EBADMSG;
+ goto fail;
+ }
++ if (max_entry_realtime >= rt + f->fss_interval_usec) {
++ error(p,
++ "entry realtime timestamp too late with respect to tag (%"PRIu64" < %"PRIu64")",
++ max_entry_realtime,
++ rt + f->fss_interval_usec);
++ r = -EBADMSG;
++ goto fail;
++ }
++ if (min_entry_realtime_set && min_entry_realtime < rt) {
++ error(p,
++ "entry realtime timestamp too early with respect to tag out of synchronization (%"PRIu64" >= %"PRIu64")",
++ min_entry_realtime,
++ rt);
++ r = -EBADMSG;
++ goto fail;
++ }
++ min_entry_realtime_set = false;
+ 
+ /* OK, now we know the epoch. So let's now set
+ * it, and calculate the HMAC for everything
+diff --git a/src/libsystemd/sd-journal/journal-authenticate.c b/src/libsystemd/sd-journal/journal-authenticate.c
+index 1cb8943..821d9a3 100644
+--- a/src/libsystemd/sd-journal/journal-authenticate.c
++++ b/src/libsystemd/sd-journal/journal-authenticate.c
+@@ -34,8 +34,11 @@ int journal_file_append_tag(JournalFile *f) {
+ if (!JOURNAL_HEADER_SEALED(f->header))
+ return 0;
+ 
+- if (!f->hmac_running)
+- return 0;
++ if (!f->hmac_running) {
++ r = journal_file_hmac_start(f);
++ if (r < 0)
++ return r;
++ }
+ 
+ assert(f->hmac);
+ 
+@@ -154,6 +157,12 @@ int journal_file_fsprg_evolve(JournalFile *f, uint64_t realtime) {
+ 
+ FSPRG_Evolve(f->fsprg_state);
+ epoch = FSPRG_GetEpoch(f->fsprg_state);
++ if ( epoch < goal ) {
++ r = journal_file_append_tag(f);
++ if (r < 0)
++ return r;
++ }
++ }
+ }
+ }
+ 
diff --git a/systemd.spec b/systemd.spec
index fed2eb7127e48479f17477d201df67b1a75f6f79..7f073610a4a138b4adad1851774761b317b3dfb1 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -1,4 +1,4 @@
-%define anolis_release 8
+%define anolis_release 9
 %global __requires_exclude pkg-config
 %global pkgdir %{_prefix}/lib/systemd
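Review bot: The min/max tracking added in the `@@ -1071,6 +1071,14 @@` hunk of journal-verify.c re-reads `le64toh(o->entry.realtime)` four times although `entry_realtime` was assigned exactly that value two lines earlier in the same branch, and both new `if` lines omit the space before `{` that the rest of the file uses. Using the local keeps the comparison and the assignment visibly about the same value: `if (max_entry_realtime < entry_realtime) {` / `max_entry_realtime = entry_realtime;` and likewise `if (!min_entry_realtime_set || min_entry_realtime > entry_realtime) {` / `min_entry_realtime = entry_realtime;`. A short comment on the block, `/* Track the realtime range of entries seen since the last tag, checked against the tag below */`, would also tell a reader why these are tracked, since the check that consumes them sits in a later hunk. The enclosing switch and journal_file_verify continue outside the hunk.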
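Review bot: In the `@@ -1125,7 +1133,7 @@` hunk the condition becomes `!= last_epoch && != last_epoch + 1`, but the unchanged error text still reads `"Epoch sequence out of synchronization (%"PRIu64" < %"PRIu64")"`, so a tag whose epoch jumps ahead is reported as e.g. "5 < 3"; a wording that fits the new rule would be `"Epoch sequence out of synchronization (%"PRIu64" does not follow %"PRIu64")"`. The same mismatch is in both new messages of the `@@ -1149,6 +1157,23 @@` hunk: the "too late" check is `>=` but prints `<`, and the "too early" check is `<` but prints `>=`, so those two operators should be swapped in the strings. In that later hunk `rt` is computed above the hunk, so whether `rt + f->fss_interval_usec` is bounded against wrapping cannot be confirmed from here; a comment such as `/* Entries preceding this tag must fall inside the tag's epoch window [rt, rt + interval) */` would document the intended invariant. journal_file_verify continues on both sides of these hunks.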
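Review bot: In the journal_file_append_tag hunk (`@@ -34,8 +34,11 @@`) `r` is assigned before any declaration of it is visible; the function's head is above the hunk, so if its `int r` is declared further down the new assignment would not compile and the declaration needs hoisting. The new branch also reverses the previous behaviour (the function used to return 0 and write no tag when no HMAC was running), which deserves a one-line why-comment, e.g. `/* No HMAC running yet: start one rather than skipping the tag */`. The rest of the function lies outside the hunk.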
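Review bot: In the journal_file_fsprg_evolve hunk (`@@ -154,6 +157,12 @@`) the added lines open one brace with `if ( epoch < goal ) {` but close two (`}` twice), so as displayed the new side has one `}` more than the old side and would not compile; unless this is an artifact of the collapsed rendering (the outer hunk header announces 95 lines while only 90 are visible), the second added `}` should be dropped. `if ( epoch < goal )` also departs from the `if (x)` spacing used elsewhere in these hunks. `goal` and `r` are not declared within the hunk and the function's head is above it, so whether `r` is in scope here cannot be confirmed from this view.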
@@ -66,6 +66,7 @@ Patch0003: 0003-pam-actually-align-the-columns.patch
 Patch0201: use-bfq-scheduler.patch
 Patch0202: fedora-use-system-auth-in-pam-systemd-user.patch
 Patch0203: 0001-add-loongarch64-support-for-systemd.patch
+Patch0204: FIX-CVE-2023-31439-CVE-2023-31438-CVE-2023-31437.patch
 BuildRequires: gcc gcc-c++ clang coreutils
 BuildRequires: libcap-devel libmount-devel libfdisk-devel libpwquality-devel
@@ -1935,6 +1936,9 @@ fi
 %doc docs/DISTRO_PORTING.md docs/HACKING.md
 %changelog
+* Fri Nov 10 2023 Xiaoping Liu - 252.4-9
+- Fix CVE-2023-31439 CVE-2023-31438 CVE-2023-31437
+ 
 * Tue Oct 10 2023 Wenlong Zhang - 252.4-8
 - add loongarch64 support for systemd