From e36276019251e6b7cfb861b3975a7a70e890c5ed Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 16 May 2024 09:52:07 +0800
Subject: [PATCH] fix CVE-2023-7008
---
...y-check-authenticated-flag-of-SOA-tr.patch | 22 +++++++++++++++++++
systemd.spec | 6 ++++-
2 files changed, 27 insertions(+), 1 deletion(-)
create mode 100644 0005-resolved-actually-check-authenticated-flag-of-SOA-tr.patch
diff --git a/0005-resolved-actually-check-authenticated-flag-of-SOA-tr.patch b/0005-resolved-actually-check-authenticated-flag-of-SOA-tr.patch
new file mode 100644
index 0000000..659a874
--- /dev/null
+++ b/0005-resolved-actually-check-authenticated-flag-of-SOA-tr.patch
@@ -0,0 +1,22 @@
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index 0212569fb0..0306af84a2 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2800,7 +2800,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ if (r == 0)
+ continue;
+
+- return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+ }
+
+ return true;
+@@ -2827,7 +2827,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ /* We found the transaction that was supposed to find the SOA RR for us. It was
+ * successful, but found no RR for us. This means we are not at a zone cut. In this
+ * case, we require authentication if the SOA lookup was authenticated too. */
+- return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+ }
+
+ return true;
diff --git a/systemd.spec b/systemd.spec
index 7cd8281..5ce1b49 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -1,4 +1,4 @@
-%define anolis_release 9
+%define anolis_release 10
 %global __requires_exclude pkg-config
 %global pkgdir %{_prefix}/lib/systemd
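Review bot: The new patch file starts at `diff --git` with no header, so nothing inside it records which upstream systemd change it backports or that it is the CVE-2023-7008 fix; only the filename and the spec changelog say so. I would add a short header above the diff, for example `Origin: upstream systemd commit <UPSTREAM_COMMIT_ID>` and `Fixes: CVE-2023-7008`, so the backport can be compared with upstream and dropped on the next rebase. Both changed returns are inside `dns_transaction_requires_rrsig`, whose body starts and ends outside these hunks, so it is worth confirming against the 252.4 tree that no other check in that function still reads `t->answer_query_flags` where `dt` is meant.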
@@ -67,6 +67,7 @@ Patch0201: use-bfq-scheduler.patch
 Patch0202: fedora-use-system-auth-in-pam-systemd-user.patch
 Patch0203: 0001-add-loongarch64-support-for-systemd.patch
 Patch0204: 0004-Update-vendor-ids-for-ieisystem-0750.patch
+Patch0205: 0005-resolved-actually-check-authenticated-flag-of-SOA-tr.patch
 BuildRequires: gcc gcc-c++ clang coreutils
 BuildRequires: libcap-devel libmount-devel libfdisk-devel libpwquality-devel
@@ -1936,6 +1937,9 @@ fi
 %doc docs/DISTRO_PORTING.md docs/HACKING.md
 %changelog
+* Wed May 15 2024 Zhenyu Wang - 252.4-10
+- fix CVE-2023-7008
+
 * Wed Jan 31 2024 wangkaiyuan - 252.4-9
 - Update vendor ids for ieisystem 0750
--
Gitee