From b52d3d1374234d74adea0d9babb1dedb05007d0c Mon Sep 17 00:00:00 2001 From: ut005731 Date: Fri, 1 Nov 2024 16:59:11 +0800 Subject: [PATCH] cve: fix CVE-2023-26604 --- 0855-cve-fix-CVE-2023-26604.patch | 205 ++++++++++++++ ...r-Chase-symlinks-where-possible-6293.patch | 140 ++++++++++ 0857-ci-enable-source-git-automation.patch | 259 ++++++++++++++++++ ...downgrade-message-when-we-can-t-cano.patch | 47 ++++ ...or-fix-ordering-of-sysroot-usr-mount.patch | 22 ++ ...-secure-when-under-euid-is-changed-o.patch | 181 ++++++++++++ systemd.spec | 12 +- 7 files changed, 865 insertions(+), 1 deletion(-) create mode 100644 0855-cve-fix-CVE-2023-26604.patch create mode 100644 0856-fstab-generator-Chase-symlinks-where-possible-6293.patch create mode 100644 0857-ci-enable-source-git-automation.patch create mode 100644 0858-fstab-generator-downgrade-message-when-we-can-t-cano.patch create mode 100644 0859-fstab-generator-fix-ordering-of-sysroot-usr-mount.patch create mode 100644 0860-pager-make-pager-secure-when-under-euid-is-changed-o.patch diff --git a/0855-cve-fix-CVE-2023-26604.patch b/0855-cve-fix-CVE-2023-26604.patch new file mode 100644 index 0000000..2aebfbe --- /dev/null +++ b/0855-cve-fix-CVE-2023-26604.patch 
@@ -0,0 +1,205 @@ +From 2e397e47bdb8ba118681c6fbdc415d0e46cd10d6 Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Thu, 31 Oct 2024 14:45:39 +0800 +Subject: [PATCH] cve: fix CVE-2023-26604 + +--- + .github/regression-sniffer.yml | 1 + + man/less-variables.xml | 10 +++++++++- + man/systemctl.xml | 1 + + man/systemd.xml | 1 + + src/escape/escape.c | 2 +- + src/fstab-generator/fstab-generator.c | 4 ++-- + src/shared/pager.c | 21 ++++++++++++++++++++- + src/shared/util.c | 14 +++++++++++--- + test/TEST-81-GENERATORS/testsuite.sh | 14 ++++++++++++++ + test/test-functions | 2 +- + 10 files changed, 61 insertions(+), 9 deletions(-) + create mode 100644 .github/regression-sniffer.yml + create mode 100644 test/TEST-81-GENERATORS/testsuite.sh + +diff --git a/.github/regression-sniffer.yml b/.github/regression-sniffer.yml +new file mode 100644 +index 0000000..3824028 +--- /dev/null ++++ b/.github/regression-sniffer.yml +@@ -0,0 +1 @@ ++upstream: systemd/systemd +diff --git a/man/less-variables.xml b/man/less-variables.xml +index 0fb4d7f..d7a7695 100644 +--- a/man/less-variables.xml ++++ b/man/less-variables.xml +@@ -25,5 +25,13 @@ + less + (FRSXMK). + +- ++ ++ $SYSTEMD_LESSSECURE ++ ++ Takes a boolean argument. Overrides the $LESSSECURE environment ++ variable when invoking the pager, which controls the "secure" mode of less (which disables commands ++ such as | which allow to easily shell out to external command lines). By default ++ less secure mode is enabled, with this setting it may be disabled. 
++ ++ + +diff --git a/man/systemctl.xml b/man/systemctl.xml +index 4a1aff2..ae96b9c 100644 +--- a/man/systemctl.xml ++++ b/man/systemctl.xml +@@ -1716,6 +1716,7 @@ kobject-uevent 1 systemd-udevd-kernel.socket systemd-udevd.service + + + ++ + + + +diff --git a/man/systemd.xml b/man/systemd.xml +index 30005b1..595a8a8 100644 +--- a/man/systemd.xml ++++ b/man/systemd.xml +@@ -761,6 +761,7 @@ + + + ++ + + $LISTEN_PID + $LISTEN_FDS +diff --git a/src/escape/escape.c b/src/escape/escape.c +index 766a2c2..ef1839a 100644 +--- a/src/escape/escape.c ++++ b/src/escape/escape.c +@@ -99,7 +99,7 @@ static int parse_argv(int argc, char *argv[]) { + + case ARG_TEMPLATE: + +- if (!unit_name_is_valid(optarg, true) || !unit_name_is_template(optarg)) { ++ if (!unit_name_is_valid(optarg, UNIT_NAME_TEMPLATE) || !unit_name_is_template(optarg)) { + log_error("Template name %s is not valid.", optarg); + return -EINVAL; + } +diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c +index 23b5457..4c355d3 100644 +--- a/src/fstab-generator/fstab-generator.c ++++ b/src/fstab-generator/fstab-generator.c +@@ -452,8 +452,8 @@ static int parse_fstab(bool initrd) { + continue; + } + +- where = initrd ? strappend("/sysroot/", me->mnt_dir) : strdup(me->mnt_dir); +- if (!where) ++ where = strdup(me->mnt_dir); ++ if (!where) + return log_oom(); + + if (is_path(where)) +diff --git a/src/shared/pager.c b/src/shared/pager.c +index 8635d9a..fa0acb9 100644 +--- a/src/shared/pager.c ++++ b/src/shared/pager.c +@@ -26,6 +26,7 @@ + #include + #include + ++#include "env-util.h" + #include "pager.h" + #include "util.h" + #include "macro.h" +@@ -103,7 +104,25 @@ int pager_open(bool jump_to_end) { + if (getppid() != parent_pid) + _exit(EXIT_SUCCESS); + +- if (pager) { ++ /* People might invoke us from sudo, don't needlessly allow less to be a way to shell out ++ * privileged stuff. 
*/ ++ r = getenv_bool("SYSTEMD_LESSSECURE"); ++ if (r == 0) { /* Remove env var if off */ ++ if (unsetenv("LESSSECURE") < 0) { ++ log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m"); ++ _exit(EXIT_FAILURE); ++ } ++ } else { ++ /* Set env var otherwise */ ++ if (r < 0) ++ log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m"); ++ ++ if (setenv("LESSSECURE", "1", 1) < 0) { ++ log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m"); ++ _exit(EXIT_FAILURE); ++ } ++ } ++ if (pager) { + execlp(pager, pager, NULL); + execl("/bin/sh", "sh", "-c", pager, NULL); + } +diff --git a/src/shared/util.c b/src/shared/util.c +index 3fb4492..2d6b6fa 100644 +--- a/src/shared/util.c ++++ b/src/shared/util.c +@@ -5967,6 +5967,7 @@ bool documentation_url_is_valid(const char *url) { + bool in_initrd(void) { + static int saved = -1; + struct statfs s; ++ int r; + + if (saved >= 0) + return saved; +@@ -5981,9 +5982,16 @@ bool in_initrd(void) { + * emptying when transititioning to the main systemd. 
+ */ + +- saved = access("/etc/initrd-release", F_OK) >= 0 && +- statfs("/", &s) >= 0 && +- is_temporary_fs(&s); ++ r = getenv_bool("SYSTEMD_IN_INITRD"); ++ if (r < 0 && r != -ENXIO) ++ log_debug_errno(r, "Failed to parse $SYSTEMD_IN_INITRD, ignoring: %m"); ++ ++ if (r >= 0) ++ saved = r > 0; ++ else ++ saved = access("/etc/initrd-release", F_OK) >= 0 && ++ statfs("/", &s) >= 0 && ++ is_temporary_fs(&s); + + return saved; + } +diff --git a/test/TEST-81-GENERATORS/testsuite.sh b/test/TEST-81-GENERATORS/testsuite.sh +new file mode 100644 +index 0000000..9aa8604 +--- /dev/null ++++ b/test/TEST-81-GENERATORS/testsuite.sh +@@ -0,0 +1,14 @@ ++#!/usr/bin/bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -eux ++set -o pipefail ++ ++: >/failed ++ ++for script in "${0%.sh}".*.sh; do ++ echo "Running $script" ++ "./$script" ++done ++ ++touch /testok ++rm /failed +diff --git a/test/test-functions b/test/test-functions +index d5e9650..497c217 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -12,7 +12,7 @@ if ! ROOTLIBDIR=$(pkg-config --variable=systemdutildir systemd); then + ROOTLIBDIR=/usr/lib/systemd + fi + +-BASICTOOLS="test sh bash setsid loadkeys setfont login sulogin gzip sleep echo mount umount cryptsetup date dmsetup modprobe chmod chown ln sed cmp tee" ++BASICTOOLS="test sh bash setsid loadkeys setfont login sulogin gzip sleep echo mount umount cryptsetup date dmsetup modprobe chmod chown ln sed cmp tee dirname readlink mktemp fsck.ext4 fsck.ext3 fsck.ext2" + DEBUGTOOLS="df free ls stty cat ps ln ip route dmesg dhclient mkdir cp ping dhclient strace less grep id tty touch du sort hostname" + + function find_qemu_bin() { +-- +2.39.3 + diff --git a/0856-fstab-generator-Chase-symlinks-where-possible-6293.patch b/0856-fstab-generator-Chase-symlinks-where-possible-6293.patch new file mode 100644 index 0000000..e70f5ef --- /dev/null +++ b/0856-fstab-generator-Chase-symlinks-where-possible-6293.patch 
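Review bot: In the pager.c hunk, `getenv_bool("SYSTEMD_LESSSECURE")` returns -ENXIO when the variable is simply unset (the in_initrd() hunk of this same patch special-cases exactly that value), so every pager start without the variable will log "Unable to parse $SYSTEMD_LESSSECURE, ignoring" before applying the secure default; the warning should be guarded as `if (r < 0 && r != -ENXIO)` to match in_initrd(), and the message "Failed to uset environment variable" has a typo. Note also that after this patch the child still runs `execlp(pager, ...)` / `sh -c pager` for whatever $PAGER or $SYSTEMD_PAGER it inherited, so LESSSECURE=1 only constrains less itself and a caller under sudo with a preserved pager variable can still name an arbitrary command, which is the case the separate 0860 patch is about. A patch titled as the CVE fix also bundles unrelated changes (the escape.c UNIT_NAME_TEMPLATE argument, dropping the "/sysroot/" prefix in parse_fstab(), the new $SYSTEMD_IN_INITRD override in in_initrd(), CI and test scaffolding), which makes the security change harder to audit and impossible to revert on its own; I'd split them into their own patches. pager_open() and in_initrd() both start outside the hunks shown.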
@@ -0,0 +1,140 @@ +From 23ef814d2b9ef8e494dfa2d382e16890afabb2a2 Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Thu, 31 Oct 2024 14:45:39 +0800 +Subject: [PATCH] fstab-generator: Chase symlinks where possible + +--- + man/systemd-fstab-generator.xml | 8 +++++++ + man/systemd.mount.xml | 5 +++-- + src/fstab-generator/fstab-generator.c | 40 +++++++++++++++++++++++++++++------ + 3 files changed, 44 insertions(+), 9 deletions(-) + +diff --git a/man/systemd-fstab-generator.xml b/man/systemd-fstab-generator.xml +index bdc2dc1..6f45c68 100644 +--- a/man/systemd-fstab-generator.xml ++++ b/man/systemd-fstab-generator.xml +@@ -71,6 +71,14 @@ + for more information about special /etc/fstab + mount options this generator understands. + ++ One special topic is handling of symbolic links. Historical init ++ implementations supported symlinks in /etc/fstab. ++ Because mount units will refuse mounts where the target is a symbolic link, ++ this generator will resolve any symlinks as far as possible when processing ++ /etc/fstab in order to enhance backwards compatibility. ++ If a symlink target does not exist at the time that this generator runs, it ++ is assumed that the symlink target is the final target of the mount. ++ + systemd-fstab-generator implements + systemd.generator7. + +diff --git a/man/systemd.mount.xml b/man/systemd.mount.xml +index 1590c44..5021db5 100644 +--- a/man/systemd.mount.xml ++++ b/man/systemd.mount.xml +@@ -295,8 +295,9 @@ + + + Where= +- Takes an absolute path of a directory of the +- mount point. If the mount point does not exist at the time of ++ Takes an absolute path of a directory for the ++ mount point; in particular, the destination cannot be a symbolic ++ link. If the mount point does not exist at the time of + mounting, it is created. This string must be reflected in the + unit filename. (See above.) This option is + mandatory. 
+diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c +index 23b5457..d12e368 100644 +--- a/src/fstab-generator/fstab-generator.c ++++ b/src/fstab-generator/fstab-generator.c +@@ -240,6 +240,7 @@ static int write_idle_timeout(FILE *f, const char *where, const char *opts) { + static int add_mount( + const char *what, + const char *where, ++ const char *original_where, + const char *fstype, + const char *opts, + int passno, +@@ -329,10 +330,12 @@ static int add_mount( + fprintf(f, + "\n" + "[Mount]\n" +- "What=%s\n" +- "Where=%s\n", +- what, +- where); ++ "What=%s\n", ++ what); ++ ++ if (original_where) ++ fprintf(f, "# Canonicalized from %s\n", original_where); ++ fprintf(f, "Where=%s\n", where); + + if (!isempty(fstype) && !streq(fstype, "auto")) + fprintf(f, "Type=%s\n", fstype); +@@ -436,7 +439,7 @@ static int parse_fstab(bool initrd) { + } + + while ((me = getmntent(f))) { +- _cleanup_free_ char *where = NULL, *what = NULL; ++ _cleanup_free_ char *where = NULL, *what = NULL, *canonical_where = NULL; + bool noauto, nofail; + int k; + +@@ -456,8 +459,28 @@ static int parse_fstab(bool initrd) { + if (!where) + return log_oom(); + +- if (is_path(where)) ++ if (is_path(where)) { + path_kill_slashes(where); ++ /* Follow symlinks here; see 5261ba901845c084de5a8fd06500ed09bfb0bd80 which makes sense for ++ * mount units, but causes problems since it historically worked to have symlinks in e.g. ++ * /etc/fstab. So we canonicalize here. Note that we use CHASE_NONEXISTENT to handle the case ++ * where a symlink refers to another mount target; this works assuming the sub-mountpoint ++ * target is the final directory. ++ */ ++ r = chase_symlinks(where, initrd ? 
"/sysroot" : NULL, ++ CHASE_PREFIX_ROOT | CHASE_NONEXISTENT, ++ &canonical_where); ++ if (r < 0) ++ /* In this case for now we continue on as if it wasn't a symlink */ ++ log_warning_errno(r, "Failed to read symlink target for %s: %m", where); ++ else { ++ if (streq(canonical_where, where)) ++ canonical_where = mfree(canonical_where); ++ else ++ log_debug("Canonicalized what=%s where=%s to %s", ++ what, where, canonical_where); ++ } ++ } + + noauto = fstab_test_yes_no_option(me->mnt_opts, "noauto\0" "auto\0"); + nofail = fstab_test_yes_no_option(me->mnt_opts, "nofail\0" "fail\0"); +@@ -482,7 +505,8 @@ static int parse_fstab(bool initrd) { + post = SPECIAL_LOCAL_FS_TARGET; + + k = add_mount(what, +- where, ++ canonical_where ?: where, ++ canonical_where ? where: NULL, + me->mnt_type, + me->mnt_opts, + me->mnt_passno, +@@ -526,6 +550,7 @@ static int add_sysroot_mount(void) { + log_debug("Found entry what=%s where=/sysroot type=%s", what, strna(arg_root_fstype)); + return add_mount(what, + "/sysroot", ++ NULL, + arg_root_fstype, + opts, + 1, +@@ -583,6 +608,7 @@ static int add_sysroot_usr_mount(void) { + log_debug("Found entry what=%s where=/sysroot/usr type=%s", what, strna(arg_usr_fstype)); + return add_mount(what, + "/sysroot/usr", ++ NULL, + arg_usr_fstype, + opts, + 1, diff --git a/0857-ci-enable-source-git-automation.patch b/0857-ci-enable-source-git-automation.patch new file mode 100644 index 0000000..3ab48a1 --- /dev/null +++ b/0857-ci-enable-source-git-automation.patch 
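Review bot: In the parse_fstab() hunk, the `r < 0` branch of the chase_symlinks() call falls through with the un-prefixed `where`, but in initrd mode the "/sysroot" prefix is now only produced by CHASE_PREFIX_ROOT inside chase_symlinks() (patch 0855 in this series replaced the `strappend("/sysroot/", ...)` with a plain strdup), so a canonicalization failure in the initrd would emit a mount unit for `/foo` instead of `/sysroot/foo`. The failure branch should restore the prefix before continuing, e.g. `if (r < 0 && initrd) { canonical_where = strappend("/sysroot", where); if (!canonical_where) return log_oom(); }`. Because the canonical path always carries the prefix in initrd mode, the `streq(canonical_where, where)` shortcut can never fire there and every initrd entry gets a "# Canonicalized from" comment, which is harmless but misleading. parse_fstab() begins and ends outside the hunk.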
@@ -0,0 +1,259 @@ +From 91c2ca21e754893c95199fff0862178a6410c95a Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Thu, 31 Oct 2024 14:45:39 +0800 +Subject: [PATCH] ci: enable source-git automation + +--- + .github/advanced-commit-linter.yml | 25 ++++++++ + .github/auto-merge.yml | 4 ++ + .github/pull-request-validator.yml | 4 ++ + .github/tracker-validator.yml | 15 +++++ + .github/workflows/gather-metadata.yml | 28 +++++++++ + .../workflows/source-git-automation-on-demand.yml | 72 ++++++++++++++++++++++ + .github/workflows/source-git-automation.yml | 47 ++++++++++++++ + 7 files changed, 195 insertions(+) + create mode 100644 .github/advanced-commit-linter.yml + create mode 100644 .github/auto-merge.yml + create mode 100644 .github/pull-request-validator.yml + create mode 100644 .github/tracker-validator.yml + create mode 100644 .github/workflows/gather-metadata.yml + create mode 100644 .github/workflows/source-git-automation-on-demand.yml + create mode 100644 .github/workflows/source-git-automation.yml + +diff --git a/.github/advanced-commit-linter.yml b/.github/advanced-commit-linter.yml +new file mode 100644 +index 0000000..86f0e91 +--- /dev/null ++++ b/.github/advanced-commit-linter.yml +@@ -0,0 +1,25 @@ ++policy: ++ cherry-pick: ++ upstream: ++ - github: systemd/systemd ++ exception: ++ note: ++ - rhel-only ++ - RHEL-only ++ tracker: ++ - keyword: ++ - 'Resolves: #?' ++ - 'Related: #?' ++ - 'Reverts: #?' 
++ type: bugzilla ++ issue-format: ++ - '\d+$' ++ url: 'https://bugzilla.redhat.com/show_bug.cgi?id=' ++ - keyword: ++ - 'Resolves: ' ++ - 'Related: ' ++ - 'Reverts: ' ++ type: jira ++ issue-format: ++ - 'RHEL-\d+$' ++ url: 'https://issues.redhat.com/browse/' +diff --git a/.github/auto-merge.yml b/.github/auto-merge.yml +new file mode 100644 +index 0000000..a59828e +--- /dev/null ++++ b/.github/auto-merge.yml +@@ -0,0 +1,4 @@ ++labels: ++ dont-merge: dont-merge ++ manual-merge: pr/needs-manual-merge ++target-branch': ['rhel-7.9'] +diff --git a/.github/pull-request-validator.yml b/.github/pull-request-validator.yml +new file mode 100644 +index 0000000..4bb5bbe +--- /dev/null ++++ b/.github/pull-request-validator.yml +@@ -0,0 +1,4 @@ ++labels: ++ missing-review: pr/needs-review ++ changes-requested: pr/changes-requested ++ missing-failing-ci: pr/needs-ci +diff --git a/.github/tracker-validator.yml b/.github/tracker-validator.yml +new file mode 100644 +index 0000000..39bc51c +--- /dev/null ++++ b/.github/tracker-validator.yml +@@ -0,0 +1,15 @@ ++labels: ++ missing-tracker: tracker/missing ++ invalid-product: tracker/invalid-product ++ invalid-component: tracker/invalid-component ++ unapproved: tracker/unapproved ++products: ++ - Red Hat Enterprise Linux 7 ++ - rhel-7.4 ++ - rhel-7.4.z ++ - rhel-7.6 ++ - rhel-7.6.z ++ - rhel-7.7 ++ - rhel-7.7.z ++ - rhel-7.9 ++ - rhel-7.9.z +diff --git a/.github/workflows/gather-metadata.yml b/.github/workflows/gather-metadata.yml +new file mode 100644 +index 0000000..1003fb3 +--- /dev/null ++++ b/.github/workflows/gather-metadata.yml +@@ -0,0 +1,28 @@ ++name: Gather Pull Request Metadata ++on: ++ pull_request: ++ types: [ opened, reopened, synchronize ] ++ branches: ++ # - master ++ - rhel-7.* ++ ++permissions: ++ contents: read ++ ++jobs: ++ gather-metadata: ++ runs-on: ubuntu-latest ++ ++ steps: ++ - name: Repository checkout ++ uses: actions/checkout@v3 ++ ++ - id: Metadata ++ name: Gather Pull Request Metadata ++ uses: 
redhat-plumbers-in-action/gather-pull-request-metadata@v1 ++ ++ - name: Upload artifact with gathered metadata ++ uses: actions/upload-artifact@v3 ++ with: ++ name: pr-metadata ++ path: ${{ steps.Metadata.outputs.metadata-file }} +diff --git a/.github/workflows/source-git-automation-on-demand.yml b/.github/workflows/source-git-automation-on-demand.yml +new file mode 100644 +index 0000000..f8c3a2c +--- /dev/null ++++ b/.github/workflows/source-git-automation-on-demand.yml +@@ -0,0 +1,72 @@ ++name: Source git Automation Scheduled/On Demand ++on: ++ schedule: ++ # Workflow runs every 45 minutes ++ - cron: '*/45 * * * *' ++ workflow_dispatch: ++ inputs: ++ pr-number: ++ description: 'Pull Request number/s ; when not provided, the workflow will run for all open PRs' ++ required: true ++ default: '0' ++ ++permissions: ++ contents: read ++ ++jobs: ++ # Get all open PRs ++ gather-pull-requests: ++ if: github.repository == 'redhat-plumbers/systemd-rhel7' ++ runs-on: ubuntu-latest ++ ++ outputs: ++ pr-numbers: ${{ steps.get-pr-numbers.outputs.result }} ++ pr-numbers-manual: ${{ steps.parse-manual-input.outputs.result }} ++ ++ steps: ++ - id: get-pr-numbers ++ if: inputs.pr-number == '0' ++ name: Get all open PRs ++ uses: actions/github-script@v6 ++ with: ++ # !FIXME: this is not working if there is more than 100 PRs opened ++ script: | ++ const { data: pullRequests } = await github.rest.pulls.list({ ++ owner: context.repo.owner, ++ repo: context.repo.repo, ++ state: 'open', ++ per_page: 100 ++ }); ++ return pullRequests.map(pr => pr.number); ++ ++ - id: parse-manual-input ++ if: inputs.pr-number != '0' ++ name: Parse manual input ++ run: | ++ echo "result="[ ${{ inputs.pr-number }} ]"" >> $GITHUB_OUTPUT ++ shell: bash ++ ++ validate-pr: ++ name: 'Validation of Pull Request #${{ matrix.pr-number }}' ++ needs: [ gather-pull-requests ] ++ runs-on: ubuntu-latest ++ ++ strategy: ++ fail-fast: false ++ matrix: ++ pr-number: ${{ inputs.pr-number == 0 && 
fromJSON(needs.gather-pull-requests.outputs.pr-numbers) || fromJSON(needs.gather-pull-requests.outputs.pr-numbers-manual) }} ++ ++ permissions: ++ # required for merging PRs ++ contents: write ++ # required for PR comments and setting labels ++ pull-requests: write ++ ++ steps: ++ - name: Source-git Automation ++ uses: redhat-plumbers-in-action/source-git-automation@v1 ++ with: ++ pr-number: ${{ matrix.pr-number }} ++ bugzilla-api-token: ${{ secrets.BUGZILLA_API_TOKEN }} ++ jira-api-token: ${{ secrets.JIRA_API_TOKEN }} ++ token: ${{ secrets.GITHUB_TOKEN }} +diff --git a/.github/workflows/source-git-automation.yml b/.github/workflows/source-git-automation.yml +new file mode 100644 +index 0000000..cf87f11 +--- /dev/null ++++ b/.github/workflows/source-git-automation.yml +@@ -0,0 +1,47 @@ ++name: Source git Automation ++on: ++ workflow_run: ++ workflows: [ Gather Pull Request Metadata ] ++ types: ++ - completed ++ ++permissions: ++ contents: read ++ ++jobs: ++ download-metadata: ++ if: > ++ github.event.workflow_run.event == 'pull_request' && ++ github.event.workflow_run.conclusion == 'success' && ++ github.repository == 'redhat-plumbers/systemd-rhel7' ++ runs-on: ubuntu-latest ++ ++ outputs: ++ pr-metadata: ${{ steps.Artifact.outputs.pr-metadata-json }} ++ ++ steps: ++ - id: Artifact ++ name: Download Artifact ++ uses: redhat-plumbers-in-action/download-artifact@v1 ++ with: ++ name: pr-metadata ++ ++ source-git-automation: ++ needs: [ download-metadata ] ++ runs-on: ubuntu-latest ++ ++ permissions: ++ # required for merging PRs ++ contents: write ++ # required for PR comments and setting labels ++ pull-requests: write ++ ++ ++ steps: ++ - name: Source-git Automation ++ uses: redhat-plumbers-in-action/source-git-automation@v1 ++ with: ++ pr-metadata: ${{ needs.download-metadata.outputs.pr-metadata }} ++ bugzilla-api-token: ${{ secrets.BUGZILLA_API_TOKEN }} ++ jira-api-token: ${{ secrets.JIRA_API_TOKEN }} ++ token: ${{ secrets.GITHUB_TOKEN }} 
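Review bot: In source-git-automation-on-demand.yml, the `parse-manual-input` step interpolates `${{ inputs.pr-number }}` straight into a `run:` shell line, which is the GitHub Actions expression-injection pattern; pass it through an environment variable instead (`env: PR: ${{ inputs.pr-number }}` and `echo "result=[ $PR ]" >> "$GITHUB_OUTPUT"`) and reject anything that is not a number. The source-git-automation.yml job is triggered by `workflow_run`, holds `contents: write` and `pull-requests: write`, receives the Bugzilla and Jira tokens, and acts on a `pr-metadata` artifact produced by the pull_request workflow, i.e. by content a fork PR can influence; whether the action sanitizes that artifact is not visible here, so the trust boundary deserves a comment in the workflow. All third-party actions are pinned to mutable tags (`@v1`, `@v3`, `@v6`) rather than commit SHAs. These files are gated on `github.repository == 'redhat-plumbers/systemd-rhel7'` and have no effect on the built package, so carrying them inside a CVE patch series only adds review noise; I'd drop 0857 from the series.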
diff --git a/0858-fstab-generator-downgrade-message-when-we-can-t-cano.patch b/0858-fstab-generator-downgrade-message-when-we-can-t-cano.patch new file mode 100644 index 0000000..2a684e1 --- /dev/null +++ b/0858-fstab-generator-downgrade-message-when-we-can-t-cano.patch 
@@ -0,0 +1,47 @@ +From 17b67bcc0d6fe531c042e2b55e38d3c0fdbafd18 Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Thu, 31 Oct 2024 14:45:39 +0800 +Subject: [PATCH] fstab-generator: downgrade message when we can't canonicalize + +--- + src/fstab-generator/fstab-generator.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c +index bdd6e59..d06c80f 100644 +--- a/src/fstab-generator/fstab-generator.c ++++ b/src/fstab-generator/fstab-generator.c +@@ -461,25 +461,21 @@ static int parse_fstab(bool initrd) { + + if (is_path(where)) { + path_kill_slashes(where); ++ + /* Follow symlinks here; see 5261ba901845c084de5a8fd06500ed09bfb0bd80 which makes sense for + * mount units, but causes problems since it historically worked to have symlinks in e.g. + * /etc/fstab. So we canonicalize here. Note that we use CHASE_NONEXISTENT to handle the case + * where a symlink refers to another mount target; this works assuming the sub-mountpoint +- * target is the final directory. +- */ ++ * target is the final directory. */ + r = chase_symlinks(where, initrd ? 
"/sysroot" : NULL, + CHASE_PREFIX_ROOT | CHASE_NONEXISTENT, + &canonical_where); +- if (r < 0) +- /* In this case for now we continue on as if it wasn't a symlink */ +- log_warning_errno(r, "Failed to read symlink target for %s: %m", where); +- else { +- if (streq(canonical_where, where)) +- canonical_where = mfree(canonical_where); +- else +- log_debug("Canonicalized what=%s where=%s to %s", +- what, where, canonical_where); +- } ++ if (r < 0) /* If we can't canonicalize we continue on as if it wasn't a symlink */ ++ log_debug_errno(r, "Failed to read symlink target for %s, ignoring: %m", where); ++ else if (streq(canonical_where, where)) /* If it was fully canonicalized, suppress the change */ ++ canonical_where = mfree(canonical_where); ++ else ++ log_debug("Canonicalized what=%s where=%s to %s", what, where, canonical_where); + } + + noauto = fstab_test_yes_no_option(me->mnt_opts, "noauto\0" "auto\0"); diff --git a/0859-fstab-generator-fix-ordering-of-sysroot-usr-mount.patch b/0859-fstab-generator-fix-ordering-of-sysroot-usr-mount.patch new file mode 100644 index 0000000..21a9163 --- /dev/null +++ b/0859-fstab-generator-fix-ordering-of-sysroot-usr-mount.patch @@ -0,0 +1,22 @@ +From 6174d82d8adce502a954daeecd1bd0f109a969e8 Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Thu, 31 Oct 2024 14:45:39 +0800 +Subject: [PATCH] fstab-generator: fix ordering of /sysroot/usr mount + +--- + src/fstab-generator/fstab-generator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c +index d06c80f..2376432 100644 +--- a/src/fstab-generator/fstab-generator.c ++++ b/src/fstab-generator/fstab-generator.c +@@ -611,7 +611,7 @@ static int add_sysroot_usr_mount(void) { + false, + false, + false, +- SPECIAL_INITRD_ROOT_FS_TARGET, ++ SPECIAL_INITRD_FS_TARGET, + "/proc/cmdline"); + } + 
diff --git a/0860-pager-make-pager-secure-when-under-euid-is-changed-o.patch b/0860-pager-make-pager-secure-when-under-euid-is-changed-o.patch new file mode 100644 index 0000000..ba967dc --- /dev/null +++ b/0860-pager-make-pager-secure-when-under-euid-is-changed-o.patch 
@@ -0,0 +1,181 @@ +From 9d42932531beeb71efff409f8a7c330ddbec07d0 Mon Sep 17 00:00:00 2001 +From: systemd team +Date: Fri, 1 Nov 2024 16:19:44 +0800 +Subject: [PATCH] make pager secure when under euid is changed + +--- + man/less-variables.xml | 30 ++++++++++++--- + src/shared/pager.c | 85 +++++++++++++++++++++++++++++------------- + 2 files changed, 83 insertions(+), 32 deletions(-) + +diff --git a/man/less-variables.xml b/man/less-variables.xml +index ab14aa8..00609d8 100644 +--- a/man/less-variables.xml ++++ b/man/less-variables.xml +@@ -26,12 +26,30 @@ + (FRSXMK). + + +- $SYSTEMD_LESSSECURE +- +- Takes a boolean argument. Overrides the $LESSSECURE environment +- variable when invoking the pager, which controls the "secure" mode of less (which disables commands +- such as | which allow to easily shell out to external command lines). By default +- less secure mode is enabled, with this setting it may be disabled. ++ $SYSTEMD_PAGERSECURE ++ ++ Takes a boolean argument. When true, the "secure" mode of the pager is enabled; if ++ false, disabled. If $SYSTEMD_PAGERSECURE is not set at all, secure mode is enabled ++ if the effective UID is not the same as the owner of the login session, see geteuid2 and ++ sd_pid_get_owner_uid3. ++ In secure mode, will be set when invoking the pager, and the pager shall ++ disable commands that open or create new files or start new subprocesses. When ++ $SYSTEMD_PAGERSECURE is not set at all, pagers which are not known to implement ++ secure mode will not be used. (Currently only ++ less1 implements ++ secure mode.) ++ ++ Note: when commands are invoked with elevated privileges, for example under sudo8 or ++ pkexec1, care ++ must be taken to ensure that unintended interactive features are not enabled. "Secure" mode for the ++ pager may be enabled automatically as describe above. Setting SYSTEMD_PAGERSECURE=0 ++ or not removing it from the inherited environment allows the user to invoke arbitrary commands. 
Note ++ that if the $SYSTEMD_PAGER or $PAGER variables are to be ++ honoured, $SYSTEMD_PAGERSECURE must be set too. It might be reasonable to completly ++ disable the pager using instead. + + + +diff --git a/src/shared/pager.c b/src/shared/pager.c +index fc1ccc2..0888081 100644 +--- a/src/shared/pager.c ++++ b/src/shared/pager.c +@@ -26,10 +26,13 @@ + #include + #include + ++#include "cgroup-util.h" /* cg_pid_get_owner_uid() */ ++ + #include "env-util.h" + #include "pager.h" + #include "util.h" + #include "macro.h" ++#include "strv.h" + + static pid_t pager_pid = 0; + +@@ -48,6 +51,16 @@ noreturn static void pager_fallback(void) { + _exit(EXIT_SUCCESS); + } + ++/* Custom wrapper replacing sd_pid_get_owner_uid() from sd-login.h ++ * added to avoid having to include sd-login.h that causes linking problems */ ++static int pg_pid_get_owner_uid(pid_t pid, uid_t *uid) { ++ ++ assert_return(pid >= 0, -EINVAL); ++ assert_return(uid, -EINVAL); ++ ++ return cg_pid_get_owner_uid(pid, uid); ++} ++ + int pager_open(bool jump_to_end) { + int fd[2]; + const char *pager; +@@ -83,7 +96,9 @@ int pager_open(bool jump_to_end) { + + /* In the child start the pager */ + if (pager_pid == 0) { +- const char* less_opts; ++ const char* less_opts, *exe; ++ int use_secure_mode; ++ bool trust_pager; + + dup2(fd[0], STDIN_FILENO); + safe_close_pair(fd); +@@ -106,37 +121,55 @@ int pager_open(bool jump_to_end) { + + /* People might invoke us from sudo, don't needlessly allow less to be a way to shell out + * privileged stuff. */ +- r = getenv_bool("SYSTEMD_LESSSECURE"); +- if (r == 0) { /* Remove env var if off */ +- if (unsetenv("LESSSECURE") < 0) { +- log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m"); +- _exit(EXIT_FAILURE); +- } +- } else { +- /* Set env var otherwise */ +- if (r < 0) +- log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m"); ++ * privileged stuff. If the user set $SYSTEMD_PAGERSECURE, trust their configuration of the ++ * pager. 
If they didn't, use secure mode when under euid is changed. If $SYSTEMD_PAGERSECURE ++ * wasn't explicitly set, and we autodetect the need for secure mode, only use the pager we ++ * know to be good. */ ++ use_secure_mode = getenv_bool("SYSTEMD_PAGERSECURE"); ++ trust_pager = use_secure_mode >= 0; + +- if (setenv("LESSSECURE", "1", 1) < 0) { +- log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m"); +- _exit(EXIT_FAILURE); +- } ++ if (use_secure_mode == -ENXIO) { ++ uid_t uid; ++ ++ r = pg_pid_get_owner_uid(0, &uid); ++ if (r < 0) ++ log_debug_errno(r, "pg_pid_get_owner_uid() failed, enabling pager secure mode: %m"); ++ ++ use_secure_mode = r < 0 || uid != geteuid(); ++ ++ } else if (use_secure_mode < 0) { ++ log_warning_errno(use_secure_mode, "Unable to parse $SYSTEMD_PAGERSECURE, assuming true: %m"); ++ use_secure_mode = true; + } +- if (pager) { ++ /* We generally always set variables used by less, even if we end up using a different pager. ++ * They shouldn't hurt in any case, and ideally other pagers would look at them too. */ ++ if (use_secure_mode) ++ r = setenv("LESSSECURE", "1", 1); ++ else ++ r = unsetenv("LESSSECURE"); ++ if (r < 0) { ++ log_error_errno(errno, "Failed to adjust environment variable LESSSECURE: %m"); ++ _exit(EXIT_FAILURE); ++ } ++ ++ if (trust_pager && pager) { /* The pager config might be set globally, and we cannot ++ * know if the user adjusted it to be appropriate for the ++ * secure mode. Thus, start the pager specified through ++ * envvars only when $SYSTEMD_PAGERSECURE was explicitly set ++ * as well. */ + execlp(pager, pager, NULL); + execl("/bin/sh", "sh", "-c", pager, NULL); + } + +- /* Debian's alternatives command for pagers is +- * called 'pager'. Note that we do not call +- * sensible-pagers here, since that is just a +- * shell script that implements a logic that +- * is similar to this one anyway, but is +- * Debian-specific. 
*/ +- execlp("pager", "pager", NULL); +- +- execlp("less", "less", NULL); +- execlp("more", "more", NULL); ++ /* Debian's alternatives command for pagers is called 'pager'. Note that we do not call ++ * sensible-pagers here, since that is just a shell script that implements a logic that is ++ * similar to this one anyway, but is Debian-specific. */ ++ FOREACH_STRING(exe, "pager", "less", "more") { ++ /* Only less implements secure mode right now. */ ++ if (use_secure_mode && !streq(exe, "less")) ++ continue; ++ execlp(exe, exe, NULL); ++ } + + pager_fallback(); + /* not reached */ +-- +2.39.3 + diff --git a/systemd.spec b/systemd.spec index 0112363..546a07f 100644 --- a/systemd.spec +++ b/systemd.spec @@ -7,7 +7,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 219 -Release: 78%{?dist}.9 +Release: 78%{?dist}.11 # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: A System and Service Manager @@ -893,6 +893,12 @@ Patch0851: 0851-resolve-introduce-reference-counting-on-DnsStream.patch Patch0852: 0852-resolved-pin-stream-while-calling-callbacks-for-it.patch Patch0853: 0853-fstab-generator-Chase-symlinks-where-possible-6293.patch Patch0854: 0854-Revert-fstab-generator-Chase-symlinks-where-possible.patch +Patch0855: 0855-cve-fix-CVE-2023-26604.patch +Patch0856: 0856-fstab-generator-Chase-symlinks-where-possible-6293.patch +Patch0857: 0857-ci-enable-source-git-automation.patch +Patch0858: 0858-fstab-generator-downgrade-message-when-we-can-t-cano.patch +Patch0859: 0859-fstab-generator-fix-ordering-of-sysroot-usr-mount.patch +#Patch0860: 0860-pager-make-pager-secure-when-under-euid-is-changed-o.patch %global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);} 
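Review bot: In the `@@ -106,37 +121,55 @@` hunk of pager.c, the old comment terminator line ` * privileged stuff. */` is kept as a context line while the new continuation lines from ` * privileged stuff. If the user set $SYSTEMD_PAGERSECURE, ...` through ` * know to be good. */` are added after the removed block, so the added lines end up outside any comment and the file will not compile; the hunk's counts (37 old and 55 new lines, 25 removed and 43 added) only add up with that line as context, so this does not look like an extraction artifact. That line should be marked removed (`- * privileged stuff. */`) so the new text continues the opening `/* People might invoke us from sudo ...` comment, which is probably why Patch0860 had to be commented out in systemd.spec. Separately, the autodetection only enables secure mode when `cg_pid_get_owner_uid()` fails or the session owner differs from geteuid(), so an explicit `SYSTEMD_PAGERSECURE=0` surviving sudo's environment still disables it, as the new man text states; worth calling out in the package's sudoers guidance. pager_open() starts outside the hunk.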
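Review bot: In the Patch list hunk, `Patch0860` is commented out, so the change that actually closes the caller-controlled-pager vector of CVE-2023-26604 — honouring $SYSTEMD_PAGER/$PAGER only when $SYSTEMD_PAGERSECURE is set explicitly and auto-enabling secure mode when the euid differs from the session owner — is shipped in the SRPM but never applied, while the Release bump and the changelog entry in this same commit claim the CVE fixed. With only Patch0855 applied, pager_open() still execs whatever pager the inherited environment names, so `sudo systemctl status` with a pager variable preserved by sudoers env_keep remains a way to run an arbitrary command. Either repair 0860 so it applies and enable it (`Patch0860: 0860-pager-make-pager-secure-when-under-euid-is-changed-o.patch`), or word the changelog as a partial mitigation rather than a fix. Patch0857 adds only GitHub workflow files for a different repository and does not need to be in the patch list at all.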
@@ -1870,6 +1876,10 @@ fi %{_mandir}/man8/systemd-resolved.* %changelog +* Thu Oct 31 2024 zhuhongbo - 219-78.11 +- update: update to systemd-219-78.11 +- cve: fix CVE-2023-26604 + * Wed Nov 22 2023 systemd maintenance team - 219-78.9 - Revert "fstab-generator: Chase symlinks where possible (#6293)" (RHEL-17164) -- Gitee