From 4e24c90859bb3b03778b2ee29055d89331b920c2 Mon Sep 17 00:00:00 2001 From: yangmingtaip Date: Mon, 16 Aug 2021 16:04:32 +0800 Subject: [PATCH] fix CVE-2020-13529 --- ...entatively-ignore-FORCERENEW-command.patch | 38 +++++++++++++++++++ systemd.spec | 9 ++++- 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 backport-tentatively-ignore-FORCERENEW-command.patch diff --git a/backport-tentatively-ignore-FORCERENEW-command.patch b/backport-tentatively-ignore-FORCERENEW-command.patch new file mode 100644 index 0000000..2623fa2 --- /dev/null +++ b/backport-tentatively-ignore-FORCERENEW-command.patch @@ -0,0 +1,38 @@ +From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 24 Jun 2021 01:22:07 +0900 +Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command + +This makes DHCP client ignore FORCERENEW requests, as unauthenticated +FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). + +Let's re-enable this after RFC3118 (Authentication for DHCP Messages) +and/or RFC6704 (Forcerenew Nonce Authentication) are implemented. + +Fixes #16774. +--- + src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c +index 67a5a03eba6a..dc8ff19d1a24 100644 +--- a/src/libsystemd-network/sd-dhcp-client.c ++++ b/src/libsystemd-network/sd-dhcp-client.c +@@ -1380,9 +1380,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force, + if (r != DHCP_FORCERENEW) + return -ENOMSG; + ++#if 0 + log_dhcp_client(client, "FORCERENEW"); + + return 0; ++#else ++ /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP ++ * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW ++ * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */ ++ log_dhcp_client(client, "Received FORCERENEW, ignoring."); ++ return -ENOMSG; ++#endif + } + + static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) { diff --git a/systemd.spec b/systemd.spec index 79ff017..99666dd 100644 --- a/systemd.spec +++ b/systemd.spec @@ -16,7 +16,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 243 -Release: 39 +Release: 40 License: MIT and LGPLv2+ and GPLv2+ Summary: System and Service Manager @@ -124,6 +124,7 @@ Patch0074: backport-udevd-don-t-kill-worker-in-manager_kill_workers-when.pa Patch0075: backport-stat-util-add-stat_inode_unmodified-helper-that-chec.patch Patch0076: backport-basic-stat-util-make-mtime-check-stricter-and-use-en.patch Patch0077: backport-udev-make-algorithm-that-selects-highest-priority-de.patch +Patch0078: backport-tentatively-ignore-FORCERENEW-command.patch #openEuler Patch9002: 1509-fix-journal-file-descriptors-leak-problems.patch @@ -1511,6 +1512,12 @@ fi %exclude /usr/share/man/man3/* %changelog +* Mon Aug 16 2021 yangmingtai - 243-40 +- Type:CVE +- ID:CVE-2020-13529 +- SUG:NA +- DESC:fix CVE-2020-13529 + * Tue Aug 10 2021 yangmingtai - 243-39 - Type:bugfix - ID:NA -- Gitee