sync patches from systemd community

(cherry picked from commit 4743d4dcf49acc4a4e7243fb238259b085bac5cd)
2023-12-12 19:41:47 +08:00 · 2023-12-12 19:41:47 +08:00 · e165bae3ed
commit e165bae3ed
parent 08babeeaa3
3 changed files with 126 additions and 1 deletions
--- a/backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch
+++ b/backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch
@ -0,0 +1,83 @@
+From 9627e6a72f9c5c336a285b11515bda49345e7bfe Mon Sep 17 00:00:00 2001
+From: felixdoerre <felixdoerre@users.noreply.github.com>
+Date: Fri, 6 Oct 2023 05:18:21 +0200
+Subject: [PATCH] journalctl: verify that old entries are not sealed with too
+ recent key (#28885)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When verifying seals produced with forward secure sealing, the verification
+currently does not check that old entries are only sealed with the key for
+their epoch and not a more recent one. This missing check allows an attacker
+to remove seals, and create new ones with the currently available key, and
+verify will claim everything is in order, although all entries could have
+been modified.
+
+This resolves CVE-2023-31439.
+
+Co-authored-by: Felix Dörre <felix.doerre@kit.edu>
+(cherry picked from commit 3846d3aa292a6daa1916f667bdd79ebee9cb4ac4)
+(cherry picked from commit ea67d4755b5d81a42a9013d6ce72c9cf7adb56b9)
+(cherry picked from commit e140c1d10b04c757832adf2366ed6fbdfb2e92c9)
+
+---
+ src/libsystemd/sd-journal/journal-verify.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/libsystemd/sd-journal/journal-verify.c b/src/libsystemd/sd-journal/journal-verify.c
+index d5b4919..7a9df10 100644
+--- a/src/libsystemd/sd-journal/journal-verify.c
+++ b/src/libsystemd/sd-journal/journal-verify.c
+@@ -811,6 +811,7 @@ int journal_file_verify(
+         uint64_t p = 0, last_epoch = 0, last_tag_realtime = 0, last_sealed_realtime = 0;
+ 
+         uint64_t entry_seqnum = 0, entry_monotonic = 0, entry_realtime = 0;
+        usec_t min_entry_realtime = USEC_INFINITY, max_entry_realtime = 0;
+         sd_id128_t entry_boot_id;
+         bool entry_seqnum_set = false, entry_monotonic_set = false, entry_realtime_set = false, found_main_entry_array = false;
+         uint64_t n_weird = 0, n_objects = 0, n_entries = 0, n_data = 0, n_fields = 0, n_data_hash_tables = 0, n_field_hash_tables = 0, n_entry_arrays = 0, n_tags = 0;
+@@ -1023,6 +1024,9 @@ int journal_file_verify(
+                         entry_realtime = le64toh(o->entry.realtime);
+                         entry_realtime_set = true;
+ 
+                        max_entry_realtime = MAX(max_entry_realtime, le64toh(o->entry.realtime));
+                        min_entry_realtime = MIN(min_entry_realtime, le64toh(o->entry.realtime));
+
+                         n_entries++;
+                         break;
+ 
+@@ -1099,16 +1103,28 @@ int journal_file_verify(
+ 
+ #if HAVE_GCRYPT
+                         if (f->seal) {
+-                                uint64_t q, rt;
+                                uint64_t q, rt, rt_end;
+ 
+                                 debug(p, "Checking tag %"PRIu64"...", le64toh(o->tag.seqnum));
+ 
+                                 rt = f->fss_start_usec + le64toh(o->tag.epoch) * f->fss_interval_usec;
+-                                if (entry_realtime_set && entry_realtime >= rt + f->fss_interval_usec) {
+                                rt_end = usec_add(rt, f->fss_interval_usec);
+                                if (entry_realtime_set && entry_realtime >= rt_end) {
+                                         error(p, "tag/entry realtime timestamp out of synchronization");
+                                         r = -EBADMSG;
+                                         goto fail;
+                                 }
+                                if (max_entry_realtime >= rt_end) {
+                                        error(p, "Entry realtime is too late with respect to tag");
+                                        r = -EBADMSG;
+                                        goto fail;
+                                }
+                                if (min_entry_realtime < rt) {
+                                        error(p, "Entry realtime is too early with respect to tag");
+                                        r = -EBADMSG;
+                                        goto fail;
+                                }
+                                min_entry_realtime = USEC_INFINITY;
+ 
+                                 /* OK, now we know the epoch. So let's now set
+                                  * it, and calculate the HMAC for everything
+-- 
+2.33.0
+
--- a/backport-units-modprobe-.service-don-t-unescape-instance-name.patch
+++ b/backport-units-modprobe-.service-don-t-unescape-instance-name.patch
@ -0,0 +1,37 @@
+From 540b3c5d53f7b5889247e9cb4aea62d3983a48b8 Mon Sep 17 00:00:00 2001
+From: Martin Wilck <mwilck@suse.com>
+Date: Fri, 20 Oct 2023 16:25:15 +0200
+Subject: [PATCH] units: modprobe@.service: don't unescape instance name
+
+modprobe treats "-" and "_" interchangeably, thereby avoiding frequent
+errors because some module names contain dashes and others underscores.
+
+Because modprobe@.service unescapes the instance name, an attempt to
+start "modprobe@dm-crypt.service" will run "modprobe -abq dm/crypt",
+which is doomed to fail. "modprobe@dm_crypt.service" will work as
+expected. Thus unescaping the instance name has surprising side effects.
+Use "%i" instead.
+
+(cherry picked from commit bf25cf6c49253e922524dfa0e7960f554838f18b)
+(cherry picked from commit c98d0130dc8efd826cd85020337353cdbe644bb4)
+(cherry picked from commit 6d5eba0814e7dfc15ebb68ca5afdabab214c9da6)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd-stable/commit/540b3c5d53f7b5889247e9cb4aea62d3983a48b8
+---
+ units/modprobe@.service | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/units/modprobe@.service b/units/modprobe@.service
+index 85a2c08dee..fe631fffeb 100644
+--- a/units/modprobe@.service
+++ b/units/modprobe@.service
+@@ -17,4 +17,4 @@ StartLimitIntervalSec=0
+ 
+ [Service]
+ Type=oneshot
+-ExecStart=-/sbin/modprobe -abq %I
+ExecStart=-/sbin/modprobe -abq %i
+-- 
+2.33.0
+
--- a/systemd.spec
+++ b/systemd.spec
@ -21,7 +21,7 @@
 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
 Version:        249
-Release:        58
+Release:        59
 License:        MIT and LGPLv2+ and GPLv2+
 Summary:        System and Service Manager

@ -587,6 +587,8 @@ Patch6538:      backport-core-Return-1-from-unit_add_dependency-on-success.patch
 Patch6539:      backport-core-unit-fix-notification-about-unit-dependency-cha.patch
 Patch6540:      backport-core-unit-make-JoinsNamespaceOf-implies-the-inverse-.patch
 Patch6541:      backport-core-unit-update-bidirectional-dependency-simultaneo.patch
+Patch6542:      backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch
+Patch6543:      backport-units-modprobe-.service-don-t-unescape-instance-name.patch

 Patch9001:      update-rtc-with-system-clock-when-shutdown.patch
 Patch9002:      udev-add-actions-while-rename-netif-failed.patch
@ -2083,6 +2085,9 @@ grep -q -E '^KEYMAP="?fi-latin[19]"?' /etc/vconsole.conf 2>/dev/null &&
 %{_libdir}/security/pam_systemd.so

 %changelog
+* Tue Dec 12 2023 hongjinghao <hongjinghao@huawei.com> - 249-59
+- backport: sync patches from systemd community 
+
 * Tue Oct 31 2023 beta <beta@yfqm.date> - 249-58
 - enable libcryptsetup