From e165bae3ed62e2cc8fbac8f341fb39a2dd76cd4d Mon Sep 17 00:00:00 2001 From: hongjinghao Date: Tue, 12 Dec 2023 19:41:47 +0800 Subject: [PATCH] sync patches from systemd community (cherry picked from commit 4743d4dcf49acc4a4e7243fb238259b085bac5cd) --- ...y-that-old-entries-are-not-sealed-wi.patch | 83 +++++++++++++++++++ ...service-don-t-unescape-instance-name.patch | 37 +++++++++ systemd.spec | 7 +- 3 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch create mode 100644 backport-units-modprobe-.service-don-t-unescape-instance-name.patch diff --git a/backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch b/backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch new file mode 100644 index 0000000..c569780 --- /dev/null +++ b/backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch @@ -0,0 +1,83 @@ +From 9627e6a72f9c5c336a285b11515bda49345e7bfe Mon Sep 17 00:00:00 2001 +From: felixdoerre +Date: Fri, 6 Oct 2023 05:18:21 +0200 +Subject: [PATCH] journalctl: verify that old entries are not sealed with too + recent key (#28885) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When verifying seals produced with forward secure sealing, the verification +currently does not check that old entries are only sealed with the key for +their epoch and not a more recent one. This missing check allows an attacker +to remove seals, and create new ones with the currently available key, and +verify will claim everything is in order, although all entries could have +been modified. + +This resolves CVE-2023-31439. + +Co-authored-by: Felix Dörre +(cherry picked from commit 3846d3aa292a6daa1916f667bdd79ebee9cb4ac4) +(cherry picked from commit ea67d4755b5d81a42a9013d6ce72c9cf7adb56b9) +(cherry picked from commit e140c1d10b04c757832adf2366ed6fbdfb2e92c9) + +--- + src/libsystemd/sd-journal/journal-verify.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/src/libsystemd/sd-journal/journal-verify.c b/src/libsystemd/sd-journal/journal-verify.c +index d5b4919..7a9df10 100644 +--- a/src/libsystemd/sd-journal/journal-verify.c ++++ b/src/libsystemd/sd-journal/journal-verify.c +@@ -811,6 +811,7 @@ int journal_file_verify( + uint64_t p = 0, last_epoch = 0, last_tag_realtime = 0, last_sealed_realtime = 0; + + uint64_t entry_seqnum = 0, entry_monotonic = 0, entry_realtime = 0; ++ usec_t min_entry_realtime = USEC_INFINITY, max_entry_realtime = 0; + sd_id128_t entry_boot_id; + bool entry_seqnum_set = false, entry_monotonic_set = false, entry_realtime_set = false, found_main_entry_array = false; + uint64_t n_weird = 0, n_objects = 0, n_entries = 0, n_data = 0, n_fields = 0, n_data_hash_tables = 0, n_field_hash_tables = 0, n_entry_arrays = 0, n_tags = 0; +@@ -1023,6 +1024,9 @@ int journal_file_verify( + entry_realtime = le64toh(o->entry.realtime); + entry_realtime_set = true; + ++ max_entry_realtime = MAX(max_entry_realtime, le64toh(o->entry.realtime)); ++ min_entry_realtime = MIN(min_entry_realtime, le64toh(o->entry.realtime)); ++ + n_entries++; + break; + +@@ -1099,16 +1103,28 @@ int journal_file_verify( + + #if HAVE_GCRYPT + if (f->seal) { +- uint64_t q, rt; ++ uint64_t q, rt, rt_end; + + debug(p, "Checking tag %"PRIu64"...", le64toh(o->tag.seqnum)); + + rt = f->fss_start_usec + le64toh(o->tag.epoch) * f->fss_interval_usec; +- if (entry_realtime_set && entry_realtime >= rt + f->fss_interval_usec) { ++ rt_end = usec_add(rt, f->fss_interval_usec); ++ if (entry_realtime_set && entry_realtime >= rt_end) { + error(p, "tag/entry realtime timestamp out of synchronization"); + r = -EBADMSG; + goto fail; + } ++ if (max_entry_realtime >= rt_end) { ++ error(p, "Entry realtime is too late with respect to tag"); ++ r = -EBADMSG; ++ goto fail; ++ } ++ if (min_entry_realtime < rt) { ++ error(p, "Entry realtime is too early with respect to tag"); ++ r = -EBADMSG; ++ goto fail; ++ } ++ min_entry_realtime = USEC_INFINITY; + + /* OK, now we know the epoch. So let's now set + * it, and calculate the HMAC for everything +-- +2.33.0 + diff --git a/backport-units-modprobe-.service-don-t-unescape-instance-name.patch b/backport-units-modprobe-.service-don-t-unescape-instance-name.patch new file mode 100644 index 0000000..a970d6c --- /dev/null +++ b/backport-units-modprobe-.service-don-t-unescape-instance-name.patch @@ -0,0 +1,37 @@ +From 540b3c5d53f7b5889247e9cb4aea62d3983a48b8 Mon Sep 17 00:00:00 2001 +From: Martin Wilck +Date: Fri, 20 Oct 2023 16:25:15 +0200 +Subject: [PATCH] units: modprobe@.service: don't unescape instance name + +modprobe treats "-" and "_" interchangeably, thereby avoiding frequent +errors because some module names contain dashes and others underscores. + +Because modprobe@.service unescapes the instance name, an attempt to +start "modprobe@dm-crypt.service" will run "modprobe -abq dm/crypt", +which is doomed to fail. "modprobe@dm_crypt.service" will work as +expected. Thus unescaping the instance name has surprising side effects. +Use "%i" instead. + +(cherry picked from commit bf25cf6c49253e922524dfa0e7960f554838f18b) +(cherry picked from commit c98d0130dc8efd826cd85020337353cdbe644bb4) +(cherry picked from commit 6d5eba0814e7dfc15ebb68ca5afdabab214c9da6) + +Conflict:NA +Reference:https://github.com/systemd/systemd-stable/commit/540b3c5d53f7b5889247e9cb4aea62d3983a48b8 +--- + units/modprobe@.service | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/units/modprobe@.service b/units/modprobe@.service +index 85a2c08dee..fe631fffeb 100644 +--- a/units/modprobe@.service ++++ b/units/modprobe@.service +@@ -17,4 +17,4 @@ StartLimitIntervalSec=0 + + [Service] + Type=oneshot +-ExecStart=-/sbin/modprobe -abq %I ++ExecStart=-/sbin/modprobe -abq %i +-- +2.33.0 + diff --git a/systemd.spec b/systemd.spec index 126a672..fc313f7 100644 --- a/systemd.spec +++ b/systemd.spec @@ -21,7 +21,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 249 -Release: 58 +Release: 59 License: MIT and LGPLv2+ and GPLv2+ Summary: System and Service Manager @@ -587,6 +587,8 @@ Patch6538: backport-core-Return-1-from-unit_add_dependency-on-success.patch Patch6539: backport-core-unit-fix-notification-about-unit-dependency-cha.patch Patch6540: backport-core-unit-make-JoinsNamespaceOf-implies-the-inverse-.patch Patch6541: backport-core-unit-update-bidirectional-dependency-simultaneo.patch +Patch6542: backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch +Patch6543: backport-units-modprobe-.service-don-t-unescape-instance-name.patch Patch9001: update-rtc-with-system-clock-when-shutdown.patch Patch9002: udev-add-actions-while-rename-netif-failed.patch @@ -2083,6 +2085,9 @@ grep -q -E '^KEYMAP="?fi-latin[19]"?' /etc/vconsole.conf 2>/dev/null && %{_libdir}/security/pam_systemd.so %changelog +* Tue Dec 12 2023 hongjinghao - 249-59 +- backport: sync patches from systemd community + * Tue Oct 31 2023 beta - 249-58 - enable libcryptsetup