!478 同步上游社区补丁

From: @hongjinghao Reviewed-by: @openeuler-basic Signed-off-by: @openeuler-basic
2023-12-12 12:52:22 +00:00 · 2023-12-12 12:52:22 +00:00 · 01708d9b82
commit 01708d9b82
parent e616cd35a3 422c4cbf67
2 changed files with 87 additions and 1 deletions
--- a/backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch
+++ b/backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch
@ -0,0 +1,82 @@
+From 9627e6a72f9c5c336a285b11515bda49345e7bfe Mon Sep 17 00:00:00 2001
+From: felixdoerre <felixdoerre@users.noreply.github.com>
+Date: Fri, 6 Oct 2023 05:18:21 +0200
+Subject: [PATCH] journalctl: verify that old entries are not sealed with too
+ recent key (#28885)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+When verifying seals produced with forward secure sealing, the verification
+currently does not check that old entries are only sealed with the key for
+their epoch and not a more recent one. This missing check allows an attacker
+to remove seals, and create new ones with the currently available key, and
+verify will claim everything is in order, although all entries could have
+been modified.
+ 
+This resolves CVE-2023-31439.
+ 
+Co-authored-by: Felix Dörre <felix.doerre@kit.edu>
+(cherry picked from commit 3846d3aa292a6daa1916f667bdd79ebee9cb4ac4)
+(cherry picked from commit ea67d4755b5d81a42a9013d6ce72c9cf7adb56b9)
+(cherry picked from commit e140c1d10b04c757832adf2366ed6fbdfb2e92c9)
+
+---
+ src/journal/journal-verify.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/journal/journal-verify.c b/src/journal/journal-verify.c
+index 344b7b0..abda50c 100644
+--- a/src/journal/journal-verify.c
+++ b/src/journal/journal-verify.c
+@@ -809,6 +809,7 @@ int journal_file_verify(
+         uint64_t p = 0, last_epoch = 0, last_tag_realtime = 0, last_sealed_realtime = 0;
+ 
+         uint64_t entry_seqnum = 0, entry_monotonic = 0, entry_realtime = 0;
+        usec_t min_entry_realtime = USEC_INFINITY, max_entry_realtime = 0;
+         sd_id128_t entry_boot_id;
+         bool entry_seqnum_set = false, entry_monotonic_set = false, entry_realtime_set = false, found_main_entry_array = false;
+         uint64_t n_weird = 0, n_objects = 0, n_entries = 0, n_data = 0, n_fields = 0, n_data_hash_tables = 0, n_field_hash_tables = 0, n_entry_arrays = 0, n_tags = 0;
+@@ -1013,6 +1014,8 @@ int journal_file_verify(
+ 
+                         entry_realtime = le64toh(o->entry.realtime);
+                         entry_realtime_set = true;
+                        max_entry_realtime = MAX(max_entry_realtime, le64toh(o->entry.realtime));
+                        min_entry_realtime = MIN(min_entry_realtime, le64toh(o->entry.realtime));
+ 
+                         n_entries++;
+                         break;
+@@ -1090,16 +1093,28 @@ int journal_file_verify(
+ 
+ #if HAVE_GCRYPT
+                         if (f->seal) {
+-                                uint64_t q, rt;
+                                uint64_t q, rt, rt_end;
+ 
+                                 debug(p, "Checking tag %"PRIu64"...", le64toh(o->tag.seqnum));
+ 
+                                 rt = f->fss_start_usec + le64toh(o->tag.epoch) * f->fss_interval_usec;
+-                                if (entry_realtime_set && entry_realtime >= rt + f->fss_interval_usec) {
+                                rt_end = usec_add(rt, f->fss_interval_usec);
+                                if (entry_realtime_set && entry_realtime >= rt_end) {
+                                         error(p, "tag/entry realtime timestamp out of synchronization");
+                                         r = -EBADMSG;
+                                         goto fail;
+                                 }
+                                if (max_entry_realtime >= rt_end) {
+                                        error(p, "Entry realtime is too late with respect to tag");
+                                        r = -EBADMSG;
+                                        goto fail;
+                                }
+                                if (min_entry_realtime < rt) {
+                                        error(p, "Entry realtime is too early with respect to tag");
+                                        r = -EBADMSG;
+                                        goto fail;
+                                }
+                                min_entry_realtime = USEC_INFINITY;
+ 
+                                 /* OK, now we know the epoch. So let's now set
+                                  * it, and calculate the HMAC for everything
+-- 
+2.33.0
+
--- a/systemd.spec
+++ b/systemd.spec
@ -16,7 +16,7 @@
 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
 Version:        243
-Release:        67
+Release:        68
 License:        MIT and LGPLv2+ and GPLv2+
 Summary:        System and Service Manager

@ -263,6 +263,7 @@ Patch0215:      backport-sd-bus-break-the-loop-in-bus_ensure_running-if-the-b.pa
 Patch0216:      backport-core-make-sure-we-don-t-get-confused-when-setting-TE.patch
 Patch0217:      backport-mount-setup-change-the-system-mount-propagation-to-s.patch
 Patch0218:      backport-core-transition-to-FINAL_SIGTERM-state-after-ExecSto.patch
+Patch0219:      backport-journalctl-verify-that-old-entries-are-not-sealed-wi.patch

 #openEuler
 Patch9002:      1509-fix-journal-file-descriptors-leak-problems.patch
@ -1670,6 +1671,9 @@ fi
 %exclude /usr/share/man/man3/*

 %changelog
+* Tue Dec 12 2023 hongjinghao <hongjinghao@huawei.com> - 243-68
+- backport: sync patches from systemd community
+
 * Fri Dec 8 2023 huyubiao <huyubiao@huawei.com> - 243-67
 - add backport-core-make-sure-we-don-t-get-confused-when-setting-TE.patch
      backport-mount-setup-change-the-system-mount-propagation-to-s.patch