fix CVE-2022-3821 and backport patch to fix ci failed

backport-cap-list-parse-numerical-capabilities.patch

@@ -0,0 +1,94 @@
+From 417770f3033c426ca848b158d0bf057cd8ad1329 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 9 Jul 2020 23:15:47 +0200
+Subject: [PATCH] basic/cap-list: parse/print numerical capabilities
+
+We would refuse to print capabilities which were didn't have a name
+for. The kernel adds new capabilities from time to time, most recently
+cap_bpf. 'systmectl show -p CapabilityBoundingSet ...' would fail with
+"Failed to parse bus message: Invalid argument" because
+capability_set_to_string_alloc() would fail with -EINVAL. So let's
+print such capabilities in hexadecimal:
+
+CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search
+  cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap
+  cap_linux_immutable cap_net_bind_service cap_net_broadcast
+cap_net_admin
+  cap_net_raw cap_ipc_lock cap_ipc_owner 0x10 0x11 0x12 0x13 0x14 0x15
+0x16
+  0x17 0x18 0x19 0x1a ...
+
+For symmetry, also allow capabilities that we don't know to be
+specified.
+
+Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1853736.
+Reference：https://github.com/systemd/systemd/pull/16424/commits/417770f3033c426ca848b158d0bf057cd8ad1329
+Conflict:adapt context
+---
+ src/basic/cap-list.c     | 10 +++++++---
+ src/test/test-cap-list.c |  4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/basic/cap-list.c b/src/basic/cap-list.c
+index 79d6a40..a975574 100644
+--- a/src/basic/cap-list.c
++++ b/src/basic/cap-list.c
+@@ -10,6 +10,7 @@
+ #include "macro.h"
+ #include "missing.h"
+ #include "parse-util.h"
++#include "stdio-util.h"
+ #include "util.h"
+ 
+ static const struct capability_name* lookup_capability(register const char *str, register GPERF_LEN_TYPE len);
+@@ -37,7 +38,7 @@ int capability_from_name(const char *name) {
+         /* Try to parse numeric capability */
+         r = safe_atoi(name, &i);
+         if (r >= 0) {
+-                if (i >= 0 && (size_t) i < ELEMENTSOF(capability_names))
++                if (i >= 0 && i < 64)
+                         return i;
+                 else
+                         return -EINVAL;
+@@ -65,11 +66,14 @@ int capability_set_to_string_alloc(uint64_t set, char **s) {
+         for (i = 0; i <= cap_last_cap(); i++)
+                 if (set & (UINT64_C(1) << i)) {
+                         const char *p;
++                        char buf[2 + 16 + 1];
+                         size_t add;
+ 
+                         p = capability_to_name(i);
+-                        if (!p)
+-                                return -EINVAL;
++                        if (!p) {
++                                xsprintf(buf, "0x%lx", i);
++                                p = buf;
++                        }
+ 
+                         add = strlen(p);
+ 
+diff --git a/src/test/test-cap-list.c b/src/test/test-cap-list.c
+index 563b996..33dd246 100644
+--- a/src/test/test-cap-list.c
++++ b/src/test/test-cap-list.c
+@@ -31,6 +31,8 @@ static void test_cap_list(void) {
+         assert_se(capability_from_name("cAp_aUdIt_rEAd") == CAP_AUDIT_READ);
+         assert_se(capability_from_name("0") == 0);
+         assert_se(capability_from_name("15") == 15);
++        assert_se(capability_from_name("63") == 63);
++        assert_se(capability_from_name("64") == -EINVAL);
+         assert_se(capability_from_name("-1") == -EINVAL);
+ 
+         for (i = 0; i < capability_list_length(); i++) {
+@@ -65,7 +67,7 @@ static void test_capability_set_one(uint64_t c, const char *t) {
+ 
+         free(t1);
+         assert_se(t1 = strjoin("'cap_chown cap_dac_override' \"cap_setgid cap_setuid\"", t,
+-                               " hogehoge foobar 12345 3.14 -3 ", t));
++                               " hogehoge foobar 18446744073709551616 3.14 -3 ", t));
+         assert_se(capability_set_from_string(t1, &c1) == 0);
+         assert_se(c1 == c_masked);
+ }
+-- 
+2.27.0
+

backport-fix-CVE-2022-3821.patch

@@ -0,0 +1,46 @@
+From 8d2d0895229cfbe39c1c5c16e61e426812a72e8b Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 7 Jul 2022 18:27:02 +0900
+Subject: [PATCH] time-util: fix buffer-over-run
+ 
+Fixes #23928.
+Conflict:adapt test context
+Reference:https://github.com/systemd/systemd/pull/23933/commits/8d2d0895229cfbe39c1c5c16e61e426812a72e8b
+
+---
+ src/basic/time-util.c     | 2 +-
+ src/test/test-time-util.c | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/time-util.c b/src/basic/time-util.c
+index a9cf9c4..a0eec99 100644
+--- a/src/basic/time-util.c
++++ b/src/basic/time-util.c
+@@ -516,7 +516,7 @@ char *format_timespan(char *buf, size_t l, usec_t t, usec_t accuracy) {
+                         t = b;
+                 }
+ 
+-                n = MIN((size_t) k, l);
++                n = MIN((size_t) k, l-1);
+ 
+                 l -= n;
+                 p += n;
+diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c
+index d05bb61..0761653 100644
+--- a/src/test/test-time-util.c
++++ b/src/test/test-time-util.c
+@@ -241,6 +241,11 @@ static void test_format_timespan(usec_t accuracy) {
+         test_format_timespan_one(500 * USEC_PER_MSEC, accuracy);
+         test_format_timespan_one(9*USEC_PER_YEAR/5 - 23, accuracy);
+         test_format_timespan_one(USEC_INFINITY, accuracy);
++
++        /* See issue #23928. */
++        _cleanup_free_ char *buf;
++        assert_se(buf = new(char, 5));
++        assert_se(buf == format_timespan(buf, 5, 100005, 1000));
+ }
+ 
+ static void test_timezone_is_valid(void) {
+-- 
+2.27.0
+

backport-test-use-cap_last_cap-for-max-supported.patch

@@ -0,0 +1,128 @@
+From ebc815cd1c647faa934a446ceea91ff4bc9dffa4 Mon Sep 17 00:00:00 2001
+From: Dan Streetman <ddstreet@canonical.com>
+Date: Wed, 25 Nov 2020 15:22:24 -0500
+Subject: [PATCH] test: use cap_last_cap() for max supported cap number, not
+ capability_list_length()
+
+This test assumes capability_list_length() is an invalid cap number,
+but that isn't true if the running kernel supports more caps than we were
+compiled with, which results in the test failing.
+
+Instead use cap_last_cap() + 1.
+
+If cap_last_cap() is 63, there are no more 'invalid' cap numbers to test with,
+so the invalid cap number test part is skipped.
+
+Reference:https://github.com/systemd/systemd/commit/ebc815cd1c647faa934a446ceea91ff4bc9dffa4
+Conflict:NA
+---
+ src/basic/cap-list.c     |  3 ++
+ src/test/test-cap-list.c | 62 +++++++++++++++++++++-------------------
+ 2 files changed, 36 insertions(+), 29 deletions(-)
+
+diff --git a/src/basic/cap-list.c b/src/basic/cap-list.c
+index 1e783a6f29dd..d295a635ca9b 100644
+--- a/src/basic/cap-list.c
++++ b/src/basic/cap-list.c
+@@ -50,6 +50,9 @@ int capability_from_name(const char *name) {
+         return sc->id;
+ }
+ 
++/* This is the number of capability names we are *compiled* with.
++ * For the max capability number of the currently-running kernel,
++ * use cap_last_cap(). */
+ int capability_list_length(void) {
+         return (int) ELEMENTSOF(capability_names);
+ }
+diff --git a/src/test/test-cap-list.c b/src/test/test-cap-list.c
+index c5f429d05272..c4b40f34faca 100644
+--- a/src/test/test-cap-list.c
++++ b/src/test/test-cap-list.c
+@@ -55,7 +55,7 @@ static void test_cap_list(void) {
+ 
+ static void test_capability_set_one(uint64_t c, const char *t) {
+         _cleanup_free_ char *t1 = NULL;
+-        uint64_t c1, c_masked = c & ((UINT64_C(1) << capability_list_length()) - 1);
++        uint64_t c1, c_masked = c & all_capabilities();
+ 
+         assert_se(capability_set_to_string_alloc(c, &t1) == 0);
+         assert_se(streq(t1, t));
+@@ -70,7 +70,7 @@ static void test_capability_set_one(uint64_t c, const char *t) {
+         assert_se(c1 == c_masked);
+ }
+ 
+-static void test_capability_set(void) {
++static void test_capability_set_from_string(void) {
+         uint64_t c;
+ 
+         assert_se(capability_set_from_string(NULL, &c) == 0);
+@@ -87,38 +87,42 @@ static void test_capability_set(void) {
+ 
+         assert_se(capability_set_from_string("0 1 2 3", &c) == 0);
+         assert_se(c == (UINT64_C(1) << 4) - 1);
++}
++
++static void test_capability_set_to_string(uint64_t invalid_cap_set) {
++        uint64_t c;
+ 
+-        test_capability_set_one(0, "");
+-        test_capability_set_one(
+-                UINT64_C(1) << CAP_DAC_OVERRIDE,
+-                "cap_dac_override");
+-        test_capability_set_one(
+-                UINT64_C(1) << CAP_DAC_OVERRIDE |
+-                UINT64_C(1) << capability_list_length(),
+-                "cap_dac_override");
+-        test_capability_set_one(
+-                UINT64_C(1) << capability_list_length(), "");
+-        test_capability_set_one(
+-                UINT64_C(1) << CAP_CHOWN |
+-                UINT64_C(1) << CAP_DAC_OVERRIDE |
+-                UINT64_C(1) << CAP_DAC_READ_SEARCH |
+-                UINT64_C(1) << CAP_FOWNER |
+-                UINT64_C(1) << CAP_SETGID |
+-                UINT64_C(1) << CAP_SETUID |
+-                UINT64_C(1) << CAP_SYS_PTRACE |
+-                UINT64_C(1) << CAP_SYS_ADMIN |
+-                UINT64_C(1) << CAP_AUDIT_CONTROL |
+-                UINT64_C(1) << CAP_MAC_OVERRIDE |
+-                UINT64_C(1) << CAP_SYSLOG |
+-                UINT64_C(1) << (capability_list_length() + 1),
+-                "cap_chown cap_dac_override cap_dac_read_search cap_fowner "
+-                "cap_setgid cap_setuid cap_sys_ptrace cap_sys_admin "
+-                "cap_audit_control cap_mac_override cap_syslog");
++        test_capability_set_one(invalid_cap_set, "");
++
++        c = (UINT64_C(1) << CAP_DAC_OVERRIDE | invalid_cap_set);
++        test_capability_set_one(c, "cap_dac_override");
++
++        c = (UINT64_C(1) << CAP_CHOWN |
++             UINT64_C(1) << CAP_DAC_OVERRIDE |
++             UINT64_C(1) << CAP_DAC_READ_SEARCH |
++             UINT64_C(1) << CAP_FOWNER |
++             UINT64_C(1) << CAP_SETGID |
++             UINT64_C(1) << CAP_SETUID |
++             UINT64_C(1) << CAP_SYS_PTRACE |
++             UINT64_C(1) << CAP_SYS_ADMIN |
++             UINT64_C(1) << CAP_AUDIT_CONTROL |
++             UINT64_C(1) << CAP_MAC_OVERRIDE |
++             UINT64_C(1) << CAP_SYSLOG |
++             invalid_cap_set);
++        test_capability_set_one(c, ("cap_chown cap_dac_override cap_dac_read_search cap_fowner "
++                                    "cap_setgid cap_setuid cap_sys_ptrace cap_sys_admin "
++                                    "cap_audit_control cap_mac_override cap_syslog"));
+ }
+ 
+ int main(int argc, char *argv[]) {
+         test_cap_list();
+-        test_capability_set();
++        test_capability_set_from_string();
++        test_capability_set_to_string(0);
++
++        /* once the kernel supports 63 caps, there are no 'invalid' numbers
++         * for us to test with */
++        if (cap_last_cap() < 63)
++                test_capability_set_to_string(all_capabilities() + 1);
+ 
+         return 0;
+ }

systemd.spec

@@ -16,7 +16,7 @@
 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
 Version:        243
-Release:        58
+Release:        59
 License:        MIT and LGPLv2+ and GPLv2+
 Summary:        System and Service Manager
 
@@ -186,7 +186,9 @@ Patch0138:      backport-core-do-not-serialize-mounts-and-automounts-for-swit.pa
 Patch0139:      backport-journal-add-some-careful-overflow-checking.patch
 Patch0140:      backport-network-fix-an-infinite-loop.patch
 Patch0141:      backport-sd-device-use-right-type-for-usec_initialized.patch
-
+Patch0142:      backport-fix-CVE-2022-3821.patch
+Patch0143:      backport-cap-list-parse-numerical-capabilities.patch
+Patch0144:      backport-test-use-cap_last_cap-for-max-supported.patch
 
 #openEuler
 Patch9002:      1509-fix-journal-file-descriptors-leak-problems.patch
@@ -1594,6 +1596,9 @@ fi
 %exclude /usr/share/man/man3/*
 
 %changelog
+* Mon Nov 7 2022 yangmingtai <yangmingtai@huawei.com> - 243-59
+- fix CVE-2022-3821 and backport patch to fix ci failed
+
 * Tue Oct 18 2022 yangmingtai <yangmingtai@huawei.com> - 243-58
 - DESC:sync community patches