packages/systemd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!337 fix CVE-2022-3821 and fix ci failed

Browse Source 
From: @yangmingtaip 
Reviewed-by: @overweight 
Signed-off-by: @overweight
This commit is contained in:
openeuler-ci-bot 2022-11-11 01:30:13 +00:00 committed by Gitee
commit b6b37dc5c7
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 275 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
backport-cap-list-parse-numerical-capabilities.patch Normal file
View File

@ -0,0 +1,94 @@
From 417770f3033c426ca848b158d0bf057cd8ad1329 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Thu, 9 Jul 2020 23:15:47 +0200
Subject: [PATCH] basic/cap-list: parse/print numerical capabilities
We would refuse to print capabilities which were didn't have a name
for. The kernel adds new capabilities from time to time, most recently
cap_bpf. 'systmectl show -p CapabilityBoundingSet ...' would fail with
"Failed to parse bus message: Invalid argument" because
capability_set_to_string_alloc() would fail with -EINVAL. So let's
print such capabilities in hexadecimal:
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search
cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap
cap_linux_immutable cap_net_bind_service cap_net_broadcast
cap_net_admin
cap_net_raw cap_ipc_lock cap_ipc_owner 0x10 0x11 0x12 0x13 0x14 0x15
0x16
0x17 0x18 0x19 0x1a ...
For symmetry, also allow capabilities that we don't know to be
specified.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1853736.
Referencehttps://github.com/systemd/systemd/pull/16424/commits/417770f3033c426ca848b158d0bf057cd8ad1329
Conflict:adapt context
---
src/basic/cap-list.c | 10 +++++++---
src/test/test-cap-list.c | 4 +++-
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/basic/cap-list.c b/src/basic/cap-list.c
index 79d6a40..a975574 100644
--- a/src/basic/cap-list.c
+++ b/src/basic/cap-list.c
@@ -10,6 +10,7 @@
#include "macro.h"
#include "missing.h"
#include "parse-util.h"
+#include "stdio-util.h"
#include "util.h"
static const struct capability_name* lookup_capability(register const char *str, register GPERF_LEN_TYPE len);
@@ -37,7 +38,7 @@ int capability_from_name(const char *name) {
/* Try to parse numeric capability */
r = safe_atoi(name, &i);
if (r >= 0) {
- if (i >= 0 && (size_t) i < ELEMENTSOF(capability_names))
+ if (i >= 0 && i < 64)
return i;
else
return -EINVAL;
@@ -65,11 +66,14 @@ int capability_set_to_string_alloc(uint64_t set, char **s) {
for (i = 0; i <= cap_last_cap(); i++)
if (set & (UINT64_C(1) << i)) {
const char *p;
+ char buf[2 + 16 + 1];
size_t add;
p = capability_to_name(i);
- if (!p)
- return -EINVAL;
+ if (!p) {
+ xsprintf(buf, "0x%lx", i);
+ p = buf;
+ }
add = strlen(p);
diff --git a/src/test/test-cap-list.c b/src/test/test-cap-list.c
index 563b996..33dd246 100644
--- a/src/test/test-cap-list.c
+++ b/src/test/test-cap-list.c
@@ -31,6 +31,8 @@ static void test_cap_list(void) {
assert_se(capability_from_name("cAp_aUdIt_rEAd") == CAP_AUDIT_READ);
assert_se(capability_from_name("0") == 0);
assert_se(capability_from_name("15") == 15);
+ assert_se(capability_from_name("63") == 63);
+ assert_se(capability_from_name("64") == -EINVAL);
assert_se(capability_from_name("-1") == -EINVAL);
for (i = 0; i < capability_list_length(); i++) {
@@ -65,7 +67,7 @@ static void test_capability_set_one(uint64_t c, const char *t) {
free(t1);
assert_se(t1 = strjoin("'cap_chown cap_dac_override' \"cap_setgid cap_setuid\"", t,
- " hogehoge foobar 12345 3.14 -3 ", t));
+ " hogehoge foobar 18446744073709551616 3.14 -3 ", t));
assert_se(capability_set_from_string(t1, &c1) == 0);
assert_se(c1 == c_masked);
}
--
2.27.0

46
backport-fix-CVE-2022-3821.patch Normal file
View File

@ -0,0 +1,46 @@
From 8d2d0895229cfbe39c1c5c16e61e426812a72e8b Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 7 Jul 2022 18:27:02 +0900
Subject: [PATCH] time-util: fix buffer-over-run
Fixes #23928.
Conflict:adapt test context
Reference:https://github.com/systemd/systemd/pull/23933/commits/8d2d0895229cfbe39c1c5c16e61e426812a72e8b
---
src/basic/time-util.c | 2 +-
src/test/test-time-util.c | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/basic/time-util.c b/src/basic/time-util.c
index a9cf9c4..a0eec99 100644
--- a/src/basic/time-util.c
+++ b/src/basic/time-util.c
@@ -516,7 +516,7 @@ char *format_timespan(char *buf, size_t l, usec_t t, usec_t accuracy) {
t = b;
}
- n = MIN((size_t) k, l);
+ n = MIN((size_t) k, l-1);
l -= n;
p += n;
diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c
index d05bb61..0761653 100644
--- a/src/test/test-time-util.c
+++ b/src/test/test-time-util.c
@@ -241,6 +241,11 @@ static void test_format_timespan(usec_t accuracy) {
test_format_timespan_one(500 * USEC_PER_MSEC, accuracy);
test_format_timespan_one(9*USEC_PER_YEAR/5 - 23, accuracy);
test_format_timespan_one(USEC_INFINITY, accuracy);
+
+ /* See issue #23928. */
+ _cleanup_free_ char *buf;
+ assert_se(buf = new(char, 5));
+ assert_se(buf == format_timespan(buf, 5, 100005, 1000));
}
static void test_timezone_is_valid(void) {
--
2.27.0

128
backport-test-use-cap_last_cap-for-max-supported.patch Normal file
View File

@ -0,0 +1,128 @@
From ebc815cd1c647faa934a446ceea91ff4bc9dffa4 Mon Sep 17 00:00:00 2001
From: Dan Streetman <ddstreet@canonical.com>
Date: Wed, 25 Nov 2020 15:22:24 -0500
Subject: [PATCH] test: use cap_last_cap() for max supported cap number, not
capability_list_length()
This test assumes capability_list_length() is an invalid cap number,
but that isn't true if the running kernel supports more caps than we were
compiled with, which results in the test failing.
Instead use cap_last_cap() + 1.
If cap_last_cap() is 63, there are no more 'invalid' cap numbers to test with,
so the invalid cap number test part is skipped.
Reference:https://github.com/systemd/systemd/commit/ebc815cd1c647faa934a446ceea91ff4bc9dffa4
Conflict:NA
---
src/basic/cap-list.c | 3 ++
src/test/test-cap-list.c | 62 +++++++++++++++++++++-------------------
2 files changed, 36 insertions(+), 29 deletions(-)
diff --git a/src/basic/cap-list.c b/src/basic/cap-list.c
index 1e783a6f29dd..d295a635ca9b 100644
--- a/src/basic/cap-list.c
+++ b/src/basic/cap-list.c
@@ -50,6 +50,9 @@ int capability_from_name(const char *name) {
return sc->id;
}
+/* This is the number of capability names we are *compiled* with.
+ * For the max capability number of the currently-running kernel,
+ * use cap_last_cap(). */
int capability_list_length(void) {
return (int) ELEMENTSOF(capability_names);
}
diff --git a/src/test/test-cap-list.c b/src/test/test-cap-list.c
index c5f429d05272..c4b40f34faca 100644
--- a/src/test/test-cap-list.c
+++ b/src/test/test-cap-list.c
@@ -55,7 +55,7 @@ static void test_cap_list(void) {
static void test_capability_set_one(uint64_t c, const char *t) {
_cleanup_free_ char *t1 = NULL;
- uint64_t c1, c_masked = c & ((UINT64_C(1) << capability_list_length()) - 1);
+ uint64_t c1, c_masked = c & all_capabilities();
assert_se(capability_set_to_string_alloc(c, &t1) == 0);
assert_se(streq(t1, t));
@@ -70,7 +70,7 @@ static void test_capability_set_one(uint64_t c, const char *t) {
assert_se(c1 == c_masked);
}
-static void test_capability_set(void) {
+static void test_capability_set_from_string(void) {
uint64_t c;
assert_se(capability_set_from_string(NULL, &c) == 0);
@@ -87,38 +87,42 @@ static void test_capability_set(void) {
assert_se(capability_set_from_string("0 1 2 3", &c) == 0);
assert_se(c == (UINT64_C(1) << 4) - 1);
+}
+
+static void test_capability_set_to_string(uint64_t invalid_cap_set) {
+ uint64_t c;
- test_capability_set_one(0, "");
- test_capability_set_one(
- UINT64_C(1) << CAP_DAC_OVERRIDE,
- "cap_dac_override");
- test_capability_set_one(
- UINT64_C(1) << CAP_DAC_OVERRIDE |
- UINT64_C(1) << capability_list_length(),
- "cap_dac_override");
- test_capability_set_one(
- UINT64_C(1) << capability_list_length(), "");
- test_capability_set_one(
- UINT64_C(1) << CAP_CHOWN |
- UINT64_C(1) << CAP_DAC_OVERRIDE |
- UINT64_C(1) << CAP_DAC_READ_SEARCH |
- UINT64_C(1) << CAP_FOWNER |
- UINT64_C(1) << CAP_SETGID |
- UINT64_C(1) << CAP_SETUID |
- UINT64_C(1) << CAP_SYS_PTRACE |
- UINT64_C(1) << CAP_SYS_ADMIN |
- UINT64_C(1) << CAP_AUDIT_CONTROL |
- UINT64_C(1) << CAP_MAC_OVERRIDE |
- UINT64_C(1) << CAP_SYSLOG |
- UINT64_C(1) << (capability_list_length() + 1),
- "cap_chown cap_dac_override cap_dac_read_search cap_fowner "
- "cap_setgid cap_setuid cap_sys_ptrace cap_sys_admin "
- "cap_audit_control cap_mac_override cap_syslog");
+ test_capability_set_one(invalid_cap_set, "");
+
+ c = (UINT64_C(1) << CAP_DAC_OVERRIDE | invalid_cap_set);
+ test_capability_set_one(c, "cap_dac_override");
+
+ c = (UINT64_C(1) << CAP_CHOWN |
+ UINT64_C(1) << CAP_DAC_OVERRIDE |
+ UINT64_C(1) << CAP_DAC_READ_SEARCH |
+ UINT64_C(1) << CAP_FOWNER |
+ UINT64_C(1) << CAP_SETGID |
+ UINT64_C(1) << CAP_SETUID |
+ UINT64_C(1) << CAP_SYS_PTRACE |
+ UINT64_C(1) << CAP_SYS_ADMIN |
+ UINT64_C(1) << CAP_AUDIT_CONTROL |
+ UINT64_C(1) << CAP_MAC_OVERRIDE |
+ UINT64_C(1) << CAP_SYSLOG |
+ invalid_cap_set);
+ test_capability_set_one(c, ("cap_chown cap_dac_override cap_dac_read_search cap_fowner "
+ "cap_setgid cap_setuid cap_sys_ptrace cap_sys_admin "
+ "cap_audit_control cap_mac_override cap_syslog"));
}
int main(int argc, char *argv[]) {
test_cap_list();
- test_capability_set();
+ test_capability_set_from_string();
+ test_capability_set_to_string(0);
+
+ /* once the kernel supports 63 caps, there are no 'invalid' numbers
+ * for us to test with */
+ if (cap_last_cap() < 63)
+ test_capability_set_to_string(all_capabilities() + 1);
return 0;
}

9
systemd.spec
View File

@ -16,7 +16,7 @@
Name: systemd
Url: https://www.freedesktop.org/wiki/Software/systemd
Version: 243
Release: 58
Release: 59
License: MIT and LGPLv2+ and GPLv2+
Summary: System and Service Manager
@ -186,7 +186,9 @@ Patch0138: backport-core-do-not-serialize-mounts-and-automounts-for-swit.pa
Patch0139: backport-journal-add-some-careful-overflow-checking.patch
Patch0140: backport-network-fix-an-infinite-loop.patch
Patch0141: backport-sd-device-use-right-type-for-usec_initialized.patch
Patch0142: backport-fix-CVE-2022-3821.patch
Patch0143: backport-cap-list-parse-numerical-capabilities.patch
Patch0144: backport-test-use-cap_last_cap-for-max-supported.patch
#openEuler
Patch9002: 1509-fix-journal-file-descriptors-leak-problems.patch
@ -1594,6 +1596,9 @@ fi
%exclude /usr/share/man/man3/*
%changelog
* Mon Nov 7 2022 yangmingtai <yangmingtai@huawei.com> - 243-59
- fix CVE-2022-3821 and backport patch to fix ci failed
* Tue Oct 18 2022 yangmingtai <yangmingtai@huawei.com> - 243-58
- DESC:sync community patches