diff --git a/backport-cap-list-parse-numerical-capabilities.patch b/backport-cap-list-parse-numerical-capabilities.patch new file mode 100644 index 0000000..da558de --- /dev/null +++ b/backport-cap-list-parse-numerical-capabilities.patch @@ -0,0 +1,94 @@ +From 417770f3033c426ca848b158d0bf057cd8ad1329 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 9 Jul 2020 23:15:47 +0200 +Subject: [PATCH] basic/cap-list: parse/print numerical capabilities + +We would refuse to print capabilities which were didn't have a name +for. The kernel adds new capabilities from time to time, most recently +cap_bpf. 'systmectl show -p CapabilityBoundingSet ...' would fail with +"Failed to parse bus message: Invalid argument" because +capability_set_to_string_alloc() would fail with -EINVAL. So let's +print such capabilities in hexadecimal: + +CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search + cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap + cap_linux_immutable cap_net_bind_service cap_net_broadcast +cap_net_admin + cap_net_raw cap_ipc_lock cap_ipc_owner 0x10 0x11 0x12 0x13 0x14 0x15 +0x16 + 0x17 0x18 0x19 0x1a ... + +For symmetry, also allow capabilities that we don't know to be +specified. + +Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1853736. +Reference:https://github.com/systemd/systemd/pull/16424/commits/417770f3033c426ca848b158d0bf057cd8ad1329 +Conflict:adapt context +--- + src/basic/cap-list.c | 10 +++++++--- + src/test/test-cap-list.c | 4 +++- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/basic/cap-list.c b/src/basic/cap-list.c +index 79d6a40..a975574 100644 +--- a/src/basic/cap-list.c ++++ b/src/basic/cap-list.c +@@ -10,6 +10,7 @@ + #include "macro.h" + #include "missing.h" + #include "parse-util.h" ++#include "stdio-util.h" + #include "util.h" + + static const struct capability_name* lookup_capability(register const char *str, register GPERF_LEN_TYPE len); +@@ -37,7 +38,7 @@ int capability_from_name(const char *name) { + /* Try to parse numeric capability */ + r = safe_atoi(name, &i); + if (r >= 0) { +- if (i >= 0 && (size_t) i < ELEMENTSOF(capability_names)) ++ if (i >= 0 && i < 64) + return i; + else + return -EINVAL; +@@ -65,11 +66,14 @@ int capability_set_to_string_alloc(uint64_t set, char **s) { + for (i = 0; i <= cap_last_cap(); i++) + if (set & (UINT64_C(1) << i)) { + const char *p; ++ char buf[2 + 16 + 1]; + size_t add; + + p = capability_to_name(i); +- if (!p) +- return -EINVAL; ++ if (!p) { ++ xsprintf(buf, "0x%lx", i); ++ p = buf; ++ } + + add = strlen(p); + +diff --git a/src/test/test-cap-list.c b/src/test/test-cap-list.c +index 563b996..33dd246 100644 +--- a/src/test/test-cap-list.c ++++ b/src/test/test-cap-list.c +@@ -31,6 +31,8 @@ static void test_cap_list(void) { + assert_se(capability_from_name("cAp_aUdIt_rEAd") == CAP_AUDIT_READ); + assert_se(capability_from_name("0") == 0); + assert_se(capability_from_name("15") == 15); ++ assert_se(capability_from_name("63") == 63); ++ assert_se(capability_from_name("64") == -EINVAL); + assert_se(capability_from_name("-1") == -EINVAL); + + for (i = 0; i < capability_list_length(); i++) { +@@ -65,7 +67,7 @@ static void test_capability_set_one(uint64_t c, const char *t) { + + free(t1); + assert_se(t1 = strjoin("'cap_chown cap_dac_override' \"cap_setgid cap_setuid\"", t, +- " hogehoge foobar 12345 3.14 -3 ", t)); ++ " hogehoge foobar 18446744073709551616 3.14 -3 ", t)); + assert_se(capability_set_from_string(t1, &c1) == 0); + assert_se(c1 == c_masked); + } +-- +2.27.0 + diff --git a/backport-fix-CVE-2022-3821.patch b/backport-fix-CVE-2022-3821.patch new file mode 100644 index 0000000..6bce6f6 --- /dev/null +++ b/backport-fix-CVE-2022-3821.patch @@ -0,0 +1,46 @@ +From 8d2d0895229cfbe39c1c5c16e61e426812a72e8b Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 7 Jul 2022 18:27:02 +0900 +Subject: [PATCH] time-util: fix buffer-over-run + +Fixes #23928. +Conflict:adapt test context +Reference:https://github.com/systemd/systemd/pull/23933/commits/8d2d0895229cfbe39c1c5c16e61e426812a72e8b + +--- + src/basic/time-util.c | 2 +- + src/test/test-time-util.c | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/basic/time-util.c b/src/basic/time-util.c +index a9cf9c4..a0eec99 100644 +--- a/src/basic/time-util.c ++++ b/src/basic/time-util.c +@@ -516,7 +516,7 @@ char *format_timespan(char *buf, size_t l, usec_t t, usec_t accuracy) { + t = b; + } + +- n = MIN((size_t) k, l); ++ n = MIN((size_t) k, l-1); + + l -= n; + p += n; +diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c +index d05bb61..0761653 100644 +--- a/src/test/test-time-util.c ++++ b/src/test/test-time-util.c +@@ -241,6 +241,11 @@ static void test_format_timespan(usec_t accuracy) { + test_format_timespan_one(500 * USEC_PER_MSEC, accuracy); + test_format_timespan_one(9*USEC_PER_YEAR/5 - 23, accuracy); + test_format_timespan_one(USEC_INFINITY, accuracy); ++ ++ /* See issue #23928. */ ++ _cleanup_free_ char *buf; ++ assert_se(buf = new(char, 5)); ++ assert_se(buf == format_timespan(buf, 5, 100005, 1000)); + } + + static void test_timezone_is_valid(void) { +-- +2.27.0 + diff --git a/backport-test-use-cap_last_cap-for-max-supported.patch b/backport-test-use-cap_last_cap-for-max-supported.patch new file mode 100644 index 0000000..02f9f53 --- /dev/null +++ b/backport-test-use-cap_last_cap-for-max-supported.patch @@ -0,0 +1,128 @@ +From ebc815cd1c647faa934a446ceea91ff4bc9dffa4 Mon Sep 17 00:00:00 2001 +From: Dan Streetman +Date: Wed, 25 Nov 2020 15:22:24 -0500 +Subject: [PATCH] test: use cap_last_cap() for max supported cap number, not + capability_list_length() + +This test assumes capability_list_length() is an invalid cap number, +but that isn't true if the running kernel supports more caps than we were +compiled with, which results in the test failing. + +Instead use cap_last_cap() + 1. + +If cap_last_cap() is 63, there are no more 'invalid' cap numbers to test with, +so the invalid cap number test part is skipped. + +Reference:https://github.com/systemd/systemd/commit/ebc815cd1c647faa934a446ceea91ff4bc9dffa4 +Conflict:NA +--- + src/basic/cap-list.c | 3 ++ + src/test/test-cap-list.c | 62 +++++++++++++++++++++------------------- + 2 files changed, 36 insertions(+), 29 deletions(-) + +diff --git a/src/basic/cap-list.c b/src/basic/cap-list.c +index 1e783a6f29dd..d295a635ca9b 100644 +--- a/src/basic/cap-list.c ++++ b/src/basic/cap-list.c +@@ -50,6 +50,9 @@ int capability_from_name(const char *name) { + return sc->id; + } + ++/* This is the number of capability names we are *compiled* with. ++ * For the max capability number of the currently-running kernel, ++ * use cap_last_cap(). */ + int capability_list_length(void) { + return (int) ELEMENTSOF(capability_names); + } +diff --git a/src/test/test-cap-list.c b/src/test/test-cap-list.c +index c5f429d05272..c4b40f34faca 100644 +--- a/src/test/test-cap-list.c ++++ b/src/test/test-cap-list.c +@@ -55,7 +55,7 @@ static void test_cap_list(void) { + + static void test_capability_set_one(uint64_t c, const char *t) { + _cleanup_free_ char *t1 = NULL; +- uint64_t c1, c_masked = c & ((UINT64_C(1) << capability_list_length()) - 1); ++ uint64_t c1, c_masked = c & all_capabilities(); + + assert_se(capability_set_to_string_alloc(c, &t1) == 0); + assert_se(streq(t1, t)); +@@ -70,7 +70,7 @@ static void test_capability_set_one(uint64_t c, const char *t) { + assert_se(c1 == c_masked); + } + +-static void test_capability_set(void) { ++static void test_capability_set_from_string(void) { + uint64_t c; + + assert_se(capability_set_from_string(NULL, &c) == 0); +@@ -87,38 +87,42 @@ static void test_capability_set(void) { + + assert_se(capability_set_from_string("0 1 2 3", &c) == 0); + assert_se(c == (UINT64_C(1) << 4) - 1); ++} ++ ++static void test_capability_set_to_string(uint64_t invalid_cap_set) { ++ uint64_t c; + +- test_capability_set_one(0, ""); +- test_capability_set_one( +- UINT64_C(1) << CAP_DAC_OVERRIDE, +- "cap_dac_override"); +- test_capability_set_one( +- UINT64_C(1) << CAP_DAC_OVERRIDE | +- UINT64_C(1) << capability_list_length(), +- "cap_dac_override"); +- test_capability_set_one( +- UINT64_C(1) << capability_list_length(), ""); +- test_capability_set_one( +- UINT64_C(1) << CAP_CHOWN | +- UINT64_C(1) << CAP_DAC_OVERRIDE | +- UINT64_C(1) << CAP_DAC_READ_SEARCH | +- UINT64_C(1) << CAP_FOWNER | +- UINT64_C(1) << CAP_SETGID | +- UINT64_C(1) << CAP_SETUID | +- UINT64_C(1) << CAP_SYS_PTRACE | +- UINT64_C(1) << CAP_SYS_ADMIN | +- UINT64_C(1) << CAP_AUDIT_CONTROL | +- UINT64_C(1) << CAP_MAC_OVERRIDE | +- UINT64_C(1) << CAP_SYSLOG | +- UINT64_C(1) << (capability_list_length() + 1), +- "cap_chown cap_dac_override cap_dac_read_search cap_fowner " +- "cap_setgid cap_setuid cap_sys_ptrace cap_sys_admin " +- "cap_audit_control cap_mac_override cap_syslog"); ++ test_capability_set_one(invalid_cap_set, ""); ++ ++ c = (UINT64_C(1) << CAP_DAC_OVERRIDE | invalid_cap_set); ++ test_capability_set_one(c, "cap_dac_override"); ++ ++ c = (UINT64_C(1) << CAP_CHOWN | ++ UINT64_C(1) << CAP_DAC_OVERRIDE | ++ UINT64_C(1) << CAP_DAC_READ_SEARCH | ++ UINT64_C(1) << CAP_FOWNER | ++ UINT64_C(1) << CAP_SETGID | ++ UINT64_C(1) << CAP_SETUID | ++ UINT64_C(1) << CAP_SYS_PTRACE | ++ UINT64_C(1) << CAP_SYS_ADMIN | ++ UINT64_C(1) << CAP_AUDIT_CONTROL | ++ UINT64_C(1) << CAP_MAC_OVERRIDE | ++ UINT64_C(1) << CAP_SYSLOG | ++ invalid_cap_set); ++ test_capability_set_one(c, ("cap_chown cap_dac_override cap_dac_read_search cap_fowner " ++ "cap_setgid cap_setuid cap_sys_ptrace cap_sys_admin " ++ "cap_audit_control cap_mac_override cap_syslog")); + } + + int main(int argc, char *argv[]) { + test_cap_list(); +- test_capability_set(); ++ test_capability_set_from_string(); ++ test_capability_set_to_string(0); ++ ++ /* once the kernel supports 63 caps, there are no 'invalid' numbers ++ * for us to test with */ ++ if (cap_last_cap() < 63) ++ test_capability_set_to_string(all_capabilities() + 1); + + return 0; + } diff --git a/systemd.spec b/systemd.spec index ca6e1b4..95c6f37 100644 --- a/systemd.spec +++ b/systemd.spec @@ -16,7 +16,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 243 -Release: 58 +Release: 59 License: MIT and LGPLv2+ and GPLv2+ Summary: System and Service Manager @@ -186,7 +186,9 @@ Patch0138: backport-core-do-not-serialize-mounts-and-automounts-for-swit.pa Patch0139: backport-journal-add-some-careful-overflow-checking.patch Patch0140: backport-network-fix-an-infinite-loop.patch Patch0141: backport-sd-device-use-right-type-for-usec_initialized.patch - +Patch0142: backport-fix-CVE-2022-3821.patch +Patch0143: backport-cap-list-parse-numerical-capabilities.patch +Patch0144: backport-test-use-cap_last_cap-for-max-supported.patch #openEuler Patch9002: 1509-fix-journal-file-descriptors-leak-problems.patch @@ -1594,6 +1596,9 @@ fi %exclude /usr/share/man/man3/* %changelog +* Mon Nov 7 2022 yangmingtai - 243-59 +- fix CVE-2022-3821 and backport patch to fix ci failed + * Tue Oct 18 2022 yangmingtai - 243-58 - DESC:sync community patches