* [PATCH] systemd: fix CVE-2019-6454
@ 2019-02-22 16:54 George McCollister
  2019-02-22 17:04 ` Alexander Kanavin
  0 siblings, 1 reply; 8+ messages in thread
From: George McCollister @ 2019-02-22 16:54 UTC (permalink / raw)
  To: openembedded-core

Apply patches from systemd_239-7ubuntu10.8 to fix CVE-2019-6454.
CVE-2019-6454 is an issue in which systemd (PID1) can be crashed with a
specially formed D-Bus message.

For information see:
https://usn.ubuntu.com/3891-1/
https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb

Signed-off-by: George McCollister <george.mccollister@gmail.com>
---
 .../systemd/systemd/CVE-2019-6454.patch       | 210 ++++++++++++++++++
 ...eive-an-invalid-dbus-message-ignore-.patch |  61 +++++
 meta/recipes-core/systemd/systemd_239.bb      |   2 +
 3 files changed, 273 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
 create mode 100644 meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch

diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
new file mode 100644
index 0000000000..80170dac0f
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
@@ -0,0 +1,210 @@
+Description: sd-bus: enforce a size limit for dbus paths, and don't allocate
+ them on the stacka
+Forwarded: no
+
+Patch from: systemd_239-7ubuntu10.8
+
+For information see:
+https://usn.ubuntu.com/3891-1/
+https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb
+
+CVE: CVE-2019-6454
+Upstream-Status: Backport
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+
+--- a/src/libsystemd/sd-bus/bus-internal.c
++++ b/src/libsystemd/sd-bus/bus-internal.c
+@@ -45,7 +45,7 @@
+         if (slash)
+                 return false;
+
+-        return true;
++        return (q - p) <= BUS_PATH_SIZE_MAX;
+ }
+
+ char* object_path_startswith(const char *a, const char *b) {
+--- a/src/libsystemd/sd-bus/bus-internal.h
++++ b/src/libsystemd/sd-bus/bus-internal.h
+@@ -333,6 +333,10 @@
+
+ #define BUS_MESSAGE_SIZE_MAX (128*1024*1024)
+ #define BUS_AUTH_SIZE_MAX (64*1024)
++/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one
++ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however,
++ * to not clash unnecessarily with real-life applications. */
++#define BUS_PATH_SIZE_MAX (64*1024)
+
+ #define BUS_CONTAINER_DEPTH 128
+
+--- a/src/libsystemd/sd-bus/bus-objects.c
++++ b/src/libsystemd/sd-bus/bus-objects.c
+@@ -1134,7 +1134,8 @@
+                 const char *path,
+                 sd_bus_error *error) {
+
+-        char *prefix;
++        _cleanup_free_ char *prefix = NULL;
++        size_t pl;
+         int r;
+
+         assert(bus);
+@@ -1150,7 +1151,12 @@
+                 return 0;
+
+         /* Second, add fallback vtables registered for any of the prefixes */
+-        prefix = alloca(strlen(path) + 1);
++        pl = strlen(path);
++        assert(pl <= BUS_PATH_SIZE_MAX);
++        prefix = new(char, pl + 1);
++        if (!prefix)
++                return -ENOMEM;
++
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_manager_serialize_path(bus, reply, prefix, path, true, error);
+                 if (r < 0)
+@@ -1346,6 +1352,7 @@
+ }
+
+ int bus_process_object(sd_bus *bus, sd_bus_message *m) {
++        _cleanup_free_ char *prefix = NULL;
+         int r;
+         size_t pl;
+         bool found_object = false;
+@@ -1370,9 +1377,12 @@
+         assert(m->member);
+
+         pl = strlen(m->path);
+-        do {
+-                char prefix[pl+1];
++        assert(pl <= BUS_PATH_SIZE_MAX);
++        prefix = new(char, pl + 1);
++        if (!prefix)
++                return -ENOMEM;
+
++        do {
+                 bus->nodes_modified = false;
+
+                 r = object_find_and_run(bus, m, m->path, false, &found_object);
+@@ -1499,9 +1509,15 @@
+
+         n = hashmap_get(bus->nodes, path);
+         if (!n) {
+-                char *prefix;
++                _cleanup_free_ char *prefix = NULL;
++                size_t pl;
++
++                pl = strlen(path);
++                assert(pl <= BUS_PATH_SIZE_MAX);
++                prefix = new(char, pl + 1);
++                if (!prefix)
++                        return -ENOMEM;
+
+-                prefix = alloca(strlen(path) + 1);
+                 OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                         n = hashmap_get(bus->nodes, prefix);
+                         if (n)
+@@ -2091,8 +2107,9 @@
+                 char **names) {
+
+         BUS_DONT_DESTROY(bus);
++        _cleanup_free_ char *prefix = NULL;
+         bool found_interface = false;
+-        char *prefix;
++        size_t pl;
+         int r;
+
+         assert_return(bus, -EINVAL);
+@@ -2111,6 +2128,12 @@
+         if (names && names[0] == NULL)
+                 return 0;
+
++        pl = strlen(path);
++        assert(pl <= BUS_PATH_SIZE_MAX);
++        prefix = new(char, pl + 1);
++        if (!prefix)
++                return -ENOMEM;
++
+         do {
+                 bus->nodes_modified = false;
+
+@@ -2120,7 +2143,6 @@
+                 if (bus->nodes_modified)
+                         continue;
+
+-                prefix = alloca(strlen(path) + 1);
+                 OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                         r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names);
+                         if (r != 0)
+@@ -2252,7 +2274,8 @@
+
+ static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
+         _cleanup_set_free_ Set *s = NULL;
+-        char *prefix;
++        _cleanup_free_ char *prefix = NULL;
++        size_t pl;
+         int r;
+
+         assert(bus);
+@@ -2297,7 +2320,12 @@
+         if (bus->nodes_modified)
+                 return 0;
+
+-        prefix = alloca(strlen(path) + 1);
++        pl = strlen(path);
++        assert(pl <= BUS_PATH_SIZE_MAX);
++        prefix = new(char, pl + 1);
++        if (!prefix)
++                return -ENOMEM;
++
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_added_append_all_prefix(bus, m, s, prefix, path, true);
+                 if (r < 0)
+@@ -2436,7 +2464,8 @@
+
+ static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
+         _cleanup_set_free_ Set *s = NULL;
+-        char *prefix;
++        _cleanup_free_ char *prefix = NULL;
++        size_t pl;
+         int r;
+
+         assert(bus);
+@@ -2468,7 +2497,12 @@
+         if (bus->nodes_modified)
+                 return 0;
+
+-        prefix = alloca(strlen(path) + 1);
++        pl = strlen(path);
++        assert(pl <= BUS_PATH_SIZE_MAX);
++        prefix = new(char, pl + 1);
++        if (!prefix)
++                return -ENOMEM;
++
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_removed_append_all_prefix(bus, m, s, prefix, path, true);
+                 if (r < 0)
+@@ -2618,7 +2652,8 @@
+                 const char *path,
+                 const char *interface) {
+
+-        char *prefix;
++        _cleanup_free_ char *prefix = NULL;
++        size_t pl;
+         int r;
+
+         assert(bus);
+@@ -2632,7 +2667,12 @@
+         if (bus->nodes_modified)
+                 return 0;
+
+-        prefix = alloca(strlen(path) + 1);
++        pl = strlen(path);
++        assert(pl <= BUS_PATH_SIZE_MAX);
++        prefix = new(char, pl + 1);
++        if (!prefix)
++                return -ENOMEM;
++
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true);
+                 if (r != 0)
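Review bot: The `assert(pl <= BUS_PATH_SIZE_MAX);` added before each `new(char, pl + 1)` only holds if every path reaching these functions has already passed `object_path_is_valid()`, and none of those validation sites are visible in these hunks. If any caller can pass an unvalidated path, a build with assertions enabled would abort the process on an oversized string instead of rejecting it, and the process in question for this CVE is PID 1. Where the function already returns an errno, `if (pl > BUS_PATH_SIZE_MAX) return -EINVAL;` would fail closed; otherwise a one-line comment at each site naming where the path was validated would document the invariant. Every enclosing function starts and ends outside its hunk, so this needs checking against the full file. The same applies to the v241 rebase of this patch later in the thread.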
diff --git a/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch b/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch
new file mode 100644
index 0000000000..57311faa60
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch
@@ -0,0 +1,61 @@
+Description: sd-bus: if we receive an invalid dbus message, ignore and
+ proceeed
+ .
+ dbus-daemon might have a slightly different idea of what a valid msg is
+ than us (for example regarding valid msg and field sizes). Let's hence
+ try to proceed if we can and thus drop messages rather than fail the
+ connection if we fail to validate a message.
+ .
+ Hopefully the differences in what is considered valid are not visible
+ for real-life usecases, but are specific to exploit attempts only.
+Author: Lennart Poettering <lennart@poettering.net>
+Forwarded: other,https://github.com/systemd/systemd/pull/11708/
+
+Patch from: systemd_239-7ubuntu10.8
+
+For information see:
+https://usn.ubuntu.com/3891-1/
+https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb
+
+CVE: CVE-2019-6454
+Upstream-Status: Backport
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+
+diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
+index 30d6455b6f..441b4a816f 100644
+--- a/src/libsystemd/sd-bus/bus-socket.c
++++ b/src/libsystemd/sd-bus/bus-socket.c
+@@ -1072,7 +1072,7 @@ static int bus_socket_read_message_need(sd_bus *bus, size_t *need) {
+ }
+
+ static int bus_socket_make_message(sd_bus *bus, size_t size) {
+-        sd_bus_message *t;
++        sd_bus_message *t = NULL;
+         void *b;
+         int r;
+
+@@ -1097,7 +1097,9 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
+                                     bus->fds, bus->n_fds,
+                                     NULL,
+                                     &t);
+-        if (r < 0) {
++        if (r == -EBADMSG)
++                log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description));
++        else if (r < 0) {
+                 free(b);
+                 return r;
+         }
+@@ -1108,7 +1110,8 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
+         bus->fds = NULL;
+         bus->n_fds = 0;
+
+-        bus->rqueue[bus->rqueue_size++] = t;
++        if (t)
++                bus->rqueue[bus->rqueue_size++] = t;
+
+         return 1;
+ }
+--
+2.17.1
+
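Review bot: The new `-EBADMSG` branch in `bus_socket_make_message()` only logs and then falls through to `bus->fds = NULL; bus->n_fds = 0;` with `t` still NULL, so nothing that belonged to the rejected message is released on that path. Unless `bus_message_from_malloc()` takes ownership of the input buffer and the descriptors even when it fails (its body is not shown here), each dropped message leaks its buffer and any file descriptors passed with it. A peer that keeps sending invalid messages could then drive the process towards memory or fd exhaustion. The branch should release what the message would have owned, for example `free(bus->rbuffer);` if that is the buffer that was passed in, and should close and free `bus->fds` before the pointer is cleared. The lines between the second and third hunk are not visible, so confirm against the full function.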
diff --git a/meta/recipes-core/systemd/systemd_239.bb b/meta/recipes-core/systemd/systemd_239.bb
index e2dfe639b3..922ba3b57d 100644
--- a/meta/recipes-core/systemd/systemd_239.bb
+++ b/meta/recipes-core/systemd/systemd_239.bb
@@ -41,6 +41,8 @@ SRC_URI += "file://touchscreen.rules \
            file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \
            file://0025-journald-set-a-limit-on-the-number-of-fields.patch \
            file://0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \
+           file://CVE-2019-6454.patch \
+           file://sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch \
            "
 
 # patches made for musl are only applied on TCLIBC is musl
-- 
2.20.1




* Re: [PATCH] systemd: fix CVE-2019-6454
  2019-02-22 16:54 [PATCH] systemd: fix CVE-2019-6454 George McCollister
@ 2019-02-22 17:04 ` Alexander Kanavin
  2019-02-22 17:13   ` George McCollister
  0 siblings, 1 reply; 8+ messages in thread
From: Alexander Kanavin @ 2019-02-22 17:04 UTC (permalink / raw)
  To: George McCollister; +Cc: OE-core

On Fri, 22 Feb 2019 at 17:55, George McCollister
<george.mccollister@gmail.com> wrote:
> Apply patches from systemd_239-7ubuntu10.8 to fix CVE-2019-6454.
> CVE-2019-6454 is an issue in which systemd (PID1) can be crashed with a
> specially formed D-Bus message.
> +
> +For information see:
> +https://usn.ubuntu.com/3891-1/
> +https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb
> +
> +CVE: CVE-2019-6454
> +Upstream-Status: Backport

It would be better to update systemd to latest upstream release, are
you able to do this?

Alex



* Re: [PATCH] systemd: fix CVE-2019-6454
  2019-02-22 17:04 ` Alexander Kanavin
@ 2019-02-22 17:13   ` George McCollister
  2019-02-22 17:18     ` Alexander Kanavin
  0 siblings, 1 reply; 8+ messages in thread
From: George McCollister @ 2019-02-22 17:13 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE-core

I believe this was discussed before and the recommendation was to wait
until 241 is released. In any case I currently have no interest in
upgrading it. My main motivation is to patch this CVE in sumo but
maintainers seem to want it in master first (even though different
versions of the patches are required).

-George

On Fri, Feb 22, 2019 at 11:04 AM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> On Fri, 22 Feb 2019 at 17:55, George McCollister
> <george.mccollister@gmail.com> wrote:
> > Apply patches from systemd_239-7ubuntu10.8 to fix CVE-2019-6454.
> > CVE-2019-6454 is an issue in which systemd (PID1) can be crashed with a
> > specially formed D-Bus message.
> > +
> > +For information see:
> > +https://usn.ubuntu.com/3891-1/
> > +https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb
> > +
> > +CVE: CVE-2019-6454
> > +Upstream-Status: Backport
>
> It would be better to update systemd to latest upstream release, are
> you able to do this?
>
> Alex



* Re: [PATCH] systemd: fix CVE-2019-6454
  2019-02-22 17:13   ` George McCollister
@ 2019-02-22 17:18     ` Alexander Kanavin
  2019-02-22 17:22       ` George McCollister
  0 siblings, 1 reply; 8+ messages in thread
From: Alexander Kanavin @ 2019-02-22 17:18 UTC (permalink / raw)
  To: George McCollister; +Cc: OE-core

On Fri, 22 Feb 2019 at 18:13, George McCollister
<george.mccollister@gmail.com> wrote:
>
> I believe this was discussed before and the recommendation was to wait
> until 241 to be release. In any case I currently have no interest in
> upgrading it. My main motivation is to patch this CVE in sumo but
> maintainers seem to want it in master first (even though different
> version of the patches are required).

241 has been released:
https://github.com/systemd/systemd/releases

It's fine if you don't want to do the upgrade, just wanted to correct
that point.

Alex



* Re: [PATCH] systemd: fix CVE-2019-6454
  2019-02-22 17:18     ` Alexander Kanavin
@ 2019-02-22 17:22       ` George McCollister
  2019-02-24  0:08         ` akuster808
  0 siblings, 1 reply; 8+ messages in thread
From: George McCollister @ 2019-02-22 17:22 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE-core

I missed that somehow.

Thanks for correcting me.
-George

On Fri, Feb 22, 2019 at 11:18 AM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> On Fri, 22 Feb 2019 at 18:13, George McCollister
> <george.mccollister@gmail.com> wrote:
> >
> > I believe this was discussed before and the recommendation was to wait
> > until 241 to be release. In any case I currently have no interest in
> > upgrading it. My main motivation is to patch this CVE in sumo but
> > maintainers seem to want it in master first (even though different
> > version of the patches are required).
>
> 241 has been released:
> https://github.com/systemd/systemd/releases
>
> It's fine if you don't want to do the upgrade, just wanted to correct
> that point.
>
> Alex



* Re: [PATCH] systemd: fix CVE-2019-6454
  2019-02-22 17:22       ` George McCollister
@ 2019-02-24  0:08         ` akuster808
  2019-02-24  6:44           ` Richard Purdie
  0 siblings, 1 reply; 8+ messages in thread
From: akuster808 @ 2019-02-24  0:08 UTC (permalink / raw)
  To: George McCollister, Alexander Kanavin; +Cc: OE-core

George,

On 2/22/19 9:22 AM, George McCollister wrote:
> I missed that some how.
>
> Thanks for correcting me.

thanks for the patch. it should apply to Thud so it won't go to waste.

- armin
> -George
>
> On Fri, Feb 22, 2019 at 11:18 AM Alexander Kanavin
> <alex.kanavin@gmail.com> wrote:
>> On Fri, 22 Feb 2019 at 18:13, George McCollister
>> <george.mccollister@gmail.com> wrote:
>>> I believe this was discussed before and the recommendation was to wait
>>> until 241 to be release. In any case I currently have no interest in
>>> upgrading it. My main motivation is to patch this CVE in sumo but
>>> maintainers seem to want it in master first (even though different
>>> version of the patches are required).
>> 241 has been released:
>> https://github.com/systemd/systemd/releases
>>
>> It's fine if you don't want to do the upgrade, just wanted to correct
>> that point.
>>
>> Alex




* Re: [PATCH] systemd: fix CVE-2019-6454
  2019-02-24  0:08         ` akuster808
@ 2019-02-24  6:44           ` Richard Purdie
  0 siblings, 0 replies; 8+ messages in thread
From: Richard Purdie @ 2019-02-24  6:44 UTC (permalink / raw)
  To: akuster808, George McCollister, Alexander Kanavin; +Cc: OE-core

On Sat, 2019-02-23 at 16:08 -0800, akuster808 wrote:
> George,
> 
> On 2/22/19 9:22 AM, George McCollister wrote:
> > I missed that some how.
> > 
> > Thanks for correcting me.
> 
> thanks for the patch. it should apply to Thud so it wont go to waste.

I was thinking of applying it to master until we get the upgrade which
helps with the backporting...

Cheers,

Richard




* [PATCH] systemd: fix CVE-2019-6454
@ 2019-03-13 13:07 Marcus Cooper
  0 siblings, 0 replies; 8+ messages in thread
From: Marcus Cooper @ 2019-03-13 13:07 UTC (permalink / raw)
  To: openembedded-core

The original fix was deleted when systemd was bumped from v239 to v241,
however not all of the patches have made it into the latest version.

Refactor the original patch to contain the missing changes.

Signed-off-by: Marcus Cooper <marcusc@axis.com>
---
 .../systemd/systemd/CVE-2019-6454.patch            | 216 +++++++++++++++++++++
 meta/recipes-core/systemd/systemd_241.bb           |   1 +
 2 files changed, 217 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-6454.patch

diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
new file mode 100644
index 0000000000..b84809ef17
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
@@ -0,0 +1,216 @@
+Description: sd-bus: enforce a size limit for dbus paths, and don't allocate
+ them on the stacka
+Forwarded: no
+
+Patch from: systemd_239-7ubuntu10.8
+
+For information see:
+https://usn.ubuntu.com/3891-1/
+https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb
+
+CVE: CVE-2019-6454
+Upstream-Status: Backport
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+
+diff --git a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c
+index 40acae2133..598b7f110c 100644
+--- a/src/libsystemd/sd-bus/bus-internal.c
++++ b/src/libsystemd/sd-bus/bus-internal.c
+@@ -43,7 +43,7 @@ bool object_path_is_valid(const char *p) {
+         if (slash)
+                 return false;
+ 
+-        return true;
++        return (q - p) <= BUS_PATH_SIZE_MAX;
+ }
+ 
+ char* object_path_startswith(const char *a, const char *b) {
+diff --git a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h
+index f208b294d8..a8d61bf72a 100644
+--- a/src/libsystemd/sd-bus/bus-internal.h
++++ b/src/libsystemd/sd-bus/bus-internal.h
+@@ -332,6 +332,10 @@ struct sd_bus {
+ 
+ #define BUS_MESSAGE_SIZE_MAX (128*1024*1024)
+ #define BUS_AUTH_SIZE_MAX (64*1024)
++/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one
++ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however,
++ * to not clash unnecessarily with real-life applications. */
++#define BUS_PATH_SIZE_MAX (64*1024)
+ 
+ #define BUS_CONTAINER_DEPTH 128
+ 
+diff --git a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c
+index 58329f3fe7..54b977418e 100644
+--- a/src/libsystemd/sd-bus/bus-objects.c
++++ b/src/libsystemd/sd-bus/bus-objects.c
+@@ -1133,7 +1133,8 @@ static int object_manager_serialize_path_and_fallbacks(
+                 const char *path,
+                 sd_bus_error *error) {
+ 
+-        char *prefix;
++        _cleanup_free_ char *prefix = NULL;
++        size_t pl;
+         int r;
+ 
+         assert(bus);
+@@ -1149,7 +1150,12 @@ static int object_manager_serialize_path_and_fallbacks(
+                 return 0;
+ 
+         /* Second, add fallback vtables registered for any of the prefixes */
+-        prefix = newa(char, strlen(path) + 1);
++        pl = strlen(path);
++        assert(pl <= BUS_PATH_SIZE_MAX);
++        prefix = new(char, pl + 1);
++        if (!prefix)
++                return -ENOMEM;
++
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_manager_serialize_path(bus, reply, prefix, path, true, error);
+                 if (r < 0)
+@@ -1345,6 +1351,7 @@ static int object_find_and_run(
+ }
+ 
+ int bus_process_object(sd_bus *bus, sd_bus_message *m) {
++        _cleanup_free_ char *prefix = NULL;
+         int r;
+         size_t pl;
+         bool found_object = false;
+@@ -1369,9 +1376,12 @@ int bus_process_object(sd_bus *bus, sd_bus_message *m) {
+         assert(m->member);
+ 
+         pl = strlen(m->path);
+-        do {
+-                char prefix[pl+1];
++        assert(pl <= BUS_PATH_SIZE_MAX);
++        prefix = new(char, pl + 1);
++        if (!prefix)
++                return -ENOMEM;
+ 
++        do {
+                 bus->nodes_modified = false;
+ 
+                 r = object_find_and_run(bus, m, m->path, false, &found_object);
+@@ -1498,9 +1508,15 @@ static int bus_find_parent_object_manager(sd_bus *bus, struct node **out, const
+ 
+         n = hashmap_get(bus->nodes, path);
+         if (!n) {
+-                char *prefix;
++                _cleanup_free_ char *prefix = NULL;
++                size_t pl;
++
++                pl = strlen(path);
++                assert(pl <= BUS_PATH_SIZE_MAX);
++                prefix = new(char, pl + 1);
++                if (!prefix)
++                        return -ENOMEM;
+ 
+-                prefix = newa(char, strlen(path) + 1);
+                 OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                         n = hashmap_get(bus->nodes, prefix);
+                         if (n)
+@@ -2083,8 +2099,9 @@ _public_ int sd_bus_emit_properties_changed_strv(
+                 const char *interface,
+                 char **names) {
+ 
++        _cleanup_free_ char *prefix = NULL;
+         bool found_interface = false;
+-        char *prefix;
++        size_t pl;
+         int r;
+ 
+         assert_return(bus, -EINVAL);
+@@ -2105,6 +2122,12 @@ _public_ int sd_bus_emit_properties_changed_strv(
+ 
+         BUS_DONT_DESTROY(bus);
+ 
++        pl = strlen(path);
++        assert(pl <= BUS_PATH_SIZE_MAX);
++        prefix = new(char, pl + 1);
++        if (!prefix)
++                return -ENOMEM;
++
+         do {
+                 bus->nodes_modified = false;
+ 
+@@ -2114,7 +2137,6 @@ _public_ int sd_bus_emit_properties_changed_strv(
+                 if (bus->nodes_modified)
+                         continue;
+ 
+-                prefix = newa(char, strlen(path) + 1);
+                 OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                         r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names);
+                         if (r != 0)
+@@ -2246,7 +2268,8 @@ static int object_added_append_all_prefix(
+ 
+ static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
+         _cleanup_set_free_ Set *s = NULL;
+-        char *prefix;
++        _cleanup_free_ char *prefix = NULL;
++        size_t pl;
+         int r;
+ 
+         assert(bus);
+@@ -2291,7 +2314,12 @@ static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *p
+         if (bus->nodes_modified)
+                 return 0;
+ 
+-        prefix = newa(char, strlen(path) + 1);
++        pl = strlen(path);
++        assert(pl <= BUS_PATH_SIZE_MAX);
++        prefix = new(char, pl + 1);
++        if (!prefix)
++                return -ENOMEM;
++
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_added_append_all_prefix(bus, m, s, prefix, path, true);
+                 if (r < 0)
+@@ -2430,7 +2458,8 @@ static int object_removed_append_all_prefix(
+ 
+ static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
+         _cleanup_set_free_ Set *s = NULL;
+-        char *prefix;
++        _cleanup_free_ char *prefix = NULL;
++        size_t pl;
+         int r;
+ 
+         assert(bus);
+@@ -2462,7 +2491,12 @@ static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char
+         if (bus->nodes_modified)
+                 return 0;
+ 
+-        prefix = newa(char, strlen(path) + 1);
++        pl = strlen(path);
++        assert(pl <= BUS_PATH_SIZE_MAX);
++        prefix = new(char, pl + 1);
++        if (!prefix)
++                return -ENOMEM;
++
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = object_removed_append_all_prefix(bus, m, s, prefix, path, true);
+                 if (r < 0)
+@@ -2612,7 +2646,8 @@ static int interfaces_added_append_one(
+                 const char *path,
+                 const char *interface) {
+ 
+-        char *prefix;
++        _cleanup_free_ char *prefix = NULL;
++        size_t pl;
+         int r;
+ 
+         assert(bus);
+@@ -2626,7 +2661,12 @@ static int interfaces_added_append_one(
+         if (bus->nodes_modified)
+                 return 0;
+ 
+-        prefix = newa(char, strlen(path) + 1);
++        pl = strlen(path);
++        assert(pl <= BUS_PATH_SIZE_MAX);
++        prefix = new(char, pl + 1);
++        if (!prefix)
++                return -ENOMEM;
++
+         OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+                 r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true);
+                 if (r != 0)
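Review bot: The patch header still reads `Patch from: systemd_239-7ubuntu10.8`, `Forwarded: no` and a bare `Upstream-Status: Backport`, although the file is now carried on top of v241 and its context has changed (`newa()` where the v239 version had `alloca()`). With no upstream commit named, whoever does the next version bump cannot tell whether the fix is already in the new release. The commit message describes exactly that loss happening at the 239 to 241 bump. I would record the origin in the header, e.g. `Upstream-Status: Backport [<upstream commit URL>]`, and add a line stating that the patch was rebased for v241 and which parts upstream still lacks.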
diff --git a/meta/recipes-core/systemd/systemd_241.bb b/meta/recipes-core/systemd/systemd_241.bb
index 1052b3df8c..8ceec3f83f 100644
--- a/meta/recipes-core/systemd/systemd_241.bb
+++ b/meta/recipes-core/systemd/systemd_241.bb
@@ -24,6 +24,7 @@ SRC_URI += "file://touchscreen.rules \
            file://0005-rules-watch-metadata-changes-in-ide-devices.patch \
            file://0001-meson-declare-version.h-as-dep-for-various-targets-t.patch \
            file://0001-meson-declare-version.h-as-dependency-for-systemd.patch \
+           file://CVE-2019-6454.patch \
            "
 
 # patches needed by musl
-- 
2.11.0


