* [meta][dunfell][PATCH] systemd: Add fix for CVE-2020-13529 and CVE-2021-33910
@ 2021-08-04 15:39 ranjitsinh.rathod
From: ranjitsinh.rathod @ 2021-08-04 15:39 UTC (permalink / raw)
  To: openembedded-core

Added fixes for the CVEs below
1. CVE-2020-13529
2. CVE-2021-33910
Link: http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_237-3ubuntu10.50.debian.tar.xz

Upstream-Status: Pending

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
---
 .../systemd/systemd/CVE-2020-13529.patch      | 37 +++++++++++
 .../systemd/systemd/CVE-2021-33910.patch      | 62 +++++++++++++++++++
 meta/recipes-core/systemd/systemd_244.5.bb    |  2 +
 3 files changed, 101 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2021-33910.patch

diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
new file mode 100644
index 0000000000..80ae2bd883
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
@@ -0,0 +1,37 @@
+From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:22:07 +0900
+Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
+
+This makes DHCP client ignore FORCERENEW requests, as unauthenticated
+FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
+
+Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
+and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
+
+Fixes #16774.
+---
+ src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1305,9 +1305,17 @@ static int client_handle_forcerenew(sd_d
+         if (r != DHCP_FORCERENEW)
+                 return -ENOMSG;
+
++#if 0
+         log_dhcp_client(client, "FORCERENEW");
+
+         return 0;
++#else
++        /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
++         * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
++         * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
++        log_dhcp_client(client, "Received FORCERENEW, ignoring.");
++        return -ENOMSG;
++#endif
+ }
+
+ static int client_handle_ack(sd_dhcp_client *client, DHCPMessage *ack, size_t len) {
+
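Review bot: the new patch file carries none of the OE-core patch metadata: a `CVE: CVE-2020-13529` line, an `Upstream-Status:` line and the backporter's own `Signed-off-by:` need to be inside the file itself, since the `Upstream-Status: Pending` in the cover message does not travel with the patch. Because the header names upstream commit 38e980a6a5a3442c2f48b1f827284388096d8ca5, `Upstream-Status: Backport` with a link to that commit is the accurate status, not `Pending`. The code change itself matches upstream: `client_handle_forcerenew()` now returns -ENOMSG instead of 0, so an unauthenticated FORCERENEW is treated as an unrecognised message and dropped; the `#if 0` block that keeps the old two lines as dead code is upstream's own choice and should stay byte-for-byte identical in a backport.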
diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
new file mode 100644
index 0000000000..9932962749
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
@@ -0,0 +1,62 @@
+Backport of:
+
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -370,12 +370,13 @@ int unit_name_unescape(const char *f, ch
+ }
+
+ int unit_name_path_escape(const char *f, char **ret) {
+-        char *p, *s;
++        _cleanup_free_ char *p = NULL;
++        char *s;
+
+         assert(f);
+         assert(ret);
+
+-        p = strdupa(f);
++        p = strdup(f);
+         if (!p)
+                 return -ENOMEM;
+
+@@ -387,13 +388,9 @@ int unit_name_path_escape(const char *f,
+                 if (!path_is_normalized(p))
+                         return -EINVAL;
+
+-                /* Truncate trailing slashes */
++                /* Truncate trailing slashes and skip leading slashes */
+                 delete_trailing_chars(p, "/");
+-
+-                /* Truncate leading slashes */
+-                p = skip_leading_chars(p, "/");
+-
+-                s = unit_name_escape(p);
++                s = unit_name_escape(skip_leading_chars(p, "/"));
+         }
+         if (!s)
+                 return -ENOMEM;
+
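Review bot: same missing metadata as the first file: add `CVE: CVE-2021-33910`, `Upstream-Status: Backport` pointing at upstream commit 441e0115646d54f080e5c3bb0ba477c892861ab9 (the header already says `Backport of:`), and a `Signed-off-by:`. The upstream subject reads `[PATCH 1/2]`; the patch description should state whether the second patch of that series is needed on 244.5 or why it is not. On the code: `p` becomes `_cleanup_free_` and must keep the original `strdup()` pointer for the whole function, which is why the second hunk drops `p = skip_leading_chars(p, "/")` and instead passes the skipped pointer directly to `unit_name_escape()`; reassigning `p` would hand a pointer into the middle of the allocation to `free()`. Worth a sentence in the backport description so a later rebase does not reintroduce the reassignment.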
diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb
index 8c95648ca0..7a7eddcd45 100644
--- a/meta/recipes-core/systemd/systemd_244.5.bb
+++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -20,6 +20,8 @@ SRC_URI += "file://touchscreen.rules \
            file://99-default.preset \
            file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
            file://0003-implment-systemd-sysv-install-for-OE.patch \
+           file://CVE-2021-33910.patch \
+           file://CVE-2020-13529.patch \
            "

 # patches needed by musl
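Review bot: the recipe hunk is fine functionally; cve-check reads the CVE id from a `CVE-*.patch` file name, so both entries will be reported as patched, though the `CVE:` tag inside each patch file is still the project convention. One nit: listing `file://CVE-2020-13529.patch` before `file://CVE-2021-33910.patch` would match the order in the commit message and the diffstat.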
--
2.17.1



* Re: [OE-core] [meta][dunfell][PATCH] systemd: Add fix for CVE-2020-13529 and CVE-2021-33910
@ 2021-08-04 16:37 ` Steve Sakoman
From: Steve Sakoman @ 2021-08-04 16:37 UTC (permalink / raw)
  To: Ranjitsinh Rathod; +Cc: Patches and discussions about the oe-core layer

On Wed, Aug 4, 2021 at 5:40 AM Ranjitsinh Rathod
<ranjitsinh.rathod@kpit.com> wrote:
>
> Added fix for below CVEs
> 1. CVE-2020-13529
> 2. CVE-2021-33910
> Link: http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_237-3ubuntu10.50.debian.tar.xz
>
> Upstream-Status: Pending

This needs to be in the patch files, along with a CVE: tag and your
signed-off-by.

See the "Patch name convention and commit message" section at:
https://wiki.yoctoproject.org/wiki/Security

Thanks for helping with CVEs!

Steve


