Merge branch 'jb46829' into 'master'

[systemd] Fix for CVE-2018-16865 in systemd-journal. Fixes JB#46829 See merge request mer-core/systemd!25
sailfishos · Aug 6, 2019 · 687c32c · 687c32c
2 parents 8174069 + ca65258
commit 687c32c
Show file tree

Hide file tree

Showing 6 changed files with 271 additions and 0 deletions.
diff --git a/rpm/systemd-backport-If-the-notification-message-length-is-0-ignore-the-m.patch b/rpm/systemd-backport-If-the-notification-message-length-is-0-ignore-the-m.patch
@@ -0,0 +1,29 @@
+Backported upstream commit
+https://github.com/systemd/systemd/commit/531ac2b2349da02acc9c382849758e07eb92b020
+
+It fixes CVE-2016-7795.
+
+From 531ac2b2349da02acc9c382849758e07eb92b020 Mon Sep 17 00:00:00 2001
+From: Jorge Niedbalski <jorge.niedbalski@canonical.com>
+Date: Wed, 28 Sep 2016 18:25:50 -0300
+Subject: [PATCH] If the notification message length is 0, ignore the message
+ (#4237)
+
+Fixes #4234.
+
+Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
+
+diff -purN systemd/src/core/manager.c systemd-izh/src/core/manager.c
+--- systemd/src/core/manager.c	2019-08-05 05:38:44.059368428 -0400
++++ systemd-izh/src/core/manager.c	2019-08-05 13:04:50.260358645 -0400
+@@ -1543,6 +1543,10 @@ static int manager_dispatch_notify_fd(sd
+
+                         return -errno;
+                 }
++                if (n == 0) {
++                        log_debug("Got zero-length notification message. Ignoring.");
++                        return 0;
++                }
+
+                 CMSG_FOREACH(cmsg, &msghdr) {
+                         if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
diff --git a/rpm/systemd-backport-fuzz-decrease-DATA_SIZE_MAX.patch b/rpm/systemd-backport-fuzz-decrease-DATA_SIZE_MAX.patch
@@ -0,0 +1,39 @@
+This is the backport of the upstream commit
+https://github.com/systemd/systemd/commit/25cad95c82f4c45d6d7c872c39bbd72bc4946edb
+
+It fixes CVE-2013-4391.
+
+From 25cad95c82f4c45d6d7c872c39bbd72bc4946edb Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Mon, 12 Nov 2018 18:08:45 +0900
+Subject: [PATCH] fuzz: decrease DATA_SIZE_MAX
+
+Fixes oss-fuzz#8658.
+
+diff -purN systemd/src/journal/coredump.c systemd-izh/src/journal/coredump.c
+--- systemd/src/journal/coredump.c	2019-08-05 05:38:44.075368451 -0400
++++ systemd-izh/src/journal/coredump.c	2019-08-05 09:23:47.773816172 -0400
+@@ -59,7 +59,8 @@
+
+ /* The maximum size up to which we store the coredump in the
+  * journal */
+-#define JOURNAL_SIZE_MAX ((size_t) (767LU*1024LU*1024LU))
++/* oss-fuzz limits memory usage. */
++#define JOURNAL_SIZE_MAX ((size_t) (10LU*1024LU*1024LU))
+
+ /* Make sure to not make this larger than the maximum journal entry
+  * size. See DATA_SIZE_MAX in journald-native.c. */
+diff -purN systemd/src/journal/journald-native.h systemd-izh/src/journal/journald-native.h
+--- systemd/src/journal/journald-native.h	2019-08-05 08:19:55.982711293 -0400
++++ systemd-izh/src/journal/journald-native.h	2019-08-05 09:09:23.164321075 -0400
+@@ -25,8 +25,8 @@
+
+ /* Make sure not to make this smaller than the maximum coredump
+  * size. See COREDUMP_MAX in coredump.c */
+-#define ENTRY_SIZE_MAX (1024*1024*770u)
+-#define DATA_SIZE_MAX (1024*1024*768u)
++#define ENTRY_SIZE_MAX (1024*1024*13u)
++#define DATA_SIZE_MAX (1024*1024*11u)
+
+ bool valid_user_field(const char *p, size_t l, bool allow_protected);
+
diff --git a/rpm/systemd-backport-journal-fix-syslog_parse_identifier.patch b/rpm/systemd-backport-journal-fix-syslog_parse_identifier.patch
@@ -0,0 +1,87 @@
+This is the backport of the upstream commits
+https://github.com/systemd/systemd/commit/a6aadf4ae0bae185dc4c414d492a4a781c80ffe5
+https://github.com/systemd/systemd/commit/8595102d3ddde6d25c282f965573a6de34ab4421
+
+It fixes CVE-2018-16866.
+
+From a6aadf4ae0bae185dc4c414d492a4a781c80ffe5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Wed, 8 Aug 2018 15:06:36 +0900
+Subject: [PATCH] journal: fix syslog_parse_identifier()
+
+Fixes #9829.
+
+From 8595102d3ddde6d25c282f965573a6de34ab4421 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Fri, 10 Aug 2018 11:07:54 +0900
+Subject: [PATCH] journal: do not remove multiple spaces after identifier in syslog message
+
+Single space is used as separator.
+C.f. discussions in #156.
+
+Fixes #9839 introduced by a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.
+
+diff -purN systemd/src/journal/journald-syslog.c systemd-izh/src/journal/journald-syslog.c
+--- systemd/src/journal/journald-syslog.c	2019-08-02 18:21:22.892939591 +0300
++++ systemd-izh/src/journal/journald-syslog.c	2019-08-05 16:54:03.176668148 +0300
+@@ -209,7 +209,7 @@ size_t syslog_parse_identifier(const cha
+         e = l;
+         l--;
+
+-        if (p[l-1] == ']') {
++        if (l > 0 && p[l-1] == ']') {
+                 size_t k = l-1;
+
+                 for (;;) {
+@@ -234,8 +234,10 @@ size_t syslog_parse_identifier(const cha
+         if (t)
+                 *identifier = t;
+
+-        if (strchr(WHITESPACE, p[e]))
++        /* Single space is used as separator */
++        if (p[e] != '\0' && strchr(WHITESPACE, p[e]))
+                 e++;
++
+         *buf = p + e;
+         return e;
+ }
+diff -purN systemd/src/journal/test-journal-syslog.c systemd-izh/src/journal/test-journal-syslog.c
+--- systemd/src/journal/test-journal-syslog.c	2019-08-02 18:21:22.892939591 +0300
++++ systemd-izh/src/journal/test-journal-syslog.c	2019-08-05 16:54:03.176668148 +0300
+@@ -22,8 +22,8 @@
+ #include "journald-syslog.h"
+ #include "macro.h"
+
+-static void test_syslog_parse_identifier(const char* str,
+-                                         const char *ident, const char*pid, int ret) {
++static void test_syslog_parse_identifier(const char *str,
++                                         const char *ident, const char *pid, const char *rest, int ret) {
+         const char *buf = str;
+         _cleanup_free_ char *ident2 = NULL, *pid2 = NULL;
+         int ret2;
+@@ -33,12 +33,22 @@ static void test_syslog_parse_identifier
+         assert_se(ret == ret2);
+         assert_se(ident == ident2 || streq_ptr(ident, ident2));
+         assert_se(pid == pid2 || streq_ptr(pid, pid2));
++        assert_se(streq(buf, rest));
+ }
+
+ int main(void) {
+-        test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", 11);
+-        test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 6);
+-        test_syslog_parse_identifier("pidu xxx", NULL, NULL, 0);
++        test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", "xxx", 11);
++        test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, "xxx", 6);
++        test_syslog_parse_identifier("pidu:  xxx", "pidu", NULL, " xxx", 6);
++        test_syslog_parse_identifier("pidu xxx", NULL, NULL, "pidu xxx", 0);
++        test_syslog_parse_identifier("   pidu xxx", NULL, NULL, "   pidu xxx", 0);
++        test_syslog_parse_identifier("", NULL, NULL, "", 0);
++        test_syslog_parse_identifier("  ", NULL, NULL, "  ", 0);
++        test_syslog_parse_identifier(":", "", NULL, "", 1);
++        test_syslog_parse_identifier(":  ", "", NULL, " ", 2);
++        test_syslog_parse_identifier("pidu:", "pidu", NULL, "", 5);
++        test_syslog_parse_identifier("pidu: ", "pidu", NULL, "", 6);
++        test_syslog_parse_identifier("pidu : ", NULL, NULL, "pidu : ", 0);
+
+         return 0;
+ }
diff --git a/rpm/systemd-backport-journald-set-a-limit-on-the-number-of-fields-1k.patch b/rpm/systemd-backport-journald-set-a-limit-on-the-number-of-fields-1k.patch
@@ -0,0 +1,47 @@
+This is the backport of the upstream commit
+https://github.com/systemd/systemd/commit/052c57f132f04a3cf4148f87561618da1a6908b4
+It is fixed it v241.
+
+From 052c57f132f04a3cf4148f87561618da1a6908b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 5 Dec 2018 22:45:02 +0100
+Subject: [PATCH] journald: set a limit on the number of fields (1k)
+
+We allocate a iovec entry for each field, so with many short entries,
+our memory usage and processing time can be large, even with a relatively
+small message size. Let's refuse overly long entries.
+
+CVE-2018-16865
+https://bugzilla.redhat.com/show_bug.cgi?id=1653861
+
+What from I can see, the problem is not from an alloca, despite what the CVE
+description says, but from the attack multiplication that comes from creating
+many very small iovecs: (void* + size_t) for each three bytes of input message.
+
+diff -purN systemd/src/journal/journald-native.c systemd-izh/src/journal/journald-native.c
+--- systemd/src/journal/journald-native.c	2019-08-05 05:38:44.083368462 -0400
++++ systemd-izh/src/journal/journald-native.c	2019-08-05 05:56:53.357060530 -0400
+@@ -133,6 +133,10 @@ void server_process_native_message(
+                 }
+
+                 /* A property follows */
++                if (n > ENTRY_FIELD_COUNT_MAX) {
++                        log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
++                        goto finish;
++                }
+
+                 /* n existing properties, 1 new, +1 for _TRANSPORT */
+                 if (!GREEDY_REALLOC(iovec, m, n + 2 + N_IOVEC_META_FIELDS + N_IOVEC_OBJECT_FIELDS)) {
+diff -purN systemd/src/journal/journald-native.h systemd-izh/src/journal/journald-native.h
+--- systemd/src/journal/journald-native.h	2019-08-05 05:38:44.083368462 -0400
++++ systemd-izh/src/journal/journald-native.h	2019-08-05 06:00:28.253422314 -0400
+@@ -28,6 +28,9 @@
+ #define ENTRY_SIZE_MAX (1024*1024*770u)
+ #define DATA_SIZE_MAX (1024*1024*768u)
+
++/* The maximum number of fields in an entry */
++#define ENTRY_FIELD_COUNT_MAX 1024
++
+ bool valid_user_field(const char *p, size_t l, bool allow_protected);
+
+ void server_process_native_message(Server *s, const void *buffer, size_t buffer_size, const struct ucred *ucred, const struct timeval *tv, const char *label, size_t label_len);
diff --git a/rpm/systemd-backport-pam-systemd-use-secure_getenv-rather-than-getenv.patch b/rpm/systemd-backport-pam-systemd-use-secure_getenv-rather-than-getenv.patch
@@ -0,0 +1,59 @@
+This is the backport of upstream commit
+https://github.com/systemd/systemd/commit/83d4ab55336ff8a0643c6aa627b31e351a24040a
+
+It fixes CVE-2019-3842.
+
+From 83d4ab55336ff8a0643c6aa627b31e351a24040a Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 4 Feb 2019 10:23:43 +0100
+Subject: [PATCH] pam-systemd: use secure_getenv() rather than getenv()
+
+diff -purN systemd/src/login/pam_systemd.c systemd-izh/src/login/pam_systemd.c
+--- systemd/src/login/pam_systemd.c	2019-08-05 05:38:44.107368495 -0400
++++ systemd-izh/src/login/pam_systemd.c	2019-08-05 14:00:21.968726200 -0400
+@@ -284,29 +284,40 @@ _public_ PAM_EXTERN int pam_sm_open_sess
+         pam_get_item(handle, PAM_RUSER, (const void**) &remote_user);
+         pam_get_item(handle, PAM_RHOST, (const void**) &remote_host);
+
++        /* Looks for an environment variable, preferrably in the environment block associated with the
++         * specified PAM handle, falling back to the process' block instead. Why check both? Because we want
++         * to permit configuration of session properties from unit files that invoke PAM services, so that
++         * PAM services don't have to be reworked to set systemd-specific properties, but these properties
++         * can still be set from the unit file Environment= block.
++         *
++         * We use secure_getenv() here, since we might get loaded into su/sudo, which are SUID. Ideally
++         * they'd clean up the environment before invoking foreign code (such as PAM modules), but alas they
++         * currently don't (to be precise, they clean up the environment they pass to their children, but
++         * not their own environ[]). */
++
+         seat = pam_getenv(handle, "XDG_SEAT");
+         if (isempty(seat))
+-                seat = getenv("XDG_SEAT");
++                seat = secure_getenv("XDG_SEAT");
+
+         cvtnr = pam_getenv(handle, "XDG_VTNR");
+         if (isempty(cvtnr))
+-                cvtnr = getenv("XDG_VTNR");
++                cvtnr = secure_getenv("XDG_VTNR");
+
+         type = pam_getenv(handle, "XDG_SESSION_TYPE");
+         if (isempty(type))
+-                type = getenv("XDG_SESSION_TYPE");
++                type = secure_getenv("XDG_SESSION_TYPE");
+         if (isempty(type))
+                 type = type_pam;
+
+         class = pam_getenv(handle, "XDG_SESSION_CLASS");
+         if (isempty(class))
+-                class = getenv("XDG_SESSION_CLASS");
++                class = secure_getenv("XDG_SESSION_CLASS");
+         if (isempty(class))
+                 class = class_pam;
+
+         desktop = pam_getenv(handle, "XDG_SESSION_DESKTOP");
+         if (isempty(desktop))
+-                desktop = getenv("XDG_SESSION_DESKTOP");
++                desktop = secure_getenv("XDG_SESSION_DESKTOP");
+
+         tty = strempty(tty);
+
diff --git a/rpm/systemd.spec b/rpm/systemd.spec
@@ -45,6 +45,11 @@ Patch31:        systemd-backport-rework-serialization.patch
 Patch32:        systemd-239-dhcp6-client-CVE-2018-15688-fix.patch
 Patch33:        systemd-backport-Remove-extra-BindsTo.patch
 Patch34:        systemd-234-udev-fix-some-incorrect-usages-of-CLOCK_BOOTTIME-619.patch
+Patch35:        systemd-backport-journald-set-a-limit-on-the-number-of-fields-1k.patch
+Patch36:        systemd-backport-fuzz-decrease-DATA_SIZE_MAX.patch
+Patch37:        systemd-backport-journal-fix-syslog_parse_identifier.patch
+Patch38:        systemd-backport-If-the-notification-message-length-is-0-ignore-the-m.patch
+Patch39:        systemd-backport-pam-systemd-use-secure_getenv-rather-than-getenv.patch
 
 Patch99:        systemd-225_fix_build_with_glibc228.patch
 
@@ -221,6 +226,11 @@ This package includes tests for systemd.
 # home encryption related patches
 %patch33 -p1
 %patch34 -p1
+%patch35 -p1
+%patch36 -p1
+%patch37 -p1
+%patch38 -p1
+%patch39 -p1
 #systemd-225_fix_build_with_glibc228.patch
 %patch99 -p1