diff options
author | Hitendra Prajapati <hprajapati@mvista.com> | 2024-01-16 10:16:18 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-01-16 04:10:03 -1000 |
commit | 545fc081f16a63e5b012d4636deee98a788753bb (patch) | |
tree | 51b28e0a122449cec8ab634686b95e2b62e173ae /meta/recipes-core/systemd | |
parent | f46c9105d4253153a5986f2b307273e43ee98c33 (diff) | |
download | openembedded-core-contrib-545fc081f16a63e5b012d4636deee98a788753bb.tar.gz |
systemd: fix CVE-2023-7008
Upstream-Status: Backport from https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-core/systemd')
-rw-r--r-- | meta/recipes-core/systemd/systemd/CVE-2023-7008.patch | 40 | ||||
-rw-r--r-- | meta/recipes-core/systemd/systemd_250.5.bb | 1 |
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch b/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch new file mode 100644 index 0000000000..e2296abc49 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch @@ -0,0 +1,40 @@ +From 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar <msekleta@redhat.com> +Date: Wed, 20 Dec 2023 16:44:14 +0100 +Subject: [PATCH] resolved: actually check authenticated flag of SOA + transaction + +Fixes #25676 + +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1] +CVE: CVE-2023-7008 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/resolve/resolved-dns-transaction.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index f937f9f7b5..7deb598400 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -2761,7 +2761,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * + if (r == 0) + continue; + +- return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED); ++ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED); + } + + return true; +@@ -2788,7 +2788,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * + /* We found the transaction that was supposed to find the SOA RR for us. It was + * successful, but found no RR for us. This means we are not at a zone cut. In this + * case, we require authentication if the SOA lookup was authenticated too. */ +- return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED); ++ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED); + } + + return true; +-- +2.25.1 + diff --git a/meta/recipes-core/systemd/systemd_250.5.bb b/meta/recipes-core/systemd/systemd_250.5.bb index c35557471a..889473ee1f 100644 --- a/meta/recipes-core/systemd/systemd_250.5.bb +++ b/meta/recipes-core/systemd/systemd_250.5.bb @@ -32,6 +32,7 @@ SRC_URI += "file://touchscreen.rules \ file://CVE-2022-4415-2.patch \ file://0001-network-remove-only-managed-configs-on-reconfigure-o.patch \ file://0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch \ + file://CVE-2023-7008.patch \ " # patches needed by musl |