Version 250.9

- Latest bugfix release with a bunch of fixes (homed, networkd, manager, resolved, documentation): rhbz#2133792, rhbz#2135778, rhbz#2152685, and also #2031810, #2121106. - CVE-2022-4415: systemd: coredump not respecting fs.suid_dumpable kernel setting
2022-12-20 19:32:04 +01:00 · 2022-12-20 19:32:04 +01:00 · 8b7a753a0a
parent e518927ce6
commit 8b7a753a0a
3 changed files with 79 additions and 3 deletions
--- a/0001-coredump-cescape-invalid-json-data-before-logging.patch
+++ b/0001-coredump-cescape-invalid-json-data-before-logging.patch
@ -0,0 +1,76 @@
+From c5d344ea8b2e8dc6951360a29c5e920199c81c65 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 13 Dec 2022 11:15:17 +0100
+Subject: [PATCH] coredump: cescape invalid json data before logging
+
+In both cases, the json string is short, so we can print it, which is useful
+for diagnosing invalid data in packages. But we need escape non-printable
+characters.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2152685
+
+I went over the rest of the codebase, and it seems that other calls to
+json_parse() don't have this problem.
+
+(cherry picked from commit c5966ab5bf43b4fb45998760beaffa6c7f9e8a9e)
+(cherry picked from commit 57ab4e2d47dd7c03113b66b78175242a597bd0dc)
+(cherry picked from commit 6208326afb592e901d5fc8cf1b09fb764e1fdb6b)
+---
+ src/coredump/coredumpctl.c | 8 +++++---
+ src/shared/elf-util.c      | 7 +++++--
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/coredump/coredumpctl.c b/src/coredump/coredumpctl.c
+index 2904de3728..efdca36f43 100644
+--- a/src/coredump/coredumpctl.c
+++ b/src/coredump/coredumpctl.c
+@@ -15,6 +15,7 @@
+ #include "bus-util.h"
+ #include "compress.h"
+ #include "def.h"
+#include "escape.h"
+ #include "fd-util.h"
+ #include "format-table.h"
+ #include "fs-util.h"
+@@ -733,9 +734,10 @@ static int print_info(FILE *file, sd_journal *j, bool need_space) {
+                 _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
+ 
+                 r = json_parse(pkgmeta_json, 0, &v, NULL, NULL);
+-                if (r < 0)
+-                        log_warning_errno(r, "json_parse on %s failed, ignoring: %m", pkgmeta_json);
+-                else {
+                if (r < 0) {
+                        _cleanup_free_ char *esc = cescape(pkgmeta_json);
+                        log_warning_errno(r, "json_parse on \"%s\" failed, ignoring: %m", strnull(esc));
+                } else {
+                         const char *module_name;
+                         JsonVariant *module_json;
+ 
+diff --git a/src/shared/elf-util.c b/src/shared/elf-util.c
+index 644fbae9ce..f9d0e5bc60 100644
+--- a/src/shared/elf-util.c
+++ b/src/shared/elf-util.c
+@@ -15,6 +15,7 @@
+ #include "dlfcn-util.h"
+ #include "elf-util.h"
+ #include "errno-util.h"
+#include "escape.h"
+ #include "fileio.h"
+ #include "fd-util.h"
+ #include "format-util.h"
+@@ -328,8 +329,10 @@ static int parse_package_metadata(const char *name, JsonVariant *id_json, Elf *e
+                                 _cleanup_(json_variant_unrefp) JsonVariant *v = NULL, *w = NULL;
+ 
+                                 r = json_parse(payload, 0, &v, NULL, NULL);
+-                                if (r < 0)
+-                                        return log_error_errno(r, "json_parse on %s failed: %m", payload);
+                                if (r < 0) {
+                                        _cleanup_free_ char *esc = cescape(payload);
+                                        return log_error_errno(r, "json_parse on \"%s\" failed: %m", strnull(esc));
+                                }
+ 
+                                 /* First pretty-print to the buffer, so that the metadata goes as
+                                  * plaintext in the journal. */
+-- 
+2.38.1
+
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (systemd-250.8.tar.gz) = 653f527f10779a31213da06f7587a3617bd4b823bd3e5a43d626c5a4a7301e4a0fb42cf1fd056d28af6d87e52f258da59d5f0d4a2d98076905f9d3fcda6d18fd
+SHA512 (systemd-250.9.tar.gz) = d3f044ec538b7e6b1ada39e21d239b376b468f0be40039be658aafcc7d9a0227381ab9541d1d994dd6e17530e3dcbf0aba722f68bbf609aa1953b9664cf6dd8e
--- a/systemd.spec
+++ b/systemd.spec
@ -30,7 +30,7 @@
 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
 %if %{without inplace}
-Version:        250.8
+Version:        250.9
 Release:        1%{?dist}
 %else
 # determine the build information from local checkout
@ -91,7 +91,7 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # Any patches which are "in preparation" upstream should be listed here, rather
 # than in the next section. Packit CI will drop any patches in this range before
 # applying upstream pull requests.
-
+Patch0001:      0001-coredump-cescape-invalid-json-data-before-logging.patch

 # This is a downstream-only patch, but we don't want it in packit builds.
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828