diff --git a/SOURCES/0222-ask-password-prevent-buffer-overrow-when-reading-fro.patch b/SOURCES/0222-ask-password-prevent-buffer-overrow-when-reading-fro.patch
new file mode 100644
index 0000000..aa2bc12
--- /dev/null
+++ b/SOURCES/0222-ask-password-prevent-buffer-overrow-when-reading-fro.patch
@@ -0,0 +1,37 @@
+From 7200c0b173bec49c63ac5ecdf6d510d26e8c8271 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo
+Date: Mon, 13 May 2019 16:58:01 -0300
+Subject: [PATCH] ask-password: prevent buffer overrow when reading from
+ keyring
+
+When we read from keyring, a temporary buffer is allocated in order to
+determine the size needed for the entire data. However, when zeroing that area,
+we use the data size returned by the read instead of the lesser size allocate
+for the buffer.
+
+That will cause memory corruption that causes systemd-cryptsetup to crash
+either when a single large password is used or when multiple passwords have
+already been pushed to the keyring.
+
+Signed-off-by: Thadeu Lima de Souza Cascardo
+(cherry picked from commit 59c55e73eaee345e1ee67c23eace8895ed499693)
+(cherry picked from commit c6c8e0d097d6ba12471c6112c3fd339ea40329d5)
+
+Resolves: #1777037
+---
+ src/shared/ask-password-api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c
+index 682dc754fc..764ebd08e1 100644
+--- a/src/shared/ask-password-api.c
++++ b/src/shared/ask-password-api.c
+@@ -79,7 +79,7 @@ static int retrieve_key(key_serial_t serial, char ***ret) {
+ if (n < m)
+ break;
+
+- explicit_bzero(p, n);
++ explicit_bzero(p, m);
+ free(p);
+ m *= 2;
+ }
diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec
index 2a2b664..e274b08 100644
--- a/SPECS/systemd.spec
+++ b/SPECS/systemd.spec
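Review bot: The corrected `explicit_bzero(p, m);` in the embedded `retrieve_key` hunk of 0222 has no comment saying why the wipe length is the allocation size rather than the read result, and that confusion is what caused the overflow. Per the commit message the read can report more data than the temporary buffer holds, so a line such as `/* n is the size reported by the keyring read and may exceed m; wipe only the m bytes allocated */` above the call would guard against a later edit reintroducing `n`. The retry step `m *= 2;` has no upper bound or overflow check visible in this hunk. The loop begins and ends outside the hunk, so confirm there that `m` is capped and that the signedness of `n` in `if (n < m)` is handled before the comparison.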
@@ -13,7 +13,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 239 -Release: 18%{?dist}.1 +Release: 18%{?dist}.2 # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -271,6 +271,7 @@ Patch0218: 0218-sd-bus-adjust-indentation-of-comments.patch Patch0219: 0219-resolved-do-not-run-loop-twice.patch Patch0220: 0220-resolved-allow-access-to-Set-Link-and-Revert-methods.patch Patch0221: 0221-resolved-query-polkit-only-after-parsing-the-data.patch +Patch0222: 0222-ask-password-prevent-buffer-overrow-when-reading-fro.patch %ifarch %{ix86} x86_64 aarch64 @@ -890,6 +891,9 @@ fi %files tests -f .file-list-tests %changelog +* Fri Nov 29 2019 systemd maintenance team - 239-18.2 +- ask-password: prevent buffer overrow when reading from keyring (#1777037) + * Tue Nov 05 2019 Lukas Nykryn - 239-18.1 - journal: rely on _cleanup_free_ to free a temporary string used in client_context_read_cgroup (#1767716)