diff --git a/0999-kernel-install-Don-t-install-BLS-kernel-images-if-de.patch b/0999-kernel-install-Don-t-install-BLS-kernel-images-if-de.patch
deleted file mode 100644
index c26ec4f..0000000
--- a/0999-kernel-install-Don-t-install-BLS-kernel-images-if-de.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From cc3fa810197881a48c3fa8a1e6a1f97f5c251581 Mon Sep 17 00:00:00 2001
-From: Javier Martinez Canillas <javierm@redhat.com>
-Date: Tue, 27 Feb 2018 21:18:55 +0100
-Subject: [PATCH 1/1] kernel-install: Don't install BLS kernel images if dest
- dir doesn't exist
-
-The script shouldn't rely on a previous script exiting with a status code
-that prevents it to be executed. Instead, should check if the destination
-directory for the BLS kernel image exists and exit otherwise.
-
-Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
----
- src/kernel-install/90-loaderentry.install | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/kernel-install/90-loaderentry.install b/src/kernel-install/90-loaderentry.install
-index 305ea8f5c97f..a271cdb8a03e 100644
---- a/src/kernel-install/90-loaderentry.install
-+++ b/src/kernel-install/90-loaderentry.install
-@@ -11,6 +11,10 @@ if ! [[ $KERNEL_INSTALL_MACHINE_ID ]]; then
- exit 0
- fi
-
-+if ! [[ -d "$BOOT_DIR_ABS" ]]; then
-+ exit 0
-+fi
-+
- MACHINE_ID=$KERNEL_INSTALL_MACHINE_ID
-
- BOOT_DIR="/$MACHINE_ID/$KERNEL_VERSION"
---
-2.14.3
-
diff --git a/sources b/sources
index df48775..9b3646e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (systemd-84c8da5.tar.gz) = 0d46bde746afb2678dfe2ce803091f7c30517db35532256e18a960996689cfcbf3e5391a16752093e2fb3594313771056d7cc16ee0f0c0ab4d170c28466dbb3c
+SHA512 (systemd-238.tar.gz) = c0f272b022308d3bd94679184e102a8dc85de55310bda205a458ea33c77c7733e5c8c8e5b15f786ba3e0ce59e7c6a9bf0d5a0950517c6b91e0f345950129b9c8
diff --git a/systemd-typecast-usbids.patch b/systemd-typecast-usbids.patch
deleted file mode 100644
index 1ccd3ed..0000000
--- a/systemd-typecast-usbids.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 68b2813a0b6dcf8ff8f8eb36aa225ae90661e67e Mon Sep 17 00:00:00 2001
-From: Fedora systemd team <systemd-maint@redhat.com>
-Date: Thu, 22 Feb 2018 12:45:31 +0100
-Subject: [PATCH] Typecast USB IDs
-
-Signed-off-by: Fedora systemd team <systemd-maint@redhat.com>
----
- src/udev/udev-builtin-hwdb.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/udev/udev-builtin-hwdb.c b/src/udev/udev-builtin-hwdb.c
-index ca7f7c2..d3556e4 100644
---- a/src/udev/udev-builtin-hwdb.c
-+++ b/src/udev/udev-builtin-hwdb.c
-@@ -77,7 +77,7 @@ static const char *modalias_usb(struct udev_device *dev, char *s, size_t size) {
- pn = strtol(p, NULL, 16);
- if (pn <= 0)
- return NULL;
-- snprintf(s, size, "usb:v%04Xp%04X*", vn, pn);
-+ snprintf(s, size, "usb:v%04Xp%04X*", (uint16_t)vn, (uint16_t)pn);
- return s;
- }
-
---
-2.16.2
-
diff --git a/systemd.spec b/systemd.spec
index fcc8ab0..73ff869 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -1,4 +1,4 @@
-%global gitcommit 84c8da5ed92282f8ef51d5d4f8e1630c37fef3e9
+#global gitcommit 10e465b5321bd53c1fc59ffab27e724535c6bc0f
%{?gitcommit:%global gitcommitshort %(c=%{gitcommit}; echo ${c:0:7})}
# We ship a .pc file but don't want to have a dep on pkg-config. We
@@ -12,8 +12,8 @@
Name: systemd
Url: http://www.freedesktop.org/wiki/Software/systemd
-Version: 237
-Release: 7%{?gitcommit:.git%{gitcommitshort}}%{?dist}
+Version: 238
+Release: 1%{?gitcommit:.git%{gitcommitshort}}%{?dist}
# For a breakdown of the licensing, see README
License: LGPLv2+ and MIT and GPLv2+
Summary: System and Service Manager
@@ -48,10 +48,7 @@ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|
GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[67]* hwdb/parse_hwdb.py > hwdb.patch
%endif
-Patch1: systemd-typecast-usbids.patch
-
Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
-Patch0999: 0999-kernel-install-Don-t-install-BLS-kernel-images-if-de.patch
%global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);}
@@ -324,6 +321,8 @@ CONFIGURE_OPTS=(
-Dusers-gid=100
-Dnobody-user=nobody
-Dnobody-group=nobody
+ -Dsplit-usr=false
+ -Dsplit-bin=true
-Db_lto=false
)
@@ -342,16 +341,6 @@ fi
mkdir -p %{buildroot}/%{_sbindir}
ln -sf ../bin/udevadm %{buildroot}%{_sbindir}/udevadm
-# Create SysV compatibility symlinks. systemctl/systemd are smart
-# enough to detect in which way they are called.
-ln -s ../lib/systemd/systemd %{buildroot}%{_sbindir}/init
-ln -s ../bin/systemctl %{buildroot}%{_sbindir}/reboot
-ln -s ../bin/systemctl %{buildroot}%{_sbindir}/halt
-ln -s ../bin/systemctl %{buildroot}%{_sbindir}/poweroff
-ln -s ../bin/systemctl %{buildroot}%{_sbindir}/shutdown
-ln -s ../bin/systemctl %{buildroot}%{_sbindir}/telinit
-ln -s ../bin/systemctl %{buildroot}%{_sbindir}/runlevel
-
# Compatiblity and documentation files
touch %{buildroot}/etc/crypttab
chmod 600 %{buildroot}/etc/crypttab
@@ -712,6 +701,12 @@ fi
%files tests -f .file-list-tests
%changelog
+* Mon Mar 5 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 238-1
+- Update to latest version
+- This fixes a hard-to-trigger potential vulnerability (CVE-2018-6954)
+- New transfiletriggers are installed for udev hwdb and rules, the journal
+ catalog, sysctl.d, binfmt.d, sysusers.d, tmpfiles.d.
+
* Tue Feb 27 2018 Javier Martinez Canillas <javierm@redhat.com> - 234-7.git84c8da5
- Add patch to install kernel images for GRUB BootLoaderSpec support
diff --git a/triggers.systemd b/triggers.systemd
index 6640c47..e76e269 100644
--- a/triggers.systemd
+++ b/triggers.systemd
@@ -1,8 +1,10 @@
# -*- Mode: rpm-spec; indent-tabs-mode: nil -*- */
+# SPDX-License-Identifier: LGPL-2.1+
#
# This file is part of systemd.
#
# Copyright 2015 Zbigniew Jędrzejewski-Szmek
+# Copyright 2018 Neal Gompa
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
@@ -18,6 +20,8 @@
# along with systemd; If not, see <http://www.gnu.org/licenses/>.
# The contents of this are an example to be copied into systemd.spec.
+#
+# Minimum rpm version supported: 4.13.0
%transfiletriggerin -P 900900 -p <lua> -- /usr/lib/systemd/system /etc/systemd/system
-- This script will run after any package is initially installed or
@@ -25,11 +29,13 @@
-- installed, because other cases are covered by the *un scriptlets,
-- so sometimes we will reload needlessly.
-pid = posix.fork()
-if pid == 0 then
- assert(posix.exec("%{_bindir}/systemctl", "daemon-reload"))
-elseif pid > 0 then
- posix.wait(pid)
+if posix.access("/run/systemd/system") then
+ pid = posix.fork()
+ if pid == 0 then
+ assert(posix.exec("%{_bindir}/systemctl", "daemon-reload"))
+ elseif pid > 0 then
+ posix.wait(pid)
+ end
end
%transfiletriggerun -p <lua> -- /usr/lib/systemd/system /etc/systemd/system
@@ -46,10 +52,12 @@ end
-- file in %transfiletriggerun and execute the daemon-reload in
-- the first %filetriggerpostun.
-posix.mkdir("%{_localstatedir}/lib")
-posix.mkdir("%{_localstatedir}/lib/rpm-state")
-posix.mkdir("%{_localstatedir}/lib/rpm-state/systemd")
-io.open("%{_localstatedir}/lib/rpm-state/systemd/needs-reload", "w")
+if posix.access("/run/systemd/system") then
+ posix.mkdir("%{_localstatedir}/lib")
+ posix.mkdir("%{_localstatedir}/lib/rpm-state")
+ posix.mkdir("%{_localstatedir}/lib/rpm-state/systemd")
+ io.open("%{_localstatedir}/lib/rpm-state/systemd/needs-reload", "w")
+end
%filetriggerpostun -P 1000100 -p <lua> -- /usr/lib/systemd/system /etc/systemd/system
if posix.access("%{_localstatedir}/lib/rpm-state/systemd/needs-reload") then
@@ -62,3 +70,89 @@ if posix.access("%{_localstatedir}/lib/rpm-state/systemd/needs-reload") then
posix.wait(pid)
end
end
+
+%transfiletriggerin -P 100700 -p <lua> -- /usr/lib/sysusers.d
+-- This script will process files installed in /usr/lib/sysusers.d to create
+-- specified users automatically. The priority is set such that it
+-- will run before the tmpfiles file trigger.
+if posix.access("/run/systemd/system") then
+ pid = posix.fork()
+ if pid == 0 then
+ assert(posix.exec("%{_bindir}/systemd-sysusers"))
+ elseif pid > 0 then
+ posix.wait(pid)
+ end
+end
+
+%transfiletriggerin -P 100500 -- /usr/lib/tmpfiles.d
+-- This script will process files installed in /usr/lib/tmpfiles.d to create
+-- tmpfiles automatically. The priority is set such that it will run
+-- after the sysusers file trigger, but before any other triggers.
+if posix.access("/run/systemd/system") then
+ pid = posix.fork()
+ if pid == 0 then
+ assert(posix.exec("%{_bindir}/systemd-tmpfiles", "--create"))
+ elseif pid > 0 then
+ posix.wait(pid)
+ end
+end
+
+%transfiletriggerin -- /usr/lib/udev/hwdb.d
+-- This script will automatically invoke hwdb update if files have been
+-- installed or updated in /usr/lib/udev/hwdb.d.
+if posix.access("/run/systemd/system") then
+ pid = posix.fork()
+ if pid == 0 then
+ assert(posix.exec("%{_bindir}/systemd-hwdb", "update"))
+ elseif pid > 0 then
+ posix.wait(pid)
+ end
+end
+
+%transfiletriggerin -- /usr/lib/systemd/catalog
+-- This script will automatically invoke journal catalog update if files
+-- have been installed or updated in /usr/lib/systemd/catalog.
+if posix.access("/run/systemd/system") then
+ pid = posix.fork()
+ if pid == 0 then
+ assert(posix.exec("%{_bindir}/journalctl", "--update-catalog"))
+ elseif pid > 0 then
+ posix.wait(pid)
+ end
+end
+
+%transfiletriggerin -- /usr/lib/udev/rules.d
+-- This script will automatically update udev with new rules if files
+-- have been installed or updated in /usr/lib/udev/rules.d.
+if posix.access("/run/systemd/system") then
+ pid = posix.fork()
+ if pid == 0 then
+ assert(posix.exec("%{_bindir}/udevadm", "control", "--reload"))
+ elseif pid > 0 then
+ posix.wait(pid)
+ end
+end
+
+%transfiletriggerin -- /usr/lib/sysctl.d
+-- This script will automatically apply sysctl rules if files have been
+-- installed or updated in /usr/lib/sysctl.d.
+if posix.access("/run/systemd/system") then
+ pid = posix.fork()
+ if pid == 0 then
+ assert(posix.exec("/usr/lib/systemd/systemd-sysctl"))
+ elseif pid > 0 then
+ posix.wait(pid)
+ end
+end
+
+%transfiletriggerin -- /usr/lib/binfmt.d
+-- This script will automatically apply binfmt rules if files have been
+-- installed or updated in /usr/lib/binfmt.d.
+if posix.access("/run/systemd/system") then
+ pid = posix.fork()
+ if pid == 0 then
+ assert(posix.exec("/usr/lib/systemd/systemd-binfmt"))
+ elseif pid > 0 then
+ posix.wait(pid)
+ end
+end