diff --git a/SPECS/systemd/CVE-2023-7008.patch b/SPECS/systemd/CVE-2023-7008.patch
new file mode 100644
index 00000000000..91ca454906c
--- /dev/null
+++ b/SPECS/systemd/CVE-2023-7008.patch
@@ -0,0 +1,36 @@
+From cbed44badf00e62b639e1cf04955080fcc8fc35a Mon Sep 17 00:00:00 2001
+From: akhila-guruju
+Date: Thu, 22 May 2025 10:35:31 +0000
+Subject: [PATCH] Address CVE-2023-7008
+
+Upstream Patch reference: https://github.com/systemd/systemd-stable/commit/4ada1290584745ab6643eece9e1756a8c0e079ca
+
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index 2ee45ff..5507fd9 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2781,7 +2781,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ if (r == 0)
+ continue;
+
+- return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+ }
+
+ return true;
+@@ -2808,7 +2808,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ /* We found the transaction that was supposed to find the SOA RR for us. It was
+ * successful, but found no RR for us. This means we are not at a zone cut. In this
+ * case, we require authentication if the SOA lookup was authenticated too. */
+- return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+ }
+
+ return true;
+--
+2.45.2
+
diff --git a/SPECS/systemd/fix-journald-audit-logging.patch b/SPECS/systemd/fix-journald-audit-logging.patch
index b802ead2c6f..6acb9c371b5 100644
--- a/SPECS/systemd/fix-journald-audit-logging.patch
+++ b/SPECS/systemd/fix-journald-audit-logging.patch
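Review bot: The patch description says only "Address CVE-2023-7008" and never states what was wrong, which a reviewer of a DNSSEC fix needs in order to judge the backport; the context comment in the second hunk ("we require authentication if the SOA lookup was authenticated too") shows the old code consulted the querying transaction `t` instead of the auxiliary SOA/DS transaction `dt`, so the check never reflected whether that lookup itself was authenticated. I would add one line to the description, e.g. `resolved: dns_transaction_requires_rrsig() read t->answer_query_flags (the current transaction) instead of dt->answer_query_flags (the auxiliary SOA/DS lookup), so an unauthenticated SOA/DS answer could make the RRSIG requirement evaluate false and unsigned records for a signed zone be accepted from the upstream resolver.` Both changed returns sit inside dns_transaction_requires_rrsig(), whose body starts before and ends after the hunks, so whether `dt` is guaranteed to be the matched, completed auxiliary transaction at these points (the preceding `if (r == 0) continue;` suggests a per-dt match test) cannot be confirmed from the hunk and should be checked against the Mariner tree it is applied to. The context lines appear here with collapsed indentation, presumably a rendering artifact; the file on disk must keep systemd's eight-space indentation or `patch` without `-l` will reject the hunks.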
@@ -29,4 +29,4 @@ index a8e3b175ac49..ea535a27af7f 100644
 + map_all_fields(p, map_fields_kernel, "_AUDIT_FIELD_", true, iovec, &n, n + N_IOVEC_AUDIT_FIELDS);
 server_dispatch_message(s, iovec, n, ELEMENTSOF(iovec), NULL, NULL, LOG_NOTICE, 0);
-
\ No newline at end of file
+
diff --git a/SPECS/systemd/systemd-bootstrap.spec b/SPECS/systemd/systemd-bootstrap.spec
index 73998d100ed..49ca1513b09 100644
--- a/SPECS/systemd/systemd-bootstrap.spec
+++ b/SPECS/systemd/systemd-bootstrap.spec
@@ -1,7 +1,7 @@
 Summary: Bootstrap version of systemd. Workaround for systemd circular dependency.
 Name: systemd-bootstrap
 Version: 250.3
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: LGPLv2+ AND GPLv2+ AND MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -25,6 +25,7 @@ Patch3: CVE-2022-3821.patch
 Patch4: CVE-2022-45873.patch
 Patch5: backport-helper-util-macros.patch
 Patch6: CVE-2022-4415.patch
+Patch7: CVE-2023-7008.patch
 BuildRequires: docbook-dtd-xml
 BuildRequires: docbook-style-xsl
 BuildRequires: gettext
@@ -246,6 +247,9 @@ fi
 %{_datadir}/pkgconfig/udev.pc
 %changelog
+* Fri May 23 2025 Akhila Guruju - 250.3-13
+- Patch CVE-2023-7008
+
 * Mon Mar 13 2023 Nicolas Guibourge - 250.3-12
 - Add patch for CVE-2022-4415
 - Add patch backport-helper-util-macros.patch to backport needed macros for CVE-2022-4415.patch
diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec
index 4350d82faff..c67848c2907 100644
--- a/SPECS/systemd/systemd.spec
+++ b/SPECS/systemd/systemd.spec
@@ -1,7 +1,7 @@
 Summary: Systemd-250
 Name: systemd
 Version: 250.3
-Release: 21%{?dist}
+Release: 22%{?dist}
 License: LGPLv2+ AND GPLv2+ AND MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
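Review bot: Adding `Patch7: CVE-2023-7008.patch` to the tag list in systemd-bootstrap.spec only ships the fix if `%prep` applies every declared Patch tag; `%prep` is outside this diff, so if it uses explicit `%patchN -p1` lines rather than `%autosetup -p1`, a matching `%patch7 -p1` is still missing and the package would be rebuilt with the CVE unfixed while its changelog claims otherwise. The earlier entries (Patch5/Patch6 for CVE-2022-4415) suggest the mechanism is already established, but for a DNSSEC-downgrade fix it is worth confirming in the build log that "CVE-2023-7008.patch" is actually applied to the bootstrap build as well as the main one.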
@@ -31,6 +31,7 @@ Patch8: serve-stale-0002-resolved-Initialize-until_valid-while-storing-n
 Patch9: mariner-2-do-not-default-zstd-journal-files-for-backwards-compatibility.patch
 Patch10: mariner-2-force-use-of-lz4-for-coredump.patch
 Patch11: networkd-default-use-domains.patch
+Patch12: CVE-2023-7008.patch
 BuildRequires: audit-devel
 BuildRequires: cryptsetup-devel
 BuildRequires: docbook-dtd-xml
@@ -289,6 +290,9 @@ fi
 %files lang -f %{name}.lang
 %changelog
+* Thu May 22 2025 Akhila Guruju - 250.3-22
+- Patch CVE-2023-7008
+
 * Mon Apr 08 2024 Henry Li - 250.3-21
 - Add patch to allow configurability of "UseDomains=" for networkd
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index e9d059c0d69..d3baccf140e 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -554,10 +554,10 @@ sqlite-devel-3.39.2-3.cm2.aarch64.rpm
 sqlite-libs-3.39.2-3.cm2.aarch64.rpm
 swig-4.0.2-3.cm2.aarch64.rpm
 swig-debuginfo-4.0.2-3.cm2.aarch64.rpm
-systemd-bootstrap-250.3-12.cm2.aarch64.rpm
-systemd-bootstrap-debuginfo-250.3-12.cm2.aarch64.rpm
-systemd-bootstrap-devel-250.3-12.cm2.aarch64.rpm
-systemd-bootstrap-rpm-macros-250.3-12.cm2.noarch.rpm
+systemd-bootstrap-250.3-13.cm2.aarch64.rpm
+systemd-bootstrap-debuginfo-250.3-13.cm2.aarch64.rpm
+systemd-bootstrap-devel-250.3-13.cm2.aarch64.rpm
+systemd-bootstrap-rpm-macros-250.3-13.cm2.noarch.rpm
 tar-1.34-3.cm2.aarch64.rpm
 tar-debuginfo-1.34-3.cm2.aarch64.rpm
 tdnf-3.5.2-4.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 1554795384d..b49d6f6336b 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
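Review bot: The same CVE-2023-7008.patch file is declared here as Patch12 on top of local resolved-related changes (Patch8's name reads serve-stale/resolved), while systemd-bootstrap.spec applies it as Patch7 on a tree without those patches, so the two builds apply one patch to two differently pre-patched sources and each should be checked in its build log for an offset, fuzz or reject rather than assumed good because the other applied. The changelog entry `- Patch CVE-2023-7008` would help anyone auditing the package history if it named the component and effect, e.g. `- Patch CVE-2023-7008 (resolved: RRSIG requirement checked the wrong transaction's authenticated flag)`.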
@@ -560,10 +560,10 @@ sqlite-devel-3.39.2-3.cm2.x86_64.rpm
 sqlite-libs-3.39.2-3.cm2.x86_64.rpm
 swig-4.0.2-3.cm2.x86_64.rpm
 swig-debuginfo-4.0.2-3.cm2.x86_64.rpm
-systemd-bootstrap-250.3-12.cm2.x86_64.rpm
-systemd-bootstrap-debuginfo-250.3-12.cm2.x86_64.rpm
-systemd-bootstrap-devel-250.3-12.cm2.x86_64.rpm
-systemd-bootstrap-rpm-macros-250.3-12.cm2.noarch.rpm
+systemd-bootstrap-250.3-13.cm2.x86_64.rpm
+systemd-bootstrap-debuginfo-250.3-13.cm2.x86_64.rpm
+systemd-bootstrap-devel-250.3-13.cm2.x86_64.rpm
+systemd-bootstrap-rpm-macros-250.3-13.cm2.noarch.rpm
 tar-1.34-3.cm2.x86_64.rpm
 tar-debuginfo-1.34-3.cm2.x86_64.rpm
 tdnf-3.5.2-4.cm2.x86_64.rpm