[Medium] Patch systemd-bootstrap for CVE-2023-7008 #13883

Status: Open. Wants to merge 3 commits into base branch 3.0-dev.
36 changes: 36 additions & 0 deletions SPECS/systemd-bootstrap/CVE-2023-7008.patch
@@ -0,0 +1,36 @@
From cbed44badf00e62b639e1cf04955080fcc8fc35a Mon Sep 17 00:00:00 2001
From: akhila-guruju <[email protected]>
Date: Thu, 22 May 2025 10:35:31 +0000
Subject: [PATCH] Address CVE-2023-7008

Upstream Patch reference: https://github.com/systemd/systemd-stable/commit/4ada1290584745ab6643eece9e1756a8c0e079ca

---
src/resolve/resolved-dns-transaction.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 2ee45ff..5507fd9 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2781,7 +2781,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
if (r == 0)
continue;

- return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
}

return true;
@@ -2808,7 +2808,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
/* We found the transaction that was supposed to find the SOA RR for us. It was
* successful, but found no RR for us. This means we are not at a zone cut. In this
* case, we require authentication if the SOA lookup was authenticated too. */
- return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
}

return true;
--
2.45.2
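Review bot: `dt` is not declared in the visible context of either nested hunk, and this patch is a port of the systemd-stable commit named in the header (4ada1290...) onto 250.3, so please confirm that `dns_transaction_requires_rrsig()` in the 250.3 source still has the same loop over the dependent transaction `dt` at the `@@ -2781` and `@@ -2808` offsets; if the function has drifted, the hunks may fuzz into the wrong `return` or fail to apply. The in-code comment on the second hunk ("we require authentication if the SOA lookup was authenticated too") supports the substance of the change: the authenticated flag of the SOA lookup transaction `dt`, not of the current transaction `t`, is what must be checked, so the two one-token replacements are the right fix once they land at the right place.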

2 changes: 1 addition & 1 deletion SPECS/systemd-bootstrap/fix-journald-audit-logging.patch
Expand Up @@ -29,4 +29,4 @@ index a8e3b175ac49..ea535a27af7f 100644
+ map_all_fields(p, map_fields_kernel, "_AUDIT_FIELD_", true, iovec, &n, n + N_IOVEC_AUDIT_FIELDS);

server_dispatch_message(s, iovec, n, ELEMENTSOF(iovec), NULL, NULL, LOG_NOTICE, 0);
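Review bot: only the added `map_all_fields(...)` line is visible although the file header reports one addition and one deletion, so the removed line cannot be reviewed here; more importantly, this edit to an existing journald audit-logging patch is unrelated to CVE-2023-7008 and is mentioned neither in the PR title nor in the changelog entry. Please either explain in the commit message what changed in the arguments and why, or split it into its own PR so the CVE fix can be reviewed and backported on its own.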

6 changes: 5 additions & 1 deletion SPECS/systemd-bootstrap/systemd-bootstrap.spec
@@ -1,7 +1,7 @@
Summary: Bootstrap version of systemd. Workaround for systemd circular dependency.
Name: systemd-bootstrap
Version: 250.3
Release: 17%{?dist}
Release: 18%{?dist}
License: LGPLv2+ AND GPLv2+ AND MIT
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand Down Expand Up @@ -48,6 +48,7 @@ Patch7: update-cifs-for-kernel-headers-6.1.patch
# 5. Repeat from 2. as needed until it builds
# 6. Build both systemd and systemd-bootstrap, validate the contents of systemd-rpm-macros and system-bootstrap-rpm-macros are identical
Patch8: use-255-macros.patch
Patch9: CVE-2023-7008.patch
BuildRequires: docbook-dtd-xml
BuildRequires: docbook-style-xsl
BuildRequires: gettext
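Review bot: `Patch9: CVE-2023-7008.patch` is declared, but no `%prep` line is touched anywhere in this diff; if this spec applies patches with explicit `%patchN -p1` directives rather than `%autosetup`, a matching `%patch9 -p1` is needed or the patch will ship in the SRPM without ever being applied. Please confirm which mechanism the spec uses, e.g. by checking that `rpmbuild -bp` logs CVE-2023-7008.patch being applied.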
Expand Down Expand Up @@ -285,6 +286,9 @@ fi
%{_datadir}/pkgconfig/udev.pc

%changelog
* Fri May 23 2025 Akhila Guruju <[email protected]> - 250.3-18
- Patch CVE-2023-7008

* Mon Mar 11 2024 Daniel McIlvaney <[email protected]> - 250.3-17
- Split libs into their own subpackage to align with full systemd.
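Review bot: the 250.3-18 changelog entry lists only the CVE patch, while the same change set also edits fix-journald-audit-logging.patch; add a line describing that edit (or drop it from this PR). Citing the upstream systemd-stable commit in the entry, as the patch header already does, would also make the provenance visible from `rpm -q --changelog`.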

10 changes: 5 additions & 5 deletions toolkit/resources/manifests/package/toolchain_aarch64.txt
Expand Up @@ -579,11 +579,11 @@ sqlite-devel-3.44.0-1.azl3.aarch64.rpm
sqlite-libs-3.44.0-1.azl3.aarch64.rpm
swig-4.2.1-1.azl3.aarch64.rpm
swig-debuginfo-4.2.1-1.azl3.aarch64.rpm
systemd-bootstrap-250.3-17.azl3.aarch64.rpm
systemd-bootstrap-debuginfo-250.3-17.azl3.aarch64.rpm
systemd-bootstrap-devel-250.3-17.azl3.aarch64.rpm
systemd-bootstrap-libs-250.3-17.azl3.aarch64.rpm
systemd-bootstrap-rpm-macros-250.3-17.azl3.noarch.rpm
systemd-bootstrap-250.3-18.azl3.aarch64.rpm
systemd-bootstrap-debuginfo-250.3-18.azl3.aarch64.rpm
systemd-bootstrap-devel-250.3-18.azl3.aarch64.rpm
systemd-bootstrap-libs-250.3-18.azl3.aarch64.rpm
systemd-bootstrap-rpm-macros-250.3-18.azl3.noarch.rpm
tar-1.35-2.azl3.aarch64.rpm
tar-debuginfo-1.35-2.azl3.aarch64.rpm
tdnf-3.5.8-7.azl3.aarch64.rpm
10 changes: 5 additions & 5 deletions toolkit/resources/manifests/package/toolchain_x86_64.txt
Expand Up @@ -587,11 +587,11 @@ sqlite-devel-3.44.0-1.azl3.x86_64.rpm
sqlite-libs-3.44.0-1.azl3.x86_64.rpm
swig-4.2.1-1.azl3.x86_64.rpm
swig-debuginfo-4.2.1-1.azl3.x86_64.rpm
systemd-bootstrap-250.3-17.azl3.x86_64.rpm
systemd-bootstrap-debuginfo-250.3-17.azl3.x86_64.rpm
systemd-bootstrap-devel-250.3-17.azl3.x86_64.rpm
systemd-bootstrap-libs-250.3-17.azl3.x86_64.rpm
systemd-bootstrap-rpm-macros-250.3-17.azl3.noarch.rpm
systemd-bootstrap-250.3-18.azl3.x86_64.rpm
systemd-bootstrap-debuginfo-250.3-18.azl3.x86_64.rpm
systemd-bootstrap-devel-250.3-18.azl3.x86_64.rpm
systemd-bootstrap-libs-250.3-18.azl3.x86_64.rpm
systemd-bootstrap-rpm-macros-250.3-18.azl3.noarch.rpm
tar-1.35-2.azl3.x86_64.rpm
tar-debuginfo-1.35-2.azl3.x86_64.rpm
tdnf-3.5.8-7.azl3.x86_64.rpm