microsoft · akhila-guruju · May 23, 2025 · May 23, 2025 · May 23, 2025
@@ -0,0 +1,36 @@
+From cbed44badf00e62b639e1cf04955080fcc8fc35a Mon Sep 17 00:00:00 2001
+From: akhila-guruju <[email protected]>
+Date: Thu, 22 May 2025 10:35:31 +0000
+Subject: [PATCH] Address CVE-2023-7008
+
+Upstream Patch reference: https://github.com/systemd/systemd-stable/commit/4ada1290584745ab6643eece9e1756a8c0e079ca
+
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index 2ee45ff..5507fd9 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2781,7 +2781,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         if (r == 0)
+                                 continue;
+
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+
+                 return true;
+@@ -2808,7 +2808,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         /* We found the transaction that was supposed to find the SOA RR for us. It was
+                          * successful, but found no RR for us. This means we are not at a zone cut. In this
+                          * case, we require authentication if the SOA lookup was authenticated too. */
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+
+                 return true;
+-- 
+2.45.2
+
@@ -29,4 +29,4 @@ index a8e3b175ac49..ea535a27af7f 100644
 +        map_all_fields(p, map_fields_kernel, "_AUDIT_FIELD_", true, iovec, &n, n + N_IOVEC_AUDIT_FIELDS);
 
          server_dispatch_message(s, iovec, n, ELEMENTSOF(iovec), NULL, NULL, LOG_NOTICE, 0);
-         
+
@@ -1,7 +1,7 @@
 Summary:        Bootstrap version of systemd. Workaround for systemd circular dependency.
 Name:           systemd-bootstrap
 Version:        250.3
-Release:        17%{?dist}
+Release:        18%{?dist}
 License:        LGPLv2+ AND GPLv2+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -48,6 +48,7 @@ Patch7:         update-cifs-for-kernel-headers-6.1.patch
 #    5. Repeat from 2. as needed until it builds
 #    6. Build both systemd and systemd-bootstrap, validate the contents of systemd-rpm-macros and system-bootstrap-rpm-macros are identical
 Patch8:         use-255-macros.patch
+Patch9:         CVE-2023-7008.patch
 BuildRequires:  docbook-dtd-xml
 BuildRequires:  docbook-style-xsl
 BuildRequires:  gettext
@@ -285,6 +286,9 @@ fi
 %{_datadir}/pkgconfig/udev.pc
 
 %changelog
+* Fri May 23 2025 Akhila Guruju <[email protected]> - 250.3-18
+- Patch CVE-2023-7008
+
 * Mon Mar 11 2024 Daniel McIlvaney <[email protected]> - 250.3-17
 - Split libs into their own subpackage to align with full systemd.
 

@@ -579,11 +579,11 @@ sqlite-devel-3.44.0-1.azl3.aarch64.rpm
 sqlite-libs-3.44.0-1.azl3.aarch64.rpm
 swig-4.2.1-1.azl3.aarch64.rpm
 swig-debuginfo-4.2.1-1.azl3.aarch64.rpm
-systemd-bootstrap-250.3-17.azl3.aarch64.rpm
-systemd-bootstrap-debuginfo-250.3-17.azl3.aarch64.rpm
-systemd-bootstrap-devel-250.3-17.azl3.aarch64.rpm
-systemd-bootstrap-libs-250.3-17.azl3.aarch64.rpm
-systemd-bootstrap-rpm-macros-250.3-17.azl3.noarch.rpm
+systemd-bootstrap-250.3-18.azl3.aarch64.rpm
+systemd-bootstrap-debuginfo-250.3-18.azl3.aarch64.rpm
+systemd-bootstrap-devel-250.3-18.azl3.aarch64.rpm
+systemd-bootstrap-libs-250.3-18.azl3.aarch64.rpm
+systemd-bootstrap-rpm-macros-250.3-18.azl3.noarch.rpm
 tar-1.35-2.azl3.aarch64.rpm
 tar-debuginfo-1.35-2.azl3.aarch64.rpm
 tdnf-3.5.8-7.azl3.aarch64.rpm

@@ -587,11 +587,11 @@ sqlite-devel-3.44.0-1.azl3.x86_64.rpm
 sqlite-libs-3.44.0-1.azl3.x86_64.rpm
 swig-4.2.1-1.azl3.x86_64.rpm
 swig-debuginfo-4.2.1-1.azl3.x86_64.rpm
-systemd-bootstrap-250.3-17.azl3.x86_64.rpm
-systemd-bootstrap-debuginfo-250.3-17.azl3.x86_64.rpm
-systemd-bootstrap-devel-250.3-17.azl3.x86_64.rpm
-systemd-bootstrap-libs-250.3-17.azl3.x86_64.rpm
-systemd-bootstrap-rpm-macros-250.3-17.azl3.noarch.rpm
+systemd-bootstrap-250.3-18.azl3.x86_64.rpm
+systemd-bootstrap-debuginfo-250.3-18.azl3.x86_64.rpm
+systemd-bootstrap-devel-250.3-18.azl3.x86_64.rpm
+systemd-bootstrap-libs-250.3-18.azl3.x86_64.rpm
+systemd-bootstrap-rpm-macros-250.3-18.azl3.noarch.rpm
 tar-1.35-2.azl3.x86_64.rpm
 tar-debuginfo-1.35-2.azl3.x86_64.rpm
 tdnf-3.5.8-7.azl3.x86_64.rpm
Original file line number	Diff line number	Diff line change
Expand Up		@@ -29,4 +29,4 @@ index a8e3b175ac49..ea535a27af7f 100644
		+ map_all_fields(p, map_fields_kernel, "_AUDIT_FIELD_", true, iovec, &n, n + N_IOVEC_AUDIT_FIELDS);

		server_dispatch_message(s, iovec, n, ELEMENTSOF(iovec), NULL, NULL, LOG_NOTICE, 0);