Adding systemd patch for CVE-2023-7008 (#11315)

Co-authored-by: Sam Meluch <[email protected]>
microsoft · Jan 14, 2025 · 97f9494 · 97f9494
1 parent 3f92114
commit 97f9494
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 4 deletions.
diff --git a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec
@@ -14,7 +14,7 @@ Version:        255
 # determine the build information from local checkout
 Version:        %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
 %endif
-Release:        19%{?dist}
+Release:        20%{?dist}
 License:        LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -93,6 +93,10 @@ popd
 /boot/efi/EFI/BOOT/grubx64.efi
 
 %changelog
+* Fri Jan 10 2024 Aditya Dubey <[email protected]> - 255-20
+- Updating to version 255-19
+- Includes patch for enhancing DNSSEC signature validation integrity
+
 * Thu Dec 12 2024 Daniel McIlvaney <[email protected]> - 255-19
 - Version bump to force signing with new Azure Linux secure boot key
 - Add confilcts/recommends on shim to ensure the keys match

diff --git a/SPECS/systemd/CVE-2023-7008.patch b/SPECS/systemd/CVE-2023-7008.patch
@@ -0,0 +1,38 @@
+From 43124825d209452d677c267c96da3592e418fca9 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <[email protected]>
+Date: Wed, 20 Dec 2023 16:44:14 +0100
+Subject: [PATCH] resolved: actually check authenticated flag of SOA
+ transaction
+
+Fixes #25676
+
+(cherry picked from commit 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1)
+
+Resolves: RHEL-6216
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index 0212569fb03..0306af84a21 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2800,7 +2800,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         if (r == 0)
+                                 continue;
+
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+
+                 return true;
+@@ -2827,7 +2827,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         /* We found the transaction that was supposed to find the SOA RR for us. It was
+                          * successful, but found no RR for us. This means we are not at a zone cut. In this
+                          * case, we require authentication if the SOA lookup was authenticated too. */
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+
+                 return true;
+
diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec
@@ -50,7 +50,7 @@ Version:        255
 # determine the build information from local checkout
 Version:        %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
 %endif
-Release:        19%{?dist}
+Release:        20%{?dist}
 
 # FIXME - hardcode to 'stable' for now as that's what we have in our blobstore
 %global stable 1
@@ -142,6 +142,7 @@ Patch0491:      azurelinux-use-system-auth-in-pam-systemd-user.patch
 # Patches for Azure Linux
 Patch0900:      do-not-test-openssl-sm3.patch
 Patch0901:      networkd-default-use-domains.patch
+Patch0902:      CVE-2023-7008.patch
 
 %ifarch %{ix86} x86_64
 %global want_bootloader 1
@@ -1216,6 +1217,10 @@ rm -f %{name}.lang
 # %autochangelog. So we need to continue manually maintaining the
 # changelog here.
 %changelog
+* Fri Jan 10 2025 Aditya Dubey <[email protected]> - 255-20
+- adding patch for enhancing DNSSEC signature validation integrity
+- addresses CVE-2023-7008
+
 * Thu Dec 12 2024 Daniel McIlvaney <[email protected]> - 255-19
 - Version bump to force signing with new Azure Linux secure boot key
 
@@ -1237,7 +1242,7 @@ rm -f %{name}.lang
 * Thu May 02 2024 Rachel Menge <[email protected]> - 255-13
 - Supply 10-console-messages.conf sysctl to lower the default kernel messages to the console
 
-* Thu Apr 18 2024 Dan Streetman <[email protected]> - 255-12
+* Thu Apr 25 2024 Dan Streetman <[email protected]> - 255-12
 - move libidn2 recommends from core package to systemd-networkd
 
 * Wed Apr 24 2024 Dan Streetman <[email protected]> - 255-11
@@ -1253,7 +1258,7 @@ rm -f %{name}.lang
 * Mon Mar 11 2024 Daniel McIlvaney <[email protected]> - 255-8
 - Obsolete the new systemd-bootstrap-libs subpacakge.
 
-* Thu Feb 22 2024 Dan Streetman <[email protected]> - 255-7
+* Thu Feb 29 2024 Dan Streetman <[email protected]> - 255-7
 - remove use of %%azure (or %%azl) macro
 
 * Wed Feb 28 2024 Dan Streetman <[email protected]> - 255-6