diff --git a/backport-01-CVE-2023-50387.patch b/backport-01-CVE-2023-50387.patch
new file mode 100644
index 0000000000000000000000000000000000000000..72cd7df6843806bee8270d030f3a57d081552b20
--- /dev/null
+++ b/backport-01-CVE-2023-50387.patch
@@ -0,0 +1,33 @@
+From 572692f0bdd6a3fabe3dd4a3e8e5565cc69b5e14 Mon Sep 17 00:00:00 2001
+From: Ronan Pigott
+Date: Sun, 25 Feb 2024 00:23:32 -0700
+Subject: [PATCH] resolved: reduce the maximum nsec3 iterations to 100
+
+According to RFC9267, the 2500 value is not helpful, and in fact it can
+be harmful to permit a large number of iterations. Combined with limits
+on the number of signature validations, I expect this will mitigate the
+impact of maliciously crafted domains designed to cause excessive
+cryptographic work.
+
+(cherry picked from commit eba291124bc11f03732d1fc468db3bfac069f9cb)
+---
+ src/resolve/resolved-dns-dnssec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
+index aa87820dca..a192d82083 100644
+--- a/src/resolve/resolved-dns-dnssec.c
++++ b/src/resolve/resolved-dns-dnssec.c
+@@ -28,8 +28,9 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_KEY*, EC_KEY_free, NULL);
+ /* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
+ #define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
+
+-/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value */
+-#define NSEC3_ITERATIONS_MAX 2500
++/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value, but
++ * RFC9276 § 3.2 says that we should reduce the acceptable iteration count */
++#define NSEC3_ITERATIONS_MAX 100
+
+ /*
+ * The DNSSEC Chain of trust:
+
diff --git a/backport-02-CVE-2023-50387.patch b/backport-02-CVE-2023-50387.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7c82cab391ea4e186b8557f06b5955472fb7b4e4
--- /dev/null
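Review bot: The new comment on the `NSEC3_ITERATIONS_MAX` lines cites RFC9276 § 3.2 for lowering the cap to 100 but does not say what an NSEC3 RR above the cap now produces, and the code that enforces the constant is outside this hunk. As I read RFC 9276 § 3.2, counts above 100 should be treated as insecure while only counts above 500 may be answered with an error, so a reader cannot tell from the constant alone which of the two outcomes the existing check yields at the new threshold; suggest extending the comment with ` * NSEC3 RRs above this count are rejected by the NSEC3_ITERATIONS_MAX check below; see there for the resulting verdict` (worded to match the actual behaviour of that check). The patch description refers to RFC9267 while the comment refers to RFC9276; the latter is the NSEC3 parameter guidance, so the number in the description looks like a typo inherited from upstream.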
+++ b/backport-02-CVE-2023-50387.patch 
@@ -0,0 +1,169 @@
+From 9850ae09441a3315c5bcdd72f2d33d5fa3f73b40 Mon Sep 17 00:00:00 2001
+From: rabbitali
+Date: Tue, 14 Oct 2025 00:25:58 +0800
+Subject: [PATCH 1/1] backport-CVE-2023-50387.patch
+
+---
+ src/resolve/resolved-dns-dnssec.c | 16 ++++++++++++++--
+ src/resolve/resolved-dns-dnssec.h | 9 ++++++++-
+ src/resolve/resolved-dns-transaction.c | 19 ++++++++++++++++---
+ 3 files changed, 38 insertions(+), 6 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
+index 2580c23..aa87820 100644
+--- a/src/resolve/resolved-dns-dnssec.c
++++ b/src/resolve/resolved-dns-dnssec.c
+@@ -1169,6 +1169,7 @@ int dnssec_verify_rrset_search(
+ DnsResourceRecord **ret_rrsig) {
+
+ bool found_rrsig = false, found_invalid = false, found_expired_rrsig = false, found_unsupported_algorithm = false;
++ unsigned nvalidations = 0;
+ DnsResourceRecord *rrsig;
+ int r;
+
+@@ -1214,6 +1215,14 @@ int dnssec_verify_rrset_search(
+ if (realtime == USEC_INFINITY)
+ realtime = now(CLOCK_REALTIME);
+
++ /* Have we seen an unreasonable number of invalid signaures? */
++ if (nvalidations > DNSSEC_INVALID_MAX) {
++ if (ret_rrsig)
++ *ret_rrsig = NULL;
++ *result = DNSSEC_TOO_MANY_VALIDATIONS;
++ return (int) nvalidations;
++ }
++
+ /* Yay, we found a matching RRSIG with a matching
+ * DNSKEY, awesome. Now let's verify all entries of
+ * the RRSet against the RRSIG and DNSKEY
+@@ -1223,6 +1232,8 @@ int dnssec_verify_rrset_search(
+ if (r < 0)
+ return r;
+
++ nvalidations++;
++
+ switch (one_result) {
+
+ case DNSSEC_VALIDATED:
+@@ -1233,7 +1244,7 @@ int dnssec_verify_rrset_search(
+ *ret_rrsig = rrsig;
+
+ *result = one_result;
+- return 0;
++ return (int) nvalidations;
+
+ case DNSSEC_INVALID:
+ /* If the signature is invalid, let's try another
+@@ -1280,7 +1291,7 @@ int dnssec_verify_rrset_search(
+ if (ret_rrsig)
+ *ret_rrsig = NULL;
+
+- return 0;
++ return (int) nvalidations;
+ }
+
+ int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key) {
+@@ -2564,6 +2575,7 @@ static const char* const dnssec_result_table[_DNSSEC_RESULT_MAX] = {
+ [DNSSEC_FAILED_AUXILIARY] = "failed-auxiliary",
+ [DNSSEC_NSEC_MISMATCH] = "nsec-mismatch",
+ [DNSSEC_INCOMPATIBLE_SERVER] = "incompatible-server",
++ [DNSSEC_TOO_MANY_VALIDATIONS] = "too-many-validations",
+ };
+ DEFINE_STRING_TABLE_LOOKUP(dnssec_result, DnssecResult);
+
+diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h
+index 954bb3e..29b9013 100644
+--- a/src/resolve/resolved-dns-dnssec.h
++++ b/src/resolve/resolved-dns-dnssec.h
+@@ -9,12 +9,13 @@ typedef enum DnssecVerdict DnssecVerdict;
+ #include "resolved-dns-rr.h"
+
+ enum DnssecResult {
+- /* These five are returned by dnssec_verify_rrset() */
++ /* These six are returned by dnssec_verify_rrset() */
+ DNSSEC_VALIDATED,
+ DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
+ DNSSEC_INVALID,
+ DNSSEC_SIGNATURE_EXPIRED,
+ DNSSEC_UNSUPPORTED_ALGORITHM,
++ DNSSEC_TOO_MANY_VALIDATIONS,
+
+ /* These two are added by dnssec_verify_rrset_search() */
+ DNSSEC_NO_SIGNATURE,
+@@ -45,6 +46,12 @@ enum DnssecVerdict {
+ /* The longest digest we'll ever generate, of all digest algorithms we support */
+ #define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
+
++/* The most invalid signatures we will tolerate for a single rrset */
++#define DNSSEC_INVALID_MAX 5
++
++/* The total number of signature validations we will tolerate for a single transaction */
++#define DNSSEC_VALIDATION_MAX 64
++
+ int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
+ int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index fe88e50..0d212ed 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -3148,11 +3148,14 @@ static int dnssec_validate_records(
+ DnsTransaction *t,
+ Phase phase,
+ bool *have_nsec,
++ unsigned *nvalidations,
+ DnsAnswer **validated) {
+
+ DnsResourceRecord *rr;
+ int r;
+
++ assert(nvalidations);
++
+ /* Returns negative on error, 0 if validation failed, 1 to restart validation, 2 when finished. */
+
+ DNS_ANSWER_FOREACH(rr, t->answer) {
+@@ -3194,6 +3197,7 @@ static int dnssec_validate_records(
+ &rrsig);
+ if (r < 0)
+ return r;
++ *nvalidations += r;
+
+ log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result));
+
+@@ -3391,7 +3395,8 @@ static int dnssec_validate_records(
+ DNSSEC_SIGNATURE_EXPIRED,
+ DNSSEC_NO_SIGNATURE))
+ manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key);
+- else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
++ else /* DNSSEC_MISSING_KEY, DNSSEC_UNSUPPORTED_ALGORITHM,
++ or DNSSEC_TOO_MANY_VALIDATIONS */
+ manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key);
+
+ /* This is a primary response to our question, and it failed validation.
+@@ -3484,13 +3489,21 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
+ return r;
+
+ phase = DNSSEC_PHASE_DNSKEY;
+- for (;;) {
++ for (unsigned nvalidations = 0;;) {
+ bool have_nsec = false;
+
+- r = dnssec_validate_records(t, phase, &have_nsec, &validated);
++ r = dnssec_validate_records(t, phase, &have_nsec, &nvalidations, &validated);
+ if (r <= 0)
+ return r;
+
++ if (nvalidations > DNSSEC_VALIDATION_MAX) {
++ /* This reply requires an onerous number of signature validations to verify. Let's
++ * not waste our time trying, as this shouldn't happen for well-behaved domains
++ * anyway. */
++ t->answer_dnssec_result = DNSSEC_TOO_MANY_VALIDATIONS;
++ return 0;
++ }
++
+ /* Try again as long as we managed to achieve something */
+ if (r == 1)
+ continue;
+--
+2.47.3
+
diff --git a/backport-meson-do-not-fail-build-with-newer-kernel-headers.patch b/backport-meson-do-not-fail-build-with-newer-kernel-headers.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e7579105c2fe94b52194e4732b2075f283bcc9ac
--- /dev/null
+++ b/backport-meson-do-not-fail-build-with-newer-kernel-headers.patch
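Review bot: The two `return (int) nvalidations;` lines change dnssec_verify_rrset_search() from returning 0 on success to returning the number of signature checks performed, and the only call site this patch updates is the one in dnssec_validate_records() (`*nvalidations += r;`); any other caller that treats a non-zero return as failure — a unit test, for instance — would now misbehave, and none is visible here, so the backport should confirm no such caller exists in this tree. The function's header comment is outside the hunk and should state the new contract, e.g. `/* Returns the number of signature validations performed (>= 0), or a negative errno; *result carries the verdict. */`. The `DNSSEC_INVALID_MAX` check is reached for every non-validated outcome counted by `nvalidations++`, including expired and unsupported-algorithm signatures, so the comment `Have we seen an unreasonable number of invalid signaures?` undercounts what it bounds; `/* Have we already spent too many signature checks on this RRset without a valid one? */` would be accurate. Unlike backport-01, this patch's message carries no `(cherry picked from commit …)` trailer although the spec comment names an upstream commit, so adding the trailer would make the provenance auditable from the patch itself.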
@@ -0,0 +1,37 @@
+From f14895301489e7f36db24afb022ea89646176eaa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Sun, 7 Apr 2024 10:39:20 +0200
+Subject: [PATCH 0499/1160] meson: do not fail build with newer kernel headers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+systemd-255 is failing a build with the latest kernel headers… Let's downgrade
+this warning, because it's fine if there's a file system we don't know about
+and it makes thing less brittle if we don't treat this as a hard error.
+
+(I initially conditionalized this on BUILD_MODE, but I don't think we need a
+hard error there either. A warning will be noticed and fixed.)
+
+(cherry picked from commit c71b50179e24282a74a8d9faed82b01fb3aaeb6d)
+---
+ src/basic/meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/meson.build b/src/basic/meson.build
+index d7450d8b44..111253e3a5 100644
+--- a/src/basic/meson.build
++++ b/src/basic/meson.build
+@@ -235,7 +235,7 @@ filesystem_includes = ['linux/magic.h',
+ check_filesystems = find_program('check-filesystems.sh')
+ r = run_command([check_filesystems, cpp, files('filesystems-gperf.gperf')] + filesystem_includes, check: false)
+ if r.returncode() != 0
+- error('Unknown filesystems defined in kernel headers:\n\n' + r.stdout())
++ warning('Unknown filesystems defined in kernel headers:\n\n' + r.stdout())
+ endif
+
+ filesystems_gperf_h = custom_target(
+--
+2.33.0
+
+
diff --git a/systemd.spec b/systemd.spec
index c923846556db88771c3fdc52ebc8b8cd0cdaeca1..d6f33cf1d9133e119d61c4048bcad6cb5d2eae38 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -1,4 +1,4 @@
-%define anolis_release 8
+%define anolis_release 9
 %global __requires_exclude pkg-config
 %global pkgdir %{_prefix}/lib/systemd
@@ -66,9 +66,15 @@ Patch0493: coredump-get-rid-of-_META_MANDATORY_MAX.patch
 Patch0494: 0494-Fix-CVE-2025-4598.patch
 Patch0495: coredump-also-stop-forwarding-non-dumpable-processes.patch
 Patch0496: coredump-get-rid-of-a-bogus-assertion.patch
+# https://github.com/systemd/systemd-stable/commit/572692f0bdd6a3fabe3dd4a3e8e5565cc69b5e14
+Patch0497: backport-01-CVE-2023-50387.patch
+# https://github.com/systemd/systemd-stable/commit/1ebdb19ff194120109b08bbf888bdcc502f83211
+Patch0498: backport-02-CVE-2023-50387.patch
+# https://github.com/systemd/systemd/commit/c71b50179e24282a74a8d9faed82b01fb3aaeb6d
+Patch0499: backport-meson-do-not-fail-build-with-newer-kernel-headers.patch
 Patch1001: Systemd-Add-sw64-architecture.patch
-
+
 BuildRequires: gcc gcc-c++ clang coreutils
 BuildRequires: libcap-devel libmount-devel libfdisk-devel libpwquality-devel
 BuildRequires: pam-devel libselinux-devel audit-libs-devel dbus-devel
@@ -2177,6 +2183,9 @@ fi
 %doc docs/DISTRO_PORTING.md docs/HACKING.md
 %changelog
+* Tue Oct 14 2025 wenxin - 255-9
+- add patch to Fix CVE-2023-50387
+
 * Mon Sep 15 2025 zhoujiajia111 - 255-8
 - Fix abnormal version conflict information
@@ -2198,7 +2207,7 @@ fi
 * Mon Apr 8 2024 Wenlong Zhang - 255-2
 - fix build error for loongarch64
-* Fri Mar 21 2024 Zhenyu Wang - 255
+* Fri Mar 22 2024 Zhenyu Wang - 255
 - update to 255
 * Wed Jan 31 2024 wangkaiyuan - 252.4-9
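Review bot: The new Patch0497–Patch0499 entries only declare the patch files; whether they are applied depends on the %prep section, which is outside this hunk — if the spec uses explicit %patch directives rather than %autosetup, matching lines are needed or the fix silently does not ship, so that should be checked before merging. The comment above Patch0498 points at systemd-stable commit 1ebdb19ff194120109b08bbf888bdcc502f83211, but backport-02-CVE-2023-50387.patch itself carries a different author and no cherry-pick trailer, so this comment is the only provenance link and the two should be kept in sync. The changelog line `- add patch to Fix CVE-2023-50387` covers three patches, one of which (the meson kernel-headers change) is unrelated to the CVE; a second line such as `- backport meson fix for newer kernel headers` would keep the changelog accurate.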