[systemd/f16] CVE-2012-1174 (#804118)

Michal Schmidt michich at fedoraproject.org
Fri Mar 16 17:42:58 UTC 2012


commit f3be5854ec493f6b1b29f3e94a651c8aef3e904b
Author: Michal Schmidt <mschmidt at redhat.com>
Date:   Fri Mar 16 18:41:27 2012 +0100

    CVE-2012-1174 (#804118)

 ...-the-socket-if-the-service-keeps-dying-on.patch |    2 +-
 ...me-broken-failure-result-to-failed-perman.patch |    2 +-
 0158-nspawn-be-less-cryptic-when-clone-fails.patch |    2 +-
 ...sh-completion-get-rid-of-awk-sed-and-grep.patch |    2 +-
 ...ount-properly-check-return-for-mount_add_.patch |    2 +-
 ...l-never-follow-symlinks-in-rm_rf_children.patch |   30 ++++++++++++++++++++
 systemd.spec                                       |    6 +++-
 7 files changed, 40 insertions(+), 6 deletions(-)
---
diff --git a/0156-socket-fail-the-socket-if-the-service-keeps-dying-on.patch b/0156-socket-fail-the-socket-if-the-service-keeps-dying-on.patch
index e76a500..e0fbe51 100644
--- a/0156-socket-fail-the-socket-if-the-service-keeps-dying-on.patch
+++ b/0156-socket-fail-the-socket-if-the-service-keeps-dying-on.patch
@@ -1,4 +1,4 @@
-From 6af0f4d18a60f01d005410b541eb9a0655bc2a86 Mon Sep 17 00:00:00 2001
+From b57bafa73c2e035c216de8fb7933d751d456a93b Mon Sep 17 00:00:00 2001
 From: Michal Schmidt <mschmidt at redhat.com>
 Date: Mon, 5 Mar 2012 22:47:54 +0100
 Subject: [PATCH] socket: fail the socket if the service keeps dying on start
diff --git a/0157-socket-rename-broken-failure-result-to-failed-perman.patch b/0157-socket-rename-broken-failure-result-to-failed-perman.patch
index c9f30fa..b0bb70b 100644
--- a/0157-socket-rename-broken-failure-result-to-failed-perman.patch
+++ b/0157-socket-rename-broken-failure-result-to-failed-perman.patch
@@ -1,4 +1,4 @@
-From dda7fed7d225da9242c767f2e548a4bf4d5fe022 Mon Sep 17 00:00:00 2001
+From 1289495c06a1c8456f6c5bd1df5738bc5e311d9a Mon Sep 17 00:00:00 2001
 From: Lennart Poettering <lennart at poettering.net>
 Date: Tue, 6 Mar 2012 01:29:29 +0100
 Subject: [PATCH] socket: rename 'broken' failure result to 'failed-permanent'
diff --git a/0158-nspawn-be-less-cryptic-when-clone-fails.patch b/0158-nspawn-be-less-cryptic-when-clone-fails.patch
index 5f2b9ef..39f1654 100644
--- a/0158-nspawn-be-less-cryptic-when-clone-fails.patch
+++ b/0158-nspawn-be-less-cryptic-when-clone-fails.patch
@@ -1,4 +1,4 @@
-From a92d0708fa5755e2c66943c7827c538824473596 Mon Sep 17 00:00:00 2001
+From 68fd1b7fbb33996fd2849acf25bb364a834b5d74 Mon Sep 17 00:00:00 2001
 From: Lennart Poettering <lennart at poettering.net>
 Date: Tue, 6 Mar 2012 02:06:29 +0100
 Subject: [PATCH] nspawn: be less cryptic when clone() fails
diff --git a/0159-bash-completion-get-rid-of-awk-sed-and-grep.patch b/0159-bash-completion-get-rid-of-awk-sed-and-grep.patch
index 4290748..ece3286 100644
--- a/0159-bash-completion-get-rid-of-awk-sed-and-grep.patch
+++ b/0159-bash-completion-get-rid-of-awk-sed-and-grep.patch
@@ -1,4 +1,4 @@
-From 79453cbee691a52b48a8cb166a62de5a7dc999b9 Mon Sep 17 00:00:00 2001
+From 8d3ee2c91ab839fe5296ae4f348e38dcc5223a8e Mon Sep 17 00:00:00 2001
 From: Harald Hoyer <harald at redhat.com>
 Date: Tue, 21 Feb 2012 15:48:24 +0100
 Subject: [PATCH] bash-completion: get rid of awk, sed and grep
diff --git a/0160-mount-properly-check-return-for-mount_add_.patch b/0160-mount-properly-check-return-for-mount_add_.patch
index ec3093e..d81d3da 100644
--- a/0160-mount-properly-check-return-for-mount_add_.patch
+++ b/0160-mount-properly-check-return-for-mount_add_.patch
@@ -1,4 +1,4 @@
-From 70cb1063f8588e659c6e0eb6ad544823a5d2cd98 Mon Sep 17 00:00:00 2001
+From 84fefa4d9e1e6ddc9d2ec486181e2afaeb20f1c9 Mon Sep 17 00:00:00 2001
 From: Dave Reisner <d at falconindy.com>
 Date: Fri, 17 Feb 2012 12:17:49 -0500
 Subject: [PATCH] mount: properly check return for mount_add_*
diff --git a/0161-util-never-follow-symlinks-in-rm_rf_children.patch b/0161-util-never-follow-symlinks-in-rm_rf_children.patch
new file mode 100644
index 0000000..2c9adf3
--- /dev/null
+++ b/0161-util-never-follow-symlinks-in-rm_rf_children.patch
@@ -0,0 +1,30 @@
+From 90eb06e8c7da2c10eeccc4915bca577304785664 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt at redhat.com>
+Date: Fri, 2 Mar 2012 10:39:10 +0100
+Subject: [PATCH] util: never follow symlinks in rm_rf_children()
+
+The function checks if the entry is a directory before recursing, but
+there is a window between the check and the open, during which the
+directory could be replaced with a symlink.
+
+CVE-2012-1174
+https://bugzilla.redhat.com/show_bug.cgi?id=803358
+(cherry picked from commit 5ebff5337594d690b322078c512eb222d34aaa82)
+---
+ src/util.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index a488289..6a2c61f 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -3483,7 +3483,8 @@ static int rm_rf_children(int fd, bool only_dirs, bool honour_sticky) {
+                 if (is_dir) {
+                         int subdir_fd;
+ 
+-                        if ((subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)) < 0) {
++                        subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW);
++                        if (subdir_fd < 0) {
+                                 if (ret == 0 && errno != ENOENT)
+                                         ret = -errno;
+                                 continue;
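Review bot: The `O_NOFOLLOW` added to the `openat()` call in `rm_rf_children()` has no in-code explanation, so a later cleanup could drop it as redundant with the `is_dir` check just above; the reason is recorded only in the commit message. I would add a comment above the call, for example `/* O_NOFOLLOW: the entry can be swapped for a symlink between the is_dir check and this open; never descend through one (CVE-2012-1174) */`. The comment should also say that a swapped entry now takes the existing error branch: the failed open stores `-errno` in `ret` (when `ret == 0` and errno is not `ENOENT`) and `continue`s, so the function reports an error for that entry instead of recursing. The exact errno presumably depends on how the kernel orders the `O_DIRECTORY` and `O_NOFOLLOW` checks, so no caller should match on one specific value. The body of `rm_rf_children()` starts and ends outside this hunk, so how `is_dir` is determined and what follows the `continue` cannot be checked from here.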
diff --git a/systemd.spec b/systemd.spec
index d359b3e..bcc7915 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -2,7 +2,7 @@ Name:           systemd
 Url:            http://www.freedesktop.org/wiki/Software/systemd
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Version:        37
-Release:        16%{?dist}
+Release:        17%{?dist}
 License:        GPLv2+
 Group:          System Environment/Base
 Summary:        A System and Service Manager
@@ -213,6 +213,7 @@ Patch0157:      0157-socket-rename-broken-failure-result-to-failed-perman.patch
 Patch0158:      0158-nspawn-be-less-cryptic-when-clone-fails.patch
 Patch0159:      0159-bash-completion-get-rid-of-awk-sed-and-grep.patch
 Patch0160:      0160-mount-properly-check-return-for-mount_add_.patch
+Patch0161:      0161-util-never-follow-symlinks-in-rm_rf_children.patch
 
 # For sysvinit tools
 Obsoletes:      SysVinit < 2.86-24, sysvinit < 2.86-24
@@ -534,6 +535,9 @@ fi
 %{_bindir}/systemd-sysv-convert
 
 %changelog
+* Fri Mar 16 2012 Michal Schmidt <mschmidt at redhat.com> - 37-17
+- CVE-2012-1174 (#804118)
+
 * Tue Mar 06 2012 Michal Schmidt <mschmidt at redhat.com> - 37-16
 - From upstream:
   - avoid socket tarpits when the service keeps failing

