Forked from pkg / systemd
133 commits behind the upstream repository.
    76e351d7
    Import Debian changes 241-7~deb10u1 · 76e351d7
    Michael Biebl authored
    systemd (241-7~deb10u1) buster; urgency=medium
    
      * Rebuild for buster
    
    systemd (241-7) unstable; urgency=medium
    
      [ Michael Biebl ]
      * network: Fix failure to bring up interface with Linux kernel 5.2.
        Backport two patches from systemd master in order to fix a bug with 5.2
        kernels where the network interface fails to come up with the following
        error: "enp3s0: Could not bring up interface: Invalid argument"
        (Closes: #931636)
      * Use /usr/sbin/nologin as nologin shell.
        In Debian the nologin shell is installed in /usr/sbin, not /sbin.
        (Closes: #931850)
    
      [ Mert Dirik ]
      * 40-systemd: Don't fail if SysV init script uses set -u and $1 is unset
        (Closes: #931719)
    
    systemd (241-6) unstable; urgency=medium
    
      * ask-password: Prevent buffer overflow when reading from keyring.
        Fixes a possible memory corruption that causes systemd-cryptsetup to
        crash either when a single large password is used or when multiple
        passwords have already been pushed to the keyring. (Closes: #929726)
      * Clarify documentation regarding %h/%u/%U specifiers.
        Make it clear, that setting "User=" has no effect on those specifiers.
        Also ensure that "%h" is actually resolved to "/root" for the system
        manager instance as documented in the systemd.unit man page.
        (Closes: #927911)
      * network: Behave more gracefully when IPv6 has been disabled.
        Ignore any configured IPv6 settings when IPv6 has been disabled in the
        kernel via sysctl. Instead of failing completely, continue and log a
        warning instead. (Closes: #929469)
ask-password-prevent-buffer-overflow-when-reading-from-ke.patch 1.25 KiB
From: Michael Biebl <biebl@debian.org>
Date: Thu, 27 Jun 2019 15:02:40 +0200
Subject: ask-password: prevent buffer overflow when reading from keyring

When we read from keyring, a temporary buffer is allocated in order to
determine the size needed for the entire data. However, when zeroing that area,
we use the data size returned by the read instead of the lesser size allocated
for the buffer.

That will cause memory corruption that causes systemd-cryptsetup to crash
either when a single large password is used or when multiple passwords have
already been pushed to the keyring.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
(cherry picked from commit 59c55e73eaee345e1ee67c23eace8895ed499693)
---
 src/shared/ask-password-api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c
index 072bf72..97a800f 100644
--- a/src/shared/ask-password-api.c
+++ b/src/shared/ask-password-api.c
@@ -81,7 +81,7 @@ static int retrieve_key(key_serial_t serial, char ***ret) {
                 if (n < m)
                         break;
 
-                explicit_bzero_safe(p, n);
+                explicit_bzero_safe(p, m);
                 free(p);
                 m *= 2;
         }
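
Review bot: at the `explicit_bzero_safe(p, m)` call, nothing in the code records why the length has to be `m` and not `n`. This path is only reached when `n >= m` (the `if (n < m) break;` just above), so `n` is the size the read reported while `p` was allocated with the lesser size `m`, which is the mix-up being corrected here; a one-line comment above the call stating that `m` is the allocated size would keep it from being reintroduced. Separately, the `m *= 2` in the trailing context has no upper bound visible in this hunk; consider capping it or sizing the next attempt from `n`.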