
Re: systemd CVE-2016-7796
Ben Hutchings <ben@decadent.org.uk> writes:

> On Thu, 2016-10-06 at 08:07 +1100, Brian May wrote:
>> Here is a new revised patch:
>
> You're trying to make multiple changes in one patch, and still not
> getting all of them.  I think you will need to apply (at least) this
> series of patches:

Ok, sure.

>
> 1. Change from version 219 that removed the treatment of n < 0 as an
> error

It looks like n < 0 in version 219 is an error to me:

                n = recvmsg(m->notify_fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
                if (n < 0) {
                        if (errno == EAGAIN || errno == EINTR)
                                break;

                        return -errno;
                }

I also see the assert(n > 0) line.

Did I misunderstand? Maybe you meant to say n==0 shouldn't return an
error (actually that is what I initially thought you said).

If so, unfortunately there isn't a single patch that changes this.

This (big) patch (which I initially thought removed the error) moves the
test down several lines and changes the error from EIO to ECONNRESET:

https://github.com/systemd/systemd/commit/a354329f724d6ce913d2ccffb2be8f3327a67faa#diff-ab78220e12703ee63fa1e6a2caa16bebL1508

Ok, found the next commit:

https://github.com/systemd/systemd/commit/d875aa8ce10b458dc218c0d98f4a82c8904d6d03

So assuming this is what you want, probably easiest to recreate this
patch.

> 2. Fix for CVE-2016-7796
> 3. If-the-notification-message-length-is-0-ignore-the-messag.patch
> 4. pid1-process-zero-length-notification-messages-again.patch
-- 
Brian May <bam@debian.org>
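Added example, not code from this thread or from systemd itself: a small C program that shows the receive-loop shape the patches in this thread converge on. The recvmsg() call uses the same flags as the quoted systemd snippet; n < 0 with EAGAIN/EINTR ends the drain, any other negative n is a real error, and a zero-length datagram (n == 0) is ignored rather than hitting an assert(n > 0), after first closing any file descriptors that were passed along with it. All function and variable names (recv_notify_once, drain_notify, demo, demo_empty_count, demo_last_msg) and the sample messages are constructed for this example and are not systemd identifiers.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* MSG_CMSG_CLOEXEC is Linux-specific; degrade gracefully elsewhere. */
#ifndef MSG_CMSG_CLOEXEC
#define MSG_CMSG_CLOEXEC 0
#endif

/* Classification of one recvmsg() call (names constructed for this example). */
enum notify_result {
    NOTIFY_DRAINED,  /* EAGAIN/EINTR: nothing more to read right now */
    NOTIFY_EMPTY,    /* zero-length datagram: ignored, keep draining */
    NOTIFY_MESSAGE,  /* a non-empty payload was received */
    NOTIFY_ERROR     /* a genuine recvmsg() failure */
};

/* Read one datagram from fd. On NOTIFY_MESSAGE the payload is copied into
   buf (NUL-terminated) and *len is set. Passed file descriptors are always
   closed so a sender cannot make this process accumulate fds. */
static enum notify_result recv_notify_once(int fd, char *buf, size_t bufsz, ssize_t *len) {
    struct iovec iov = { .iov_base = buf, .iov_len = bufsz - 1 };
    union { struct cmsghdr hdr; char space[CMSG_SPACE(sizeof(int) * 8)]; } control;
    struct msghdr msghdr = {
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = &control, .msg_controllen = sizeof control
    };

    ssize_t n = recvmsg(fd, &msghdr, MSG_DONTWAIT | MSG_CMSG_CLOEXEC);
    if (n < 0) {
        if (errno == EAGAIN || errno == EINTR)
            return NOTIFY_DRAINED;
        return NOTIFY_ERROR;          /* the "return -errno" case in the quoted code */
    }

    /* Release any SCM_RIGHTS fds, regardless of payload length. */
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msghdr); c; c = CMSG_NXTHDR(&msghdr, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS) {
            int *fds = (int *)CMSG_DATA(c);
            size_t count = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
            for (size_t i = 0; i < count; i++)
                close(fds[i]);
        }
    }

    if (n == 0)
        return NOTIFY_EMPTY;          /* ignore instead of assert(n > 0) */

    buf[n] = '\0';
    *len = n;
    return NOTIFY_MESSAGE;
}

/* Drain everything currently queued. Returns the number of non-empty messages
   handled, or -1 on a real error. Empty datagrams are counted in *empty. */
static int drain_notify(int fd, int *empty, char *last, size_t lastsz) {
    int handled = 0;
    for (;;) {
        char buf[256];
        ssize_t len = 0;
        enum notify_result r = recv_notify_once(fd, buf, sizeof buf, &len);
        if (r == NOTIFY_DRAINED)
            return handled;
        if (r == NOTIFY_ERROR)
            return -1;
        if (r == NOTIFY_EMPTY) {
            (*empty)++;
            continue;
        }
        /* A real notification manager would parse READY=1, STATUS=... here. */
        snprintf(last, lastsz, "%s", buf);
        handled++;
    }
}

int demo_empty_count;          /* filled in by demo() */
char demo_last_msg[256];       /* last non-empty payload seen by demo() */

/* Constructed input: one zero-length datagram followed by "READY=1" over a
   socketpair. Returns the number of non-empty messages handled (expected 1). */
int demo(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    send(sv[0], "", 0, 0);                 /* the zero-length case from this thread */
    send(sv[0], "READY=1", 7, 0);
    demo_empty_count = 0;
    demo_last_msg[0] = '\0';
    int n = drain_notify(sv[1], &demo_empty_count, demo_last_msg, sizeof demo_last_msg);
    close(sv[0]);
    close(sv[1]);
    return n;
}

int main(void) {
    int n = demo();
    printf("handled=%d empty=%d last=\"%s\"\n", n, demo_empty_count, demo_last_msg);
    return n == 1 ? 0 : 1;
}
```

The point of the ordering is that the fd cleanup runs before the length check: an empty datagram that carries descriptors is still fully consumed, so ignoring it neither blocks the loop nor leaks anything.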