Bug#863634: marked as done (unblock: systemd/232-24)

To: Jonathan Wiltshire <jmw@debian.org>
Subject: Bug#863634: marked as done (unblock: systemd/232-24)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Tue, 30 May 2017 19:09:06 +0000
Message-id: <[🔎] handler.863634.D863634.149617119929049.ackdone@bugs.debian.org>
References: <55a0afc9d51690d36d2ff1900f66ab3d@debian.org> <[🔎] 149606864335.20256.5483371696983529115.reportbug@pluto.milchstrasse.xx>

Your message dated Tue, 30 May 2017 20:06:35 +0100
with message-id <55a0afc9d51690d36d2ff1900f66ab3d@debian.org>
and subject line Re: Bug#863634: unblock: systemd/232-24
has caused the Debian Bug report #863634,
regarding unblock: systemd/232-24
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
863634: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863634
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock (pre-approval): systemd/232-24
From: Michael Biebl <biebl@debian.org>
Date: Mon, 29 May 2017 16:37:23 +0200
Message-id: <[🔎] 149606864335.20256.5483371696983529115.reportbug@pluto.milchstrasse.xx>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

I'd like to make another upload of systemd if possible.
It fixes a remote DoS in resolved (#863277). We don't enable resolved
by default in Debian, so this bug is not super critical.
But since an (upstream) fix exists, I would prefer to have this fix in
stretch. The attached debdiff also has two smaller fixes which have
piled up in the stretch branch in the mean time.

Please let me know if I can proceed with the upload.
If you want me to postpone that for 9.1, I'm fine as well. Uploading it
now would have the benefit though of at least some testing in unstable.

The changes don't touch d-i, but I've CCed debian-boot@ anyway for an
ack.

Full debdiff attached.

Regards,
Michael


-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog
index 2c670e7..68276b7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+systemd (232-24) unstable; urgency=medium
+
+  [ Felipe Sateler ]
+  * Specify nobody user and group.
+    Otherwise nss-systemd will translate to group 'nobody', which doesn't
+    exist on debian systems.
+
+  [ Michael Biebl ]
+  * Add Depends: procps to systemd.
+    It's required by /usr/lib/systemd/user/systemd-exit.service which calls
+    /bin/kill to stop the systemd --user instance. (Closes: #862292)
+  * resolved: fix null pointer p->question dereferencing.
+    This fixes a bug which allowed a remote DoS (daemon crash) via a crafted
+    DNS response with an empty question section.
+    Fixes: CVE-2017-9217 (Closes: #863277)
+
+ -- Michael Biebl <biebl@debian.org>  Mon, 29 May 2017 16:25:43 +0200
+
 systemd (232-23) unstable; urgency=medium
 
   [ Michael Biebl ]
diff --git a/debian/control b/debian/control
index b48a50a..c4e7db1 100644
--- a/debian/control
+++ b/debian/control
@@ -74,6 +74,7 @@ Depends: ${shlibs:Depends},
          util-linux (>= 2.27.1),
          mount (>= 2.26),
          adduser,
+         procps,
 Breaks: lvm2 (<< 2.02.104-1),
         apparmor (<< 2.9.2-1),
         systemd-shim (<< 10-3~),
diff --git a/debian/patches/resolved-bugfix-of-null-pointer-p-question-dereferencing-.patch b/debian/patches/resolved-bugfix-of-null-pointer-p-question-dereferencing-.patch
new file mode 100644
index 0000000..0d134c1
--- /dev/null
+++ b/debian/patches/resolved-bugfix-of-null-pointer-p-question-dereferencing-.patch
@@ -0,0 +1,24 @@
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 24 May 2017 08:56:48 +0300
+Subject: resolved: bugfix of null pointer p->question dereferencing (#6020)
+
+See https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396
+(cherry picked from commit a924f43f30f9c4acaf70618dd2a055f8b0f166be)
+---
+ src/resolve/resolved-dns-packet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 337a8c4..07a761e 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -2264,6 +2264,9 @@ int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key) {
+         if (r < 0)
+                 return r;
+ 
++        if (!p->question)
++                return 0;
++
+         if (p->question->n_keys != 1)
+                 return 0;
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 44daef3..adc86a7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -62,6 +62,7 @@ Adjust-pkgconfig-files-to-point-at-rootlibdir-4584.patch
 journal-fix-up-syslog-facility-when-forwarding-native-mes.patch
 machinectl-make-sure-that-inability-to-get-OS-version-isn.patch
 nspawn-support-ephemeral-boots-from-images.patch
+resolved-bugfix-of-null-pointer-p-question-dereferencing-.patch
 debian/Use-Debian-specific-config-files.patch
 debian/don-t-try-to-start-autovt-units-when-not-running-wit.patch
 debian/Make-logind-hostnamed-localed-timedated-D-Bus-activa.patch
diff --git a/debian/rules b/debian/rules
index 016fc51..d6e984f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -126,7 +126,9 @@ CONFFLAGS = \
 	--disable-wheel-group \
 	--with-ntp-servers="$(DEFAULT_NTP_SERVERS)"  \
 	--with-system-uid-max=999 \
-	--with-system-gid-max=999
+	--with-system-gid-max=999 \
+	--with-nobody-user=nobody \
+	--with-nobody-group=nogroup
 
 # resolved's DNSSEC support is still not mature enough, don't enable it by
 # default on stable Debian/Ubuntu releases

--- End Message ---

--- Begin Message ---

To: Michael Biebl <biebl@debian.org>, 863634-done@bugs.debian.org

Subject: Re: Bug#863634: unblock: systemd/232-24

From: Jonathan Wiltshire <jmw@debian.org>

Date: Tue, 30 May 2017 20:06:35 +0100

Message-id: <55a0afc9d51690d36d2ff1900f66ab3d@debian.org>

In-reply-to: <[🔎] 4671d13e-866d-3c2a-a973-e47a3232ceef@debian.org>

References: <[🔎] 149606864335.20256.5483371696983529115.reportbug@pluto.milchstrasse.xx> <[🔎] 31feeafc7f5bfb5da543c5435e7d7067@debian.org> <[🔎] 4671d13e-866d-3c2a-a973-e47a3232ceef@debian.org>
On 2017-05-30 08:14, Michael Biebl wrote:
Am 29.05.2017 um 23:56 schrieb Jonathan Wiltshire:
Please go ahead and remove the moreinfo tag when it is ready to be
unblocked.
Uploaded and built everywhere.
Thanks, unblocked.


--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits
--- End Message ---

Reply to:

References:
- Bug#863634: unblock (pre-approval): systemd/232-24
  - From: Michael Biebl <biebl@debian.org>

Prev by Date: Processed: Re: Bug#863702: unblock: compiz/0.9.13.0+16.10.20160818.2-5.1 (pre-approval)
Next by Date: Bug#863706: marked as done (unblock: coyim/0.3.7-3)
Previous by thread: Processed: Re: Bug#863634: unblock: systemd/232-24
Next by thread: Bug#863645: unblock: cqrlog 2.0.2-1.1
Index(es):
- Date
- Thread