Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-systemd-maintainers@lists.alioth.debian.org

Dear Release Team,

We would like to upload the latest stable point release of systemd 252 to bookworm-p-u. Stable release branches are maintained upstream with the intention of providing bug fixes only and no compatibility breakages, and with automated non-trivial CI jobs that also cover Debian and Ubuntu.

I have already uploaded to p-u.

The only fix in this release is for a minor security advisory that affects systemd-boot on arm64/riscv64 on EFI with secure-boot enabled (which Debian doesn't provide for sd-boot at all, so it only affects local self-signed deployments). Details at: https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c

Debdiff attached. No packaging changes.

--
Kind regards,
Luca Boccassi
diff -Nru systemd-252.16/debian/changelog systemd-252.17/debian/changelog
--- systemd-252.16/debian/changelog 2023-09-09 02:24:49.000000000 +0100
+++ systemd-252.17/debian/changelog 2023-09-20 13:15:14.000000000 +0100
@@ -1,3 +1,11 @@
+systemd (252.17-1~deb12u1) bookworm; urgency=medium
+
+ * New upstream version 252.17. Fixes minor security issue in arm64
+ and riscv64 systemd-boot (EFI) with device tree blobs loading:
+ https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c
+
+ -- Luca Boccassi <bluca@debian.org> Wed, 20 Sep 2023 13:15:14 +0100
+
systemd (252.16-1~deb12u1) bookworm; urgency=medium
* New upstream version 252.16
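Review bot: the changelog entry describes the fix only as a "minor security issue ... with device tree blobs loading" but omits the user-visible behaviour change it introduces: on arm64/riscv64 with Secure Boot enabled, a loader entry's devicetree is no longer installed at all. For administrators running local self-signed Secure Boot deployments (the only case the cover letter says is affected), that is the symptom they will actually notice, so consider adding a line such as "devicetree entries are now ignored when Secure Boot is enabled" after the advisory URL, so the NEWS-style consequence is visible from the package changelog rather than only from the upstream advisory.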
diff -Nru systemd-252.16/src/boot/efi/boot.c systemd-252.17/src/boot/efi/boot.c
--- systemd-252.16/src/boot/efi/boot.c 2023-09-09 02:21:12.000000000 +0100
+++ systemd-252.17/src/boot/efi/boot.c 2023-09-20 10:14:24.000000000 +0100
@@ -2402,7 +2402,9 @@
if (err != EFI_SUCCESS)
return log_error_status_stall(err, L"Error loading %s: %r", entry->loader, err);
- if (entry->devicetree) {
+ /* DTBs are loaded by the kernel before ExitBootServices, and they can be used to map and assign
+ * arbitrary memory ranges, so skip it when secure boot is enabled as the DTB here is unverified. */
+ if (entry->devicetree && !secure_boot_enabled()) {
err = devicetree_install(&dtstate, image_root, entry->devicetree);
if (err != EFI_SUCCESS)
return log_error_status_stall(err, L"Error loading %s: %r", entry->devicetree, err);
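Review bot: the new condition `if (entry->devicetree && !secure_boot_enabled())` silently skips the devicetree when Secure Boot is on, with no diagnostic, so an entry that names a devicetree boots without it and the operator gets no indication why the DTB override did not take effect. Since the surrounding code already reports failures through `log_error_status_stall(...)`, consider an explicit `else if (entry->devicetree)` branch that logs (at least as a warning) that the devicetree was not installed because Secure Boot is enabled; that keeps the hardening while making the skipped step observable. The added comment also reads as if the kernel loads the DTB, whereas the visible call `devicetree_install(&dtstate, image_root, entry->devicetree)` shows it is the boot loader installing the unverified blob before handing over; rewording the comment to say sd-boot installs it (and the kernel then consumes it) would make the reason for the check clearer to the next reader.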