From 835eeac58ca3abddc010c2d20a1bbf8c59effc15 Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek
Date: Feb 05 2020 17:22:14 +0000
Subject: Update to 243.6
---
diff --git a/70e8c1978a9a688662eb1b3983370dd1cc415083.patch b/70e8c1978a9a688662eb1b3983370dd1cc415083.patch
deleted file mode 100644
index d490ee2..0000000
--- a/70e8c1978a9a688662eb1b3983370dd1cc415083.patch
+++ /dev/null
@@ -1,220 +0,0 @@
-From 70e8c1978a9a688662eb1b3983370dd1cc415083 Mon Sep 17 00:00:00 2001
-From: Mike Gilbert
-Date: Fri, 6 Dec 2019 14:28:13 -0500
-Subject: [PATCH] seccomp: real syscall numbers are >= 0
-
-Real syscall numbers start at 0. The fake seccomp values seem to be
-strictly less than 0.
-
-Fixes: 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f
-(cherry picked from commit fb4b0465abbd96e6d342e5606c61c919c99a82ff)
----
- src/basic/missing_syscall.h | 28 ++++++++++++++--------------
- src/test/test-seccomp.c | 16 ++++++++--------
- 2 files changed, 22 insertions(+), 22 deletions(-)
-
-diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
-index 1255d8b197..8879422ce9 100644
---- a/src/basic/missing_syscall.h
-+++ b/src/basic/missing_syscall.h
-@@ -33,7 +33,7 @@ static inline int missing_pivot_root(const char *new_root, const char *put_old)
- 
- #if !HAVE_MEMFD_CREATE
- /* may be (invalid) negative number due to libseccomp, see PR 13319 */
--# if ! (defined __NR_memfd_create && __NR_memfd_create > 0)
-+# if ! (defined __NR_memfd_create && __NR_memfd_create >= 0)
- # if defined __NR_memfd_create
- # undef __NR_memfd_create
- # endif
-@@ -80,7 +80,7 @@ static inline int missing_memfd_create(const char *name, unsigned int flags) {
- 
- #if !HAVE_GETRANDOM
- /* may be (invalid) negative number due to libseccomp, see PR 13319 */
--# if ! (defined __NR_getrandom && __NR_getrandom > 0)
-+# if ! (defined __NR_getrandom && __NR_getrandom >= 0)
- # if defined __NR_getrandom
- # undef __NR_getrandom
- # endif
-@@ -143,7 +143,7 @@ static inline pid_t missing_gettid(void) {
- 
- #if !HAVE_NAME_TO_HANDLE_AT
- /* may be (invalid) negative number due to libseccomp, see PR 13319 */
--# if ! (defined __NR_name_to_handle_at && __NR_name_to_handle_at > 0)
-+# if ! 
(defined __NR_name_to_handle_at && __NR_name_to_handle_at >= 0)
- # if defined __NR_name_to_handle_at
- # undef __NR_name_to_handle_at
- # endif
-@@ -184,7 +184,7 @@ static inline int missing_name_to_handle_at(int fd, const char *name, struct fil
- 
- #if !HAVE_SETNS
- /* may be (invalid) negative number due to libseccomp, see PR 13319 */
--# if ! (defined __NR_setns && __NR_setns > 0)
-+# if ! (defined __NR_setns && __NR_setns >= 0)
- # if defined __NR_setns
- # undef __NR_setns
- # endif
-@@ -225,7 +225,7 @@ static inline pid_t raw_getpid(void) {
- 
- #if !HAVE_RENAMEAT2
- /* may be (invalid) negative number due to libseccomp, see PR 13319 */
--# if ! (defined __NR_renameat2 && __NR_renameat2 > 0)
-+# if ! (defined __NR_renameat2 && __NR_renameat2 >= 0)
- # if defined __NR_renameat2
- # undef __NR_renameat2
- # endif
-@@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c
- 
- #if !HAVE_KCMP
- static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) {
--# if defined __NR_kcmp && __NR_kcmp > 0
-+# if defined __NR_kcmp && __NR_kcmp >= 0
- return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2);
- # else
- errno = ENOSYS;
-@@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i
- 
- #if !HAVE_KEYCTL
- static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) {
--# if defined __NR_keyctl && __NR_keyctl > 0
-+# if defined __NR_keyctl && __NR_keyctl >= 0
- return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
- # else
- errno = ENOSYS;
-@@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg
- }
- 
- static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) {
--# if defined __NR_add_key && __NR_add_key > 0
-+# if defined __NR_add_key && 
__NR_add_key >= 0
- return syscall(__NR_add_key, type, description, payload, plen, ringid);
- # else
- errno = ENOSYS;
-@@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip
- }
- 
- static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) {
--# if defined __NR_request_key && __NR_request_key > 0
-+# if defined __NR_request_key && __NR_request_key >= 0
- return syscall(__NR_request_key, type, description, callout_info, destringid);
- # else
- errno = ENOSYS;
-@@ -326,7 +326,7 @@ static inline key_serial_t missing_request_key(const char *type, const char *des
- 
- #if !HAVE_COPY_FILE_RANGE
- /* may be (invalid) negative number due to libseccomp, see PR 13319 */
--# if ! (defined __NR_copy_file_range && __NR_copy_file_range > 0)
-+# if ! (defined __NR_copy_file_range && __NR_copy_file_range >= 0)
- # if defined __NR_copy_file_range
- # undef __NR_copy_file_range
- # endif
-@@ -368,7 +368,7 @@ static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in,
- 
- #if !HAVE_BPF
- /* may be (invalid) negative number due to libseccomp, see PR 13319 */
--# if ! (defined __NR_bpf && __NR_bpf > 0)
-+# if ! (defined __NR_bpf && __NR_bpf >= 0)
- # if defined __NR_bpf
- # undef __NR_bpf
- # endif
-@@ -409,7 +409,7 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
- 
- #ifndef __IGNORE_pkey_mprotect
- /* may be (invalid) negative number due to libseccomp, see PR 13319 */
--# if ! (defined __NR_pkey_mprotect && __NR_pkey_mprotect > 0)
-+# if ! (defined __NR_pkey_mprotect && __NR_pkey_mprotect >= 0)
- # if defined __NR_pkey_mprotect
- # undef __NR_pkey_mprotect
- # endif
-@@ -445,7 +445,7 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
- 
- #if !HAVE_STATX
- /* may be (invalid) negative number due to libseccomp, see PR 13319 */
--# if ! (defined __NR_statx && __NR_statx > 0)
-+# if ! 
(defined __NR_statx && __NR_statx >= 0)
- # if defined __NR_statx
- # undef __NR_statx
- # endif
-@@ -496,7 +496,7 @@ enum {
- static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask,
- unsigned long maxnode) {
- long i;
--# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0
-+# if defined __NR_set_mempolicy && __NR_set_mempolicy >= 0
- i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode);
- # else
- errno = ENOSYS;
-diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
-index 6dd98672b8..328a656343 100644
---- a/src/test/test-seccomp.c
-+++ b/src/test/test-seccomp.c
-@@ -29,7 +29,7 @@
- #include "virt.h"
- 
- /* __NR_socket may be invalid due to libseccomp */
--#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
-+#if !defined(__NR_socket) || __NR_socket < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
- /* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
- * and we can't restrict it hence via seccomp. 
*/
- # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
-@@ -305,14 +305,14 @@ static void test_protect_sysctl(void) {
- assert_se(pid >= 0);
- 
- if (pid == 0) {
--#if defined __NR__sysctl && __NR__sysctl > 0
-+#if defined __NR__sysctl && __NR__sysctl >= 0
- assert_se(syscall(__NR__sysctl, NULL) < 0);
- assert_se(errno == EFAULT);
- #endif
- 
- assert_se(seccomp_protect_sysctl() >= 0);
- 
--#if defined __NR__sysctl && __NR__sysctl > 0
-+#if defined __NR__sysctl && __NR__sysctl >= 0
- assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
- assert_se(errno == EPERM);
- #endif
-@@ -641,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) {
- assert_se(poll(NULL, 0, 0) == 0);
- 
- assert_se(s = hashmap_new(NULL));
--#if defined __NR_access && __NR_access > 0
-+#if defined __NR_access && __NR_access >= 0
- assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
- #else
- assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
-@@ -657,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) {
- s = hashmap_free(s);
- 
- assert_se(s = hashmap_new(NULL));
--#if defined __NR_access && __NR_access > 0
-+#if defined __NR_access && __NR_access >= 0
- assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
- #else
- assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
-@@ -673,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) {
- s = hashmap_free(s);
- 
- assert_se(s = hashmap_new(NULL));
--#if defined __NR_poll && __NR_poll > 0
-+#if defined __NR_poll && __NR_poll >= 0
- assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
- #else
- assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
-@@ -690,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) {
- s = hashmap_free(s);
- 
- assert_se(s = hashmap_new(NULL));
--#if defined __NR_poll && __NR_poll > 0
-+#if defined __NR_poll && __NR_poll >= 
0
- assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
- #else
- assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
-@@ -768,7 +768,7 @@ static int real_open(const char *path, int flags, mode_t mode) {
- * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
- * other architectures, let's just fall back to the glibc call. */
- 
--#if defined __NR_open && __NR_open > 0
-+#if defined __NR_open && __NR_open >= 0
- return (int) syscall(__NR_open, path, flags, mode);
- #else
- return open(path, flags, mode);
diff --git a/sources b/sources
index 272e69f..bec2289 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (systemd-243.5.tar.gz) = ff7df8028ab8e411866a00cb3adc1228663263e08a199bcc3954f6462bae3e433fb75676705509a69d847d9bd7bac50b40a91b1d8f34f76e48a4f19b32475ec2
+SHA512 (systemd-243.6.tar.gz) = 04f618fd5c7384dae5366691c3ff87416930a3c4d7cd3d345f4db95b59ab3d4ca0382349f960f60b6007c2948f8b5739ced15b52535799dfcad25849dfe29132
diff --git a/systemd.spec b/systemd.spec
index c4e4f96..e55c033 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -14,7 +14,7 @@ Name: systemd
 Url: https://www.freedesktop.org/wiki/Software/systemd
-Version: 243.5
+Version: 243.6
 Release: 1%{?commit:.git%{shortcommit}}%{?dist}
 # For a breakdown of the licensing, see README
 License: LGPLv2+ and MIT and GPLv2+
@@ -58,8 +58,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
 Patch0001: https://github.com/keszybz/systemd/commit/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch
-Patch0002: https://github.com/systemd/systemd-stable/commit/a0a1977d9a5dc28e6c1998d8d5cb712305bd0b50.patch
-Patch0003: https://github.com/systemd/systemd-stable/commit/70e8c1978a9a688662eb1b3983370dd1cc415083.patch
 Patch0900: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch
@@ -708,6 +706,10 @@ fi
 %files tests -f .file-list-tests
 %changelog
+* Wed Feb 5 2020 Zbigniew Jędrzejewski-Szmek - 243.6-1
+- Pull in a bunch of bugfixes (#1774242, #1798414/CVE-2020-1712)
+- The hardware database is updated to v245-rc1
+
 * Sun Dec 15 2019 - 243.5-1
 - Latest bugfix release (systemd-networkd fixups, minor cleanups to documentation).