Hi again, not sure if this is the most sensible approach.
Anyway, in bionic I tried to revert the last two patches from the source of systemd_237-3ubuntu10.9.debian with the following commands:
export QUILT_PATCHES=debian/patches
export QUILT_REFRESH_ARGS="-p ab --no-timestamps --no-index"
quilt pop
quilt pop
# -i is needed so the series file is edited in place; without it sed only prints the result
sed -i 's/^CVE-2018-6954.*/#&/' debian/patches/series
Then I recompiled and installed the new package and the error disappeared.
Anyway the involved patches were there to fix some issues:
$ quilt header patches/CVE-2018-6954
Description: tmpfiles: don't resolve pathnames when traversing recursively
through directory trees
Otherwise we can be fooled if one path component is replaced underneath us.
The patch achieves that by always operating at file descriptor level (by using
*at() helpers) and by making sure we do not do any path resolution when traversing
directory trees.
However this is not always possible, for instance when listing the content of a
directory or some operations don't provide the *at() helpers or others (such as
fchmodat()) don't have the AT_EMPTY_PATH flag. In such cases we operate on
/proc/self/fd/%i pseudo-symlink instead, which works the same for all kinds of
objects and requires no checking of type beforehand.
Also O_PATH flag is used when opening file objects in order to prevent
undesired behaviors: device nodes from reacting, automounts from
triggering, etc...
Fixes: CVE-2018-6954
Origin: upstream, https://github.com/systemd/systemd/commit/936f6bdb803c432578e2cdcc5f93f3bfff93aff0
Bug: https://github.com/systemd/systemd/issues/7986
$ quilt header patches/CVE-2018-6954_2
Description: Make tmpfiles safe
In addition to backporting the changesets in #8822, this also backports
e04fc13 (test: add tests for systemd-tmpfiles), as well as empty_to_root()
from v239.
Origin: upstream, https://github.com/systemd/systemd/pull/8822/commits
Bug: https://github.com/systemd/systemd/issues/7986
So I'm not sure if it's a secure/stable workaround.
Maybe it would be better mixing up the releases, installing the patched package from cosmic-proposed... I will test on another snapshot to see what happens.
Just a curiosity: is bionic still supported?
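Added example, not code from the post above or from the systemd patches it quotes: the fchmodat()/AT_EMPTY_PATH workaround the commit message describes (open with O_PATH|O_NOFOLLOW, check the type with fstat(), then act through the /proc/self/fd/%d pseudo-symlink), written in C for Linux. It assumes /proc is mounted and /tmp is writable; the function and file names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000 /* Linux value, in case the headers hide it */
#endif

/* chmod dirfd/name without resolving any symlink. fchmodat() has no
 * AT_EMPTY_PATH and its AT_SYMLINK_NOFOLLOW fails with ENOTSUP on Linux, so:
 * open the object itself with O_PATH|O_NOFOLLOW (no device or automount side
 * effects), fstat() its type, then chmod() through /proc/self/fd/%d. */
int chmod_nofollow_at(int dirfd, const char *name, mode_t mode) {
    int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    int r = fstat(fd, &st);
    if (r == 0 && S_ISLNK(st.st_mode)) { /* symlink: refuse, never follow */
        errno = ELOOP;
        r = -1;
    } else if (r == 0) {
        char p[64];
        snprintf(p, sizeof p, "/proc/self/fd/%d", fd); /* names the held object */
        r = chmod(p, mode);
    }
    int saved = errno; close(fd); errno = saved;
    return r;
}

/* Constructed demo: temp dir with regular file "f" and symlink "lnk" -> "f".
 * Returns 0 if "f" gets mode 0600 and "lnk" is refused with ELOOP, else the
 * number of the step that failed. */
int demo(void) {
    char dir[] = "/tmp/tmpfiles-demo-XXXXXX";
    if (!mkdtemp(dir)) return 1;
    int dfd = open(dir, O_PATH | O_DIRECTORY | O_CLOEXEC);
    int fd = openat(dfd, "f", O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (dfd < 0 || fd < 0 || symlinkat("f", dfd, "lnk") < 0) return 2;
    close(fd);
    struct stat st; int rc = 0;
    if (chmod_nofollow_at(dfd, "f", 0600) < 0) rc = 3;
    else if (fstatat(dfd, "f", &st, 0) < 0 || (st.st_mode & 07777) != 0600) rc = 4;
    else if (chmod_nofollow_at(dfd, "lnk", 0600) == 0 || errno != ELOOP) rc = 5;
    unlinkat(dfd, "lnk", 0); unlinkat(dfd, "f", 0); close(dfd); rmdir(dir);
    return rc;
}
```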