diff --git a/backport-0001-coredump-also-stop-forwarding-non-dumpable-processes.patch b/backport-0001-coredump-also-stop-forwarding-non-dumpable-processes.patch new file mode 100644 index 0000000000000000000000000000000000000000..8235119984935906d3b93b68c1afa550353b227a --- /dev/null +++ b/backport-0001-coredump-also-stop-forwarding-non-dumpable-processes.patch @@ -0,0 +1,55 @@ +From 3d365b4a68240757b79fb0361360b2730ac5bbff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 5 May 2025 15:48:40 +0200 +Subject: [PATCH] coredump: also stop forwarding non-dumpable processes + +See the comment in the patch for details. + +Suggested-by: Qualys Security Advisory + +(cherry-picked from commit 8fc7b2a211eb13ef1a94250b28e1c79cab8bdcb9) +(cherry-picked from commit 101058955eb41023e0dba5766f6bfb190ebbb4f6) +(cherry picked from commit 9c9e09ed85f89b9d42102211b9fa72492a16ef1b) +--- + src/coredump/coredump.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index d5c01bf02d..c34568d502 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -1415,10 +1415,21 @@ static int receive_ucred(int transport_fd, struct ucred *ret_ucred) { + return 0; + } + +-static int can_forward_coredump(pid_t pid) { ++static int can_forward_coredump(Context *context, pid_t pid) { + _cleanup_free_ char *cgroup = NULL, *path = NULL, *unit = NULL; + int r; + ++ assert(context); ++ ++ /* We don't use %F/pidfd to pin down the crashed process yet. We need to avoid a situation where the ++ * attacker crashes a SUID process or a root daemon and quickly replaces it with a namespaced process ++ * and we forward the initial part of the coredump to the attacker, inside the namespace. ++ * ++ * TODO: relax this check when %F is implemented and used. ++ */ ++ if (context->dumpable != 1) ++ return false; ++ + r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, pid, &cgroup); + if (r < 0) + return r; +@@ -1460,7 +1471,7 @@ static int forward_coredump_to_container(Context *context) { + if (r < 0) + return log_debug_errno(r, "Failed to get namespace leader: %m"); + +- r = can_forward_coredump(pid); ++ r = can_forward_coredump(context, pid); + if (r < 0) + return log_debug_errno(r, "Failed to check if coredump can be forwarded: %m"); + if (r == 0) +-- +2.27.0 + diff --git a/backport-0001-coredump-restore-compatibility-with-older-patterns.patch b/backport-0001-coredump-restore-compatibility-with-older-patterns.patch new file mode 100644 index 0000000000000000000000000000000000000000..19f0077ffb24fe6ad06e14a8ed30dc3c262798e8 --- /dev/null +++ b/backport-0001-coredump-restore-compatibility-with-older-patterns.patch @@ -0,0 +1,116 @@ +From c6f79626b6d175c6a5b62b8c5d957a83eb882301 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 29 Apr 2025 14:47:59 +0200 +Subject: [PATCH] coredump: restore compatibility with older patterns + +This was broken in f45b8015513d38ee5f7cc361db9c5b88c9aae704. Unfortunately +the review does not talk about backward compatibility at all. There are +two places where it matters: +- During upgrades, the replacement of kernel.core_pattern is asynchronous. + For example, during rpm upgrades, it would be updated a post-transaction + file trigger. In other scenarios, the update might only happen after + reboot. We have a potentially long window where the old pattern is in + place. We need to capture coredumps during upgrades too. +- With --backtrace. The interface of --backtrace, in hindsight, is not + great. But there are users of --backtrace which were written to use + a specific set of arguments, and we can't just break compatiblity. + One example is systemd-coredump-python, but there are also reports of + users using --backtrace to generate coredump logs. + +Thus, we require the original set of args, and will use the additional args if +found. + +A test is added to verify that --backtrace works with and without the optional +args. + +(cherry picked from commit ded0aac389e647d35bce7ec4a48e718d77c0435b) +(cherry picked from commit f9b8b75c11bba9b63096904be98cc529c304eb97) +(cherry picked from commit 385a33b043406ad79a7207f3906c3b15192a3333) +--- + src/coredump/coredump.c | 21 ++++++++++++++------- + test/units/testsuite-74.coredump.sh | 18 +++++++++++------- + 2 files changed, 25 insertions(+), 14 deletions(-) + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index b6ca6f03b0..026e0111ce 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -95,8 +95,12 @@ enum { + META_ARGV_SIGNAL, /* %s: number of signal causing dump */ + META_ARGV_TIMESTAMP, /* %t: time of dump, expressed as seconds since the Epoch (we expand this to μs granularity) */ + META_ARGV_RLIMIT, /* %c: core file size soft resource limit */ +- META_ARGV_HOSTNAME, /* %h: hostname */ ++ _META_ARGV_REQUIRED, ++ /* The fields below were added to kernel/core_pattern at later points, so they might be missing. */ ++ META_ARGV_HOSTNAME = _META_ARGV_REQUIRED, /* %h: hostname */ + _META_ARGV_MAX, ++ /* If new fields are added, they should be added here, to maintain compatibility ++ * with callers which don't know about the new fields. */ + + /* The following indexes are cached for a couple of special fields we use (and + * thereby need to be retrieved quickly) for naming coredump files, and attaching +@@ -107,7 +111,7 @@ enum { + _META_MANDATORY_MAX, + + /* The rest are similar to the previous ones except that we won't fail if one of +- * them is missing. */ ++ * them is missing in a message sent over the socket. */ + + META_EXE = _META_MANDATORY_MAX, + META_UNIT, +@@ -1169,14 +1173,17 @@ static int gather_pid_metadata_from_argv( + assert(context); + + /* We gather all metadata that were passed via argv[] into an array of iovecs that +- * we'll forward to the socket unit */ ++ * we'll forward to the socket unit. ++ * ++ * We require at least _META_ARGV_REQUIRED args, but will accept more. ++ * We know how to parse _META_ARGV_MAX args. The rest will be ignored. */ + +- if (argc < _META_ARGV_MAX) ++ if (argc < _META_ARGV_REQUIRED) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), +- "Not enough arguments passed by the kernel (%i, expected %i).", +- argc, _META_ARGV_MAX); ++ "Not enough arguments passed by the kernel (%i, expected between %i and %i).", ++ argc, _META_ARGV_REQUIRED, _META_ARGV_MAX); + +- for (int i = 0; i < _META_ARGV_MAX; i++) { ++ for (int i = 0; i < MIN(argc, _META_ARGV_MAX); i++) { + + t = argv[i]; + +diff --git a/test/units/testsuite-74.coredump.sh b/test/units/testsuite-74.coredump.sh +index 6552643ee9..d9945b61d4 100755 +--- a/test/units/testsuite-74.coredump.sh ++++ b/test/units/testsuite-74.coredump.sh +@@ -186,14 +186,18 @@ rm -f /tmp/core.{output,redirected} + (! "${UNPRIV_CMD[@]}" coredumpctl dump "$CORE_TEST_BIN" >/dev/null) + + # --backtrace mode +-# Pass one of the existing journal coredump records to systemd-coredump and +-# use our PID as the source to make matching the coredump later easier +-# systemd-coredump args: PID UID GID SIGNUM TIMESTAMP CORE_SOFT_RLIMIT HOSTNAME ++# Pass one of the existing journal coredump records to systemd-coredump. ++# Use our PID as the source to be able to create a PIDFD and to make matching easier. ++# systemd-coredump args: PID UID GID SIGNUM TIMESTAMP CORE_SOFT_RLIMIT [HOSTNAME] + journalctl -b -n 1 --output=export --output-fields=MESSAGE,COREDUMP COREDUMP_EXE="/usr/bin/test-dump" | +- /usr/lib/systemd/systemd-coredump --backtrace $$ 0 0 6 1679509994 12345 mymachine +-# Wait a bit for the coredump to get processed +-timeout 30 bash -c "while [[ \$(coredumpctl list -q --no-legend $$ | wc -l) -eq 0 ]]; do sleep 1; done" +-coredumpctl info "$$" ++ /usr/lib/systemd/systemd-coredump --backtrace $$ 0 0 6 1679509900 12345 ++journalctl -b -n 1 --output=export --output-fields=MESSAGE,COREDUMP COREDUMP_EXE="/usr/bin/test-dump" | ++ /usr/lib/systemd/systemd-coredump --backtrace $$ 0 0 6 1679509901 12345 mymachine ++# Wait a bit for the coredumps to get processed ++timeout 30 bash -c "while [[ \$(coredumpctl list -q --no-legend $$ | wc -l) -lt 2 ]]; do sleep 1; done" ++coredumpctl info $$ ++coredumpctl info COREDUMP_TIMESTAMP=1679509900000000 ++coredumpctl info COREDUMP_TIMESTAMP=1679509901000000 + coredumpctl info COREDUMP_HOSTNAME="mymachine" + + # This used to cause a stack overflow +-- +2.27.0 + diff --git a/backport-0002-coredump-get-rid-of-_META_MANDATORY_MAX.patch b/backport-0002-coredump-get-rid-of-_META_MANDATORY_MAX.patch new file mode 100644 index 0000000000000000000000000000000000000000..f4240288d09921291a080a459c313b492415128f --- /dev/null +++ b/backport-0002-coredump-get-rid-of-_META_MANDATORY_MAX.patch @@ -0,0 +1,98 @@ +From b46a4f023cd80b24c8f1aa7a95700bc0cb828cdc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 26 May 2025 12:04:44 +0200 +Subject: [PATCH] coredump: get rid of _META_MANDATORY_MAX + +No functional change. This change is done in preparation for future changes. +Currently, the list of fields which are received on the command line is a +strict subset of the fields which are always expected to be received on a +socket. But when we add new kernel args in the future, we'll have two +non-overlapping sets and this approach will not work. Get rid of the variable +and enumerate the required fields. This set will never change, so this is +actually more maintainable. + +The message with the hint where to add new fields is switched with +_META_ARGV_MAX. The new order is more correct. + +(cherry-picked from 49f1f2d4a7612bbed5211a73d11d6a94fbe3bb69) +(cherry-picked from aea6a631bca93e8b04a11aaced694f25f4da155e) +(cherry picked from cf16b6b6b2e0a656531bfd73ad66be3817b155cd) +--- + src/coredump/coredump.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index 026e0111ce..904b02b91d 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -82,7 +82,7 @@ + * size. See DATA_SIZE_MAX in journal-importer.h. */ + assert_cc(JOURNAL_SIZE_MAX <= DATA_SIZE_MAX); + +-enum { ++typedef enum { + /* We use these as array indexes for our process metadata cache. + * + * The first indices of the cache stores the same metadata as the ones passed by +@@ -98,9 +98,9 @@ enum { + _META_ARGV_REQUIRED, + /* The fields below were added to kernel/core_pattern at later points, so they might be missing. */ + META_ARGV_HOSTNAME = _META_ARGV_REQUIRED, /* %h: hostname */ +- _META_ARGV_MAX, + /* If new fields are added, they should be added here, to maintain compatibility + * with callers which don't know about the new fields. */ ++ _META_ARGV_MAX, + + /* The following indexes are cached for a couple of special fields we use (and + * thereby need to be retrieved quickly) for naming coredump files, and attaching +@@ -108,16 +108,15 @@ enum { + * environment. */ + + META_COMM = _META_ARGV_MAX, +- _META_MANDATORY_MAX, + + /* The rest are similar to the previous ones except that we won't fail if one of + * them is missing in a message sent over the socket. */ + +- META_EXE = _META_MANDATORY_MAX, ++ META_EXE, + META_UNIT, + META_PROC_AUXV, + _META_MAX +-}; ++} meta_argv_t; + + static const char * const meta_field_names[_META_MAX] = { + [META_ARGV_PID] = "COREDUMP_PID=", +@@ -1084,12 +1083,24 @@ static int process_socket(int fd) { + if (r < 0) + goto finish; + +- /* Make sure we received at least all fields we need. */ +- for (int i = 0; i < _META_MANDATORY_MAX; i++) ++ /* Make sure we received all the expected fields. We support being called by an *older* ++ * systemd-coredump from the outside, so we require only the basic set of fields that ++ * was being sent when the support for sending to containers over a socket was added ++ * in a108c43e36d3ceb6e34efe37c014fc2cda856000. */ ++ meta_argv_t i; ++ VA_ARGS_FOREACH(i, ++ META_ARGV_PID, ++ META_ARGV_UID, ++ META_ARGV_GID, ++ META_ARGV_SIGNAL, ++ META_ARGV_TIMESTAMP, ++ META_ARGV_RLIMIT, ++ META_ARGV_HOSTNAME, ++ META_COMM) + if (!context.meta[i]) { + r = log_error_errno(SYNTHETIC_ERRNO(EINVAL), +- "A mandatory argument (%i) has not been sent, aborting.", +- i); ++ "Mandatory argument %s not received on socket, aborting.", ++ meta_field_names[i]); + goto finish; + } + +-- +2.27.0 + diff --git a/backport-0002-coredump-get-rid-of-a-bogus-assertion.patch b/backport-0002-coredump-get-rid-of-a-bogus-assertion.patch new file mode 100644 index 0000000000000000000000000000000000000000..fc396182252fb454f86e839ccb2ed8a082643ea9 --- /dev/null +++ b/backport-0002-coredump-get-rid-of-a-bogus-assertion.patch @@ -0,0 +1,45 @@ +From 32c4237a2bc8a29ceefbc277356e72e36889bedd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 26 May 2025 15:24:04 +0200 +Subject: [PATCH] coredump: get rid of a bogus assertion + +The check looks plausible, but when I started checking whether it needs +to be lowered for the recent changes, I realized that it doesn't make +much sense. + +context_parse_iovw() is called from a few places, e.g.: +- process_socket(), where the other side controls the contents of the + message. We already do other checks on the correctness of the message + and this assert is not needed. +- gather_pid_metadata_from_argv(), which is called after + inserting MESSAGE_ID= and PRIORITY= into the array, so there is no + direct relation between _META_ARGV_MAX and the number of args in the + iovw. +- gather_pid_metadata_from_procfs(), where we insert a bazillion fields, + but without any relation to _META_ARGV_MAX. + +Since we already separately check if the required stuff was set, drop this +misleading check. + +(cherry picked from commit 13902e025321242b1d95c6d8b4e482b37f58cdef) +(cherry picked from commit 4c424072b3cc6a68265345cef2d29a6903081dcf) +(cherry picked from commit e1afd271b5a297873008dcf54d3ce45fe2965984) +--- + src/coredump/coredump.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index c34568d502..cb7ae6673f 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -961,7 +961,6 @@ static int save_context(Context *context, const struct iovec_wrapper *iovw) { + + assert(context); + assert(iovw); +- assert(iovw->count >= _META_ARGV_MAX); + + /* The context does not allocate any memory on its own */ + +-- +2.27.0 + diff --git a/backport-CVE-2025-4598-coredump-use-d-in-kernel-core-pattern.patch b/backport-CVE-2025-4598-coredump-use-d-in-kernel-core-pattern.patch new file mode 100644 index 0000000000000000000000000000000000000000..fcae626f9fb43ae1b2cb3a2c48291c21dc5cc33a --- /dev/null +++ b/backport-CVE-2025-4598-coredump-use-d-in-kernel-core-pattern.patch @@ -0,0 +1,156 @@ +From 4de5da9505963a3c6c4b3e218b35a8e4509b0750 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 29 Apr 2025 14:47:59 +0200 +Subject: [PATCH] coredump: use %d in kernel core pattern +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The kernel provides %d which is documented as +"dump mode—same as value returned by prctl(2) PR_GET_DUMPABLE". + +We already query /proc/pid/auxv for this information, but unfortunately this +check is subject to a race, because the crashed process may be replaced by an +attacker before we read this data, for example replacing a SUID process that +was killed by a signal with another process that is not SUID, tricking us into +making the coredump of the original process readable by the attacker. + +With this patch, we effectively add one more check to the list of conditions +that need be satisfied if we are to make the coredump accessible to the user. + +Reportedy-by: Qualys Security Advisory + +(cherry-picked from commit 0c49e0049b7665bb7769a13ef346fef92e1ad4d6) +(cherry-picked from commit c58a8a6ec9817275bb4babaa2c08e0e35090d4e3) +(cherry picked from commit 19d439189ab85dd7222bdd59fd442bbcc8ea99a7) +--- + man/systemd-coredump.xml | 10 ++++++++++ + src/coredump/coredump.c | 21 ++++++++++++++++++--- + sysctl.d/50-coredump.conf.in | 2 +- + test/units/testsuite-74.coredump.sh | 5 +++++ + 4 files changed, 34 insertions(+), 4 deletions(-) + +diff --git a/man/systemd-coredump.xml b/man/systemd-coredump.xml +index 762873a..b44b398 100644 +--- a/man/systemd-coredump.xml ++++ b/man/systemd-coredump.xml +@@ -292,6 +292,16 @@ COREDUMP_FILENAME=/var/lib/systemd/coredump/core.Web….552351.….zst + + + ++ ++ COREDUMP_DUMPABLE= ++ ++ The PR_GET_DUMPABLE field as reported by the kernel, see ++ prctl2. ++ ++ ++ ++ + + COREDUMP_OPEN_FDS= + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index 986c673..ab942eb 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -98,6 +98,7 @@ typedef enum { + _META_ARGV_REQUIRED, + /* The fields below were added to kernel/core_pattern at later points, so they might be missing. */ + META_ARGV_HOSTNAME = _META_ARGV_REQUIRED, /* %h: hostname */ ++ META_ARGV_DUMPABLE, /* %d: as set by the kernel */ + /* If new fields are added, they should be added here, to maintain compatibility + * with callers which don't know about the new fields. */ + _META_ARGV_MAX, +@@ -126,6 +127,7 @@ static const char * const meta_field_names[_META_MAX] = { + [META_ARGV_TIMESTAMP] = "COREDUMP_TIMESTAMP=", + [META_ARGV_RLIMIT] = "COREDUMP_RLIMIT=", + [META_ARGV_HOSTNAME] = "COREDUMP_HOSTNAME=", ++ [META_ARGV_DUMPABLE] = "COREDUMP_DUMPABLE=", + [META_COMM] = "COREDUMP_COMM=", + [META_EXE] = "COREDUMP_EXE=", + [META_UNIT] = "COREDUMP_UNIT=", +@@ -138,6 +140,7 @@ typedef struct Context { + pid_t pid; + uid_t uid; + gid_t gid; ++ unsigned dumpable; + bool is_pid1; + bool is_journald; + } Context; +@@ -396,14 +399,16 @@ static int grant_user_access(int core_fd, const Context *context) { + if (r < 0) + return r; + +- /* We allow access if we got all the data and at_secure is not set and +- * the uid/gid matches euid/egid. */ ++ /* We allow access if dumpable on the command line was exactly 1, we got all the data, ++ * at_secure is not set, and the uid/gid match euid/egid. */ + bool ret = ++ context->dumpable == 1 && + at_secure == 0 && + uid != UID_INVALID && euid != UID_INVALID && uid == euid && + gid != GID_INVALID && egid != GID_INVALID && gid == egid; +- log_debug("Will %s access (uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)", ++ log_debug("Will %s access (dumpable=%u uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)", + ret ? "permit" : "restrict", ++ context->dumpable, + uid, euid, gid, egid, yes_no(at_secure)); + return ret; + } +@@ -990,6 +995,16 @@ static int save_context(Context *context, const struct iovec_wrapper *iovw) { + if (r < 0) + return log_error_errno(r, "Failed to parse GID \"%s\": %m", context->meta[META_ARGV_GID]); + ++ /* The value is set to contents of /proc/sys/fs/suid_dumpable, which we set to 2, ++ * if the process is marked as not dumpable, see PR_SET_DUMPABLE(2const). */ ++ if (context->meta[META_ARGV_DUMPABLE]) { ++ r = safe_atou(context->meta[META_ARGV_DUMPABLE], &context->dumpable); ++ if (r < 0) ++ return log_error_errno(r, "Failed to parse dumpable field \"%s\": %m", context->meta[META_ARGV_DUMPABLE]); ++ if (context->dumpable > 2) ++ log_notice("Got unexpected %%d/dumpable value %u.", context->dumpable); ++ } ++ + unit = context->meta[META_UNIT]; + context->is_pid1 = streq(context->meta[META_ARGV_PID], "1") || streq_ptr(unit, SPECIAL_INIT_SCOPE); + context->is_journald = streq_ptr(unit, SPECIAL_JOURNALD_SERVICE); +diff --git a/sysctl.d/50-coredump.conf.in b/sysctl.d/50-coredump.conf.in +index 90c080b..a550c87 100644 +--- a/sysctl.d/50-coredump.conf.in ++++ b/sysctl.d/50-coredump.conf.in +@@ -13,7 +13,7 @@ + # the core dump. + # + # See systemd-coredump(8) and core(5). +-kernel.core_pattern=|{{LIBEXECDIR}}/systemd-coredump %P %u %g %s %t %c %h ++kernel.core_pattern=|{{LIBEXECDIR}}/systemd-coredump %P %u %g %s %t %c %h %d + + # Allow 16 coredumps to be dispatched in parallel by the kernel. + # We collect metadata from /proc/%P/, and thus need to make sure the crashed +diff --git a/test/units/testsuite-74.coredump.sh b/test/units/testsuite-74.coredump.sh +index d9945b6..961cae6 100755 +--- a/test/units/testsuite-74.coredump.sh ++++ b/test/units/testsuite-74.coredump.sh +@@ -193,12 +193,17 @@ journalctl -b -n 1 --output=export --output-fields=MESSAGE,COREDUMP COREDUMP_EXE + /usr/lib/systemd/systemd-coredump --backtrace $$ 0 0 6 1679509900 12345 + journalctl -b -n 1 --output=export --output-fields=MESSAGE,COREDUMP COREDUMP_EXE="/usr/bin/test-dump" | + /usr/lib/systemd/systemd-coredump --backtrace $$ 0 0 6 1679509901 12345 mymachine ++journalctl -b -n 1 --output=export --output-fields=MESSAGE,COREDUMP COREDUMP_EXE="/usr/bin/test-dump" | ++ /usr/lib/systemd/systemd-coredump --backtrace $$ 0 0 6 1679509902 12345 youmachine 1 + # Wait a bit for the coredumps to get processed + timeout 30 bash -c "while [[ \$(coredumpctl list -q --no-legend $$ | wc -l) -lt 2 ]]; do sleep 1; done" + coredumpctl info $$ + coredumpctl info COREDUMP_TIMESTAMP=1679509900000000 + coredumpctl info COREDUMP_TIMESTAMP=1679509901000000 + coredumpctl info COREDUMP_HOSTNAME="mymachine" ++coredumpctl info COREDUMP_TIMESTAMP=1679509902000000 ++coredumpctl info COREDUMP_HOSTNAME="youmachine" ++coredumpctl info COREDUMP_DUMPABLE="1" + + # This used to cause a stack overflow + systemd-run -t --property CoredumpFilter=all ls /tmp +-- +2.43.0 + diff --git a/systemd.spec b/systemd.spec index 9695a1ef2616fc5672c41862ad691447ff2cd663..b02dea57079067c5e42333cc77d7d40c39693cc5 100644 --- a/systemd.spec +++ b/systemd.spec @@ -25,7 +25,7 @@ Name: systemd Url: https://systemd.io/ Version: 255 -Release: 43 +Release: 44 License: MIT and LGPLv2+ and GPLv2+ Summary: System and Service Manager @@ -105,6 +105,12 @@ Patch6651: backport-core-fix-assert-when-AddDependencyUnitFiles-is-calle.pa Patch6652: backport-CVE-2023-7008.patch Patch6653: backport-run-pass-the-pty-slave-fd-to-transient-service.patch Patch6654: backport-run-do-not-pass-the-pty-slave-fd-to-transient-servic.patch +#fix CVE-2025-4598 +Patch6655: backport-0001-coredump-restore-compatibility-with-older-patterns.patch +Patch6656: backport-0002-coredump-get-rid-of-_META_MANDATORY_MAX.patch +Patch6657: backport-CVE-2025-4598-coredump-use-d-in-kernel-core-pattern.patch +Patch6658: backport-0001-coredump-also-stop-forwarding-non-dumpable-processes.patch +Patch6659: backport-0002-coredump-get-rid-of-a-bogus-assertion.patch Patch9008: update-rtc-with-system-clock-when-shutdown.patch Patch9009: udev-add-actions-while-rename-netif-failed.patch @@ -1694,6 +1700,9 @@ fi %{_unitdir}/veritysetup.target %changelog +* Sun Jun 8 2025 Han Jinpeng - 255-44 +- Fix CVE-2025-4598 + * Mon May 26 2025 zhangyao - 255-43 - Take ownership of /var/log/lastlog from util-linux