Patches for CVE-2019-6454

sources

@@ -1 +1 @@
-SHA512 (systemd-0e0aa59.tar.gz) = e904aaf5e5427413894816614cc60f453bd43335654f39356c55345bdc8fd0876d0a234a1e4658632747db5a2fbe395bf145bf9dbef3354a55f339f66e821027
+SHA512 (systemd-07f8cd5.tar.gz) = 784bf49da7e79008c67e9496ec2143a5c4672c49296194f75106447b8f9c0893d17a56ff3b2c32cf1074d564cec4453161dafcc8d57029b921a79de858bf57c8

systemd.spec

@@ -1,4 +1,4 @@
-%global gitcommit 0e0aa590a8ba759679efbd72e92c0ba4811aa1ec
+%global gitcommit 07f8cd571e22e892d68932fe9e7fcf92c7ca7d5c
 %{?gitcommit:%global gitcommitshort %(c=%{gitcommit}; echo ${c:0:7})}
 
 # We ship a .pc file but don't want to have a dep on pkg-config. We
@@ -13,7 +13,7 @@
 Name:           systemd
 Url:            http://www.freedesktop.org/wiki/Software/systemd
 Version:        238
-Release:        8%{?gitcommit:.git%{gitcommitshort}}%{?dist}
+Release:        12%{?gitcommit:.git%{gitcommitshort}}%{?dist}
 # For a breakdown of the licensing, see README
 License:        LGPLv2+ and MIT and GPLv2+
 Summary:        System and Service Manager
@@ -701,6 +701,36 @@ fi
 %files tests -f .file-list-tests
 
 %changelog
+* Wed Feb 20 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 238-12.git07f8cd5
+- Properly validate dbus paths received over dbus (#1678394, CVE-2019-6454)
+- systemd-networkd fixes: keep bond slave up if already attached, keep existing
+  ip addresses and routes
+
+* Fri Jan 11 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 238-11.gita76ee90
+- systemd-journald and systemd-journal-remote reject entries which
+  contain too many fields (CVE-2018-16865, #1664973) and set limits on the
+  process' command line length (CVE-2018-16864, #1664972)
+- Fix out-of-bounds read when parsing a crafted syslog message in systemd-journald
+  (CVE-2018-16866, #1664975)
+
+* Mon Oct 29 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 238-10.git438ac26
+- Fix a local vulnerability from a race condition in chown-recursive (CVE-2018-15687, #1643367)
+- Fix a local vulnerability from invalid handling of long lines in state deserialization (CVE-2018-15686, #1643372)
+- Fix a remote vulnerability in DHCPv6 in systemd-networkd (CVE-2018-15688, #1643362)
+- Downgrade logging of various messages and add loging in other places
+- Many many fixes in error handling and minor memory leaks and such
+- Fix typos and omissions in documentation
+- Various smaller improvements to unit ordering and dependencies
+- Handling of invalid (intentionally corrupt) dbus messages is improved, fixing potential local DOS avenues
+- The target of symlinks links in .wants/ and .requires/ is now ignored. This fixes an issue where
+  the unit file would sometimes be loaded from such a symlink, leading to non-deterministic unit contents.
+- Filtering of kernel threads is improved. This fixes an issues with newer kernels where hybrid kernel/user
+  threads are used by bpfilter.
+- Catalog entries for the journal are improved (#1639482)
+
+* Wed Jul 18 2018 Terje Rosten <terje.rosten@ntnu.no> - 238-9.git0e0aa59
+- Ignore return value from systemd-binfmt in scriptlet (#1565425)
+
 * Fri May 11 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 238-8.git0e0aa59
 - Backport a number of patches (documentation, hwdb updates)
 - Fixes for tmpfiles 'e' entries

triggers.systemd

@@ -105,5 +105,7 @@ fi
 # This script will automatically apply binfmt rules if files have been
 # installed or updated in /usr/lib/binfmt.d.
 if test -d /run/systemd/system; then
-  /usr/lib/systemd/systemd-binfmt
+  # systemd-binfmt might fail if binfmt_misc kernel module is not loaded
+  # during install
+  /usr/lib/systemd/systemd-binfmt || :
 fi