[Medium] Patch systemd-bootstrap for CVE-2023-7008 (#13883)

akhila-guruju · web-flow · commit 0eca4fc24820 · 2025-08-11T13:40:41.000+05:30
diff --git a/SPECS/systemd-bootstrap/CVE-2023-7008.patch b/SPECS/systemd-bootstrap/CVE-2023-7008.patch
@@ -0,0 +1,36 @@
+From cbed44badf00e62b639e1cf04955080fcc8fc35a Mon Sep 17 00:00:00 2001
+From: akhila-guruju <v-guakhila@microsoft.com>
+Date: Thu, 22 May 2025 10:35:31 +0000
+Subject: [PATCH] Address CVE-2023-7008
+
+Upstream Patch reference: https://github.com/systemd/systemd-stable/commit/4ada1290584745ab6643eece9e1756a8c0e079ca
+
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index 2ee45ff..5507fd9 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2781,7 +2781,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         if (r == 0)
+                                 continue;
+ 
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+ 
+                 return true;
+@@ -2808,7 +2808,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         /* We found the transaction that was supposed to find the SOA RR for us. It was
+                          * successful, but found no RR for us. This means we are not at a zone cut. In this
+                          * case, we require authentication if the SOA lookup was authenticated too. */
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+ 
+                 return true;
+-- 
+2.45.2
+
diff --git a/SPECS/systemd-bootstrap/fix-journald-audit-logging.patch b/SPECS/systemd-bootstrap/fix-journald-audit-logging.patch
@@ -29,4 +29,4 @@ index a8e3b175ac49..ea535a27af7f 100644
 +        map_all_fields(p, map_fields_kernel, "_AUDIT_FIELD_", true, iovec, &n, n + N_IOVEC_AUDIT_FIELDS);
  
          server_dispatch_message(s, iovec, n, ELEMENTSOF(iovec), NULL, NULL, LOG_NOTICE, 0);
-         
+
diff --git a/SPECS/systemd-bootstrap/systemd-bootstrap.spec b/SPECS/systemd-bootstrap/systemd-bootstrap.spec
@@ -1,7 +1,7 @@
 Summary:        Bootstrap version of systemd. Workaround for systemd circular dependency.
 Name:           systemd-bootstrap
 Version:        250.3
-Release:        17%{?dist}
+Release:        18%{?dist}
 License:        LGPLv2+ AND GPLv2+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -48,6 +48,7 @@ Patch7:         update-cifs-for-kernel-headers-6.1.patch
 #    5. Repeat from 2. as needed until it builds
 #    6. Build both systemd and systemd-bootstrap, validate the contents of systemd-rpm-macros and system-bootstrap-rpm-macros are identical
 Patch8:         use-255-macros.patch
+Patch9:         CVE-2023-7008.patch
 BuildRequires:  docbook-dtd-xml
 BuildRequires:  docbook-style-xsl
 BuildRequires:  gettext
@@ -285,6 +286,9 @@ fi
 %{_datadir}/pkgconfig/udev.pc
 
 %changelog
+* Fri May 23 2025 Akhila Guruju <v-guakhila@microsoft.com> - 250.3-18
+- Patch CVE-2023-7008
+
 * Mon Mar 11 2024 Daniel McIlvaney <damcilva@microsoft.com> - 250.3-17
 - Split libs into their own subpackage to align with full systemd.
 
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -579,11 +579,11 @@ sqlite-devel-3.44.0-1.azl3.aarch64.rpm
 sqlite-libs-3.44.0-1.azl3.aarch64.rpm
 swig-4.2.1-1.azl3.aarch64.rpm
 swig-debuginfo-4.2.1-1.azl3.aarch64.rpm
-systemd-bootstrap-250.3-17.azl3.aarch64.rpm
-systemd-bootstrap-debuginfo-250.3-17.azl3.aarch64.rpm
-systemd-bootstrap-devel-250.3-17.azl3.aarch64.rpm
-systemd-bootstrap-libs-250.3-17.azl3.aarch64.rpm
-systemd-bootstrap-rpm-macros-250.3-17.azl3.noarch.rpm
+systemd-bootstrap-250.3-18.azl3.aarch64.rpm
+systemd-bootstrap-debuginfo-250.3-18.azl3.aarch64.rpm
+systemd-bootstrap-devel-250.3-18.azl3.aarch64.rpm
+systemd-bootstrap-libs-250.3-18.azl3.aarch64.rpm
+systemd-bootstrap-rpm-macros-250.3-18.azl3.noarch.rpm
 tar-1.35-2.azl3.aarch64.rpm
 tar-debuginfo-1.35-2.azl3.aarch64.rpm
 tdnf-3.5.8-7.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -587,11 +587,11 @@ sqlite-devel-3.44.0-1.azl3.x86_64.rpm
 sqlite-libs-3.44.0-1.azl3.x86_64.rpm
 swig-4.2.1-1.azl3.x86_64.rpm
 swig-debuginfo-4.2.1-1.azl3.x86_64.rpm
-systemd-bootstrap-250.3-17.azl3.x86_64.rpm
-systemd-bootstrap-debuginfo-250.3-17.azl3.x86_64.rpm
-systemd-bootstrap-devel-250.3-17.azl3.x86_64.rpm
-systemd-bootstrap-libs-250.3-17.azl3.x86_64.rpm
-systemd-bootstrap-rpm-macros-250.3-17.azl3.noarch.rpm
+systemd-bootstrap-250.3-18.azl3.x86_64.rpm
+systemd-bootstrap-debuginfo-250.3-18.azl3.x86_64.rpm
+systemd-bootstrap-devel-250.3-18.azl3.x86_64.rpm
+systemd-bootstrap-libs-250.3-18.azl3.x86_64.rpm
+systemd-bootstrap-rpm-macros-250.3-18.azl3.noarch.rpm
 tar-1.35-2.azl3.x86_64.rpm
 tar-debuginfo-1.35-2.azl3.x86_64.rpm
 tdnf-3.5.8-7.azl3.x86_64.rpm
