[Medium] Patch systemd & systemd-bootstrap for CVE-2023-7008 (#13866)

Author: akhila-guruju

SPECS/systemd/CVE-2023-7008.patch

@@ -0,0 +1,36 @@
+From cbed44badf00e62b639e1cf04955080fcc8fc35a Mon Sep 17 00:00:00 2001
+From: akhila-guruju <[email protected]>
+Date: Thu, 22 May 2025 10:35:31 +0000
+Subject: [PATCH] Address CVE-2023-7008
+
+Upstream Patch reference: https://github.com/systemd/systemd-stable/commit/4ada1290584745ab6643eece9e1756a8c0e079ca
+
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index 2ee45ff..5507fd9 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2781,7 +2781,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         if (r == 0)
+                                 continue;
+ 
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+ 
+                 return true;
+@@ -2808,7 +2808,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         /* We found the transaction that was supposed to find the SOA RR for us. It was
+                          * successful, but found no RR for us. This means we are not at a zone cut. In this
+                          * case, we require authentication if the SOA lookup was authenticated too. */
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+ 
+                 return true;
+-- 
+2.45.2
+

SPECS/systemd/fix-journald-audit-logging.patch

@@ -29,4 +29,4 @@ index a8e3b175ac49..ea535a27af7f 100644
 +        map_all_fields(p, map_fields_kernel, "_AUDIT_FIELD_", true, iovec, &n, n + N_IOVEC_AUDIT_FIELDS);
 
          server_dispatch_message(s, iovec, n, ELEMENTSOF(iovec), NULL, NULL, LOG_NOTICE, 0);
-         
+

SPECS/systemd/systemd-bootstrap.spec

@@ -1,7 +1,7 @@
 Summary:        Bootstrap version of systemd. Workaround for systemd circular dependency.
 Name:           systemd-bootstrap
 Version:        250.3
-Release:        12%{?dist}
+Release:        13%{?dist}
 License:        LGPLv2+ AND GPLv2+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -25,6 +25,7 @@ Patch3:         CVE-2022-3821.patch
 Patch4:         CVE-2022-45873.patch
 Patch5:         backport-helper-util-macros.patch
 Patch6:         CVE-2022-4415.patch
+Patch7:         CVE-2023-7008.patch
 BuildRequires:  docbook-dtd-xml
 BuildRequires:  docbook-style-xsl
 BuildRequires:  gettext
@@ -246,6 +247,9 @@ fi
 %{_datadir}/pkgconfig/udev.pc
 
 %changelog
+* Fri May 23 2025 Akhila Guruju <[email protected]> - 250.3-13
+- Patch CVE-2023-7008
+
 * Mon Mar 13 2023 Nicolas Guibourge <[email protected]> - 250.3-12
 - Add patch for CVE-2022-4415
 - Add patch backport-helper-util-macros.patch to backport needed macros for CVE-2022-4415.patch

SPECS/systemd/systemd.spec

@@ -1,7 +1,7 @@
 Summary:        Systemd-250
 Name:           systemd
 Version:        250.3
-Release:        21%{?dist}
+Release:        22%{?dist}
 License:        LGPLv2+ AND GPLv2+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -31,6 +31,7 @@ Patch8:         serve-stale-0002-resolved-Initialize-until_valid-while-storing-n
 Patch9:         mariner-2-do-not-default-zstd-journal-files-for-backwards-compatibility.patch
 Patch10:        mariner-2-force-use-of-lz4-for-coredump.patch
 Patch11:        networkd-default-use-domains.patch
+Patch12:	CVE-2023-7008.patch
 BuildRequires:  audit-devel
 BuildRequires:  cryptsetup-devel
 BuildRequires:  docbook-dtd-xml
@@ -289,6 +290,9 @@ fi
 %files lang -f %{name}.lang
 
 %changelog
+* Thu May 22 2025 Akhila Guruju <[email protected]> - 250.3-22
+- Patch CVE-2023-7008
+
 * Mon Apr 08 2024 Henry Li <[email protected]> - 250.3-21
 - Add patch to allow configurability of "UseDomains=" for networkd
 

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -554,10 +554,10 @@ sqlite-devel-3.39.2-3.cm2.aarch64.rpm
 sqlite-libs-3.39.2-3.cm2.aarch64.rpm
 swig-4.0.2-3.cm2.aarch64.rpm
 swig-debuginfo-4.0.2-3.cm2.aarch64.rpm
-systemd-bootstrap-250.3-12.cm2.aarch64.rpm
-systemd-bootstrap-debuginfo-250.3-12.cm2.aarch64.rpm
-systemd-bootstrap-devel-250.3-12.cm2.aarch64.rpm
-systemd-bootstrap-rpm-macros-250.3-12.cm2.noarch.rpm
+systemd-bootstrap-250.3-13.cm2.aarch64.rpm
+systemd-bootstrap-debuginfo-250.3-13.cm2.aarch64.rpm
+systemd-bootstrap-devel-250.3-13.cm2.aarch64.rpm
+systemd-bootstrap-rpm-macros-250.3-13.cm2.noarch.rpm
 tar-1.34-3.cm2.aarch64.rpm
 tar-debuginfo-1.34-3.cm2.aarch64.rpm
 tdnf-3.5.2-4.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -560,10 +560,10 @@ sqlite-devel-3.39.2-3.cm2.x86_64.rpm
 sqlite-libs-3.39.2-3.cm2.x86_64.rpm
 swig-4.0.2-3.cm2.x86_64.rpm
 swig-debuginfo-4.0.2-3.cm2.x86_64.rpm
-systemd-bootstrap-250.3-12.cm2.x86_64.rpm
-systemd-bootstrap-debuginfo-250.3-12.cm2.x86_64.rpm
-systemd-bootstrap-devel-250.3-12.cm2.x86_64.rpm
-systemd-bootstrap-rpm-macros-250.3-12.cm2.noarch.rpm
+systemd-bootstrap-250.3-13.cm2.x86_64.rpm
+systemd-bootstrap-debuginfo-250.3-13.cm2.x86_64.rpm
+systemd-bootstrap-devel-250.3-13.cm2.x86_64.rpm
+systemd-bootstrap-rpm-macros-250.3-13.cm2.noarch.rpm
 tar-1.34-3.cm2.x86_64.rpm
 tar-debuginfo-1.34-3.cm2.x86_64.rpm
 tdnf-3.5.2-4.cm2.x86_64.rpm