
Bug#1052325: marked as done (bookworm-pu: package systemd/252.17-1~deb12u1)



Your message dated Sat, 07 Oct 2023 09:59:42 +0000
with message-id <E1qp462-00A4Hl-NO@coccia.debian.org>
and subject line Released with 12.2
has caused the Debian Bug report #1052325,
regarding bookworm-pu: package systemd/252.17-1~deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1052325: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052325
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-systemd-maintainers@lists.alioth.debian.org

Dear Release Team,

We would like to upload the latest stable point release of systemd 252
to bookworm-p-u. Stable release branches are maintained upstream with
the intention of providing bug fixes only and no compatibility
breakages, and with automated non-trivial CI jobs that also cover
Debian and Ubuntu. I have already uploaded to p-u.

The only fix in this release is for a minor security advisory that
affects systemd-boot on arm64/riscv64 on EFI with secure-boot enabled
(which Debian doesn't provide for sd-boot at all, so only affects local
self-signed deployments). Details at:

https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c

Debdiff attached. No packaging changes.

-- 
Kind regards,
Luca Boccassi
diff -Nru systemd-252.16/debian/changelog systemd-252.17/debian/changelog
--- systemd-252.16/debian/changelog	2023-09-09 02:24:49.000000000 +0100
+++ systemd-252.17/debian/changelog	2023-09-20 13:15:14.000000000 +0100
@@ -1,3 +1,11 @@
+systemd (252.17-1~deb12u1) bookworm; urgency=medium
+
+  * New upstream version 252.17. Fixes minor security issue in arm64
+    and riscv64 systemd-boot (EFI) with device tree blobs loading:
+    https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c
+
+ -- Luca Boccassi <bluca@debian.org>  Wed, 20 Sep 2023 13:15:14 +0100
+
 systemd (252.16-1~deb12u1) bookworm; urgency=medium
 
   * New upstream version 252.16
diff -Nru systemd-252.16/src/boot/efi/boot.c systemd-252.17/src/boot/efi/boot.c
--- systemd-252.16/src/boot/efi/boot.c	2023-09-09 02:21:12.000000000 +0100
+++ systemd-252.17/src/boot/efi/boot.c	2023-09-20 10:14:24.000000000 +0100
@@ -2402,7 +2402,9 @@
         if (err != EFI_SUCCESS)
                 return log_error_status_stall(err, L"Error loading %s: %r", entry->loader, err);
 
-        if (entry->devicetree) {
+        /* DTBs are loaded by the kernel before ExitBootServices, and they can be used to map and assign
+         * arbitrary memory ranges, so skip it when secure boot is enabled as the DTB here is unverified. */
+        if (entry->devicetree && !secure_boot_enabled()) {
                 err = devicetree_install(&dtstate, image_root, entry->devicetree);
                 if (err != EFI_SUCCESS)
                         return log_error_status_stall(err, L"Error loading %s: %r", entry->devicetree, err);
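Review bot: the new condition `entry->devicetree && !secure_boot_enabled()` silently skips the devicetree when secure boot is enabled, so an operator who configured `devicetree` in a loader entry gets no indication why their DTB was not applied. Consider adding an explicit else-branch that logs the skip (the surrounding code already has a logging path via `log_error_status_stall`), and extend the comment to say what the supported alternative is under secure boot (a DTB carried inside the signed kernel image or provided by firmware). Also double-check that `dtstate`, declared above this hunk, is still initialised and cleaned up correctly on the skip path now that `devicetree_install()` may never run.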



--- End Message ---
--- Begin Message ---
Version: 12.2

The upload requested in this bug has been released as part of 12.2.

--- End Message ---
