1
diff --git a/debian/changelog b/debian/changelog
2
index 26816f5..0b600be 100644
3
--- a/debian/changelog
4
+++ b/debian/changelog
5
@@ -1,3 +1,22 @@
6
1
systemd (240-6ubuntu5.7) disco; urgency=medium
7
2
8
3
  * d/p/d/Revert-udev-network-device-renaming-immediately-give.patch:
9
4
    - udev: add Revert-udev-network-device-renaming-immediately-give.patch back
10
5
      Dropping this patch will cause the persistent network regression.
11
6
      (LP: #1842651)
12
7
13
8
 -- Shih-Yuan Lee (FourDollars) <sylee@canonical.com>  Thu, 05 Sep 2019 19:01:29 +0800
14
9
15
10
systemd (240-6ubuntu5.6) disco-security; urgency=medium
16
11
17
12
  * SECURITY UPDATE: Unprivileged users are granted access to privileged
18
13
    systemd-resolved D-Bus methods
19
14
    - d/p/0001-shared-but-util-drop-trusted-annotation-from-bus_ope.patch:
20
15
      drop trusted annotation from bus_open_system_watch_bind_with_description()
21
16
    - CVE-2019-15718
22
17
23
18
 -- Chris Coulson <chris.coulson@canonical.com>  Thu, 29 Aug 2019 23:29:13 +0100
24
19
25
1
systemd (240-6ubuntu5.4) disco; urgency=medium
20
systemd (240-6ubuntu5.4) disco; urgency=medium
26
2
21
27
3
  [ You-Sheng Yang ]
22
  [ You-Sheng Yang ]
28
diff --git a/debian/patches/0001-shared-but-util-drop-trusted-annotation-from-bus_ope.patch b/debian/patches/0001-shared-but-util-drop-trusted-annotation-from-bus_ope.patch
29
4
new file mode 100644
23
new file mode 100644
30
index 0000000..8186f70
31
--- /dev/null
32
+++ b/debian/patches/0001-shared-but-util-drop-trusted-annotation-from-bus_ope.patch
33
@@ -0,0 +1,31 @@
34
1
From 35e528018f315798d3bffcb592b32a0d8f5162bd Mon Sep 17 00:00:00 2001
35
2
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
36
3
Date: Tue, 27 Aug 2019 19:00:34 +0200
37
4
Subject: [PATCH] shared/but-util: drop trusted annotation from
38
5
 bus_open_system_watch_bind_with_description()
39
6
40
7
https://bugzilla.redhat.com/show_bug.cgi?id=1746057
41
8
42
9
This only affects systemd-resolved. bus_open_system_watch_bind_with_description()
43
10
is also used in timesyncd, but it has no methods, only read-only properties, and
44
11
in networkd, but it annotates all methods with SD_BUS_VTABLE_UNPRIVILEGED and does
45
12
polkit checks.
46
13
---
47
14
 src/shared/bus-util.c | 4 ----
48
15
 1 file changed, 4 deletions(-)
49
16
50
17
diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
51
18
index 6af115e7aa..821339d4ae 100644
52
19
--- a/src/shared/bus-util.c
53
20
+++ b/src/shared/bus-util.c
54
21
@@ -1705,10 +1705,6 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri
55
22
         if (r < 0)
56
23
                 return r;
57
24
 
58
25
-        r = sd_bus_set_trusted(bus, true);
59
26
-        if (r < 0)
60
27
-                return r;
61
28
-
62
29
         r = sd_bus_negotiate_creds(bus, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS);
63
30
         if (r < 0)
64
31
                 return r;
65
diff --git a/debian/patches/debian/Revert-udev-network-device-renaming-immediately-give.patch b/debian/patches/debian/Revert-udev-network-device-renaming-immediately-give.patch
66
0
new file mode 100644
32
new file mode 100644
67
index 0000000..e8bf17b
68
--- /dev/null
69
+++ b/debian/patches/debian/Revert-udev-network-device-renaming-immediately-give.patch
70
@@ -0,0 +1,89 @@
71
1
From: Michael Biebl <biebl@debian.org>
72
2
Date: Thu, 18 Jul 2013 01:04:07 +0200
73
3
Subject: Revert "udev: network device renaming - immediately give up if the
74
4
 target name isn't available"
75
5
76
6
This reverts commit 97595710b77aa162ca5e20da57d0a1ed7355eaad.
77
7
78
8
We need to keep supporting systems with 75-persistent-net-generator.rules
79
9
generated names for a while after switching to net.ifnames. Re-apply this old
80
10
hack to make the renaming less likely to fail.
81
11
---
82
12
 src/udev/udev-event.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++-----
83
13
 1 file changed, 46 insertions(+), 5 deletions(-)
84
14
85
15
diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c
86
16
index 07b7365..f67b295 100644
87
17
--- a/src/udev/udev-event.c
88
18
+++ b/src/udev/udev-event.c
89
19
@@ -680,6 +680,7 @@ static int rename_netif(UdevEvent *event) {
90
20
         const char *action, *oldname;
91
21
         char name[IFNAMSIZ];
92
22
         int ifindex, r;
93
23
+        int loop;
94
24
 
95
25
         if (!event->name)
96
26
                 return 0; /* No new name is requested. */
97
27
@@ -705,17 +706,57 @@ static int rename_netif(UdevEvent *event) {
98
28
                 return log_device_error_errno(dev, r, "Failed to get ifindex: %m");
99
29
 
100
30
         strscpy(name, IFNAMSIZ, event->name);
101
31
+
102
32
         r = rtnl_set_link_name(&event->rtnl, ifindex, name);
103
33
-        if (r < 0)
104
34
-                return log_device_error_errno(dev, r, "Failed to rename network interface %i from '%s' to '%s': %m", ifindex, oldname, name);
105
35
+        if (r >= 0) {
106
36
+                r = device_rename(dev, event->name);
107
37
+                if (r < 0)
108
38
+                        return log_warning_errno(r, "Network interface %i is renamed from '%s' to '%s', but could not update sd_device object: %m", ifindex, oldname, name);
109
39
+
110
40
+                log_device_debug(dev, "Network interface %i is renamed from '%s' to '%s'", ifindex, oldname, name);
111
41
+
112
42
+                return 1;
113
43
+        }
114
44
+
115
45
+        /* keep trying if the destination interface name already exists */
116
46
+        if (r != -EEXIST)
117
47
+                goto out;
118
48
 
119
49
-        r = device_rename(dev, event->name);
120
50
+        /* free our own name, another process may wait for us */
121
51
+        snprintf(name, IFNAMSIZ, "rename%u", ifindex);
122
52
+        r = rtnl_set_link_name(&event->rtnl, ifindex, name);
123
53
         if (r < 0)
124
54
-                return log_warning_errno(r, "Network interface %i is renamed from '%s' to '%s', but could not update sd_device object: %m", ifindex, oldname, name);
125
55
+                goto out;
126
56
 
127
57
+        /* log temporary name */
128
58
         log_device_debug(dev, "Network interface %i is renamed from '%s' to '%s'", ifindex, oldname, name);
129
59
 
130
60
-        return 1;
131
61
+        /* wait a maximum of 90 seconds for our target to become available */
132
62
+        strscpy(name, IFNAMSIZ, event->name);
133
63
+        loop = 90 * 20;
134
64
+        while (loop--) {
135
65
+                const struct timespec duration = { 0, 1000 * 1000 * 1000 / 20 };
136
66
+
137
67
+                nanosleep(&duration, NULL);
138
68
+
139
69
+                r = rtnl_set_link_name(&event->rtnl, ifindex, name);
140
70
+                if (r >= 0) {
141
71
+                        r = device_rename(dev, event->name);
142
72
+                        if (r < 0)
143
73
+                                return log_warning_errno(r, "Network interface %i is renamed from '%s' to '%s', but could not update sd_device object: %m", ifindex, oldname, name);
144
74
+
145
75
+                        log_device_debug(dev, "Network interface %i is renamed from '%s' to '%s'", ifindex, oldname, name);
146
76
+
147
77
+                        return 1;
148
78
+                }
149
79
+                if (r != -EEXIST)
150
80
+                        goto out;
151
81
+        }
152
82
+
153
83
+out:
154
84
+        if (r < 0)
155
85
+                return log_device_error_errno(dev, r, "Failed to rename network interface %i from '%s' to '%s': %m", ifindex, oldname, name);
156
86
+        return r;
157
87
 }
158
88
 
159
89
 static int update_devnode(UdevEvent *event) {
160
diff --git a/debian/patches/series b/debian/patches/series
161
index 3a69a3a..eaf2648 100644
162
--- a/debian/patches/series
163
+++ b/debian/patches/series
164
@@ -54,6 +54,7 @@ core-when-we-uninstall-a-job-add-unit-to-dbus-queue.patch
165
54
debian/Use-Debian-specific-config-files.patch
54
debian/Use-Debian-specific-config-files.patch
166
55
debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
55
debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
167
56
debian/Make-run-lock-tmpfs-an-API-fs.patch
56
debian/Make-run-lock-tmpfs-an-API-fs.patch
168
57
debian/Revert-udev-network-device-renaming-immediately-give.patch
169
57
debian/Add-support-for-TuxOnIce-hibernation.patch
58
debian/Add-support-for-TuxOnIce-hibernation.patch
170
58
debian/Re-enable-journal-forwarding-to-syslog.patch
59
debian/Re-enable-journal-forwarding-to-syslog.patch
171
59
debian/Don-t-enable-audit-by-default.patch
60
debian/Don-t-enable-audit-by-default.patch
172
@@ -149,3 +150,4 @@ ask-password-prevent-buffer-overrow-when-reading-fro.patch
173
149
rdrand-workaround-on-amd.patch
150
rdrand-workaround-on-amd.patch
174
150
lp1835581-src-network-networkd-dhcp4.c-set-prefsrc-for-classle.patch
151
lp1835581-src-network-networkd-dhcp4.c-set-prefsrc-for-classle.patch
175
151
lp1668771-resolved-switch-cache-option-to-a-tri-state-option-s.patch
152
lp1668771-resolved-switch-cache-option-to-a-tri-state-option-s.patch
176
153
0001-shared-but-util-drop-trusted-annotation-from-bus_ope.patch
Reviewer	Review Type	Date Requested	Status
Robert Ancell (community)		2019-09-05	Approve on 2019-09-06
Review via email: mp+372334@code.launchpad.net