Merge ~enr0n/ubuntu/+source/systemd:ubuntu-focal-sru into ~ubuntu-core-dev/ubuntu/+source/systemd:ubuntu-focal

Proposed by Nick Rosbrook
Status: Merged
Merged at revision: c01b87ac960331a1e79815b2a643753af074614e
Proposed branch: ~enr0n/ubuntu/+source/systemd:ubuntu-focal-sru
Merge into: ~ubuntu-core-dev/ubuntu/+source/systemd:ubuntu-focal
Diff against target: 508 lines (+444/-10)
5 files modified
debian/changelog (+18/-6)
debian/patches/CVE-2022-3821.patch (+37/-0)
debian/patches/CVE-2022-4415.patch (+386/-0)
debian/patches/series (+2/-0)
debian/tests/boot-and-services (+1/-4)
Reviewers:
Lukas Märdian: Approve
Review via email: mp+438988@code.launchpad.net

Description of the change

Re-upload these changes with a new version number due to the recent security update. Also address an SRU review comment to tweak the workaround for LP: #1991285.

Lukas Märdian (slyon) wrote :

Thanks. Security matches what we have in the archive (git-ubuntu).
The is_container check looks good to me after reading the SRU discussion.

Nice job of keeping a clean fast-forward git history, with using this squashed revert commit!

review: Approve
Lukas Märdian (slyon) wrote :

I pushed the corresponding branch & tags to our git repo and sponsored the upload:
https://launchpad.net/ubuntu/focal/+queue?queue_state=1&queue_text=systemd

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 0edd425..9185ef8 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,4 +1,4 @@
6-systemd (245.4-4ubuntu3.20) focal; urgency=medium
7+systemd (245.4-4ubuntu3.21) focal; urgency=medium
8
9 * udev: avoid NIC renaming race with kernel (LP: #2002445)
10 Files:
11@@ -7,16 +7,28 @@ systemd (245.4-4ubuntu3.20) focal; urgency=medium
12 - debian/patches/lp2002445-sd-netlink-restore-altname-on-error-in-rtnl_set_link_name.patch
13 - debian/patches/lp2002445-udev-attempt-device-rename-even-if-interface-is-up.patch
14 - debian/patches/lp2002445-udev-net-allow-new-link-name-as-an-altname-before-renamin.patch
15- https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=e34409f9d68a15220aa36cbae219d4f4987e5207
16+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=69ab4a02e828e20ea0ddbd75179324df7a8d1175
17 * test-seccomp: accept ENOSYS from sysctl(2) too (LP: #1933090)
18 Thanks to Roxana Nicolescu
19 File: debian/patches/lp1933090-test-seccomp-accept-ENOSYS-from-sysctl-2-too.patch
20- https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=706f2e0c787cade9609d0f2b37634d7eb4517beb
21- * debian/test: ignore systemd-remount-fs.service failure on armhf (LP: #1991285)
22+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=adaddd1441370ebcdb8bc33d7406b95d85b744f9
23+ * debian/test: ignore systemd-remount-fs.service failure in containers (LP: #1991285)
24 File: debian/tests/boot-and-services
25- https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=cddc66ef6ecfb555dfd38c5f5fe8572efb424114
26+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=264bdc86f1e4dcd10e8d914d095581c54c33199a
27
28- -- Nick Rosbrook <nick.rosbrook@canonical.com> Mon, 27 Feb 2023 10:11:13 -0500
29+ -- Nick Rosbrook <nick.rosbrook@canonical.com> Wed, 15 Mar 2023 11:04:15 -0400
30+
31+systemd (245.4-4ubuntu3.20) focal-security; urgency=medium
32+
33+ * SECURITY UPDATE: buffer overrun vulnerability in format_timespan()
34+ - debian/patches/CVE-2022-3821.patch: time-util: fix buffer-over-run
35+ - CVE-2022-3821
36+ * SECURITY UPDATE: information leak vulnerability in systemd-coredump
37+ - debian/patches/CVE-2022-4415.patch: do not allow user to access
38+ coredumps with changed uid/gid/capabilities
39+ - CVE-2022-4415
40+
41+ -- Nishit Majithia <nishit.majithia@canonical.com> Thu, 02 Mar 2023 18:28:02 +0530
42
43 systemd (245.4-4ubuntu3.19) focal; urgency=medium
44
45diff --git a/debian/patches/CVE-2022-3821.patch b/debian/patches/CVE-2022-3821.patch
46new file mode 100644
47index 0000000..e7ee561
48--- /dev/null
49+++ b/debian/patches/CVE-2022-3821.patch
50@@ -0,0 +1,37 @@
51+ Origin: bakcport, https://github.com/systemd/systemd/commit/9102c625a673a3246d7e73d8737f3494446bad4e
52+
53+From 9102c625a673a3246d7e73d8737f3494446bad4e Mon Sep 17 00:00:00 2001
54+From: Yu Watanabe <watanabe.yu+github@gmail.com>
55+Date: Thu, 7 Jul 2022 18:27:02 +0900
56+Subject: [PATCH] time-util: fix buffer-over-run
57+
58+Fixes #23928.
59+---
60+ src/basic/time-util.c | 2 +-
61+ src/test/test-time-util.c | 5 +++++
62+ 2 files changed, 6 insertions(+), 1 deletion(-)
63+
64+--- systemd-245.4.orig/src/basic/time-util.c
65++++ systemd-245.4/src/basic/time-util.c
66+@@ -514,7 +514,7 @@ char *format_timespan(char *buf, size_t
67+ t = b;
68+ }
69+
70+- n = MIN((size_t) k, l);
71++ n = MIN((size_t) k, l-1);
72+
73+ l -= n;
74+ p += n;
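Review bot: `l-1` in `n = MIN((size_t) k, l-1);` wraps around to a huge value if `l` is 0 when this line runs, because `l` is compared against `(size_t) k` as an unsigned length, and `MIN` would then pick `k` unclamped exactly as before the fix. With this change `l -= n;` can no longer bring `l` down to 0 on its own, so the remaining way in is a caller passing a zero-length buffer. The hunk shows no guard for that, so please confirm the function rejects or exits early on `l == 0` before reaching this line, or add an explicit check ahead of the subtraction.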
75+--- systemd-245.4.orig/src/test/test-time-util.c
76++++ systemd-245.4/src/test/test-time-util.c
77+@@ -520,5 +520,10 @@ int main(int argc, char *argv[]) {
78+ x++;
79+ assert((time_t) x < 0);
80+
81++ /* See issue #23928. */
82++ _cleanup_free_ char *buf;
83++ assert_se(buf = new(char, 5));
84++ assert_se(buf == format_timespan(buf, 5, 100005, 1000));
85++
86+ return 0;
87+ }
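Review bot: The new test at lines 81-84 of the preview diff only asserts that `format_timespan(buf, 5, 100005, 1000)` returns `buf`, which says nothing about what was written into the 5-byte allocation, so it presumably catches the overrun only when the test run is instrumented to detect out-of-bounds writes. Asserting on the result as well, for example that `strlen(buf) < 5`, would make a regression visible in a plain build. Separately, the `Origin:` tag on line 51 is spelled `bakcport`, while CVE-2022-4415.patch uses `backport`; tools that read that header will not match the misspelled value.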
88diff --git a/debian/patches/CVE-2022-4415.patch b/debian/patches/CVE-2022-4415.patch
89new file mode 100644
90index 0000000..527b156
91--- /dev/null
92+++ b/debian/patches/CVE-2022-4415.patch
93@@ -0,0 +1,386 @@
94+ Origin: backport, https://github.com/systemd/systemd-stable/commit/bb47600aeb38c68c857fbf0ee5f66c3144dd81ce
95+
96+From bb47600aeb38c68c857fbf0ee5f66c3144dd81ce Mon Sep 17 00:00:00 2001
97+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
98+Date: Mon, 28 Nov 2022 12:12:55 +0100
99+Subject: [PATCH] coredump: do not allow user to access coredumps with changed
100+ uid/gid/capabilities
101+
102+When the user starts a program which elevates its permissions via setuid,
103+setgid, or capabilities set on the file, it may access additional information
104+which would then be visible in the coredump. We shouldn't make the the coredump
105+visible to the user in such cases.
106+
107+Reported-by: Matthias Gerstner <mgerstner@suse.de>
108+
109+This reads the /proc/<pid>/auxv file and attaches it to the process metadata as
110+PROC_AUXV. Before the coredump is submitted, it is parsed and if either
111+at_secure was set (which the kernel will do for processes that are setuid,
112+setgid, or setcap), or if the effective uid/gid don't match uid/gid, the file
113+is not made accessible to the user. If we can't access this data, we assume the
114+file should not be made accessible either. In principle we could also access
115+the auxv data from a note in the core file, but that is much more complex and
116+it seems better to use the stand-alone file that is provided by the kernel.
117+
118+Attaching auxv is both convient for this patch (because this way it's passed
119+between the stages along with other fields), but I think it makes sense to save
120+it in general.
121+
122+We use the information early in the core file to figure out if the program was
123+32-bit or 64-bit and its endianness. This way we don't need heuristics to guess
124+whether the format of the auxv structure. This test might reject some cases on
125+fringe architecutes. But the impact would be limited: we just won't grant the
126+user permissions to view the coredump file. If people report that we're missing
127+some cases, we can always enhance this to support more architectures.
128+
129+I tested auxv parsing on amd64, 32-bit program on amd64, arm64, arm32, and
130+ppc64el, but not the whole coredump handling.
131+
132+(cherry picked from commit 3e4d0f6cf99f8677edd6a237382a65bfe758de03)
133+(cherry picked from commit 9b75a3d0502d6741c8ecb7175794345f8eb3827c)
134+(cherry picked from commit efca5283dc791a07171f80eef84e14fdb58fad57)
135+(cherry picked from commit 1d5e0e9910500f3c3584485f77bfc35e601036e3)
136+(cherry picked from commit 8215e1527d859e77dd1378fd7e42bbd32130edb3)
137+(cherry picked from commit 786df410b1cb3a2294c9a5d118c958525e7439e6)
138+---
139+ src/basic/io-util.h | 9 ++
140+ src/coredump/coredump.c | 196 +++++++++++++++++++++++++++++++++++++---
141+ 2 files changed, 192 insertions(+), 13 deletions(-)
142+
143+--- systemd-245.4.orig/src/basic/io-util.h
144++++ systemd-245.4/src/basic/io-util.h
145+@@ -85,7 +85,16 @@ struct iovec_wrapper *iovw_new(void);
146+ struct iovec_wrapper *iovw_free(struct iovec_wrapper *iovw);
147+ struct iovec_wrapper *iovw_free_free(struct iovec_wrapper *iovw);
148+ void iovw_free_contents(struct iovec_wrapper *iovw, bool free_vectors);
149++
150+ int iovw_put(struct iovec_wrapper *iovw, void *data, size_t len);
151++static inline int iovw_consume(struct iovec_wrapper *iovw, void *data, size_t len) {
152++ /* Move data into iovw or free on error */
153++ int r = iovw_put(iovw, data, len);
154++ if (r < 0)
155++ free(data);
156++ return r;
157++}
158++
159+ int iovw_put_string_field(struct iovec_wrapper *iovw, const char *field, const char *value);
160+ int iovw_put_string_field_free(struct iovec_wrapper *iovw, const char *field, char *value);
161+ void iovw_rebase(struct iovec_wrapper *iovw, char *old, char *new);
162+--- systemd-245.4.orig/src/coredump/coredump.c
163++++ systemd-245.4/src/coredump/coredump.c
164+@@ -3,6 +3,7 @@
165+ #include <errno.h>
166+ #include <stdio.h>
167+ #include <sys/prctl.h>
168++#include <sys/auxv.h>
169+ #include <sys/xattr.h>
170+ #include <unistd.h>
171+
172+@@ -95,6 +96,7 @@ enum {
173+
174+ META_EXE = _META_MANDATORY_MAX,
175+ META_UNIT,
176++ META_PROC_AUXV,
177+ _META_MAX
178+ };
179+
180+@@ -109,10 +111,12 @@ static const char * const meta_field_nam
181+ [META_COMM] = "COREDUMP_COMM=",
182+ [META_EXE] = "COREDUMP_EXE=",
183+ [META_UNIT] = "COREDUMP_UNIT=",
184++ [META_PROC_AUXV] = "COREDUMP_PROC_AUXV=",
185+ };
186+
187+ typedef struct Context {
188+ const char *meta[_META_MAX];
189++ size_t meta_size[_META_MAX];
190+ pid_t pid;
191+ bool is_pid1;
192+ bool is_journald;
193+@@ -171,7 +175,9 @@ static uint64_t storage_size_max(void) {
194+ return 0;
195+ }
196+
197+-static int fix_acl(int fd, uid_t uid) {
198++static int fix_acl(int fd, uid_t uid, bool allow_user) {
199++ assert(fd >= 0);
200++ assert(uid_is_valid(uid));
201+
202+ #if HAVE_ACL
203+ _cleanup_(acl_freep) acl_t acl = NULL;
204+@@ -179,7 +185,9 @@ static int fix_acl(int fd, uid_t uid) {
205+ acl_permset_t permset;
206+ int r;
207+
208+- assert(fd >= 0);
209++ /* We don't allow users to read coredumps if the uid or capabilities were changed. */
210++ if (!allow_user)
211++ return 0;
212+
213+ if (uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY)
214+ return 0;
215+@@ -258,7 +266,8 @@ static int fix_permissions(
216+ const char *filename,
217+ const char *target,
218+ const Context *context,
219+- uid_t uid) {
220++ uid_t uid,
221++ bool allow_user) {
222+
223+ int r;
224+
225+@@ -268,7 +277,7 @@ static int fix_permissions(
226+
227+ /* Ignore errors on these */
228+ (void) fchmod(fd, 0640);
229+- (void) fix_acl(fd, uid);
230++ (void) fix_acl(fd, uid, allow_user);
231+ (void) fix_xattr(fd, context);
232+
233+ if (fsync(fd) < 0)
234+@@ -339,6 +348,153 @@ static int make_filename(const Context *
235+ return 0;
236+ }
237+
238++static int parse_auxv64(
239++ const uint64_t *auxv,
240++ size_t size_bytes,
241++ int *at_secure,
242++ uid_t *uid,
243++ uid_t *euid,
244++ gid_t *gid,
245++ gid_t *egid) {
246++
247++ assert(auxv || size_bytes == 0);
248++
249++ if (size_bytes % (2 * sizeof(uint64_t)) != 0)
250++ return log_warning_errno(SYNTHETIC_ERRNO(EIO), "Incomplete auxv structure (%zu bytes).", size_bytes);
251++
252++ size_t words = size_bytes / sizeof(uint64_t);
253++
254++ /* Note that we set output variables even on error. */
255++
256++ for (size_t i = 0; i + 1 < words; i += 2)
257++ switch (auxv[i]) {
258++ case AT_SECURE:
259++ *at_secure = auxv[i + 1] != 0;
260++ break;
261++ case AT_UID:
262++ *uid = auxv[i + 1];
263++ break;
264++ case AT_EUID:
265++ *euid = auxv[i + 1];
266++ break;
267++ case AT_GID:
268++ *gid = auxv[i + 1];
269++ break;
270++ case AT_EGID:
271++ *egid = auxv[i + 1];
272++ break;
273++ case AT_NULL:
274++ if (auxv[i + 1] != 0)
275++ goto error;
276++ return 0;
277++ }
278++ error:
279++ return log_warning_errno(SYNTHETIC_ERRNO(ENODATA),
280++ "AT_NULL terminator not found, cannot parse auxv structure.");
281++}
282++
283++static int parse_auxv32(
284++ const uint32_t *auxv,
285++ size_t size_bytes,
286++ int *at_secure,
287++ uid_t *uid,
288++ uid_t *euid,
289++ gid_t *gid,
290++ gid_t *egid) {
291++
292++ assert(auxv || size_bytes == 0);
293++
294++ size_t words = size_bytes / sizeof(uint32_t);
295++
296++ if (size_bytes % (2 * sizeof(uint32_t)) != 0)
297++ return log_warning_errno(SYNTHETIC_ERRNO(EIO), "Incomplete auxv structure (%zu bytes).", size_bytes);
298++
299++ /* Note that we set output variables even on error. */
300++
301++ for (size_t i = 0; i + 1 < words; i += 2)
302++ switch (auxv[i]) {
303++ case AT_SECURE:
304++ *at_secure = auxv[i + 1] != 0;
305++ break;
306++ case AT_UID:
307++ *uid = auxv[i + 1];
308++ break;
309++ case AT_EUID:
310++ *euid = auxv[i + 1];
311++ break;
312++ case AT_GID:
313++ *gid = auxv[i + 1];
314++ break;
315++ case AT_EGID:
316++ *egid = auxv[i + 1];
317++ break;
318++ case AT_NULL:
319++ if (auxv[i + 1] != 0)
320++ goto error;
321++ return 0;
322++ }
323++ error:
324++ return log_warning_errno(SYNTHETIC_ERRNO(ENODATA),
325++ "AT_NULL terminator not found, cannot parse auxv structure.");
326++}
327++
328++static int grant_user_access(int core_fd, const Context *context) {
329++ int at_secure = -1;
330++ uid_t uid = UID_INVALID, euid = UID_INVALID;
331++ uid_t gid = GID_INVALID, egid = GID_INVALID;
332++ int r;
333++
334++ assert(core_fd >= 0);
335++ assert(context);
336++
337++ if (!context->meta[META_PROC_AUXV])
338++ return log_warning_errno(SYNTHETIC_ERRNO(ENODATA), "No auxv data, not adjusting permissions.");
339++
340++ uint8_t elf[EI_NIDENT];
341++ errno = 0;
342++ if (pread(core_fd, &elf, sizeof(elf), 0) != sizeof(elf))
343++ return log_warning_errno(errno_or_else(EIO),
344++ "Failed to pread from coredump fd: %s", errno != 0 ? strerror_safe(errno) : "Unexpected EOF");
345++
346++ if (elf[EI_MAG0] != ELFMAG0 ||
347++ elf[EI_MAG1] != ELFMAG1 ||
348++ elf[EI_MAG2] != ELFMAG2 ||
349++ elf[EI_MAG3] != ELFMAG3 ||
350++ elf[EI_VERSION] != EV_CURRENT)
351++ return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN),
352++ "Core file does not have ELF header, not adjusting permissions.");
353++ if (!IN_SET(elf[EI_CLASS], ELFCLASS32, ELFCLASS64) ||
354++ !IN_SET(elf[EI_DATA], ELFDATA2LSB, ELFDATA2MSB))
355++ return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN),
356++ "Core file has strange ELF class, not adjusting permissions.");
357++
358++ if ((elf[EI_DATA] == ELFDATA2LSB) != (__BYTE_ORDER == __LITTLE_ENDIAN))
359++ return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN),
360++ "Core file has non-native endianness, not adjusting permissions.");
361++
362++ if (elf[EI_CLASS] == ELFCLASS64)
363++ r = parse_auxv64((const uint64_t*) context->meta[META_PROC_AUXV],
364++ context->meta_size[META_PROC_AUXV],
365++ &at_secure, &uid, &euid, &gid, &egid);
366++ else
367++ r = parse_auxv32((const uint32_t*) context->meta[META_PROC_AUXV],
368++ context->meta_size[META_PROC_AUXV],
369++ &at_secure, &uid, &euid, &gid, &egid);
370++ if (r < 0)
371++ return r;
372++
373++ /* We allow access if we got all the data and at_secure is not set and
374++ * the uid/gid matches euid/egid. */
375++ bool ret =
376++ at_secure == 0 &&
377++ uid != UID_INVALID && euid != UID_INVALID && uid == euid &&
378++ gid != GID_INVALID && egid != GID_INVALID && gid == egid;
379++ log_debug("Will %s access (uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)",
380++ ret ? "permit" : "restrict",
381++ uid, euid, gid, egid, yes_no(at_secure));
382++ return ret;
383++}
384++
385+ static int save_external_coredump(
386+ const Context *context,
387+ int input_fd,
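Review bot: In `grant_user_access()`, `uid_t gid = GID_INVALID, egid = GID_INVALID;` declares the group ids as `uid_t`, although they are initialised from `GID_INVALID` and passed as `&gid, &egid` to the `gid_t *` parameters of `parse_auxv64()` and `parse_auxv32()`. This should read `gid_t gid = GID_INVALID, egid = GID_INVALID;`. A smaller point in the same hunk: `parse_auxv32()` computes `words` before the size check while `parse_auxv64()` computes it after, and keeping the two otherwise identical bodies in the same order would make the duplicated code easier to compare. The fail-closed behaviour itself (any parse error or missing field leads to "restrict") reads correctly.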
388+@@ -404,6 +560,8 @@ static int save_external_coredump(
389+ goto fail;
390+ }
391+ *ret_truncated = r == 1;
392++ bool allow_user = grant_user_access(fd, context) > 0;
393++
394+ if (*ret_truncated)
395+ log_struct(LOG_INFO,
396+ LOG_MESSAGE("Core file was truncated to %zu bytes.", max_size),
397+@@ -445,7 +603,7 @@ static int save_external_coredump(
398+ goto fail_compressed;
399+ }
400+
401+- r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid);
402++ r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid, allow_user);
403+ if (r < 0)
404+ goto fail_compressed;
405+
406+@@ -468,7 +626,7 @@ static int save_external_coredump(
407+ uncompressed:
408+ #endif
409+
410+- r = fix_permissions(fd, tmp, fn, context, uid);
411++ r = fix_permissions(fd, tmp, fn, context, uid, allow_user);
412+ if (r < 0)
413+ goto fail;
414+
415+@@ -719,7 +877,7 @@ static int change_uid_gid(const Context
416+ }
417+
418+ static int submit_coredump(
419+- Context *context,
420++ const Context *context,
421+ struct iovec_wrapper *iovw,
422+ int input_fd) {
423+
424+@@ -841,16 +999,15 @@ static int save_context(Context *context
425+ struct iovec *iovec = iovw->iovec + n;
426+
427+ for (i = 0; i < ELEMENTSOF(meta_field_names); i++) {
428+- char *p;
429+-
430+ /* Note that these strings are NUL terminated, because we made sure that a
431+ * trailing NUL byte is in the buffer, though not included in the iov_len
432+ * count (see process_socket() and gather_pid_metadata_*()) */
433+ assert(((char*) iovec->iov_base)[iovec->iov_len] == 0);
434+
435+- p = startswith(iovec->iov_base, meta_field_names[i]);
436++ const char *p = startswith(iovec->iov_base, meta_field_names[i]);
437+ if (p) {
438+ context->meta[i] = p;
439++ context->meta_size[i] = iovec->iov_len - strlen(meta_field_names[i]);
440+ count++;
441+ break;
442+ }
443+@@ -1098,6 +1255,7 @@ static int gather_pid_metadata(struct io
444+ uid_t owner_uid;
445+ pid_t pid;
446+ char *t;
447++ size_t size;
448+ const char *p;
449+ int r;
450+
451+@@ -1163,13 +1321,26 @@ static int gather_pid_metadata(struct io
452+ (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_LIMITS=", t);
453+
454+ p = procfs_file_alloca(pid, "cgroup");
455+- if (read_full_file(p, &t, NULL) >=0)
456++ if (read_full_file(p, &t, NULL) >= 0)
457+ (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_CGROUP=", t);
458+
459+ p = procfs_file_alloca(pid, "mountinfo");
460+- if (read_full_file(p, &t, NULL) >=0)
461++ if (read_full_file(p, &t, NULL) >= 0)
462+ (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_MOUNTINFO=", t);
463+
464++ /* We attach /proc/auxv here. ELF coredumps also contain a note for this (NT_AUXV), see elf(5). */
465++ p = procfs_file_alloca(pid, "auxv");
466++ if (read_full_virtual_file(p, &t, &size) >= 0) {
467++ char *buf = malloc(strlen("COREDUMP_PROC_AUXV=") + size + 1);
468++ if (buf) {
469++ /* Add a dummy terminator to make save_context() happy. */
470++ *((uint8_t*) mempcpy(stpcpy(buf, "COREDUMP_PROC_AUXV="), t, size)) = '\0';
471++ (void) iovw_consume(iovw, buf, size + strlen("COREDUMP_PROC_AUXV="));
472++ }
473++
474++ free(t);
475++ }
476++
477+ if (get_process_cwd(pid, &t) >= 0)
478+ (void) iovw_put_string_field_free(iovw, "COREDUMP_CWD=", t);
479+
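Review bot: The auxv payload is copied to `buf + strlen("COREDUMP_PROC_AUXV=")`, which is 19 bytes into a `malloc()` buffer, and `save_context()` stores the pointer just past the field name in `context->meta[i]`; `grant_user_access()` then casts that pointer to `const uint64_t*` or `const uint32_t*` and indexes it directly. A pointer at offset 19 is not aligned for either type, so the reads in `parse_auxv64()` and `parse_auxv32()` are unaligned accesses. Copying each word out with `memcpy()`, or parsing from an aligned copy of the data, would avoid depending on the platform tolerating them. Also, the comment on line 464 says `/proc/auxv`, while the code reads the per-process file through `procfs_file_alloca(pid, "auxv")`.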
480diff --git a/debian/patches/series b/debian/patches/series
481index bae1736..49f6f2e 100644
482--- a/debian/patches/series
483+++ b/debian/patches/series
484@@ -185,6 +185,8 @@ lp1945225/0001-udev-net_id-parse-_SUN-ACPI-index-as-a-signed-intege.patch
485 lp1945225/0002-udev-net_id-don-t-generate-slot-based-names-if-multi.patch
486 lp1945225/0003-net_id-fix-newly-added-naming-scheme-name.patch
487 lp1945225/0004-Add-remaining-supported-schemes-as-options-for-defau.patch
488+CVE-2022-3821.patch
489+CVE-2022-4415.patch
490 lp2002445-udev-net-allow-new-link-name-as-an-altname-before-renamin.patch
491 lp2002445-netlink-introduce-rtnl_get-delete_link_alternative_names.patch
492 lp2002445-netlink-do-not-fail-when-new-interface-name-is-already-us.patch
493diff --git a/debian/tests/boot-and-services b/debian/tests/boot-and-services
494index 6090569..6c832be 100755
495--- a/debian/tests/boot-and-services
496+++ b/debian/tests/boot-and-services
497@@ -59,10 +59,7 @@ class ServicesTest(unittest.TestCase):
498 # https://bugs.debian.org/926138
499 if is_container:
500 failed = [f for f in failed if 'e2scrub_reap.service' not in f]
501- # LP: #1991285
502- arch = subprocess.check_output(['dpkg', '--print-architecture'])
503- arch = arch.decode('utf-8').strip()
504- if arch == 'armhf':
505+ # LP: #1991285
506 failed = [f for f in failed if 'systemd-remount-fs.service' not in f]
507 if failed:
508 for f in failed:
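Review bot: With the `armhf` condition removed, the `systemd-remount-fs.service` filter on line 506 now applies on every architecture whenever the `is_container` branch from line 499 is taken, and the only explanation left in the code is the bare `# LP: #1991285`. Since this also hides any genuine failure of that unit in container test runs, a one-line comment stating why the unit is expected to fail there, next to the bug reference, would help whoever later decides whether the workaround can be dropped.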
