meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

From 612ebf6c913dd0e4197c44909cb3157f5c51a2f0 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 31 Aug 2020 19:37:13 +0200
Subject: [PATCH] pager: set $LESSSECURE whenver we invoke a pager

Some extra safety when invoked via "sudo". With this we address a
genuine design flaw of sudo, and we shouldn't need to deal with this.
But it's still a good idea to disable this surface given how exotic it
is.

Prompted by #5666

CVE: CVE-2023-26604
Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/612ebf6c913dd0e4197c44909cb3157f5c51a2f0]
Comments: Hunk not refreshed
Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
---
 man/less-variables.xml |  9 +++++++++
 man/systemctl.xml      |  1 +
 man/systemd.xml        |  1 +
 src/shared/pager.c     | 23 +++++++++++++++++++++--
 4 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/man/less-variables.xml b/man/less-variables.xml
index 08e513c99f8e..c52511ca8e18 100644
--- a/man/less-variables.xml
+++ b/man/less-variables.xml
@@ -64,6 +64,15 @@
       the invoking terminal is determined to be UTF-8 compatible).</para></listitem>
     </varlistentry>
 
+    <varlistentry id='lesssecure'>
+      <term><varname>$SYSTEMD_LESSSECURE</varname></term>
+
+      <listitem><para>Takes a boolean argument. Overrides the <varname>$LESSSECURE</varname> environment
+      variable when invoking the pager, which controls the "secure" mode of less (which disables commands
+      such as <literal>|</literal> which allow to easily shell out to external command lines). By default
+      less secure mode is enabled, with this setting it may be disabled.</para></listitem>
+    </varlistentry>
+
     <varlistentry id='colors'>
       <term><varname>$SYSTEMD_COLORS</varname></term>
 
diff --git a/man/systemctl.xml b/man/systemctl.xml
index 1c5502883700..a3f0c3041a57 100644
--- a/man/systemctl.xml
+++ b/man/systemctl.xml
@@ -2240,6 +2240,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
     <xi:include href="less-variables.xml" xpointer="pager"/>
     <xi:include href="less-variables.xml" xpointer="less"/>
     <xi:include href="less-variables.xml" xpointer="lesscharset"/>
+    <xi:include href="less-variables.xml" xpointer="lesssecure"/>
     <xi:include href="less-variables.xml" xpointer="colors"/>
     <xi:include href="less-variables.xml" xpointer="urlify"/>
   </refsect1>
diff --git a/man/systemd.xml b/man/systemd.xml
index a9040545c2ab..c92cfef77689 100644
--- a/man/systemd.xml
+++ b/man/systemd.xml
@@ -692,6 +692,7 @@
       <xi:include href="less-variables.xml" xpointer="pager"/>
       <xi:include href="less-variables.xml" xpointer="less"/>
       <xi:include href="less-variables.xml" xpointer="lesscharset"/>
+      <xi:include href="less-variables.xml" xpointer="lesssecure"/>
       <xi:include href="less-variables.xml" xpointer="colors"/>
       <xi:include href="less-variables.xml" xpointer="urlify"/>
 
diff --git a/src/shared/pager.c b/src/shared/pager.c
index e03be6d23b2d..9c21881241f5 100644
--- a/src/shared/pager.c
+++ b/src/shared/pager.c
@@ -9,6 +9,7 @@
 #include <unistd.h>
 
 #include "copy.h"
+#include "env-util.h"
 #include "fd-util.h"
 #include "fileio.h"
 #include "io-util.h"
@@ -152,8 +153,7 @@ int pager_open(PagerFlags flags) {
                         _exit(EXIT_FAILURE);
                 }
 
-                /* Initialize a good charset for less. This is
-                 * particularly important if we output UTF-8
+                /* Initialize a good charset for less. This is particularly important if we output UTF-8
                  * characters. */
                 less_charset = getenv("SYSTEMD_LESSCHARSET");
                 if (!less_charset && is_locale_utf8())
@@ -164,6 +164,25 @@ int pager_open(PagerFlags flags) {
                         _exit(EXIT_FAILURE);
                 }
 
+                /* People might invoke us from sudo, don't needlessly allow less to be a way to shell out
+                 * privileged stuff. */
+                r = getenv_bool("SYSTEMD_LESSSECURE");
+                if (r == 0) { /* Remove env var if off */
+                        if (unsetenv("LESSSECURE") < 0) {
+                                log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m");
+                                _exit(EXIT_FAILURE);
+                        }
+                } else {
+                        /* Set env var otherwise */
+                        if (r < 0)
+                                log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m");
+
+                        if (setenv("LESSSECURE", "1", 1) < 0) {
+                                log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m");
+                                _exit(EXIT_FAILURE);
+                        }
+                }
+
                 if (pager_args) {
                         r = loop_write(exe_name_pipe[1], pager_args[0], strlen(pager_args[0]) + 1, false);
                         if (r < 0) {