On Thu, 2019-01-24 at 15:55 +0000, Burton, Ross wrote: > On Thu, 24 Jan 2019 at 12:44, Marcus Cooper <marcus.coo...@axis.com> > wrote: > > +++ b/meta/recipes-core/systemd/systemd/0024-journald-do-not-store- > > the-iovec-entry-for-process-co.patch > > @@ -0,0 +1,204 @@ > > +From fe19f5a9d0d8b9977e9507a9b66c3cc66744cd38 Mon Sep 17 00:00:00 > > 2001 > > +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= < > > zbys...@in.waw.pl> > > +Date: Wed, 5 Dec 2018 18:38:39 +0100 > > +Subject: [PATCH] journald: do not store the iovec entry for > > process > > + commandline on stack > > + > > +This fixes a crash where we would read the commandline, whose > > length is under > > +control of the sending program, and then crash when trying to > > create a stack > > +allocation for it. > > + > > +CVE-2018-16864 > > +https://bugzilla.redhat.com/show_bug.cgi?id=1653855 > > + > > +The message actually doesn't get written to disk, because > > +journal_file_append_entry() returns -E2BIG. > > + > > +Patch backported from systemd master at > > +084eeb865ca63887098e0945fb4e93c852b91b0f. > > These patches need a CVE tag (CVE: CVE-2018-16864), and > Upstream-Status tag (Backport), and your Signed-off-by.
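Review bot: The header of the added 0024-journald-do-not-store-the-iovec-entry-for-process-co.patch, as far as it is quoted here, carries the CVE only as a bare "CVE-2018-16864" line and the upstream origin only in the sentence "Patch backported from systemd master at 084eeb865ca63887098e0945fb4e93c852b91b0f", so neither is in the tagged form the comment above asks for, and no Signed-off-by from the submitter is visible. Add "CVE: CVE-2018-16864" and "Upstream-Status: Backport" as their own lines in the patch header, followed by the submitter's Signed-off-by; the master commit id already in the message can stay as the backport reference. The quote stops well short of the 204 lines the hunk header announces, so the code change itself cannot be checked from what is shown.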
This managed to sneak past me, can you send a follow up patch to fix this please?

Cheers,

Richard