Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-systemd-maintain...@lists.alioth.debian.org
Dear Release Team,

We would like to upload the latest stable point release of systemd 252 to bookworm-p-u. Stable release branches are maintained upstream with the intention of providing bug fixes only and no compatibility breakages, and with automated non-trivial CI jobs that also cover Debian and Ubuntu. I have already uploaded to p-u.

The only fix in this release is for a minor security advisory that affects systemd-boot on arm64/riscv64 on EFI with secure boot enabled (which Debian doesn't provide for sd-boot at all, so it only affects local self-signed deployments). Details at: https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c

Debdiff attached. No packaging changes.

-- 
Kind regards,
Luca Boccassi
diff -Nru systemd-252.16/debian/changelog systemd-252.17/debian/changelog --- systemd-252.16/debian/changelog 2023-09-09 02:24:49.000000000 +0100 +++ systemd-252.17/debian/changelog 2023-09-20 13:15:14.000000000 +0100 @@ -1,3 +1,11 @@ +systemd (252.17-1~deb12u1) bookworm; urgency=medium + + * New upstream version 252.17. Fixes minor security issue in arm64 + and riscv64 systemd-boot (EFI) with device tree blobs loading: + https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c + + -- Luca Boccassi <bl...@debian.org> Wed, 20 Sep 2023 13:15:14 +0100 + systemd (252.16-1~deb12u1) bookworm; urgency=medium * New upstream version 252.16 diff -Nru systemd-252.16/src/boot/efi/boot.c systemd-252.17/src/boot/efi/boot.c --- systemd-252.16/src/boot/efi/boot.c 2023-09-09 02:21:12.000000000 +0100 +++ systemd-252.17/src/boot/efi/boot.c 2023-09-20 10:14:24.000000000 +0100 @@ -2402,7 +2402,9 @@ if (err != EFI_SUCCESS) return log_error_status_stall(err, L"Error loading %s: %r", entry->loader, err); - if (entry->devicetree) { + /* DTBs are loaded by the kernel before ExitBootServices, and they can be used to map and assign + * arbitrary memory ranges, so skip it when secure boot is enabled as the DTB here is unverified. */ + if (entry->devicetree && !secure_boot_enabled()) { err = devicetree_install(&dtstate, image_root, entry->devicetree); if (err != EFI_SUCCESS) return log_error_status_stall(err, L"Error loading %s: %r", entry->devicetree, err);
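Review bot: In the boot.c hunk, the new `entry->devicetree && !secure_boot_enabled()` condition silently drops the configured devicetree when secure boot is on, with no log line, unlike the error paths right next to it that call `log_error_status_stall(...)`. Since the bug report notes this mainly affects local self-signed secure-boot deployments, a user whose DTB stops being applied after this update has no visible hint why; consider adding an `else if (entry->devicetree)` branch that logs something like "Skipping devicetree %s: secure boot enabled" so the new behaviour is discoverable from the boot log. The code comment also reads as if the kernel loads the DTB "before ExitBootServices"; rewording it to say the unverified DTB is installed into the EFI configuration table and later consumed by the kernel would match what `devicetree_install` actually does.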