From 25e03803c910a4a48d6e2727906aa79f86a832bd Mon Sep 17 00:00:00 2001 From: deepin-ci-robot Date: Thu, 11 Jun 2026 06:54:09 +0000 Subject: [PATCH] fix(journal-importer): cap field size when checking Originally reported on yeswehack.com as YWH-PGM9780-82 Follow-up for 1e448731f51865184ba988b246d02823a9284d6c Changes: - Add debian/patches/fix-journal-importer-cap-field-size.patch - Modify debian/patches/series - Modify debian/changelog Upstream: https://github.com/systemd/systemd/commit/5d31694318088a908ccbced2fe95ea4657017b47 Generated-By: glm-5-turbo Co-Authored-By: deepin-ci-robot --- debian/changelog | 7 +++++ .../fix-journal-importer-cap-field-size.patch | 31 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 39 insertions(+) create mode 100644 debian/patches/fix-journal-importer-cap-field-size.patch diff --git a/debian/changelog b/debian/changelog index 5c960842..b40c6a56 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +systemd (255.2-4deepin31) unstable; urgency=medium + + * Cap field size in journal-importer to prevent potential DoS via + oversized fields (YWH-PGM9780-82) + + -- deepin-ci-robot Thu, 11 Jun 2026 06:54:00 +0800 + systemd (255.2-4deepin30) unstable; urgency=medium * Fix tmpfiles x11 socket age-based cleanup causing unexpected removal diff --git a/debian/patches/fix-journal-importer-cap-field-size.patch b/debian/patches/fix-journal-importer-cap-field-size.patch new file mode 100644 index 00000000..58de07da --- /dev/null +++ b/debian/patches/fix-journal-importer-cap-field-size.patch @@ -0,0 +1,31 @@ +From 5d31694318088a908ccbced2fe95ea4657017b47 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 7 Jun 2026 19:02:38 +0100 +Subject: [PATCH] journal-importer: cap field size when checking + +Originally reported on yeswehack.com as YWH-PGM9780-82 + +Follow-up for 1e448731f51865184ba988b246d02823a9284d6c + +diff --git a/src/shared/journal-importer.c b/src/shared/journal-importer.c +index 87286a33b2..471ad879a4 100644 +--- a/src/shared/journal-importer.c ++++ b/src/shared/journal-importer.c +@@ -325,7 +325,7 @@ int journal_importer_process_data(JournalImporter *imp) { + if (!journal_field_valid(line, sep - line, true)) { + char buf[64], *t; + +- t = strndupa_safe(line, sep - line); ++ t = strndupa_safe(line, MIN((size_t) (sep - line), sizeof buf)); + log_debug("Ignoring invalid field: \"%s\"", + cellescape(buf, sizeof buf, t)); + +@@ -344,7 +344,7 @@ int journal_importer_process_data(JournalImporter *imp) { + if (!journal_field_valid(line, n - 1, true)) { + char buf[64], *t; + +- t = strndupa_safe(line, n - 1); ++ t = strndupa_safe(line, MIN(n - 1, sizeof buf)); + log_debug("Ignoring invalid field: \"%s\"", + cellescape(buf, sizeof buf, t)); + diff --git a/debian/patches/series b/debian/patches/series index 4b002b6d..fef2e2a0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -42,3 +42,4 @@ hwdb-reject-oob-fnmatch.patch exec-invoke-chdir-after-chroot.patch uniontech-skip-clock-restore-for-timesyncd.patch fix-tmpfiles-x11-cleanup.patch +fix-journal-importer-cap-field-size.patch