Merge 215 17+steamosb1+deb8u13

See merge request !5

Signed-off-by: Andrew Lee (李健秋) <andrew.lee@collabora.co.uk>

Signed-off-by: Andrew Lee (李健秋) <andrew.lee@collabora.co.uk>

Mike Gabriel authored Apr 25, 2019 and Andrew Lee committed Apr 30, 2019

systemd (215-17+deb8u13) jessie-security; urgency=medium

  * Regression fixes for CVE-2017-18078 in src/tmpfiles/tmpfiles.c:
    - Add missing pair of curly braces.
    - Return negative error code.

systemd (215-17+deb8u12) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are
    hardlinked, unless protected_hardlinks sysctl is on.
  * CVE-2019-3842: pam-systemd: use secure_getenv() rather than getenv().

Merge 215 17+deb8u11

See merge request !4

Signed-off-by: Andrew Lee (李健秋) <andrew.lee@collabora.co.uk>

systemd (215-17+deb8u11) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2019-3815:
    A memory leak was discovered in the backport of fixes for CVE-2018-16864.
    Function dispatch_message_real() in journald-server.c does not free
    allocated memory to store the `_CMDLINE=` entry. A local attacker may use
    this flaw to make systemd-journald crash. (Closes: #924060)

Merge 215 17+deb8u10

See merge request !3

Signed-off-by: Andrew Lee (李健秋) <andrew.lee@collabora.co.uk>

Signed-off-by: Andrew Lee (李健秋) <andrew.lee@collabora.co.uk>

Emilio Pozuelo Monfort authored Feb 19, 2019 and Andrew Lee committed Feb 26, 2019

systemd (215-17+deb8u10) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * CVE-2019-6454: DBus messages with a crafted (long) path can crash
    PID1.

Merge 215 17+deb8u9

See merge request !2

Signed-off-by: Andrew Lee (李健秋) <andrew.lee@collabora.co.uk>

Signed-off-by: Andrew Lee (李健秋) <andrew.lee@collabora.co.uk>

Antoine Beaupré authored Jan 22, 2019 and Andrew Lee committed Jan 31, 2019

systemd (215-17+deb8u9) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2018-16865: fix memory allocation overflow which could result in
    crash or code execution in journald's socket (Closes: #918848).
  * CVE-2018-16864: fix memory allocation overflow which could result in
    crash or code execution on journald's commandline (Closes: #918841)

Merge 215 17+deb8u8

See merge request !1

Signed-off-by: Andrew Lee (李健秋) <andrew.lee@collabora.co.uk>

Signed-off-by: Andrew Lee (李健秋) <andrew.lee@collabora.co.uk>

systemd (215-17+deb8u8) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2018-1049: fix race condition between .mount and .automount
    unitspossibly leading to Denial of Service
  * CVE-2018-15686: fix improper serialization on upgrade which can
    influence systemd execution environment and lead to root privilege
    escalation (Closes: #912005)
  * CVE-2018-15688: fix buffer overflow vulnerability in the dhcp6 client
    of systemd, which allows a malicious dhcp6 server to overwrite heap
    memory in systemd-networkd, leading to denial of service or potential
    code execution. (Closes: #912008)

Tested-by: smcv
Reviewed-by: zumbi

mtd_probe.h-Include-stdint.h-for-uint32_t.patch: Add missing <stdint.h> for uint32_t to fix FTBFS on amd64

* Merge from Debian jessie, remaining changes:
  + d/p/sound-no-uaccess.patch
    - SteamOS uses a system-wide PulseAudio instance, which should be the
      only thing with access to the sound devices. As such,
      disable uaccess for sound devices.
  + d/p/pulse-owns-audio.patch
    - Change the sound device group from the default audio to pulse so that
      only the system-wide pulse daemon can access those devices.
  + streamcontroller-support.patch
    - Allow access by the steam group to uinput devices, as used for Steam
      Controller support

Sjoerd Simons authored Jun 02, 2015 and Simon McVittie committed Apr 20, 2018

systemd (215-17+steamos1) brewmaster; urgency=medium

  * Merge SteamOS patches
    + sound-no-uaccess.patch
      - SteamOS uses a system wide pulseaudio instance, which should be the
        only daemon with access to the sound devices. As such disable uaccess
        for sound devices
    + pulse-owns-audio.patch
      - Change the sound device group from the default audio to pulse such that
        only the system-wide pulse daemon can access those devices
    + streamcontroller-support.patch
      - Allow access to the stream group for uinput device as used for stream
        controller support

Otherwise we'll hit an assert sooner or later.

Closes: #856035

This can happen when the configuration is changed and reloaded while we
are executing a service. Let's not hit an assert in this case.

Closes: #856985

The update-rc.d utility does not provide is-enabled, so implement it
ourselves in systemctl using the same logic as systemd-sysv-install from
Stretch.

Closes: #809405

This fixes the problem that on big endian architectures, like mips or
powerpc, boolean properties that were retrieved via sd-bus were always
set to 0 (no).

Closes: #774430

Closes: #776997

Run ifup after all kernel modules have been loaded and all sysctl
settings are applied.

Update ifup@.service to add missing After= for the device unit we bind to.
This ensures that the device unit is active when systemd tries to start
the service.

Closes: #819314

This adds a concept of "extrinsic" mounts. If mounts are extrinsic we
consider them managed by something else and do not add automatic
ordering against umount.target, local-fs.target, remote-fs.target.

Extrinsic mounts include API mounts such as everything below /proc,
/sys, /dev.

This avoids a crash in LXC containers where /dev/urandom is a bind mount
from the host system and unmounting it leads to an assert in systemd.

Closes: #818978

Patch cherry-picked from upstream master.

LP: #1565617
Closes: #774153

The debian-specific patch to read Debian config files was not tolerating
the absence of /etc/default/keyboard. This causes systemd-localed to
fail to start on systems where that file isn't populated (like embedded
systems without keyboards).

Closes: #833849

If manager_dispatch_notify_fd() fails and returns an error then the
handling of service notifications will be disabled entirely leading to a
compromised system.

For example pid1 won't be able to receive the WATCHDOG messages anymore
and will kill all services supposed to send such messages.

Fixes: CVE-2016-7796
Closes: #839607