nixpkgs-suyu/pkgs/os-specific/linux/systemd/0007-Ignore-IPv6-link-local-addresses.patch
Eelco Dolstra e65ff3b72a systemd: Prevent privilege escalation via polkit
Cherry-picked from upstream.  Also applied a fix for the CPUShares
configuration option while I'm at it.

CVE-2013-4327
2013-09-30 13:30:15 +02:00

37 lines
1.3 KiB
Diff

From f0c362873860526579bf9bda216005fd5a0936dd Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Mon, 4 Feb 2013 12:41:14 +0100
Subject: [PATCH 07/11] Ignore IPv6 link-local addresses
Returning IPv6 link-local addresses is a bad idea, because they only
work if an application connects specifically over the corresponding
interface. So you get errors like:
$ curl -6 http://my-machine/
curl: (7) Failed to connect to fe80::d6be:d9ff:fe1b:8477: Invalid argument
To prevent this, this patch filters out link-local addresses. So if
you don't have a routable IPv6 address, nss-myhostname will fall back
to returning ::1.
---
src/nss-myhostname/netlink.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/nss-myhostname/netlink.c b/src/nss-myhostname/netlink.c
index b1ef912..4f2ab5c 100644
--- a/src/nss-myhostname/netlink.c
+++ b/src/nss-myhostname/netlink.c
@@ -113,6 +113,10 @@ static int read_reply(int fd, struct address **list, unsigned *n_list) {
ifaddrmsg->ifa_scope == RT_SCOPE_NOWHERE)
continue;
+ if (ifaddrmsg->ifa_family == AF_INET6 &&
+ ifaddrmsg->ifa_scope == RT_SCOPE_LINK)
+ continue;
+
if (ifaddrmsg->ifa_flags & IFA_F_DEPRECATED)
continue;
--
1.8.3.4