forked from systemd/systemd
Commit
journalctl: verify that old entries are not sealed with too recent key (systemd#28885)

When verifying seals produced with forward secure sealing, the verification currently does not check that old entries are only sealed with the key for their epoch and not a more recent one. This missing check allows an attacker to remove seals, and create new ones with the currently available key, and verify will claim everything is in order, although all entries could have been modified.

This resolves CVE-2023-31439.

Co-authored-by: Felix Dörre <felix.doerre@kit.edu>
(cherry picked from commit 3846d3a)
1 parent 4252dee, commit ea67d47
Showing 1 changed file with 24 additions and 2 deletions.
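
A simplified model of the epoch check the commit message describes, as an added example (not code from this commit or from systemd). The types, function names and sample timestamps are constructed for illustration, and the cryptographic check of each seal is assumed to have already passed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed model: time is cut into fixed-length epochs, each with its own
 * sealing key; a tag seals the run of entries written since the previous tag. */
typedef struct { uint64_t realtime; } entry_t;
typedef struct { uint64_t epoch; size_t first, count; } tag_t;
enum { SEAL_OK = 0, SEAL_ENTRY_TOO_NEW = -1, SEAL_ENTRY_TOO_OLD = -2 };

/* An entry may only be covered by a tag made with the key of its own epoch. */
int check_tag_epoch(const entry_t *e, const tag_t *t,
                    uint64_t start, uint64_t interval) {
    uint64_t begin = start + t->epoch * interval, end = begin + interval;
    for (size_t i = 0; i < t->count; i++) {
        uint64_t rt = e[t->first + i].realtime;
        if (rt >= end)
            return SEAL_ENTRY_TOO_NEW;
        if (rt < begin)   /* old entry under a newer key: the resealing case */
            return SEAL_ENTRY_TOO_OLD;
    }
    return SEAL_OK;
}

/* Index of the first tag that fails the epoch check, or -1 if all pass. */
int first_bad_tag(const entry_t *e, const tag_t *tags, size_t n,
                  uint64_t start, uint64_t interval) {
    for (size_t i = 0; i < n; i++)
        if (check_tag_epoch(e, &tags[i], start, interval) != SEAL_OK)
            return (int)i;
    return -1;
}

/* Constructed sample data: sealing starts at t=1000, epochs last 100 units. */
#define START 1000u
#define INTERVAL 100u
static const entry_t ENTRIES[] = {{1010}, {1050}, {1120}, {1230}, {1290}};
static const tag_t HONEST[]   = {{0, 0, 2}, {1, 2, 1}, {2, 3, 2}};
static const tag_t RESEALED[] = {{2, 0, 5}};  /* everything under epoch 2's key */

int main(void) {
    printf("honest: %d\n", first_bad_tag(ENTRIES, HONEST, 3, START, INTERVAL));
    printf("resealed: %d\n", first_bad_tag(ENTRIES, RESEALED, 1, START, INTERVAL));
    return 0;
}
```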