new file mode 100644

@@ -0,0 +1,114 @@

+From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001

+From: Aurelien Jarno <aurelien@aurel32.net>

+Date: Sat, 30 Dec 2017 10:54:23 +0100

+Subject: [PATCH] elf: Check for empty tokens before dynamic string token

+ expansion [BZ #22625]

+

+The fillin_rpath function in elf/dl-load.c loops over each RPATH or

+RUNPATH tokens and interprets empty tokens as the current directory

+("./"). In practice the check for empty token is done *after* the

+dynamic string token expansion. The expansion process can return an

+empty string for the $ORIGIN token if __libc_enable_secure is set

+or if the path of the binary can not be determined (/proc not mounted).

+

+Fix that by moving the check for empty tokens before the dynamic string

+token expansion. In addition, check for NULL pointer or empty strings

+return by expand_dynamic_string_token.

+

+The above changes highlighted a bug in decompose_rpath, an empty array

+is represented by the first element being NULL at the fillin_rpath

+level, but by using a -1 pointer in decompose_rpath and other functions.

+

+Changelog:

+	[BZ #22625]

+	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic

+	string token expansion. Check for NULL pointer or empty string possibly

+	returned by expand_dynamic_string_token.

+	(decompose_rpath): Check for empty path after dynamic string

+	token expansion.

+(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)

+---

+ ChangeLog     | 10 ++++++++++

+ NEWS          |  4 ++++

+ elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++----------------

+ 3 files changed, 47 insertions(+), 16 deletions(-)

+

+diff --git a/elf/dl-load.c b/elf/dl-load.c

+index 50996e2..7397c18 100644

+--- a/elf/dl-load.c

+@@ -434,31 +434,40 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,

+ {

+   char *cp;

+   size_t nelems = 0;

+-  char *to_free;

+ 

+   while ((cp = __strsep (&rpath, sep)) != NULL)

+     {

+       struct r_search_path_elem *dirp;

++      char *to_free = NULL;

++      size_t len = 0;

+ 

+-      to_free = cp = expand_dynamic_string_token (l, cp, 1);

++      /* `strsep' can pass an empty string.  */

++      if (*cp != '\0')

++	{

++	  to_free = cp = expand_dynamic_string_token (l, cp, 1);

+ 

+-      size_t len = strlen (cp);

++	  /* expand_dynamic_string_token can return NULL in case of empty

++	     path or memory allocation failure.  */

++	  if (cp == NULL)

++	    continue;

+ 

+-      /* `strsep' can pass an empty string.  This has to be

+-	 interpreted as `use the current directory'. */

+-      if (len == 0)

+-	{

+-	  static const char curwd[] = "./";

+-	  cp = (char *) curwd;

+-	}

++	  /* Compute the length after dynamic string token expansion and

++	     ignore empty paths.  */

++	  len = strlen (cp);

++	  if (len == 0)

++	    {

++	      free (to_free);

++	      continue;

++	    }

+ 

+-      /* Remove trailing slashes (except for "/").  */

+-      while (len > 1 && cp[len - 1] == '/')

+-	--len;

++	  /* Remove trailing slashes (except for "/").  */

++	  while (len > 1 && cp[len - 1] == '/')

++	    --len;

+ 

+-      /* Now add one if there is none so far.  */

+-      if (len > 0 && cp[len - 1] != '/')

+-	cp[len++] = '/';

++	  /* Now add one if there is none so far.  */

++	  if (len > 0 && cp[len - 1] != '/')

++	    cp[len++] = '/';

++	}

+ 

+       /* Make sure we don't use untrusted directories if we run SUID.  */

+       if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))

+@@ -622,6 +631,14 @@ decompose_rpath (struct r_search_path_struct *sps,

+      necessary.  */

+   free (copy);

+ 

++  /* There is no path after expansion.  */

++  if (result[0] == NULL)

++    {

++      free (result);

++      sps->dirs = (struct r_search_path_elem **) -1;

++      return false;

++    }

++

+   sps->dirs = result;

+   /* The caller will change this value if we haven't used a real malloc.  */

+   sps->malloced = 1;

+-- 

+2.9.3

+

@@ -4,7 +4,7 @@

 Summary:        Main C library

 Name:           glibc

 Version:        2.26

-Release:        8%{?dist}

+Release:        9%{?dist}

 License:        LGPLv2+

 URL:            http://www.gnu.org/software/libc

 Group:          Applications/System

@@ -21,6 +21,7 @@ Patch3:         0002-malloc-arena-fix.patch

 Patch4:         glibc-fix-CVE-2017-15670.patch

 Patch5:         glibc-fix-CVE-2017-15804.patch

 Patch6:         glibc-fix-CVE-2017-17426.patch

+Patch7:         glibc-fix-CVE-2017-16997.patch

 Provides:       rtld(GNU_HASH)

 Requires:       filesystem

 %description

@@ -81,6 +82,7 @@ sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile

 %patch4 -p1

 %patch5 -p1

 %patch6 -p1

+%patch7 -p1

 install -vdm 755 %{_builddir}/%{name}-build

 # do not try to explicitly provide GLIBC_PRIVATE versioned libraries

 %define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh

@@ -285,6 +287,8 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:

 %changelog

+*   Mon Jan 08 2018 Xiaolin Li <xiaolinl@vmware.com> 2.26-9

+-   Fix CVE-2017-16997

 *   Thu Dec 21 2017 Xiaolin Li <xiaolinl@vmware.com> 2.26-8

 -   Fix CVE-2017-17426

 *   Tue Nov 14 2017 Alexey Makhalov <amakhalov@vmware.com> 2.26-7

new file mode 100644

@@ -0,0 +1,65 @@

+%{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}

+

+Name:           meson

+Summary:        Extremely fast and user friendly build system

+Version:        0.44.0

+Release:        1%{?dist}

+License:        ASL 2.0

+URL:            https://mesonbuild.com/

+Vendor:         VMware, Inc.

+Distribution:   Photon

+Source0:        https://github.com/mesonbuild/meson/archive/%{version}/%{name}-%{version}.tar.gz

+%define sha1    meson=4a5aa56f81fc1350a5c501ef6046eef8a13467c7

+BuildArch:      noarch

+BuildRequires:  gcc

+BuildRequires:  python3-devel

+BuildRequires:  python3-libs

+BuildRequires:  python3-setuptools

+BuildRequires:  ninja-build

+BuildRequires:  gtest-devel

+BuildRequires:  gmock-devel

+BuildRequires:  gettext

+

+Requires:       ninja-build

+Requires:       python3

+

+%description

+Meson is an open source build system meant to be both extremely fast, 

+and, even more importantly, as user friendly as possible.

+The main design point of Meson is that every moment a developer spends 

+writing or debugging build definitions is a second wasted. 

+So is every second spent waiting for the build system to actually start compiling code.

+

+%prep

+%setup 

+

+%build

+

+%install

+python3 setup.py install --root=%{buildroot}/

+install -Dpm0644 data/macros.%{name} %{buildroot}%{_libdir}/rpm/macros.d/macros.%{name}

+

+%check

+export MESON_PRINT_TEST_OUTPUT=1

+python3 ./run_tests.py

+

+%files

+%license COPYING

+%{_bindir}/%{name}

+%{_bindir}/%{name}conf

+%{_bindir}/%{name}introspect

+%{_bindir}/%{name}test

+%{_bindir}/wraptool

+%{python3_sitelib}/mesonbuild

+%{python3_sitelib}/%{name}-*.egg-info

+%{_mandir}/man1/%{name}.1*

+%{_mandir}/man1/%{name}conf.1*

+%{_mandir}/man1/%{name}introspect.1*

+%{_mandir}/man1/%{name}test.1*

+%{_mandir}/man1/wraptool.1*

+%{_libdir}/rpm/macros.d/macros.%{name}

+

+%changelog

+*   Wed Dec 27 2017 Anish Swaminathan <anishs@vmware.com> 0.44.0-1

+-   Initial packaging

+

new file mode 100644

@@ -0,0 +1,8 @@

+%__ninja %{_bindir}/ninja

+%__ninja_common_opts -v %{?_smp_mflags}

+%ninja_build \

+    %{__ninja} %{__ninja_common_opts}

+%ninja_install \

+    DESTDIR=%{buildroot} %{__ninja} install %{__ninja_common_opts}

+%ninja_test \

+    %{__ninja} test %{__ninja_common_opts}

new file mode 100644

@@ -0,0 +1,48 @@

+Name:           ninja-build

+Summary:        Small build system with focus on speed

+Version:        1.8.2

+Release:        1%{?dist}

+License:        ASL 2.0

+URL:            https://ninja-build.org

+Vendor:         VMware, Inc.

+Distribution:   Photon

+Source0:        https://github.com/ninja-build/ninja/archive/%{name}-%{version}.tar.gz

+%define sha1    ninja-build=17219deb34dd816363e37470f77ff7231509143a

+Source1:        macros.ninja

+BuildRequires:  gcc

+BuildRequires:  python3-devel

+BuildRequires:  gtest-devel

+

+%description

+Ninja is a small build system with a focus on speed. 

+It differs from other build systems in two major respects: 

+it is designed to have its input files generated by a higher-level build system, 

+and it is designed to run builds as fast as possible.

+

+%prep

+%setup -n ninja-%{version}

+

+%build

+python3 configure.py --bootstrap --verbose

+./ninja -v all

+

+%install

+install -Dpm0755 ninja -t %{buildroot}%{_bindir}/

+install -Dpm0644 misc/bash-completion %{buildroot}%{_datadir}/bash-completion/completions/ninja

+ln -s ninja %{buildroot}%{_bindir}/ninja-build

+install -Dpm0644 %{SOURCE1} %{buildroot}%{_libdir}/rpm/macros.d/macros.ninja

+

+%check

+./ninja_test --gtest_filter=-SubprocessTest.SetWithLots

+

+%files

+%license COPYING

+%doc HACKING.md README

+%{_bindir}/ninja

+%{_bindir}/ninja-build

+%{_datadir}/bash-completion/completions/ninja

+%{_libdir}/rpm/macros.d/macros.ninja

+

+%changelog

+*   Wed Dec 27 2017 Anish Swaminathan <anishs@vmware.com> 1.8.2-1

+-   Initial packaging

@@ -1,14 +1,14 @@

 Summary:        Ruby

 Name:           ruby

-Version:        2.4.2

+Version:        2.4.3

 Release:        1%{?dist}

 License:        BSDL

 URL:            https://www.ruby-lang.org/en/

 Group:          System Environment/Security

 Vendor:         VMware, Inc.

 Distribution:   Photon

-Source0:        http://cache.ruby-lang.org/pub/ruby/%{name}-%{version}.tar.xz

-%define sha1    ruby=8373e32c63bba2180799da091b572664aa9faf6f

+Source0:        http://cache.ruby-lang.org/pub/ruby/2.4/%{name}-%{version}.tar.bz2

+%define sha1    ruby=3ca96536320b915762d57fe1ee540df6810bf631

 Patch0:         ruby-CVE-2017-9224.patch

 Patch1:         ruby-CVE-2017-9226.patch

 Patch2:         ruby-CVE-2017-9227.patch

@@ -63,6 +63,8 @@ rm -rf %{buildroot}/*

 %{_docdir}/%{name}-%{version}

 %{_mandir}/man1/*

 %changelog

+*   Wed Jan 03 2018 Xiaolin Li <xiaolinl@vmware.com> 2.4.3-1

+-   Update to version 2.4.3, fix CVE-2017-17405

 *   Fri Sep 29 2017 Xiaolin Li <xiaolinl@vmware.com> 2.4.2-1

 -   Update to version 2.4.2

 *   Fri Sep 15 2017 Xiaolin Li <xiaolinl@vmware.com> 2.4.1-5

@@ -1,28 +1,18 @@

-diff -Naur a/Makefile.am b/Makefile.am

-+++ b/Makefile.am	2016-08-29 13:42:31.472636829 -0700

-@@ -309,7 +309,7 @@

- 	set -- $(USER_UNIT_ALIASES) && \

- 		dir=$(userunitdir) && $(install-relative-aliases)

- 	set -- $(GENERAL_ALIASES) && \

--		dir= && $(install-relative-aliases)

-+		dir= && $(install-general-aliases)

+diff -rup systemd-236/units/meson-add-wants.sh systemd-236-new/units/meson-add-wants.sh

+--- systemd-236/units/meson-add-wants.sh	2017-12-14 14:09:57.000000000 -0800

+@@ -13,8 +13,6 @@ case "$target" in

+                 ;;

+ esac

- define install-aliases

- 	while [ -n "$$1" ]; do \

-@@ -328,6 +328,15 @@

- 		shift 2 || exit $$?; \

- 	done

- endef

-+

-+define install-general-aliases

-+	while [ -n "$$1" ]; do \

-+		$(MKDIR_P) `dirname $(DESTDIR)$$dir/$$2` && \

-+		rm -f $(DESTDIR)$$dir/$$2 && \

-+		$(LN_S) /usr$$1 $(DESTDIR)$$dir/$$2 && \

-+		shift 2 || exit $$?; \

-+	done

-+endef

+-unitpath="${DESTDIR:-}${unitdir}/${unit}"

+-

+ case "$target" in

+         */)

+                 mkdir -p -m 0755 "$dir"

+@@ -24,4 +22,4 @@ case "$target" in

+                 ;;

+ esac

- install-touch-usr-hook:

- 	touch -c $(DESTDIR)/$(prefix)

+-ln -vfs --relative "$unitpath" "$dir"

++ln -vfs "${unitdir}/${unit}" "$dir"

deleted file mode 100644

@@ -1,36 +0,0 @@

-From 9f939335a07085aa9a9663efd1dca06ef6405d62 Mon Sep 17 00:00:00 2001

-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>

-Date: Wed, 25 Oct 2017 11:19:19 +0200

-Subject: [PATCH] resolved: fix loop on packets with pseudo dns types

-

-Reported by Karim Hossen & Thomas Imbert from Sogeti ESEC R&D.

-

-https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1725351

- src/resolve/resolved-dns-packet.c | 6 +-----

- 1 file changed, 1 insertion(+), 5 deletions(-)

-

-diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c

-index e2f227bfc6..35f4d0689b 100644

-+++ b/src/resolve/resolved-dns-packet.c

-@@ -1514,7 +1514,7 @@ static int dns_packet_read_type_window(DnsPacket *p, Bitmap **types, size_t *sta

- 

-                 found = true;

- 

--                while (bitmask) {

-+                for (; bitmask; bit++, bitmask >>= 1)

-                         if (bitmap[i] & bitmask) {

-                                 uint16_t n;

- 

-@@ -1528,10 +1528,6 @@ static int dns_packet_read_type_window(DnsPacket *p, Bitmap **types, size_t *sta

-                                 if (r < 0)

-                                         return r;

-                         }

--

--                        bit++;

--                        bitmask >>= 1;

--                }

-         }

- 

-         if (!found)

deleted file mode 100644

@@ -1,305 +0,0 @@

-diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c

-index 6a6dadda2b..49a5c53f96 100644

-+++ b/src/core/load-fragment.c

-@@ -636,26 +636,36 @@ int config_parse_exec(

- 

-                 r = unit_full_printf(u, f, &path);

-                 if (r < 0) {

--                        log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s, ignoring: %m", f);

--                        return 0;

-+                        log_syntax(unit, LOG_ERR, filename, line, r,

-+                                   "Failed to resolve unit specifiers on %s%s: %m",

-+                                   f, ignore ? ", ignoring" : "");

-+                        return ignore ? 0 : -ENOEXEC;

-                 }

- 

-                 if (isempty(path)) {

-                         /* First word is either "-" or "@" with no command. */

--                        log_syntax(unit, LOG_ERR, filename, line, 0, "Empty path in command line, ignoring: \"%s\"", rvalue);

--                        return 0;

-+                        log_syntax(unit, LOG_ERR, filename, line, 0,

-+                                   "Empty path in command line%s: \"%s\"",

-+                                   ignore ? ", ignoring" : "", rvalue);

-+                        return ignore ? 0 : -ENOEXEC;

-                 }

-                 if (!string_is_safe(path)) {

--                        log_syntax(unit, LOG_ERR, filename, line, 0, "Executable path contains special characters, ignoring: %s", rvalue);

--                        return 0;

-+                        log_syntax(unit, LOG_ERR, filename, line, 0,

-+                                   "Executable path contains special characters%s: %s",

-+                                   ignore ? ", ignoring" : "", rvalue);

-+                        return ignore ? 0 : -ENOEXEC;

-                 }

-                 if (!path_is_absolute(path)) {

--                        log_syntax(unit, LOG_ERR, filename, line, 0, "Executable path is not absolute, ignoring: %s", rvalue);

--                        return 0;

-+                        log_syntax(unit, LOG_ERR, filename, line, 0,

-+                                   "Executable path is not absolute%s: %s",

-+                                   ignore ? ", ignoring" : "", rvalue);

-+                        return ignore ? 0 : -ENOEXEC;

-                 }

-                 if (endswith(path, "/")) {

--                        log_syntax(unit, LOG_ERR, filename, line, 0, "Executable path specifies a directory, ignoring: %s", rvalue);

--                        return 0;

-+                        log_syntax(unit, LOG_ERR, filename, line, 0,

-+                                   "Executable path specifies a directory%s: %s",

-+                                   ignore ? ", ignoring" : "", rvalue);

-+                        return ignore ? 0 : -ENOEXEC;

-                 }

- 

-                 if (!separate_argv0) {

-@@ -708,12 +718,14 @@ int config_parse_exec(

-                         if (r == 0)

-                                 break;

-                         if (r < 0)

--                                return 0;

-+                                return ignore ? 0 : -ENOEXEC;

- 

-                         r = unit_full_printf(u, word, &resolved);

-                         if (r < 0) {

--                                log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to resolve unit specifiers on %s, ignoring: %m", word);

--                                return 0;

-+                                log_syntax(unit, LOG_ERR, filename, line, r,

-+                                           "Failed to resolve unit specifiers on %s%s: %m",

-+                                           word, ignore ? ", ignoring" : "");

-+                                return ignore ? 0 : -ENOEXEC;

-                         }

- 

-                         if (!GREEDY_REALLOC(n, nbufsize, nlen + 2))

-@@ -724,8 +736,10 @@ int config_parse_exec(

-                 }

- 

-                 if (!n || !n[0]) {

--                        log_syntax(unit, LOG_ERR, filename, line, 0, "Empty executable name or zeroeth argument, ignoring: %s", rvalue);

--                        return 0;

-+                        log_syntax(unit, LOG_ERR, filename, line, 0,

-+                                   "Empty executable name or zeroeth argument%s: %s",

-+                                   ignore ? ", ignoring" : "", rvalue);

-+                        return ignore ? 0 : -ENOEXEC;

-                 }

- 

-                 nce = new0(ExecCommand, 1);

-@@ -1332,8 +1346,10 @@ int config_parse_exec_selinux_context(

- 

-         r = unit_full_printf(u, rvalue, &k);

-         if (r < 0) {

--                log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers, ignoring: %m");

--                return 0;

-+                log_syntax(unit, LOG_ERR, filename, line, r,

-+                           "Failed to resolve specifiers%s: %m",

-+                           ignore ? ", ignoring" : "");

-+                return ignore ? 0 : -ENOEXEC;

-         }

- 

-         free(c->selinux_context);

-@@ -1380,8 +1396,10 @@ int config_parse_exec_apparmor_profile(

- 

-         r = unit_full_printf(u, rvalue, &k);

-         if (r < 0) {

--                log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers, ignoring: %m");

--                return 0;

-+                log_syntax(unit, LOG_ERR, filename, line, r,

-+                           "Failed to resolve specifiers%s: %m",

-+                           ignore ? ", ignoring" : "");

-+                return ignore ? 0 : -ENOEXEC;

-         }

- 

-         free(c->apparmor_profile);

-@@ -1428,8 +1446,10 @@ int config_parse_exec_smack_process_label(

- 

-         r = unit_full_printf(u, rvalue, &k);

-         if (r < 0) {

--                log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers, ignoring: %m");

--                return 0;

-+                log_syntax(unit, LOG_ERR, filename, line, r,

-+                           "Failed to resolve specifiers%s: %m",

-+                           ignore ? ", ignoring" : "");

-+                return ignore ? 0 : -ENOEXEC;

-         }

- 

-         free(c->smack_process_label);

-@@ -1647,19 +1667,19 @@ int config_parse_socket_service(

- 

-         r = unit_name_printf(UNIT(s), rvalue, &p);

-         if (r < 0) {

--                log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers, ignoring: %s", rvalue);

--                return 0;

-+                log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers: %s", rvalue);

-+                return -ENOEXEC;

-         }

- 

-         if (!endswith(p, ".service")) {

--                log_syntax(unit, LOG_ERR, filename, line, 0, "Unit must be of type service, ignoring: %s", rvalue);

--                return 0;

-+                log_syntax(unit, LOG_ERR, filename, line, 0, "Unit must be of type service: %s", rvalue);

-+                return -ENOEXEC;

-         }

- 

-         r = manager_load_unit(UNIT(s)->manager, p, NULL, &error, &x);

-         if (r < 0) {

--                log_syntax(unit, LOG_ERR, filename, line, r, "Failed to load unit %s, ignoring: %s", rvalue, bus_error_message(&error, r));

--                return 0;

-+                log_syntax(unit, LOG_ERR, filename, line, r, "Failed to load unit %s: %s", rvalue, bus_error_message(&error, r));

-+                return -ENOEXEC;

-         }

- 

-         unit_ref_set(&s->service, x);

-@@ -1907,13 +1927,13 @@ int config_parse_user_group(

- 

-                 r = unit_full_printf(u, rvalue, &k);

-                 if (r < 0) {

--                        log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers in %s, ignoring: %m", rvalue);

--                        return 0;

-+                        log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers in %s: %m", rvalue);

-+                        return -ENOEXEC;

-                 }

- 

-                 if (!valid_user_group_name_or_id(k)) {

--                        log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid user/group name or numeric ID, ignoring: %s", k);

--                        return 0;

-+                        log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid user/group name or numeric ID: %s", k);

-+                        return -ENOEXEC;

-                 }

- 

-                 n = k;

-@@ -1971,19 +1991,19 @@ int config_parse_user_group_strv(

-                 if (r == -ENOMEM)

-                         return log_oom();

-                 if (r < 0) {

--                        log_syntax(unit, LOG_ERR, filename, line, r, "Invalid syntax, ignoring: %s", rvalue);

--                        break;

-+                        log_syntax(unit, LOG_ERR, filename, line, r, "Invalid syntax: %s", rvalue);

-+                        return -ENOEXEC;

-                 }

- 

-                 r = unit_full_printf(u, word, &k);

-                 if (r < 0) {

--                        log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers in %s, ignoring: %m", word);

--                        continue;

-+                        log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers in %s: %m", word);

-+                        return -ENOEXEC;

-                 }

- 

-                 if (!valid_user_group_name_or_id(k)) {

--                        log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid user/group name or numeric ID, ignoring: %s", k);

--                        continue;

-+                        log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid user/group name or numeric ID: %s", k);

-+                        return -ENOEXEC;

-                 }

- 

-                 r = strv_push(users, k);

-@@ -2142,25 +2162,28 @@ int config_parse_working_directory(

- 

-                 r = unit_full_printf(u, rvalue, &k);

-                 if (r < 0) {

--                        log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers in working directory path '%s', ignoring: %m", rvalue);

--                        return 0;

-+                        log_syntax(unit, LOG_ERR, filename, line, r,

-+                                   "Failed to resolve unit specifiers in working directory path '%s'%s: %m",

-+                                   rvalue, missing_ok ? ", ignoring" : "");

-+                        return missing_ok ? 0 : -ENOEXEC;

-                 }

- 

-                 path_kill_slashes(k);

- 

-                 if (!utf8_is_valid(k)) {

-                         log_syntax_invalid_utf8(unit, LOG_ERR, filename, line, rvalue);

--                        return 0;

-+                        return missing_ok ? 0 : -ENOEXEC;

-                 }

- 

-                 if (!path_is_absolute(k)) {

--                        log_syntax(unit, LOG_ERR, filename, line, 0, "Working directory path '%s' is not absolute, ignoring.", rvalue);

--                        return 0;

-+                        log_syntax(unit, LOG_ERR, filename, line, 0,

-+                                   "Working directory path '%s' is not absolute%s.",

-+                                   rvalue, missing_ok ? ", ignoring" : "");

-+                        return missing_ok ? 0 : -ENOEXEC;

-                 }

- 

--                free_and_replace(c->working_directory, k);

--

-                 c->working_directory_home = false;

-+                free_and_replace(c->working_directory, k);

-         }

- 

-         c->working_directory_missing_ok = missing_ok;

-@@ -4456,8 +4479,11 @@ int unit_load_fragment(Unit *u) {

-                         return r;

- 

-                 r = load_from_path(u, k);

--                if (r < 0)

-+                if (r < 0) {

-+                        if (r == -ENOEXEC)

-+                                log_unit_notice(u, "Unit configuration has fatal error, unit will not be started.");

-                         return r;

-+                }

- 

-                 if (u->load_state == UNIT_STUB) {

-                         SET_FOREACH(t, u->names, i) {

-diff --git a/src/test/test-unit-file.c b/src/test/test-unit-file.c

-index 12f48bf435..fd797b587e 100644

-+++ b/src/test/test-unit-file.c

-@@ -146,7 +146,7 @@ static void test_config_parse_exec(void) {

-         r = config_parse_exec(NULL, "fake", 4, "section", 1,

-                               "LValue", 0, "/RValue/ argv0 r1",

-                               &c, u);

--        assert_se(r == 0);

-+        assert_se(r == -ENOEXEC);

-         assert_se(c1->command_next == NULL);

- 

-         log_info("/* honour_argv0 */");

-@@ -161,7 +161,7 @@ static void test_config_parse_exec(void) {

-         r = config_parse_exec(NULL, "fake", 3, "section", 1,

-                               "LValue", 0, "@/RValue",

-                               &c, u);

--        assert_se(r == 0);

-+        assert_se(r == -ENOEXEC);

-         assert_se(c1->command_next == NULL);

- 

-         log_info("/* no command, whitespace only, reset */");

-@@ -220,7 +220,7 @@ static void test_config_parse_exec(void) {

-                               "-@/RValue argv0 r1 ; ; "

-                               "/goo/goo boo",

-                               &c, u);

--        assert_se(r >= 0);

-+        assert_se(r == -ENOEXEC);

-         c1 = c1->command_next;

-         check_execcommand(c1, "/RValue", "argv0", "r1", NULL, true);

- 

-@@ -374,7 +374,7 @@ static void test_config_parse_exec(void) {

-                 r = config_parse_exec(NULL, "fake", 4, "section", 1,

-                                       "LValue", 0, path,

-                                       &c, u);

--                assert_se(r == 0);

-+                assert_se(r == -ENOEXEC);

-                 assert_se(c1->command_next == NULL);

-         }

- 

-@@ -401,21 +401,21 @@ static void test_config_parse_exec(void) {

-         r = config_parse_exec(NULL, "fake", 4, "section", 1,

-                               "LValue", 0, "/path\\",

-                               &c, u);

--        assert_se(r == 0);

-+        assert_se(r == -ENOEXEC);

-         assert_se(c1->command_next == NULL);

- 

-         log_info("/* missing ending ' */");

-         r = config_parse_exec(NULL, "fake", 4, "section", 1,

-                               "LValue", 0, "/path 'foo",

-                               &c, u);

--        assert_se(r == 0);

-+        assert_se(r == -ENOEXEC);

-         assert_se(c1->command_next == NULL);

- 

-         log_info("/* missing ending ' with trailing backslash */");

-         r = config_parse_exec(NULL, "fake", 4, "section", 1,

-                               "LValue", 0, "/path 'foo\\",

-                               &c, u);

--        assert_se(r == 0);

-+        assert_se(r == -ENOEXEC);

-         assert_se(c1->command_next == NULL);

- 

-         log_info("/* invalid space between modifiers */");

deleted file mode 100644

@@ -1,100 +0,0 @@

-diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4

-index c43b7885be..5b5a86250e 100644

-+++ b/src/core/load-fragment-gperf.gperf.m4

-@@ -18,8 +18,8 @@ struct ConfigPerfItem;

- m4_dnl Define the context options only once

- m4_define(`EXEC_CONTEXT_CONFIG_ITEMS',

- `$1.WorkingDirectory,            config_parse_working_directory,     0,                             offsetof($1, exec_context)

--$1.RootDirectory,                config_parse_unit_path_printf,      0,                             offsetof($1, exec_context.root_directory)

--$1.RootImage,                    config_parse_unit_path_printf,      0,                             offsetof($1, exec_context.root_image)

-+$1.RootDirectory,                config_parse_unit_path_printf,      true,                          offsetof($1, exec_context.root_directory)

-+$1.RootImage,                    config_parse_unit_path_printf,      true,                          offsetof($1, exec_context.root_image)

- $1.User,                         config_parse_user_group,            0,                             offsetof($1, exec_context.user)

- $1.Group,                        config_parse_user_group,            0,                             offsetof($1, exec_context.group)

- $1.SupplementaryGroups,          config_parse_user_group_strv,       0,                             offsetof($1, exec_context.supplementary_groups)

-@@ -35,7 +35,7 @@ $1.UMask,                        config_parse_mode,                  0,

- $1.Environment,                  config_parse_environ,               0,                             offsetof($1, exec_context.environment)

- $1.EnvironmentFile,              config_parse_unit_env_file,         0,                             offsetof($1, exec_context.environment_files)

- $1.PassEnvironment,              config_parse_pass_environ,          0,                             offsetof($1, exec_context.pass_environment)

--$1.DynamicUser,                  config_parse_bool,                  0,                             offsetof($1, exec_context.dynamic_user)

-+$1.DynamicUser,                  config_parse_bool,                  true,                          offsetof($1, exec_context.dynamic_user)

- $1.StandardInput,                config_parse_exec_input,            0,                             offsetof($1, exec_context)

- $1.StandardOutput,               config_parse_exec_output,           0,                             offsetof($1, exec_context)

- $1.StandardError,                config_parse_exec_output,           0,                             offsetof($1, exec_context)

-diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c

-index 49a5c53f96..9d5c39b3dd 100644

-+++ b/src/core/load-fragment.c

-@@ -242,6 +242,7 @@ int config_parse_unit_path_printf(

-         _cleanup_free_ char *k = NULL;

-         Unit *u = userdata;

-         int r;

-+        bool fatal = ltype;

- 

-         assert(filename);

-         assert(lvalue);

-@@ -250,8 +251,10 @@ int config_parse_unit_path_printf(

- 

-         r = unit_full_printf(u, rvalue, &k);

-         if (r < 0) {

--                log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s, ignoring: %m", rvalue);

--                return 0;

-+                log_syntax(unit, LOG_ERR, filename, line, r,

-+                           "Failed to resolve unit specifiers on %s%s: %m",

-+                           fatal ? "" : ", ignoring", rvalue);

-+                return fatal ? -ENOEXEC : 0;

-         }

- 

-         return config_parse_path(unit, filename, line, section, section_line, lvalue, ltype, k, data, userdata);

-diff --git a/src/shared/conf-parser.c b/src/shared/conf-parser.c

-index 44df7493e2..e08402e3d2 100644

-+++ b/src/shared/conf-parser.c

-@@ -615,6 +615,7 @@ int config_parse_bool(const char* unit,

- 

-         int k;

-         bool *b = data;

-+        bool fatal = ltype;

- 

-         assert(filename);

-         assert(lvalue);

-@@ -623,8 +624,10 @@ int config_parse_bool(const char* unit,

- 

-         k = parse_boolean(rvalue);

-         if (k < 0) {

--                log_syntax(unit, LOG_ERR, filename, line, k, "Failed to parse boolean value, ignoring: %s", rvalue);

--                return 0;

-+                log_syntax(unit, LOG_ERR, filename, line, k,

-+                           "Failed to parse boolean value%s: %s",

-+                           fatal ? "" : ", ignoring", rvalue);

-+                return fatal ? -ENOEXEC : 0;

-         }

- 

-         *b = !!k;

-@@ -715,6 +718,7 @@ int config_parse_path(

-                 void *userdata) {

- 

-         char **s = data, *n;

-+        bool fatal = ltype;

- 

-         assert(filename);

-         assert(lvalue);

-@@ -723,12 +727,14 @@ int config_parse_path(

- 

-         if (!utf8_is_valid(rvalue)) {

-                 log_syntax_invalid_utf8(unit, LOG_ERR, filename, line, rvalue);

--                return 0;

-+                return fatal ? -ENOEXEC : 0;

-         }

- 

-         if (!path_is_absolute(rvalue)) {

--                log_syntax(unit, LOG_ERR, filename, line, 0, "Not an absolute path, ignoring: %s", rvalue);

--                return 0;

-+                log_syntax(unit, LOG_ERR, filename, line, 0,

-+                           "Not an absolute path%s: %s",

-+                           fatal ? "" : ", ignoring", rvalue);

-+                return fatal ? -ENOEXEC : 0;

-         }

- 

-         n = strdup(rvalue);

deleted file mode 100644

@@ -1,25 +0,0 @@

-From a924f43f30f9c4acaf70618dd2a055f8b0f166be Mon Sep 17 00:00:00 2001

-From: Evgeny Vereshchagin <evvers@ya.ru>

-Date: Wed, 24 May 2017 08:56:48 +0300

-Subject: [PATCH] resolved: bugfix of null pointer p->question dereferencing

- (#6020)

-

-See https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396

- src/resolve/resolved-dns-packet.c | 3 +++

- 1 file changed, 3 insertions(+)

-

-diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c

-index 652970284e..240ee448f4 100644

-+++ b/src/resolve/resolved-dns-packet.c

-@@ -2269,6 +2269,9 @@ int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key) {

-         if (r < 0)

-                 return r;

- 

-+        if (!p->question)

-+                return 0;

-+

-         if (p->question->n_keys != 1)

-                 return 0;

- 

deleted file mode 100644

@@ -1,48 +0,0 @@

-From 8587c3351003b1613ad2e439cebbb20fbae07e70 Mon Sep 17 00:00:00 2001

-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek () in waw pl>

-Date: Sun, 18 Jun 2017 16:07:57 -0400

-Subject: [PATCH 2/2] resolved: simplify alloc size calculation

-

-The allocation size was calculated in a complicated way, and for values

-close to the page size we would actually allocate less than requested.

-

-Reported by Chris Coulson <chris.coulson () canonical com>.

- src/resolve/resolved-dns-packet.c | 8 +-------

- src/resolve/resolved-dns-packet.h | 2 --

- 2 files changed, 1 insertion(+), 9 deletions(-)

-

-diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c

-index 240ee448f4..821b66e266 100644

-+++ b/src/resolve/resolved-dns-packet.c

-@@ -47,13 +47,7 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) {

- 

-         assert(ret);

- 

--        if (mtu <= UDP_PACKET_HEADER_SIZE)

--                a = DNS_PACKET_SIZE_START;

--        else

--                a = mtu - UDP_PACKET_HEADER_SIZE;

--

--        if (a < DNS_PACKET_HEADER_SIZE)

--                a = DNS_PACKET_HEADER_SIZE;

-+        a = MAX(mtu, DNS_PACKET_HEADER_SIZE);

- 

-         /* round up to next page size */

-         a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket));

-diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h

-index 2c92392e4d..3abcaf8cf3 100644

-+++ b/src/resolve/resolved-dns-packet.h

-@@ -66,8 +66,6 @@ struct DnsPacketHeader {

- /* With EDNS0 we can use larger packets, default to 4096, which is what is commonly used */

- #define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096

- 

--#define DNS_PACKET_SIZE_START 512

--

- struct DnsPacket {

-         int n_ref;

-         DnsProtocol protocol;

-2.13.0

deleted file mode 100644

@@ -1,23 +0,0 @@