[CVE-2012-1174] systemd: TOCTOU race condition by removing user session

Related Vulnerabilities: CVE-2012-1174  

Debian Bug report logs - #664364

Reported by: Luciano Bello <luciano@debian.org>

Date: Sat, 17 Mar 2012 16:27:01 UTC

Severity: important

Tags: patch, security

Found in version systemd/37-1.1

Fixed in version systemd/44-1

Done: Tollef Fog Heen <tfheen@debian.org>

Bug is archived. No further changes may be made.



Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#664364; Package systemd. (Sat, 17 Mar 2012 16:27:04 GMT).


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>. (Sat, 17 Mar 2012 16:27:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: [CVE-2012-1174] systemd: TOCTOU race condition by removing user session
Date: Sat, 17 Mar 2012 17:22:31 +0100
Package: systemd
Severity: important
Tags: security patch

The following vulnerability had been reported against systemd: 
http://www.openwall.com/lists/oss-security/2012/03/16/21

The patch can be found in the report.

Please use CVE-2012-1174 for this issue.

Cheers,
luciano




Marked as found in versions systemd/37-1.1. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Sat, 17 Mar 2012 17:30:10 GMT).


Reply sent to Tollef Fog Heen <tfheen@debian.org>:
You have taken responsibility. (Tue, 03 Apr 2012 19:09:11 GMT).


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Tue, 03 Apr 2012 19:09:11 GMT).


Message #12 received at 664364-close@bugs.debian.org:

From: Tollef Fog Heen <tfheen@debian.org>
To: 664364-close@bugs.debian.org
Subject: Bug#664364: fixed in systemd 44-1
Date: Tue, 03 Apr 2012 19:06:59 +0000
Source: systemd
Source-Version: 44-1

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive:

libpam-systemd_44-1_amd64.deb
  to main/s/systemd/libpam-systemd_44-1_amd64.deb
libsystemd-daemon-dev_44-1_amd64.deb
  to main/s/systemd/libsystemd-daemon-dev_44-1_amd64.deb
libsystemd-daemon0_44-1_amd64.deb
  to main/s/systemd/libsystemd-daemon0_44-1_amd64.deb
libsystemd-id128-0_44-1_amd64.deb
  to main/s/systemd/libsystemd-id128-0_44-1_amd64.deb
libsystemd-id128-dev_44-1_amd64.deb
  to main/s/systemd/libsystemd-id128-dev_44-1_amd64.deb
libsystemd-journal-dev_44-1_amd64.deb
  to main/s/systemd/libsystemd-journal-dev_44-1_amd64.deb
libsystemd-journal0_44-1_amd64.deb
  to main/s/systemd/libsystemd-journal0_44-1_amd64.deb
libsystemd-login-dev_44-1_amd64.deb
  to main/s/systemd/libsystemd-login-dev_44-1_amd64.deb
libsystemd-login0_44-1_amd64.deb
  to main/s/systemd/libsystemd-login0_44-1_amd64.deb
systemd-gui_44-1_amd64.deb
  to main/s/systemd/systemd-gui_44-1_amd64.deb
systemd-sysv_44-1_amd64.deb
  to main/s/systemd/systemd-sysv_44-1_amd64.deb
systemd_44-1.debian.tar.gz
  to main/s/systemd/systemd_44-1.debian.tar.gz
systemd_44-1.dsc
  to main/s/systemd/systemd_44-1.dsc
systemd_44-1_amd64.deb
  to main/s/systemd/systemd_44-1_amd64.deb
systemd_44.orig.tar.xz
  to main/s/systemd/systemd_44.orig.tar.xz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 664364@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tollef Fog Heen <tfheen@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 03 Apr 2012 19:59:17 +0200
Source: systemd
Binary: systemd systemd-sysv libpam-systemd systemd-gui libsystemd-login0 libsystemd-login-dev libsystemd-daemon0 libsystemd-daemon-dev libsystemd-journal0 libsystemd-journal-dev libsystemd-id128-0 libsystemd-id128-dev
Architecture: source amd64
Version: 44-1
Distribution: unstable
Urgency: low
Maintainer: Tollef Fog Heen <tfheen@debian.org>
Changed-By: Tollef Fog Heen <tfheen@debian.org>
Description: 
 libpam-systemd - system and service manager - PAM module
 libsystemd-daemon-dev - systemd utility library - development files
 libsystemd-daemon0 - systemd utility library
 libsystemd-id128-0 - systemd 128 bit ID utility library
 libsystemd-id128-dev - systemd 128 bit ID utility library - development files
 libsystemd-journal-dev - systemd journal utility library - development files
 libsystemd-journal0 - systemd journal utility library
 libsystemd-login-dev - systemd login utility library - development files
 libsystemd-login0 - systemd login utility library
 systemd    - system and service manager
 systemd-gui - system and service manager - GUI
 systemd-sysv - system and service manager - SysV links
Closes: 663219 663323 664364
Changes: 
 systemd (44-1) unstable; urgency=low
 .
   [ Tollef Fog Heen ]
   * New upstream version.
     - Backport 3492207: journal: PAGE_SIZE is not known on ppc and other
       archs
     - Backport 5a2a2a1: journal: react with immediate rotation to a couple
       of more errors
     - Backport 693ce21: util: never follow symlinks in rm_rf_children()
       Fixes CVE-2012-1174, closes: #664364
   * Drop output message from init-functions hook, it's pointless.
   * Only rmdir /lib/init/rw if it exists.
   * Explicitly order debian-fixup before sysinit.target to prevent a
     possible race condition with the creation of sockets.  Thanks to
     Michael Biebl for debugging this.
   * Always restart the initctl socket on upgrades, to mask sysvinit
     removing it.
 .
   [ Michael Biebl ]
   * Remove workaround for non-interactive sessions from pam config again.
   * Create compat /dev/initctl symlink in case we are upgrading from a system
     running a newer version of sysvinit (using /run/initctl) and sysvinit is
     replaced with systemd-sysv during the upgrade. Closes: #663219
   * Install new man pages.
   * Build-Depend on valac (>= 0.12) instead of valac-0.12. Closes: #663323





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Jun 2012 07:44:05 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:37:48 2019; Machine Name: buxtehude
