Debian Bug report logs - #929116
systemd: CVE-2018-20839

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 17 May 2019 12:15:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions systemd/241-5, systemd/241-3

Fixed in version systemd/241-4

Forwarded to https://github.com/systemd/systemd/pull/12378


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#929116; Package src:systemd. (Fri, 17 May 2019 12:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>. (Fri, 17 May 2019 12:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: systemd: CVE-2018-20839
Date: Fri, 17 May 2019 14:11:21 +0200
Source: systemd
Version: 241-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/systemd/systemd/pull/12378

Hi,

The following vulnerability was published for systemd.

CVE-2018-20839[0]:
| systemd 242 changes the VT1 mode upon a logout, which allows attackers
| to read cleartext passwords in certain circumstances, such as watching
| a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because
| the KDGKBMODE (aka current keyboard mode) check is mishandled.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20839
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20839
[1] https://github.com/systemd/systemd/pull/12378
[2] https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f
[3] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#929116. (Fri, 17 May 2019 19:27:12 GMT)


Message #8 received at 929116-submitter@bugs.debian.org:

From: Michael Biebl <noreply@salsa.debian.org>
To: 929116-submitter@bugs.debian.org
Subject: Bug#929116 marked as pending in systemd
Date: Fri, 17 May 2019 19:22:23 +0000
Control: tag -1 pending

Hello,

Bug #929116 in systemd reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/systemd-team/systemd/commit/5a564c6ef3906c0f3885a3a2aafce772393f760a

------------------------------------------------------------------------
Add check to switch VTs only between K_XLATE or K_UNICODE

Switching to K_UNICODE from other than K_XLATE can make the keyboard
unusable and possibly leak keypresses from X.

CVE-2018-20839
Closes: #929116
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/929116
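The CVE text in Message #5 and the commit message above describe the same check: the keyboard mode read with KDGKBMODE must be K_XLATE or K_UNICODE before the VT is switched to K_UNICODE; any other mode is left alone so the keyboard does not become unusable and keypresses meant for X are not exposed. The C block below is an added example written for this page, not systemd's code or the Debian patch. The function names (`kbd_mode_switch_allowed`, `kbd_mode_reset_target`, `reset_vt_kbd_mode`) are my own; the `KDGKBMODE`/`KDSKBMODE` ioctls and the `K_*` constants are the real Linux ones from `linux/kd.h`. The decision logic runs anywhere; only the ioctl wrapper needs an open VT descriptor.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

#ifdef __linux__
#include <sys/ioctl.h>
#include <linux/kd.h>
#endif

/* Fallback values, identical to linux/kd.h, so the decision logic also
 * builds where the Linux header is absent. */
#ifndef K_RAW
#define K_RAW       0x00
#define K_XLATE     0x01
#define K_MEDIUMRAW 0x02
#define K_UNICODE   0x03
#define K_OFF       0x04
#endif

#define KBD_MODE_LEAVE_ALONE (-1)

/* The guard the fix adds: a VT's keyboard mode may only be moved to
 * K_UNICODE when it is already in a translating mode (K_XLATE or
 * K_UNICODE). K_RAW, K_MEDIUMRAW and K_OFF are left untouched, because
 * forcing them to K_UNICODE can make the keyboard unusable and leak
 * keypresses from a display server that owns that VT. */
bool kbd_mode_switch_allowed(int current_mode)
{
        return current_mode == K_XLATE || current_mode == K_UNICODE;
}

/* Target mode for a VT reset on logout, or KBD_MODE_LEAVE_ALONE. */
int kbd_mode_reset_target(int current_mode)
{
        return kbd_mode_switch_allowed(current_mode) ? K_UNICODE
                                                     : KBD_MODE_LEAVE_ALONE;
}

const char *kbd_mode_name(int mode)
{
        switch (mode) {
        case K_RAW:       return "K_RAW";
        case K_XLATE:     return "K_XLATE";
        case K_MEDIUMRAW: return "K_MEDIUMRAW";
        case K_UNICODE:   return "K_UNICODE";
        case K_OFF:       return "K_OFF";
        default:          return "unknown";
        }
}

#ifdef __linux__
/* Hypothetical helper (not systemd's): apply the guarded reset to an open
 * VT descriptor. Returns 0 when the mode was set or deliberately left
 * alone, -errno when an ioctl failed. */
int reset_vt_kbd_mode(int fd)
{
        int mode;

        if (ioctl(fd, KDGKBMODE, &mode) < 0)   /* read current keyboard mode */
                return -errno;

        int target = kbd_mode_reset_target(mode);
        if (target == KBD_MODE_LEAVE_ALONE)
                return 0;                      /* not in K_XLATE/K_UNICODE: hands off */

        if (ioctl(fd, KDSKBMODE, target) < 0)  /* KDSKBMODE takes the mode by value */
                return -errno;
        return 0;
}
#endif

int main(void)
{
        /* Constructed inputs: every keyboard mode the kernel defines. */
        const int modes[] = { K_RAW, K_XLATE, K_MEDIUMRAW, K_UNICODE, K_OFF };

        for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
                int target = kbd_mode_reset_target(modes[i]);
                printf("%-12s -> %s\n", kbd_mode_name(modes[i]),
                       target == KBD_MODE_LEAVE_ALONE ? "leave alone"
                                                      : kbd_mode_name(target));
        }
        return 0;
}
```

Running the block prints the decision table for all five modes; a real caller would pass the VT's file descriptor to `reset_vt_kbd_mode` and treat a negative return as an ioctl error rather than as a reason to force the mode.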



Added tag(s) pending. Request was from Michael Biebl <noreply@salsa.debian.org> to 929116-submitter@bugs.debian.org. (Fri, 17 May 2019 19:27:12 GMT)


Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Fri, 17 May 2019 19:39:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 17 May 2019 19:39:11 GMT)


Message #15 received at 929116-close@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 929116-close@bugs.debian.org
Subject: Bug#929116: fixed in systemd 241-4
Date: Fri, 17 May 2019 19:37:33 +0000
Source: systemd
Source-Version: 241-4

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929116@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 17 May 2019 21:16:33 +0200
Source: systemd
Architecture: source
Version: 241-4
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Closes: 921267 926886 927008 928659 929116
Changes:
 systemd (241-4) unstable; urgency=medium
 .
   * journal-remote: Do not request Content-Length if Transfer-Encoding is
     chunked (Closes: #927008)
   * systemctl: Restore "systemctl reboot ARG" functionality.
     Fixes a regression introduced in v240. (Closes: #928659)
   * random-util: Eat up bad RDRAND values seen on AMD CPUs.
     Some AMD CPUs return bogus data via RDRAND after a suspend/resume cycle
     while still reporting success via the carry flag.
     Filter out invalid data like -1 (and also 0, just to be sure).
     (Closes: #921267)
   * Add check to switch VTs only between K_XLATE or K_UNICODE.
     Switching to K_UNICODE from other than K_XLATE can make the keyboard
     unusable and possibly leak keypresses from X.
     (CVE-2018-20839, Closes: #929116)
   * Document that DRM render nodes are now owned by group "render"
     (Closes: #926886)
Checksums-Sha1:
 1848c460c3a4494def3e8d4f0f08231550c80608 4914 systemd_241-4.dsc
 3110cb176b53e279ae1d30f5fb50970a9dd5a92b 156456 systemd_241-4.debian.tar.xz
 f9059c9b4cfb3e4c4e32a4673c3ec60aa270d7e7 9043 systemd_241-4_source.buildinfo
Checksums-Sha256:
 21dd78ccdc31d3a6c0cfba10bedb961fce5de4cd9589cc8d38cfafd8a674eaa5 4914 systemd_241-4.dsc
 702ef4372af3c6c128bcc56a7d5556f40b7f27c707aa2c0f633a413025bf019a 156456 systemd_241-4.debian.tar.xz
 170f670cef8892f860c6585b99f2af132fa6e8905f8fd01165264c72cbbd2a54 9043 systemd_241-4_source.buildinfo
Files:
 21265df2f9b89158b750e699da538cf1 4914 admin optional systemd_241-4.dsc
 02110f8b3deaf160c39b5db54f146a9a 156456 admin optional systemd_241-4.debian.tar.xz
 0179673fdd93d44365b8cd967f2c82e5 9043 admin optional systemd_241-4_source.buildinfo





Information forwarded to debian-bugs-dist@lists.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#929116; Package src:systemd. (Sat, 25 May 2019 07:24:03 GMT)


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>. (Sat, 25 May 2019 07:24:03 GMT)


Message #20 received at 929116@bugs.debian.org:

From: Hugo Lefeuvre <hle@debian.org>
To: 929116@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Bug#929116: fixed in systemd 241-4
Date: Sat, 25 May 2019 09:20:59 +0200
Hi,

241-5 reverted the patch for this issue, so I guess this bug report should
be reopened.

Salvatore: tracker should be updated as well, right?

regards,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Bug reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 May 2019 07:39:02 GMT)


No longer marked as fixed in versions systemd/241-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 May 2019 07:39:03 GMT)


Marked as found in versions systemd/241-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 May 2019 07:39:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#929116; Package src:systemd. (Sat, 25 May 2019 07:45:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>. (Sat, 25 May 2019 07:45:03 GMT)


Message #31 received at 929116@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Hugo Lefeuvre <hle@debian.org>, 929116@bugs.debian.org
Subject: Re: Bug#929116: fixed in systemd 241-4
Date: Sat, 25 May 2019 09:42:43 +0200
Hi Hugo,

On Sat, May 25, 2019 at 09:20:59AM +0200, Hugo Lefeuvre wrote:
> Salvatore: tracker should be updated as well, right?

Yes indeed, actually just committed the change and reflecting in a note
that the fix was reverted with 241-5.

Regards,
Salvatore



Marked as fixed in versions systemd/241-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 May 2019 07:45:06 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 27 May 2019 19:30:06 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#929116. (Fri, 07 Jun 2019 21:30:05 GMT)


Message #38 received at 929116-submitter@bugs.debian.org:

From: Michael Biebl <noreply@salsa.debian.org>
To: 929116-submitter@bugs.debian.org
Subject: Bug#929116 marked as pending in systemd
Date: Fri, 07 Jun 2019 21:26:38 +0000
Control: tag -1 pending

Hello,

Bug #929116 in systemd reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/systemd-team/systemd/commit/5a564c6ef3906c0f3885a3a2aafce772393f760a

------------------------------------------------------------------------
Add check to switch VTs only between K_XLATE or K_UNICODE

Switching to K_UNICODE from other than K_XLATE can make the keyboard
unusable and possibly leak keypresses from X.

CVE-2018-20839
Closes: #929116
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/929116



Added tag(s) pending. Request was from Michael Biebl <noreply@salsa.debian.org> to 929116-submitter@bugs.debian.org. (Fri, 07 Jun 2019 21:30:05 GMT)


Removed tag(s) pending. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Fri, 07 Jun 2019 21:39:03 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:04:13 2019; Machine Name: buxtehude