systemd: CVE-2019-3843 CVE-2019-3844

Debian Bug report logs - #928102
systemd: CVE-2019-3843 CVE-2019-3844

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: systemd: CVE-2019-3843 CVE-2019-3844

Date: Sun, 28 Apr 2019 09:14:06 +0200

Source: systemd
Version: 241-3
Severity: important
Tags: security upstream
Control: found -1 232-25+deb9u11
Control: found -1 232-1

Hi,

The following vulnerabilities were published for systemd.

CVE-2019-3843[0]:
| It was discovered that a systemd service that uses DynamicUser
| property can create a SUID/SGID binary that would be allowed to run as
| the transient service UID/GID even after the service is terminated. A
| local attacker may use this flaw to access resources that will be
| owned by a potentially different service in the future, when the
| UID/GID will be recycled.


CVE-2019-3844[1]:
| It was discovered that a systemd service that uses DynamicUser
| property can get new privileges through the execution of SUID
| binaries, which would allow to create binaries owned by the service
| transient group with the setgid bit set. A local attacker may use this
| flaw to access resources that will be owned by a potentially different
| service in the future, when the GID will be recycled.

More details are in [2] and [3].

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3843
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3843
[1] https://security-tracker.debian.org/tracker/CVE-2019-3844
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3844
[2] https://bugs.chromium.org/p/project-zero/issues/detail?id=1771
[3] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596

Please adjust the affected versions in the BTS as needed. I think
affected versions are back to the one in  stretch were support for
DynamicUsers were added. Overall though the issue seems to be low
impacted, thus I have marked it as no-dsa for stretch, but let us know
if this is wrong assessment for severity.

Regards,
Salvatore

Message #14 received at 928102@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 928102@bugs.debian.org

Subject: Re: Bug#928102: systemd: CVE-2019-3843 CVE-2019-3844

Date: Sun, 28 Apr 2019 20:12:00 +0200

[Message part 1 (text/plain, inline)]

Hi

Am 28.04.19 um 09:14 schrieb Salvatore Bonaccorso:
> Please adjust the affected versions in the BTS as needed. I think
> affected versions are back to the one in  stretch were support for
> DynamicUsers were added. Overall though the issue seems to be low
> impacted, thus I have marked it as no-dsa for stretch, but let us know
> if this is wrong assessment for severity.


I agree with this assessment and don't plan to make a stable (or even
buster) upload for this.

Regards,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Message #19 received at 928102-close@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: 928102-close@bugs.debian.org

Subject: Bug#928102: fixed in systemd 242-1

Date: Wed, 08 May 2019 00:04:52 +0000

Source: systemd
Source-Version: 242-1

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928102@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 08 May 2019 01:33:56 +0200
Source: systemd
Architecture: source
Version: 242-1
Distribution: experimental
Urgency: medium
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Closes: 852580 898892 919231 928102 928615
Changes:
 systemd (242-1) experimental; urgency=medium
 .
   * New upstream version 242
     - Change ownership/mode of the execution directories also for static users
       (Closes: #919231)
     - A new boolean sandboxing option RestrictSUIDSGID= has been added that is
       built on seccomp. When turned on, creation of SUID/SGID files is
       prohibited. The NoNewPrivileges= and the new RestrictSUIDSGID= options
       are now implied if DynamicUser= is turned on for a service.
       (Closes: #928102, CVE-2019-3843, CVE-2019-3844)
   * Drop Revert-udev-network-device-renaming-immediately-give.patch.
     This patch needs ongoing maintenance work to be adapted to new releases
     and fails to apply with v242. Instead of investing more time into it we
     are going to drop the patch as it was a hack anyway.
   * Rebase patches
   * Drop pre-stretch migration code
   * Drop /sbin/udevadm compat symlink (Closes: #852580)
   * socket-util: Make sure flush_accept() doesn't hang on unexpected
     EOPNOTSUPP
   * Enable regexp matching support in journalctl using pcre2 (Closes: #898892)
   * Switch from libidn to libidn2 (Closes: #928615)
Checksums-Sha1:
 4216ce513d44f7843fcdab0d2d1c1f45b27b09fb 4937 systemd_242-1.dsc
 7a4de314f0a281a1af383eb1daf1aef3edee4579 7831435 systemd_242.orig.tar.gz
 b56eff21f5ee9587975fece563c7136a86386a61 141348 systemd_242-1.debian.tar.xz
 22e81f7208552c8f5c63c69f68410cbd272b2459 9131 systemd_242-1_source.buildinfo
Checksums-Sha256:
 e089b45e330db11e372ebf9587e8af7db8d70479b6506f737f37da29bd70ab4d 4937 systemd_242-1.dsc
 ec22be9a5dd94c9640e6348ed8391d1499af8ca2c2f01109198a414cff6c6cba 7831435 systemd_242.orig.tar.gz
 0d3ccdf0bb8975d2c681e794306b9c3be7d14035f0abad9ef80fbd36221a3a0b 141348 systemd_242-1.debian.tar.xz
 69a502c4fb1984f95fa5a67102685b2da54a1b2d026e4b5178091fbe63578952 9131 systemd_242-1_source.buildinfo
Files:
 19e511dfe3f51a1e53ff9c7355252aee 4937 admin optional systemd_242-1.dsc
 5e004a4007cebbc4c7a06bfd2b9b3d4c 7831435 admin optional systemd_242.orig.tar.gz
 908bebbe30e249b85cf17a661107084d 141348 admin optional systemd_242-1.debian.tar.xz
 3ef220200f70e343cd78f294a4b9d0e6 9131 admin optional systemd_242-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAlzSGPYACgkQauHfDWCP
Itwo5Q/+LwyWCdaaHr75Yqsb+A4f9LS8+13+QEf/pNzZpA6fpcJIEtGffaDTwXpR
xpoqY93kT+iQtsUERvRJlMqI89MH/xyAgrKh6cJaz5AgKX7WOlQftCL3+pqWotBS
bdUggkA1zK8lHZp3FsQjQqXN3dN4hk0aFlxkG5MsYXcX3Pi3bQLguvu4/24dc8gt
KcA3ZQA8TSPHWxGh+UW7lJfDRTmkaDXqF0IxL/dqW6xirpk3hmnUlkUASeC9cRIk
csXbsETchSw+cd+ZIgggpcvY2eGUXuWC+S4q8JWRUEAH/MOw2daV/+4uFEwI4WwJ
D7QSAIVkqUzhow+4BYxPUeKJEi8fgQZl4bgfA/3WR8iSGyGNHl1klfZ2Cf+S1e2I
dYeDou+OSSG0dYHLg2815jcmJePLXoBM89Q23aJQRBIIBfr/zNxrrbPUtYQe5VBh
UBb6BfHxV6TFxehviMAvX9JoHwOzDSWpe0DcJ7blpBQEfu4OdwriEZjEJxV8qIQa
uZmMkFKvgKtHLLjgR/mQMhfiOISqs6TRiLN0iq5ju1kULTuJ6OmyL2uOkfeIynZH
7GSxCLv8CBmKgCxWtfA3LpckAKcxsQCZjqXh05hHCIQczqKGyjXlQFEZXouuhic9
ZyW8I3FnGJ881VLpyxSLeHpZ0Osmz0AycZGESWsyMCxL4uaB9CI=
=01fH
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.