systemd: CVE-2018-15688: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling

Related Vulnerabilities: CVE-2018-15688, CVE-2018-15687

Debian Bug report logs - #912008


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 27 Oct 2018 08:03:01 UTC

Severity: important

Tags: security, upstream

Found in versions systemd/232-19, systemd/232-25+deb9u4, systemd/239-10, systemd/232-25

Fixed in versions systemd/239-11, systemd/232-25+deb9u6

Done: Michael Biebl <biebl@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#912008; Package src:systemd. (Sat, 27 Oct 2018 08:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>. (Sat, 27 Oct 2018 08:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: systemd: CVE-2018-15688: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling
Date: Sat, 27 Oct 2018 09:59:17 +0200
Source: systemd
Version: 232-25
Severity: important
Tags: security upstream
Control: found -1 232-25+deb9u4
Control: found -1 239-10

Hi,

The following vulnerability was published for systemd.

CVE-2018-15688[0]:
| A buffer overflow vulnerability in the dhcp6 client of systemd allows
| a malicious dhcp6 server to overwrite heap memory in systemd-networkd.
| Affected releases are systemd: versions up to and including 239.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-15688
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15688
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1639067
[2] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1795921
[3] https://github.com/systemd/systemd/commit/49653743f69658aeeebdb14faf1ab158f1f2cb20

Please adjust the affected versions in the BTS as needed, both stretch
up to sid should be affected source wise, we do though not enable
systemd-networkd by default.

Regards,
Salvatore



Marked as found in versions systemd/232-25+deb9u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 27 Oct 2018 08:03:04 GMT)


Marked as found in versions systemd/239-10. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 27 Oct 2018 08:03:05 GMT)


Marked as found in versions systemd/232-19. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Oct 2018 08:09:04 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#912008. (Sun, 28 Oct 2018 11:48:06 GMT)


Message #14 received at 912008-submitter@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 912008-submitter@bugs.debian.org
Subject: Bug #912008 in systemd marked as pending
Date: Sun, 28 Oct 2018 11:45:37 +0000
Control: tag -1 pending

Hello,

Bug #912008 in systemd reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/systemd-team/systemd/commit/5f5cf5c48217d81c5f72fcc64887adc07cf074ef

------------------------------------------------------------------------
dhcp6: Make sure we have enough space for the DHCP6 option header

Fixes out-of-bounds heap write in systemd-networkd dhcpv6 option
handling.

CVE-2018-15688
LP: #1795921
Closes: #912008

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/912008
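
The commit subject quoted in the message above says the space check must account for the DHCP6 option header. As an added illustration (not systemd's code and not the Debian patch; `option_append`, `demo_remaining` and the 16-byte buffer are hypothetical, constructed for this example), a TLV append routine in C whose bounds check counts the 4-byte header (2-byte code, 2-byte length) as well as the payload:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_HDR_LEN 4u /* DHCPv6 option header: 2-byte code + 2-byte length */

/* Hypothetical helper (not systemd's function): append one option at *buf,
 * where *buflen is the space left; both are advanced on success. */
int option_append(uint8_t **buf, size_t *buflen, uint16_t code,
                  const void *data, size_t optlen)
{
    if (!buf || !*buf || !buflen || (optlen > 0 && !data))
        return -EINVAL;
    if (optlen > UINT16_MAX) /* the length field is only 16 bits wide */
        return -EINVAL;
    /* Header AND payload must fit. Comparing only optlen with *buflen
     * would let up to 4 bytes be written past the end of the buffer. */
    if (*buflen < OPT_HDR_LEN || *buflen - OPT_HDR_LEN < optlen)
        return -ENOBUFS;

    (*buf)[0] = (uint8_t)(code >> 8);   /* option code, network byte order */
    (*buf)[1] = (uint8_t)(code & 0xff);
    (*buf)[2] = (uint8_t)(optlen >> 8); /* option length, payload only */
    (*buf)[3] = (uint8_t)(optlen & 0xff);
    if (optlen > 0)
        memcpy(*buf + OPT_HDR_LEN, data, optlen);
    *buf += OPT_HDR_LEN + optlen;
    *buflen -= OPT_HDR_LEN + optlen;
    return 0;
}

/* Constructed demo: bytes left in a 16-byte buffer after appending an
 * n-byte payload (n <= 32), or the negative errno from option_append(). */
int demo_remaining(size_t n)
{
    uint8_t storage[16], payload[32] = {0};
    uint8_t *p = storage;
    size_t left = sizeof(storage);
    int r = n > sizeof(payload) ? -EINVAL
                                : option_append(&p, &left, 3, payload, n);
    return r < 0 ? r : (int)left;
}

int main(void)
{
    printf("12 bytes: %d, 16 bytes: %d\n", demo_remaining(12), demo_remaining(16));
    return 0;
}
```

A 16-byte payload is the telling case: it equals the buffer size, so a payload-only comparison would accept it, while the header-aware check returns `-ENOBUFS`.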



Added tag(s) pending. Request was from Michael Biebl <biebl@debian.org> to 912008-submitter@bugs.debian.org. (Sun, 28 Oct 2018 11:48:06 GMT)


Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Sun, 28 Oct 2018 14:51:20 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 28 Oct 2018 14:51:20 GMT)


Message #21 received at 912008-close@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 912008-close@bugs.debian.org
Subject: Bug#912008: fixed in systemd 239-11
Date: Sun, 28 Oct 2018 14:48:24 +0000
Source: systemd
Source-Version: 239-11

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 912008@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 28 Oct 2018 13:02:18 +0100
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump systemd-tests libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 239-11
Distribution: unstable
Urgency: high
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
 libnss-myhostname - nss module providing fallback resolution for the current hostname
 libnss-mymachines - nss module to resolve hostnames for local container instances
 libnss-resolve - nss module to resolve names via systemd-resolved
 libnss-systemd - nss module providing dynamic user and group name resolution
 libpam-systemd - system and service manager - PAM module
 libsystemd-dev - systemd utility library - development files
 libsystemd0 - systemd utility library
 libudev-dev - libudev development files
 libudev1   - libudev shared library
 libudev1-udeb - libudev shared library (udeb)
 systemd    - system and service manager
 systemd-container - systemd container/nspawn tools
 systemd-coredump - tools for storing and retrieving coredumps
 systemd-journal-remote - tools for sending and receiving remote journal logs
 systemd-sysv - system and service manager - SysV links
 systemd-tests - tests for systemd
 udev       - /dev/ and hotplug management daemon
 udev-udeb  - /dev/ and hotplug management daemon (udeb)
Closes: 906429 912007 912008
Changes:
 systemd (239-11) unstable; urgency=high
 .
   [ Michael Biebl ]
   * debian/tests/upstream: Clean up after each test run.
     Otherwise the loopback images used by qemu are not properly released and
     we might run out of disk space.
   * dhcp6: Make sure we have enough space for the DHCP6 option header.
     Fixes out-of-bounds heap write in systemd-networkd dhcpv6 option
     handling.
     (CVE-2018-15688, LP: #1795921, Closes: #912008)
   * chown-recursive: Rework the recursive logic to use O_PATH.
     Fixes a race condition in chown_one() which allows an attacker to cause
     systemd to set arbitrary permissions on arbitrary files.
     (CVE-2018-15687, LP: #1796692, Closes: #912007)
 .
   [ Martin Pitt ]
   * debian/tests/boot-and-services: Use gdm instead of lightdm.
     This seems to work more reliably, on Ubuntu CI's i386 instances lightdm
     fails.
 .
   [ Manuel A. Fernandez Montecelo ]
   * Run "meson test" instead of "ninja test"
     Upstream developers of meson recommend to run it in this way, because
     "ninja test" just calls "meson test", and by using meson directly and
     using extra command line arguments it is possible to control aspects of
     how the tests are run.
   * Increase timeout for test in riscv64.
     The buildds for the riscv64 arch used at the moment are slow, so increase
     the timeouts for this arch by a factor of 10, for good measure.
     (Closes: #906429)




Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Fri, 02 Nov 2018 22:06:25 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 02 Nov 2018 22:06:25 GMT)


Message #26 received at 912008-close@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 912008-close@bugs.debian.org
Subject: Bug#912008: fixed in systemd 232-25+deb9u6
Date: Fri, 02 Nov 2018 22:02:12 +0000
Source: systemd
Source-Version: 232-25+deb9u6

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 912008@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 28 Oct 2018 18:02:10 +0100
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 232-25+deb9u6
Distribution: stretch
Urgency: medium
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
 libnss-myhostname - nss module providing fallback resolution for the current hostname
 libnss-mymachines - nss module to resolve hostnames for local container instances
 libnss-resolve - nss module to resolve names via systemd-resolved
 libnss-systemd - nss module providing dynamic user and group name resolution
 libpam-systemd - system and service manager - PAM module
 libsystemd-dev - systemd utility library - development files
 libsystemd0 - systemd utility library
 libudev-dev - libudev development files
 libudev1   - libudev shared library
 libudev1-udeb - libudev shared library (udeb)
 systemd    - system and service manager
 systemd-container - systemd container/nspawn tools
 systemd-coredump - tools for storing and retrieving coredumps
 systemd-journal-remote - tools for sending and receiving remote journal logs
 systemd-sysv - system and service manager - SysV links
 udev       - /dev/ and hotplug management daemon
 udev-udeb  - /dev/ and hotplug management daemon (udeb)
Closes: 912008
Changes:
 systemd (232-25+deb9u6) stretch; urgency=medium
 .
   * dhcp6: Make sure we have enough space for the DHCP6 option header.
     Fixes out-of-bounds heap write in systemd-networkd dhcpv6 option
     handling.
     (CVE-2018-15688, LP: #1795921, Closes: #912008)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 03 Apr 2019 07:25:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:02:47 2019; Machine Name: beach
