Debian Bug report logs -
#912008
systemd: CVE-2018-15688: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 27 Oct 2018 08:03:01 UTC
Severity: important
Tags: security, upstream
Found in versions systemd/232-19, systemd/232-25+deb9u4, systemd/239-10, systemd/232-25
Fixed in versions systemd/239-11, systemd/232-25+deb9u6
Done: Michael Biebl <biebl@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
:
Bug#912008
; Package src:systemd
.
(Sat, 27 Oct 2018 08:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
.
(Sat, 27 Oct 2018 08:03:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: systemd
Version: 232-25
Severity: important
Tags: security upstream
Control: found -1 232-25+deb9u4
Control: found -1 239-10
Hi,
The following vulnerability was published for systemd.
CVE-2018-15688[0]:
| A buffer overflow vulnerability in the dhcp6 client of systemd allows
| a malicious dhcp6 server to overwrite heap memory in systemd-networkd.
| Affected releases are systemd: versions up to and including 239.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-15688
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15688
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1639067
[2] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1795921
[3] https://github.com/systemd/systemd/commit/49653743f69658aeeebdb14faf1ab158f1f2cb20
Please adjust the affected versions in the BTS as needed, both stretch
up to sid should be affected source wise, we do though not enable
systemd-networkd by default.
Regards,
Salvatore
Marked as found in versions systemd/232-25+deb9u4.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Sat, 27 Oct 2018 08:03:04 GMT) (full text, mbox, link).
Marked as found in versions systemd/239-10.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Sat, 27 Oct 2018 08:03:05 GMT) (full text, mbox, link).
Marked as found in versions systemd/232-19.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sat, 27 Oct 2018 08:09:04 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug#912008.
(Sun, 28 Oct 2018 11:48:06 GMT) (full text, mbox, link).
Message #14 received at 912008-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #912008 in systemd reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:
https://salsa.debian.org/systemd-team/systemd/commit/5f5cf5c48217d81c5f72fcc64887adc07cf074ef
------------------------------------------------------------------------
dhcp6: Make sure we have enough space for the DHCP6 option header
Fixes out-of-bounds heap write in systemd-networkd dhcpv6 option
handling.
CVE-2018-15688
LP: #1795921
Closes: #912008
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/912008
Added tag(s) pending.
Request was from Michael Biebl <biebl@debian.org>
to 912008-submitter@bugs.debian.org
.
(Sun, 28 Oct 2018 11:48:06 GMT) (full text, mbox, link).
Reply sent
to Michael Biebl <biebl@debian.org>
:
You have taken responsibility.
(Sun, 28 Oct 2018 14:51:20 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Sun, 28 Oct 2018 14:51:20 GMT) (full text, mbox, link).
Message #21 received at 912008-close@bugs.debian.org (full text, mbox, reply):
Source: systemd
Source-Version: 239-11
We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 912008@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated systemd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 28 Oct 2018 13:02:18 +0100
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump systemd-tests libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 239-11
Distribution: unstable
Urgency: high
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
libnss-myhostname - nss module providing fallback resolution for the current hostname
libnss-mymachines - nss module to resolve hostnames for local container instances
libnss-resolve - nss module to resolve names via systemd-resolved
libnss-systemd - nss module providing dynamic user and group name resolution
libpam-systemd - system and service manager - PAM module
libsystemd-dev - systemd utility library - development files
libsystemd0 - systemd utility library
libudev-dev - libudev development files
libudev1 - libudev shared library
libudev1-udeb - libudev shared library (udeb)
systemd - system and service manager
systemd-container - systemd container/nspawn tools
systemd-coredump - tools for storing and retrieving coredumps
systemd-journal-remote - tools for sending and receiving remote journal logs
systemd-sysv - system and service manager - SysV links
systemd-tests - tests for systemd
udev - /dev/ and hotplug management daemon
udev-udeb - /dev/ and hotplug management daemon (udeb)
Closes: 906429 912007 912008
Changes:
systemd (239-11) unstable; urgency=high
.
[ Michael Biebl ]
* debian/tests/upstream: Clean up after each test run.
Otherwise the loopback images used by qemu are not properly released and
we might run out of disk space.
* dhcp6: Make sure we have enough space for the DHCP6 option header.
Fixes out-of-bounds heap write in systemd-networkd dhcpv6 option
handling.
(CVE-2018-15688, LP: #1795921, Closes: #912008)
* chown-recursive: Rework the recursive logic to use O_PATH.
Fixes a race condition in chown_one() which allows an attacker to cause
systemd to set arbitrary permissions on arbitrary files.
(CVE-2018-15687, LP: #1796692, Closes: #912007)
.
[ Martin Pitt ]
* debian/tests/boot-and-services: Use gdm instead of lightdm.
This seems to work more reliably, on Ubuntu CI's i386 instances lightdm
fails.
.
[ Manuel A. Fernandez Montecelo ]
* Run "meson test" instead of "ninja test"
Upstream developers of meson recommend to run it in this way, because
"ninja test" just calls "meson test", and by using meson directly and
using extra command line arguments it is possible to control aspects of
how the tests are run.
* Increase timeout for test in riscv64.
The buildds for the riscv64 arch used at the moment are slow, so increase
the timeouts for this arch by a factor of 10, for good measure.
(Closes: #906429)
Checksums-Sha1:
d78b830b51c7219c3a3c40258ab149a649cea688 4817 systemd_239-11.dsc
45f54957dd21e429e78e2d7b987a59a1d5aa3156 154748 systemd_239-11.debian.tar.xz
84bf5b119ebc4a2689e93f2f0b01a1767bc4b14d 9355 systemd_239-11_source.buildinfo
Checksums-Sha256:
833a319ba82a62d2ea8e2f53fa9ba5706f442192f9b4ac128e9847da21171d35 4817 systemd_239-11.dsc
2c99b4f5f200f4603b51f421910056bd7feba510ce0e19b386510b3f73a42e47 154748 systemd_239-11.debian.tar.xz
53b1fdef5fc6b52f03c0ec17576ca663bec655f3a13da2ffffc6f2156f0f93e4 9355 systemd_239-11_source.buildinfo
Files:
12288c30403e757d6e46adb5cca13411 4817 admin optional systemd_239-11.dsc
1a4b9cb7e6e9804f62f1b0dfa6abb1a5 154748 admin optional systemd_239-11.debian.tar.xz
b1b344e0cb1d00a9dc93ad65a7e6177e 9355 admin optional systemd_239-11_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAlvVv2gACgkQauHfDWCP
ItwFtA//bvEHtNufl4SLqLFe35BGY0a/FHJKQkxrAdbz5wP4W4G0vMdYNnlefggm
gnLhQXZhjK6oLQF45RR6lOyfTZlRToLVVWLRa3YBUETe1N+LeZLY138xDvGAnnsW
fJUwPgoWvvQ/n7dhTQ4G+6q85eKIGarJvZj9nHAj4+IKVzfq/iVIjLHbCocNbcbO
+ex5amRCGTTzBMXKgHHQfYDlly/x0/t6cbHRoqHS/9Zi2BUbqDgpG0Pa/KPg6uah
+l4uzjbKpQYsKJDh0iwF8fQ0MZAoglUj0s6aWQjxWH6KFO/UXdGNy9La2P4zAZ5M
SVq7V+Q3zFljvaD2DSPqLVS3B0LOv7aOps8+drQoB3AQGoeD0acLte+1mS22tA3R
yLkEdgVhFgdHJTRE7KRR7o5szYFrlDH6cJhQvSSG56bw4e8Q/8RHTzQTHGkyehH2
U67VRbAn8w4J+ZBhjK9Ogvekhm4w7UZKlYrfTAuFNG0Uosq3t7WmUfKm3+KwpLE/
rdeZmQ5pZUdDXQmxOJ0OmrXGYzlNc59tbQzembH+8PxdjunxHCiNi0szr63RM42Y
KmMnoIVu/IMm6UXYtkNexyPMbPBTIbZrZIZnj0GmKrrR2qKiiXzUL5S+L0YGVhAi
14rUQb2i6E90mJ/Frxo5vwYlLl68UsWxAIBe1CARNRX4VrJawu0=
=HvWg
-----END PGP SIGNATURE-----
Reply sent
to Michael Biebl <biebl@debian.org>
:
You have taken responsibility.
(Fri, 02 Nov 2018 22:06:25 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Fri, 02 Nov 2018 22:06:25 GMT) (full text, mbox, link).
Message #26 received at 912008-close@bugs.debian.org (full text, mbox, reply):
Source: systemd
Source-Version: 232-25+deb9u6
We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 912008@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated systemd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 28 Oct 2018 18:02:10 +0100
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 232-25+deb9u6
Distribution: stretch
Urgency: medium
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
libnss-myhostname - nss module providing fallback resolution for the current hostname
libnss-mymachines - nss module to resolve hostnames for local container instances
libnss-resolve - nss module to resolve names via systemd-resolved
libnss-systemd - nss module providing dynamic user and group name resolution
libpam-systemd - system and service manager - PAM module
libsystemd-dev - systemd utility library - development files
libsystemd0 - systemd utility library
libudev-dev - libudev development files
libudev1 - libudev shared library
libudev1-udeb - libudev shared library (udeb)
systemd - system and service manager
systemd-container - systemd container/nspawn tools
systemd-coredump - tools for storing and retrieving coredumps
systemd-journal-remote - tools for sending and receiving remote journal logs
systemd-sysv - system and service manager - SysV links
udev - /dev/ and hotplug management daemon
udev-udeb - /dev/ and hotplug management daemon (udeb)
Closes: 912008
Changes:
systemd (232-25+deb9u6) stretch; urgency=medium
.
* dhcp6: Make sure we have enough space for the DHCP6 option header.
Fixes out-of-bounds heap write in systemd-networkd dhcpv6 option
handling.
(CVE-2018-15688, LP: #1795921, Closes: #912008)
Checksums-Sha1:
c1fa097a41605918132660ea804f28708f26b41a 4797 systemd_232-25+deb9u6.dsc
50592fcd68160925f9fa3d505c0926713ff74b7c 210268 systemd_232-25+deb9u6.debian.tar.xz
e437ad50ea11809b09e277d054e9f4d24810b1c6 9472 systemd_232-25+deb9u6_source.buildinfo
Checksums-Sha256:
7f714e67a8b37c8edfa6a9e10b2d3e860ec5cd392312df7ddf857f6a7284682f 4797 systemd_232-25+deb9u6.dsc
8ef9e34c7b928a4a1191257e889a4df8649bf94e1f62d6646d2c21541fd813c2 210268 systemd_232-25+deb9u6.debian.tar.xz
c51fd7dec5297b658650fa2d9956b91ba6ffaf8aebc750f964d75608dd34b845 9472 systemd_232-25+deb9u6_source.buildinfo
Files:
024a612232ec211c85086ffaefb60a05 4797 admin optional systemd_232-25+deb9u6.dsc
27eb63246c8cda66f68df47c752fa1d5 210268 admin optional systemd_232-25+deb9u6.debian.tar.xz
7e5879d0fd919294855f298943b77040 9472 admin optional systemd_232-25+deb9u6_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAlvbac4ACgkQauHfDWCP
ItwcAw/+MzUdUyIjEGFfD+nAz2rW9Wmufodao97IokHifcT+Kz87aGm/g+2NhBe7
voACVh4eleORW7vYCyuG1gRij3c+UC1121LhpwZHEZjbiKTQKFYyCb53IvcgcsV+
FyR2LFsQSpZWC46wtIIOAVmY/cNAylo5Ed5jzblj/i5kZSHtM1+STRi4mzBlNBDl
tF+vQXJuqKL5WywliZdX7jIEs4UpJS7/xQwlZYU6QFhR8+9/l0KiG6QN5Xr0TFRq
WKx3uNBqSBearPMA2nJ0MbYBWdPTd+bQo51E0gzNuT1uSfgskqmASkYje5XWUvrf
hq7PZDqKqyn1zjTsmFQbhy/a/osPmQeDVZfwjyFDbMootOo37fb//lFNt3TqFrxP
PVztaZGVJxbMlbIIyYYarz94b6Ad3ihsjHYrQ+/pxEUyddEBa1PyyyD0w4aKkilV
4s6RD3ntpv7RVN8lMp+jvtRNFwRTU4APHBHplTZD/hYaqkcbjyK2pmROS/V5AWvL
4fm5qNuFtqyuBNXIEc13QMxgL8uJwmlbSJFg0Q8xC8ngO9LBzS19IAJ9jC9Up/Mr
YVdiSnmZAIQCDJHUM4ULsS2pymqs+ljEPECINRM5dFl3XSI5+oyH16rKvgEq9btS
oFPIF0GrY5Il67PollHuP0Ubt1RNX3OdwxOKFXdPw6rT+25DPHQ=
=Lxbm
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Wed, 03 Apr 2019 07:25:17 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:02:47 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.