Debian Bug report logs -
#825059
CVE-2015-8842
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Mon, 23 May 2016 07:51:02 UTC
Severity: important
Tags: patch, security
Fixed in versions systemd/229-1, 215-1
Done: Michael Biebl <biebl@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#825059; Package systemd.
(Mon, 23 May 2016 07:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>.
(Mon, 23 May 2016 07:51:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: systemd
Version: 215-17+deb8u4
Severity: important
Tags: security patch
As discussed on IRC it would be great if CVE-2015-8842 could be fixed
in a jessie point release. Please see here for further links:
https://security-tracker.debian.org/tracker/CVE-2015-8842
Cheers,
Moritz
Marked as found in versions systemd/215-17.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 23 May 2016 08:18:24 GMT) (full text, mbox, link).
Marked as fixed in versions systemd/229-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 23 May 2016 08:18:24 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#825059; Package systemd.
(Fri, 01 Jul 2016 15:30:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>.
(Fri, 01 Jul 2016 15:30:10 GMT) (full text, mbox, link).
Message #14 received at 825059@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Moritz
On Mon, 23 May 2016 09:49:38 +0200 Moritz Muehlenhoff <jmm@debian.org>
wrote:
> Package: systemd
> Version: 215-17+deb8u4
> Severity: important
> Tags: security patch
>
> As discussed on IRC it would be great if CVE-2015-8842 could be fixed
> in a jessie point release. Please see here for further links:
> https://security-tracker.debian.org/tracker/CVE-2015-8842
I looked into this today.
The faulty commit was introduced in v213 by the commit referenced in the
security tracker.
There was a followup commit in v214:
commit 176f2acf8dee45fee832fd2ab07243f63783a238
Author: Lennart Poettering <lennart@poettering.net>
Date: Wed Jun 11 10:23:16 2014 +0200
tmpfiles: don't allow read access to journal files to users not in
systemd-journal
Also, don't apply access mode recursively to /var/log/journal/*/, since
that might be quite large, and should be correct anyway.
This means, users who installed jessie from scratch and never had 214-1
installed, won't be affected.
Only if a (unstable) user had /var/log/journal enabled and 214-1
installed in the past, he might end up with a systemd.journal which has
the wrong permissions.
The commit [1] basically fixes up borked permissions of existing
system.journal files. And if he's an (up-to-date) unstable user, he has
already received the update in 230-1.
So, considering this, I don't think this will be an issue in practice
and I think we can safely close this issue.
Waiting for your confirmation though, before doing so.
Regards,
Michael
[1]
https://github.com/systemd/systemd/commit/afae249efa4774c6676738ac5de6aeb4daf4889f
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
[signature.asc (application/pgp-signature, attachment)]
Reply sent
to Michael Biebl <biebl@debian.org>:
You have taken responsibility.
(Sun, 03 Jul 2016 13:15:15 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Sun, 03 Jul 2016 13:15:15 GMT) (full text, mbox, link).
Message #19 received at 825059-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Version: 215-1
Am 01.07.2016 um 17:28 schrieb Michael Biebl:
> This means, users who installed jessie from scratch and never had 214-1
> installed, won't be affected.
Or upgraded directly from wheezy to jessie
> Only if a (unstable) user had /var/log/journal enabled and 214-1
> installed in the past, he might end up with a systemd.journal which has
> the wrong permissions.
> The commit [1] basically fixes up borked permissions of existing
> system.journal files. And if he's an (up-to-date) unstable user, he has
> already received the update in 230-1.
>
> So, considering this, I don't think this will be an issue in practice
> and I think we can safely close this issue.
>
> Waiting for your confirmation though, before doing so.
After further consideration, I'm going to close this bug report.
The offending tmpfiles snippet was removed in 215, so we don't really
need the fixup from v229.
Moritz, can you mark the issue accordingly in the security tracker?
Regards,
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#825059; Package systemd.
(Sun, 03 Jul 2016 15:48:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>.
(Sun, 03 Jul 2016 15:48:06 GMT) (full text, mbox, link).
Message #24 received at 825059@bugs.debian.org (full text, mbox, reply):
Hi Michael,
On Sun, Jul 03, 2016 at 01:15:15PM +0000, Debian Bug Tracking System wrote:
> After further consideration, I'm going to close this bug report.
> The offending tmpfiles snippet was removed in 215, so we don't really
> need the fixup from v229.
>
> Moritz, can you mark the issue accordingly in the security tracker?
I though think we are mixing two CVEs here. The commit you references
for 214 was assigned a different CVE:
Cf. CVE-2014-9770 vs. CVE-2015-8842.
But I have added a note additionally to the no-dsa that it does not
affect jessie installations in practice to the security-tracker notes.
Review welcome :-)
For referene the two CVE (which though are related):
https://security-tracker.debian.org/CVE-2014-9770
https://security-tracker.debian.org/CVE-2015-8842
It's a bit complex how MITRE has assigned the CVEs to the SuSE request
possibly. But the commits referenced for the two should reflect the
original assingment at
https://marc.info/?l=oss-security&m=146031729006090&w=2
Regards,
Salvatore
No longer marked as found in versions systemd/215-17.
Request was from Michael Biebl <biebl@debian.org>
to control@bugs.debian.org.
(Mon, 04 Jul 2016 08:24:12 GMT) (full text, mbox, link).
No longer marked as found in versions systemd/215-17+deb8u4.
Request was from Michael Biebl <biebl@debian.org>
to control@bugs.debian.org.
(Mon, 04 Jul 2016 08:24:18 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#825059; Package systemd.
(Wed, 13 Jul 2016 13:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>.
(Wed, 13 Jul 2016 13:27:04 GMT) (full text, mbox, link).
Message #33 received at 825059@bugs.debian.org (full text, mbox, reply):
On Sun, Jul 03, 2016 at 03:13:32PM +0200, Michael Biebl wrote:
> Version: 215-1
>
> Am 01.07.2016 um 17:28 schrieb Michael Biebl:
> > This means, users who installed jessie from scratch and never had 214-1
> > installed, won't be affected.
>
> Or upgraded directly from wheezy to jessie
>
> > Only if a (unstable) user had /var/log/journal enabled and 214-1
> > installed in the past, he might end up with a systemd.journal which has
> > the wrong permissions.
> > The commit [1] basically fixes up borked permissions of existing
> > system.journal files. And if he's an (up-to-date) unstable user, he has
> > already received the update in 230-1.
> >
> > So, considering this, I don't think this will be an issue in practice
> > and I think we can safely close this issue.
> >
> > Waiting for your confirmation though, before doing so.
>
> After further consideration, I'm going to close this bug report.
> The offending tmpfiles snippet was removed in 215, so we don't really
> need the fixup from v229.
>
> Moritz, can you mark the issue accordingly in the security tracker?
Confirmed. I have upgraded the security tracker.
Cheers,
Moritz
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 11 Aug 2016 07:33:37 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:46:48 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon