systemd: CVE-2018-16865

Debian Bug report logs - #918848
systemd: CVE-2018-16865

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: systemd: CVE-2018-16865

Date: Wed, 09 Jan 2019 21:02:22 +0100

Source: systemd
Version: 43-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 232-25+deb9u6
Control: found -1 240-2

Hi,

The following vulnerability was published for systemd, opening
tracking bug.

CVE-2018-16865[0]:
memory corruption

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16865
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16865
[1] https://www.openwall.com/lists/oss-security/2019/01/09/3

Regards,
Salvatore

Message #12 received at 918848-submitter@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: 918848-submitter@bugs.debian.org

Subject: Bug #918848 in systemd marked as pending

Date: Sat, 12 Jan 2019 21:11:33 +0000

Control: tag -1 pending

Hello,

Bug #918848 in systemd reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/systemd-team/systemd/commit/ce0e48e43979e955df2413dca23c64088a729ed8

------------------------------------------------------------------------
Import patches from v240-stable branch (up to f02b5472c6)

- Fixes a problem in logind closing the controlling terminal when using
  startx. (Closes: #918927)
- Fixes various journald vulnerabilities via attacker controlled alloca.
  (CVE-2018-16864, CVE-2018-16865, Closes: #918841, Closes: #918848)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/918848

Message #19 received at 918848-close@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: 918848-close@bugs.debian.org

Subject: Bug#918848: fixed in systemd 240-4

Date: Sat, 12 Jan 2019 23:16:47 +0000

Source: systemd
Source-Version: 240-4

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918848@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 12 Jan 2019 21:49:44 +0100
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump systemd-tests libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 240-4
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
 libnss-myhostname - nss module providing fallback resolution for the current hostname
 libnss-mymachines - nss module to resolve hostnames for local container instances
 libnss-resolve - nss module to resolve names via systemd-resolved
 libnss-systemd - nss module providing dynamic user and group name resolution
 libpam-systemd - system and service manager - PAM module
 libsystemd-dev - systemd utility library - development files
 libsystemd0 - systemd utility library
 libudev-dev - libudev development files
 libudev1   - libudev shared library
 libudev1-udeb - libudev shared library (udeb)
 systemd    - system and service manager
 systemd-container - systemd container/nspawn tools
 systemd-coredump - tools for storing and retrieving coredumps
 systemd-journal-remote - tools for sending and receiving remote journal logs
 systemd-sysv - system and service manager - SysV links
 systemd-tests - tests for systemd
 udev       - /dev/ and hotplug management daemon
 udev-udeb  - /dev/ and hotplug management daemon (udeb)
Closes: 909396 917607 918841 918848 918927
Changes:
 systemd (240-4) unstable; urgency=medium
 .
   [ Benjamin Drung ]
   * Fix shellcheck issues in initramfs-tools scripts
 .
   [ Michael Biebl ]
   * Import patches from v240-stable branch (up to f02b5472c6)
     - Fixes a problem in logind closing the controlling terminal when using
       startx. (Closes: #918927)
     - Fixes various journald vulnerabilities via attacker controlled alloca.
       (CVE-2018-16864, CVE-2018-16865, Closes: #918841, Closes: #918848)
   * sd-device-monitor: Fix ordering of setting buffer size.
     Fixes an issue with uevents not being processed properly during coldplug
     stage and some kernel modules not being loaded via "udevadm trigger".
     (Closes: #917607)
   * meson: Stop setting -fPIE globally.
     Setting -fPIE globally can lead to miscompilations on certain
     architectures. Instead use the b_pie=true build option, which was
     introduced in meson 0.49. Bump the Build-Depends accordingly.
     (Closes: #909396)
Checksums-Sha1:
 71e37bb2f12272a16b7b50f45f77d47518e8c5a0 4898 systemd_240-4.dsc
 e8160f259001a6563c5a7523aa22e58a90883f9c 164740 systemd_240-4.debian.tar.xz
 b70e6881b2d011a8afe72697b004e1333084660f 9092 systemd_240-4_source.buildinfo
Checksums-Sha256:
 0f6d3af3272098320cde66d8cef56b8dba42674e3279d5f01a6e41d2a7b8d945 4898 systemd_240-4.dsc
 89de641b06c125bdf4c75249673fa4c6d38b1289cd781e97e897e5af12c9cb87 164740 systemd_240-4.debian.tar.xz
 6f8b4fca0da2c314663c72eadf02537f96725a770728e19d2b991de7853ef3ac 9092 systemd_240-4_source.buildinfo
Files:
 d1b15187721bd4aa3972477c23f8832e 4898 admin optional systemd_240-4.dsc
 8921999d026f783853e9b385e4c3504a 164740 admin optional systemd_240-4.debian.tar.xz
 4d48b2431f3af586c55fff6447e43913 9092 admin optional systemd_240-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAlw6bjoACgkQauHfDWCP
Itww6Q/+LLeP3LH1IKYoNJcmsAXpPMj4VTG5AtSoGcw972v7tB8U1DXpzp/68BwW
DO+lrPCwStUWNCWsbsu1jrgD3Rm+siGPeJ0JTQ/Qu+fr+jUhgIWYDXxDJ2v6iHGy
LlC1u29mRoKGddICgzls/7OMhCg2z/OcC0Hnxfa2kGV/cuxWQ3uBCjgoFlbSgJdI
dKTdS+kL0n1TCh55gIw/HUdCLWq12w4vJM6lOdoM6nrGw8NNQ89ehQHgDrP+0+Sw
JjLxapTou1Ijvj/yK2PF88z/HyXvzVf57X8HPrzgmhog4Wks3zVVak7DB4m/+oRe
3UTezDPJE/K4w2s1ZpUJgPPxM7vXhHtmznf0t376jrYwdVwu70rEPrWg/MiEcgIu
/0+QiMNRc/wwcdNBWKRXp0+iPCt5Dbk7kfTdEo6Ba9MrXYiw0aHIH2gThXmXoYMq
r0LKYOEp0U7edcjDkCEb63HrTzjTmFHg1NWKm6F7tA4eha/V3U9RfFnuC6X8Vpcw
65ITGEhTYfPSTd+UsaKv0b8CHs+c3QXAASbeDvMLQ7n89UUtTxNeIsgwsNpU0pC1
AjT1jxOw3Qno5dmGcxeQw9FBjRNPofjQ1osU5zzu9edf/JQSqCAR5FGSOtrrZ9ia
VUSws6F14EEQEKPAvKE/3s7GgaHyi4mtzo0TScyioSCCp4DMx04=
=SQ3h
-----END PGP SIGNATURE-----

Message #24 received at 918848@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>

To: Michael Biebl <biebl@debian.org>, 918848@bugs.debian.org

Subject: Plans for stretch-backports wrt. CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866?

Date: Sun, 13 Jan 2019 10:46:26 +0100

Hi!

In Tails we're shipping systemd/stretch-backports. We will freeze our
code base (and the APT repositories we use) on Jan 18 for our next
major release, so in the current state of things we would ship
239-12~bpo9+1, which is vulnerable to these 3 vulnerabilities. So I've
started researching our options and I'm wondering:

What's your plan wrt. stretch-backports? 

I realize that with the serious regressions brought by v240 — that
I see upstream and you are quickly fixing, woohoo! — you might want to
let v240 mature a bit longer in testing/sid before backporting, so
I would understand if you're reluctant to upload 240-4 to
stretch-backports as soon as it migrates to testing.

But maybe you plan to upload 239-12~bpo9+2 with the fixes backported?

FWIW, on the Tails side I'll build a custom backport of 240-4 and will
run it through the Tails integration test suite, because we have other
incentives to upgrade (getting the fixes for
https://github.com/systemd/systemd/issues/9461) and I'd rather do this
upgrade now in a controlled, relaxed way, than at the last minute
before our freeze (if v240 is uploaded to stretch-backports on
Jan 17-18).

Thanks a *lot* for your amazing work on the systemd package!

Cheers,
-- 
intrigeri

Message #29 received at 918848@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: intrigeri <intrigeri@debian.org>, 918848@bugs.debian.org

Subject: Re: Bug#918848: Plans for stretch-backports wrt. CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866?

Date: Sun, 13 Jan 2019 16:45:35 +0100

[Message part 1 (text/plain, inline)]

Am 13.01.19 um 10:46 schrieb intrigeri:
> Hi!
> 
> In Tails we're shipping systemd/stretch-backports. We will freeze our
> code base (and the APT repositories we use) on Jan 18 for our next
> major release, so in the current state of things we would ship
> 239-12~bpo9+1, which is vulnerable to these 3 vulnerabilities. So I've
> started researching our options and I'm wondering:
> 
> What's your plan wrt. stretch-backports? 

I do think we nailed the worst regressions by now, so my plan was to
wait until 240-4 has migrated to testing and then upload that to
stretch-backports, for the simple reason that this means less effort for
me. If someone want's to backport the fixes to 239-12~bpo9+1, that would
obviously ok with me as well.

> FWIW, on the Tails side I'll build a custom backport of 240-4 and will
> run it through the Tails integration test suite, because we have other
> incentives to upgrade (getting the fixes for
> https://github.com/systemd/systemd/issues/9461) and I'd rather do this
> upgrade now in a controlled, relaxed way, than at the last minute
> before our freeze (if v240 is uploaded to stretch-backports on
> Jan 17-18).

Please let us know about the results of those tests.
If 240-4 fails horribly, we could revisit the decision to upload this
version to stretch-backports.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Message #34 received at 918848@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>

To: Michael Biebl <biebl@debian.org>, 918848@bugs.debian.org

Subject: Re: Bug#918848: Plans for stretch-backports wrt. CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866?

Date: Sun, 13 Jan 2019 17:11:43 +0100

Hi Michael!

Thanks for the quick answer.

Michael Biebl:
> Am 13.01.19 um 10:46 schrieb intrigeri:
>> What's your plan wrt. stretch-backports? 

> I do think we nailed the worst regressions by now, so my plan was to
> wait until 240-4 has migrated to testing and then upload that to
> stretch-backports, for the simple reason that this means less effort for
> me.

This is reassuring.

> If someone want's to backport the fixes to 239-12~bpo9+1, that would
> obviously ok with me as well.

*If* we decide to fall back to this option for Tails, I'll happily
share the Git branch (and even upload to stretch-backports after
someone reviews it). But I do hope we won't have to go that way.

>> FWIW, on the Tails side I'll build a custom backport of 240-4 and will
>> run it through the Tails integration test suite, because we have other
>> incentives to upgrade (getting the fixes for
>> https://github.com/systemd/systemd/issues/9461) and I'd rather do this
>> upgrade now in a controlled, relaxed way, than at the last minute
>> before our freeze (if v240 is uploaded to stretch-backports on
>> Jan 17-18).

> Please let us know about the results of those tests.
> If 240-4 fails horribly, we could revisit the decision to upload this
> version to stretch-backports.

Will do!

Cheers,
-- 
intrigeri

Message #39 received at 918848@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>

To: 918848@bugs.debian.org, Michael Biebl <biebl@debian.org>

Subject: Re: Bug#918848: Plans for stretch-backports wrt. CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866?

Date: Sun, 13 Jan 2019 20:49:54 +0100

intrigeri:
> Michael Biebl:
>> Please let us know about the results of those tests.

> Will do!

All green from the perspective of Tails' integration test suite :)

I'll let you know if the reviewer for this Tails proposed change (most
likely lamby) finds issues relevant to Debian.

The backport was totally trivial (start from your stretch backports
branch, merge the newest sid packaging tag, boom):
https://salsa.debian.org/tails-team/systemd/

Cheers,
-- 
intrigeri

Message #44 received at 918848@bugs.debian.org (full text, mbox, reply):

From: Nye Liu <nyet@nyet.org>

To: 918848@bugs.debian.org

Subject: Really bad regression

Date: Sat, 19 Jan 2019 23:40:51 -0800

https://github.com/systemd/systemd/issues/11502

Message #49 received at 918848-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 918848-close@bugs.debian.org

Subject: Bug#918848: fixed in systemd 232-25+deb9u7

Date: Tue, 29 Jan 2019 13:02:18 +0000

Source: systemd
Source-Version: 232-25+deb9u7

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918848@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Jan 2019 09:38:38 +0100
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 232-25+deb9u7
Distribution: stretch-security
Urgency: high
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 918841 918848
Description: 
 libnss-myhostname - nss module providing fallback resolution for the current hostname
 libnss-mymachines - nss module to resolve hostnames for local container instances
 libnss-resolve - nss module to resolve names via systemd-resolved
 libnss-systemd - nss module providing dynamic user and group name resolution
 libpam-systemd - system and service manager - PAM module
 libsystemd-dev - systemd utility library - development files
 libsystemd0 - systemd utility library
 libudev-dev - libudev development files
 libudev1   - libudev shared library
 libudev1-udeb - libudev shared library (udeb)
 systemd    - system and service manager
 systemd-container - systemd container/nspawn tools
 systemd-coredump - tools for storing and retrieving coredumps
 systemd-journal-remote - tools for sending and receiving remote journal logs
 systemd-sysv - system and service manager - SysV links
 udev       - /dev/ and hotplug management daemon
 udev-udeb  - /dev/ and hotplug management daemon (udeb)
Changes:
 systemd (232-25+deb9u7) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * journald: do not store the iovec entry for process commandline on stack
     (CVE-2018-16864) (Closes: #918841)
   * journald: set a limit on the number of fields (1k) (CVE-2018-16865)
     (Closes: #918848)
   * journal-remote: set a limit on the number of fields in a message
     (CVE-2018-16865) (Closes: #918848)
   * journal: fix syslog_parse_identifier() (CVE-2018-16866)
   * journal: do not remove multiple spaces after identifier in syslog message
     (CVE-2018-16866)
Package-Type: udeb
Checksums-Sha1: 
 b4ca041a73cb8775c90bbcc92c080cd7ac58dfe4 4952 systemd_232-25+deb9u7.dsc
 74178b96d631058236cf79f5b0cc3953382f12b5 4529048 systemd_232.orig.tar.gz
 4b7fbdd4005aa0340dca1cc37603cbd520343e31 214680 systemd_232-25+deb9u7.debian.tar.xz
Checksums-Sha256: 
 1dea5088456636c50c3135ae5cd00f92ee8559360c907a22e1ed05a3e0016646 4952 systemd_232-25+deb9u7.dsc
 1172c7c7d5d72fbded53186e7599d5272231f04cc8b72f9a0fb2c5c20dfc4880 4529048 systemd_232.orig.tar.gz
 653cf8bb0b33b01c08484a3a3c8de4de1bb875b56f869ef389b17760442a8e7f 214680 systemd_232-25+deb9u7.debian.tar.xz
Files: 
 45cf746f8e5721bffbdbd80e2c38c4e8 4952 admin optional systemd_232-25+deb9u7.dsc
 3e3a0b14050eff62e68be72142181730 4529048 admin optional systemd_232.orig.tar.gz
 6a58324e6574cf198db06db655f29f6e 214680 admin optional systemd_232-25+deb9u7.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlw6SrZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ERJAP/jeXZ/yRfhlQ5wB1c0qS0pskC5Wxn5ge
OR4i0rodEFi8HVoPzEqYgO9NbiReKWDfkWfaecgIZyrtnTFSj6jVlZs9zzb0ulSx
GI0reZ8gbWaHkMWb2G3wRBMsa6VL9+zZ71GvHBciryx1ms0qGpQ2F7YwxcD/KdEW
PGnn1ohFykxDXcjpo/Q2SqdXVszDbC5yTJw3pxW5ZJa6oHpFDpirTiruj5QatSNJ
WwMcI2gQye+UJ/krXxs+12Bx/Cg83GwbIe4ABsxnqjfDsU1TMuiyUBAED+CdIRB0
+wPR4PqSkYiRjh4/tZRr5v6NGbyxaAnUx/JPJ3qFhZ2Gf2kuU3tdPy0lmHnCp2UB
EcO/+D06uRozRKxFFUHr3OwJi3+ug3aVIupErtzv/UwB1Oc/EroEk/pHk8sPNTnG
Xk7Pa6363epscGbWgtwEDr2YuI6mv7M64F9UM0Wxlu+kX66fbO17/noJD1tuylm9
nJzsj3I9q+vOUMND1ykZMJkCbWfRtv6zAk7VY9PmpIGULD7djMEOFfh4dswBPXg2
eJGM+HBhzuFvP2cNoEKKc2bKwjCaZgJIxkM/3M8ldYVsOBaVmIP7OHL1hfacGE0N
nNrSL05x1/SF+O/VSaYUY7Am7T/m9VCCbQ3PjKXNMEuESL3nkuocvtKTCZYosC0U
TLRx4R8nlEkb
=g+xr
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.