systemd: CVE-2017-9217: systemd-resolved crashed with SIGSEGV in dns_packet_is_reply_for()

Debian Bug report logs - #863277
systemd: CVE-2017-9217: systemd-resolved crashed with SIGSEGV in dns_packet_is_reply_for()

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: systemd: CVE-2017-9217: systemd-resolved crashed with SIGSEGV in dns_packet_is_reply_for()

Date: Wed, 24 May 2017 20:27:22 +0200

Source: systemd
Version: 232-23
Severity: important
Tags: patch upstream security
Forwarded: https://github.com/systemd/systemd/pull/5998

Hi,

the following vulnerability was published for systemd.

CVE-2017-9217[0]:
| systemd-resolved through 233 allows remote attackers to cause a denial
| of service (daemon crash) via a crafted DNS response with an empty
| question section.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9217
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9217
[1] https://github.com/systemd/systemd/pull/5998
[2] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396
[3] https://bugzilla.novell.com/show_bug.cgi?id=1040614

Please adjust the affected versions in the BTS as needed. I think the
version in jessie should not be affected; unless I'm wrong (and then
please correct me) the resolved: DNS client stub resolver was only
introduced post v216, and the issue maybe even later (post v219). But
would be greatly appreciated if you can confirm that.

Regards,
Salvatore

Message #10 received at 863277@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: 863277@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: systemd: CVE-2017-9217: systemd-resolved crashed with SIGSEGV in dns_packet_is_reply_for()

Date: Mon, 29 May 2017 14:04:17 +0200

[Message part 1 (text/plain, inline)]

Hi Salvatore!

On Wed, 24 May 2017 20:27:22 +0200 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: systemd
> Version: 232-23
> Severity: important
> Tags: patch upstream security
> Forwarded: https://github.com/systemd/systemd/pull/5998
> 
> Hi,
> 
> the following vulnerability was published for systemd.
> 
> CVE-2017-9217[0]:
> | systemd-resolved through 233 allows remote attackers to cause a denial
> | of service (daemon crash) via a crafted DNS response with an empty
> | question section.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-9217
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9217
> [1] https://github.com/systemd/systemd/pull/5998
> [2] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396
> [3] https://bugzilla.novell.com/show_bug.cgi?id=1040614
> 
> Please adjust the affected versions in the BTS as needed. I think the
> version in jessie should not be affected; unless I'm wrong (and then
> please correct me) the resolved: DNS client stub resolver was only
> introduced post v216, and the issue maybe even later (post v219). But
> would be greatly appreciated if you can confirm that.

I've marked it as found in v217-1, as this was the first version after
v216 uploaded to the archive. It doesn't matter to much if it's v217 or
v219 I think. Those uploads all landed in experimental at that time.

As for the bug itself: We don't enable resolved by default in Debian: Do
you think this bug is important enough that we should get this into 9.0?
I'd have to ask for an unlock request then.

Otherwise I'd just queue this fix in the stretch branch and try to get
this into 9.1.

For now, I'll apply this fix to v233 which is currently in experimental.

Regards,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Message #15 received at 863277@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Michael Biebl <biebl@debian.org>

Cc: 863277@bugs.debian.org

Subject: Re: systemd: CVE-2017-9217: systemd-resolved crashed with SIGSEGV in dns_packet_is_reply_for()

Date: Mon, 29 May 2017 14:10:26 +0200

Hi Michael,

On Mon, May 29, 2017 at 02:04:17PM +0200, Michael Biebl wrote:
> Hi Salvatore!
> 
> On Wed, 24 May 2017 20:27:22 +0200 Salvatore Bonaccorso
> <carnil@debian.org> wrote:
> > Source: systemd
> > Version: 232-23
> > Severity: important
> > Tags: patch upstream security
> > Forwarded: https://github.com/systemd/systemd/pull/5998
> > 
> > Hi,
> > 
> > the following vulnerability was published for systemd.
> > 
> > CVE-2017-9217[0]:
> > | systemd-resolved through 233 allows remote attackers to cause a denial
> > | of service (daemon crash) via a crafted DNS response with an empty
> > | question section.
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2017-9217
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9217
> > [1] https://github.com/systemd/systemd/pull/5998
> > [2] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396
> > [3] https://bugzilla.novell.com/show_bug.cgi?id=1040614
> > 
> > Please adjust the affected versions in the BTS as needed. I think the
> > version in jessie should not be affected; unless I'm wrong (and then
> > please correct me) the resolved: DNS client stub resolver was only
> > introduced post v216, and the issue maybe even later (post v219). But
> > would be greatly appreciated if you can confirm that.
> 
> I've marked it as found in v217-1, as this was the first version after
> v216 uploaded to the archive. It doesn't matter to much if it's v217 or
> v219 I think. Those uploads all landed in experimental at that time.

Ack thanks.

> As for the bug itself: We don't enable resolved by default in Debian: Do
> you think this bug is important enough that we should get this into 9.0?
> I'd have to ask for an unlock request then.
> 
> Otherwise I'd just queue this fix in the stretch branch and try to get
> this into 9.1.

*If* you have other fixes which should go in stretch, then it might be
good to include it. Otherwise I agree, can be fixed in buster and then
in stretch via a point release!

> For now, I'll apply this fix to v233 which is currently in experimental.

Ok!

Regards,
Salvatore

Message #20 received at 863277@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 863277@bugs.debian.org

Subject: Re: Bug#863277: systemd: CVE-2017-9217: systemd-resolved crashed with SIGSEGV in dns_packet_is_reply_for()

Date: Mon, 29 May 2017 14:17:52 +0200

[Message part 1 (text/plain, inline)]

Am 29.05.2017 um 14:10 schrieb Salvatore Bonaccorso:
> On Mon, May 29, 2017 at 02:04:17PM +0200, Michael Biebl wrote:

>> As for the bug itself: We don't enable resolved by default in Debian: Do
>> you think this bug is important enough that we should get this into 9.0?
>> I'd have to ask for an unlock request then.
>>
>> Otherwise I'd just queue this fix in the stretch branch and try to get
>> this into 9.1.
> 
> *If* you have other fixes which should go in stretch, then it might be
> good to include it. Otherwise I agree, can be fixed in buster and then
> in stretch via a point release!

There are a few fixes in the stretch branch which aren't uploaded yet.
They are not terribly urgent. That said, I'll just ask the release / d-i
team if they are ok with the upload, I guess.
If they have concerns, I'm happy to defer this to 9.1

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Message #27 received at 863277-close@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: 863277-close@bugs.debian.org

Subject: Bug#863277: fixed in systemd 233-8

Date: Mon, 29 May 2017 13:19:08 +0000

Source: systemd
Source-Version: 233-8

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863277@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 29 May 2017 14:12:08 +0200
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump systemd-tests libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 233-8
Distribution: experimental
Urgency: medium
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
 libnss-myhostname - nss module providing fallback resolution for the current hostname
 libnss-mymachines - nss module to resolve hostnames for local container instances
 libnss-resolve - nss module to resolve names via systemd-resolved
 libnss-systemd - nss module providing dynamic user and group name resolution
 libpam-systemd - system and service manager - PAM module
 libsystemd-dev - systemd utility library - development files
 libsystemd0 - systemd utility library
 libudev-dev - libudev development files
 libudev1   - libudev shared library
 libudev1-udeb - libudev shared library (udeb)
 systemd    - system and service manager
 systemd-container - systemd container/nspawn tools
 systemd-coredump - tools for storing and retrieving coredumps
 systemd-journal-remote - tools for sending and receiving remote journal logs
 systemd-sysv - system and service manager - SysV links
 systemd-tests - tests for systemd
 udev       - /dev/ and hotplug management daemon
 udev-udeb  - /dev/ and hotplug management daemon (udeb)
Closes: 861769 863277
Changes:
 systemd (233-8) experimental; urgency=medium
 .
   * Bump debhelper compatibility level to 10
   * Drop versioned Build-Depends on dpkg-dev.
     It's no longer necessary as even Jessie ships a new enough version.
   * timesyncd: don't use compiled-in list if FallbackNTP has been configured
     explicitly (Closes: #861769)
   * resolved: fix null pointer p->question dereferencing.
     This fixes a bug which allowed a remote DoS (daemon crash) via a crafted
     DNS response with an empty question section.
     Fixes: CVE-2017-9217 (Closes: #863277)
Checksums-Sha1:
 ebf12c8f5ca0eb96d511d89b15a2e8edd8871b72 4833 systemd_233-8.dsc
 41b4dbdd6f8415a417493d3057d33dc55cb0ad5f 142576 systemd_233-8.debian.tar.xz
 799b9e47b482a4310b0ff590c243e7ae3289f675 10026 systemd_233-8_source.buildinfo
Checksums-Sha256:
 d5512586472d21601e4ce164a4a3cd27de4ee099773f1e705287a73b5d325958 4833 systemd_233-8.dsc
 6316a7e78613bcd4cc816d70c01cb82604c83034a09a378422294fd3fdd42580 142576 systemd_233-8.debian.tar.xz
 0982820894677aca6515b27eb390c56be605dd0a306444ab0793eb26ce0d94e7 10026 systemd_233-8_source.buildinfo
Files:
 a39c51f94ec5f6eb951c60098dd60e24 4833 admin optional systemd_233-8.dsc
 652310a2cf055166b9b0bc8775040def 142576 admin optional systemd_233-8.debian.tar.xz
 2a55827aa628365f5503b1a10036a499 10026 admin optional systemd_233-8_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAlksGw0ACgkQauHfDWCP
Ity8YQ//VL3M2dCz4FK3gG5WtsgctkUM53tftMCdE5sBB2KkWvoteqLEc0N8F9i+
N9ifobEU8d9mKwTxmsF0j9ZI8YObokL7k0M93AHt8t3eg08yh7Cw5PlIt7JM+p0a
6mEfc2xtDR8vo9CG6123EmxtHixSJ87vAlu4yVt1UVinJkJyMhORap32kVDIK3QI
DnH8uD/+t4Av06T/V76f1+tXRUTQ1WtE9Msjpdp0CP8dYpmeLXTGdgL4DtM/IM/8
I7+++IWPbY9A9/HNePoEDDoyvUiUBc8WJSJw2SSzfRO9o0khGTEiBeEU2BcBTA3o
L2PgLQeOQrQag6JI2Y70KWZtZ4mZqZSiBnBqPZRfDDQSFdSNCn8stz97ftbs0wQH
W4vssUJIwekRzXnMwWGlUxtYVPVi4Y7nFo722ix9C3MqyG+GUANOIGvqKmOK45xS
07gnQ8XLxpRZQneW3gFIfm24L2zHUVyFAXFG7FR6hv46fMy1t0H6qtwZ8ww5Dh48
RSyIdsoX5JOkx/Y+q7XXxxHP+t3+l9S00gZjbJiYqZ3zWgXXfU0xatAw+4BKFpvl
atzdSjraaoGUtcdVsYZcYe21MBmuOw0Lr/FrGmReblUPthvtUevq2lOSyOo82hDX
jE6CpySAW8K9Go1clUQ3GS3p4nZaYZNLitEeayCSft3JGho0fEc=
=RsXR
-----END PGP SIGNATURE-----

Message #32 received at 863277-close@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: 863277-close@bugs.debian.org

Subject: Bug#863277: fixed in systemd 232-24

Date: Mon, 29 May 2017 22:18:52 +0000

Source: systemd
Source-Version: 232-24

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863277@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 29 May 2017 16:25:43 +0200
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 232-24
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
 libnss-myhostname - nss module providing fallback resolution for the current hostname
 libnss-mymachines - nss module to resolve hostnames for local container instances
 libnss-resolve - nss module to resolve names via systemd-resolved
 libnss-systemd - nss module providing dynamic user and group name resolution
 libpam-systemd - system and service manager - PAM module
 libsystemd-dev - systemd utility library - development files
 libsystemd0 - systemd utility library
 libudev-dev - libudev development files
 libudev1   - libudev shared library
 libudev1-udeb - libudev shared library (udeb)
 systemd    - system and service manager
 systemd-container - systemd container/nspawn tools
 systemd-coredump - tools for storing and retrieving coredumps
 systemd-journal-remote - tools for sending and receiving remote journal logs
 systemd-sysv - system and service manager - SysV links
 udev       - /dev/ and hotplug management daemon
 udev-udeb  - /dev/ and hotplug management daemon (udeb)
Closes: 862292 863277
Changes:
 systemd (232-24) unstable; urgency=medium
 .
   [ Felipe Sateler ]
   * Specify nobody user and group.
     Otherwise nss-systemd will translate to group 'nobody', which doesn't
     exist on debian systems.
 .
   [ Michael Biebl ]
   * Add Depends: procps to systemd.
     It's required by /usr/lib/systemd/user/systemd-exit.service which calls
     /bin/kill to stop the systemd --user instance. (Closes: #862292)
   * resolved: fix null pointer p->question dereferencing.
     This fixes a bug which allowed a remote DoS (daemon crash) via a crafted
     DNS response with an empty question section.
     Fixes: CVE-2017-9217 (Closes: #863277)
Checksums-Sha1:
 75d94a757951e500c2aeb90e85430e366d43a1f1 4769 systemd_232-24.dsc
 39d75ae7fa58b95d84207ad5bcf4c59abf0f2052 200176 systemd_232-24.debian.tar.xz
 1c0aa4ac81f23e5a05bde7984365aa142614e486 9707 systemd_232-24_source.buildinfo
Checksums-Sha256:
 575c4c682fe7c405a78a0a6c6f10a55e1e88f2b62c956548779f20eaf2e3fb52 4769 systemd_232-24.dsc
 4d65e7a038e9d1132f0a3088ba2658d08358c2d090bee1989dba5f10a1dd0d55 200176 systemd_232-24.debian.tar.xz
 f078f443f7634f5e48bc06bb2e668b03c1ad6156d4450cc76364df91a412111f 9707 systemd_232-24_source.buildinfo
Files:
 1e1bb4455c3689a01b8d302245f5c4db 4769 admin optional systemd_232-24.dsc
 471a22a30f780b16b48e9d443ec92245 200176 admin optional systemd_232-24.debian.tar.xz
 de0f3ba9a9bf6d8258a1c4db6444a096 9707 admin optional systemd_232-24_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAlksnBcACgkQauHfDWCP
ItyIUBAAlPLmU+tx3Ntx/PVpOb192fYbIhtwv/kYKNHHqO8ELBFvxxuZsktPtMeb
Zap6wZLIHw715h0uDqvjA47QB5erI4V/HWfCpR0h5ORokHkzEW/JfaL2QngptWt2
5ZeQZpGhsZAAfrlG+iNQKPdwHH8yWZNeHIjcfTWWtddCDrx38ufZ8lyFNTdqA68Q
0bMgV1d2RlTtB6jNRCkiemRWxQu2wov0lUZ0hM97Rm7cpcQ/vNuEhuem6S9E2AFe
VGVonOduD8X0bJ0T0UgJMliTylPHBtr1wsb+SWp2/Qg1ZwVPDngMDr9vz82OO9zt
+K26f5WlUoSds30eHSX5xE1ohx6vguHMoV+UCgCaVApsG/lRoufexD5I8etFqKuC
b7/YeZnajZyvN4x/hHfzBcSfxr0lPCr6JrrN59KsVyu49AiuEjvQQr4iw+DwYim1
7JYukxfssNTycZLCnYIlnb/zc2M6TKUU6W2fzNmwNcLXgk0pwO46FMVr9ppPNADJ
busd2gIWsBa2bfQ6AJuWYrqyfyfBSBbijisZJObDn2rNliwiShp2hWCj8SH7GjSC
sROrsW2fgQHxGXWwKHYjfi8dz5vTT4iVH7pMkLxYxEvVRS/hX6l9yBSLChx2aeSr
cXAk9cOG6addlq3v4Yh5sqqi7IzUSgO0Grt4QAigPtacXCZDrFM=
=LUvL
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.