systemd: CVE-2022-4415: systemd-coredump not respecting fs.suid_dumpable kernel setting

Related Vulnerabilities: CVE-2022-4415  

Debian Bug report logs - #1026831

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 21 Dec 2022 20:39:02 UTC

Severity: important

Tags: security, upstream

Found in versions systemd/247.3-7+deb11u1, systemd/247.3-7, systemd/252.3-2

Fixed in version systemd/252.4-1

Done: Luca Boccassi <bluca@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#1026831; Package src:systemd. (Wed, 21 Dec 2022 20:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>. (Wed, 21 Dec 2022 20:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: systemd: CVE-2022-4415: systemd-coredump not respecting fs.suid_dumpable kernel setting
Date: Wed, 21 Dec 2022 21:36:23 +0100
Source: systemd
Version: 252.3-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 247.3-7+deb11u1
Control: found -1 247.3-7

Hi,

The following vulnerability was published for systemd.

CVE-2022-4415[0]:
| systemd-coredump not respecting fs.suid_dumpable kernel setting

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-4415
    https://www.cve.org/CVERecord?id=CVE-2022-4415
[1] https://www.openwall.com/lists/oss-security/2022/12/21/3
[2] https://github.com/systemd/systemd-stable/commit/bb47600aeb38c68c857fbf0ee5f66c3144dd81ce

Regards,
Salvatore
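
The report above names the problem (a pipe core handler that ignores the kernel's suid-dumpable setting) without spelling out what the handler is expected to do. The following is an added example, not part of this bug report and not systemd-coredump's code: it implements the contract that core(5) and the kernel's sysctl documentation define for a pipe handler. The kernel passes the crashed process's dump mode as the `%d` specifier (the value `prctl(PR_GET_DUMPABLE)` would return): 1 for an ordinary process, 2 for a process that changed credentials (setuid and the like) and was dumped only because `fs.suid_dumpable=2`, in which case the dump must not become readable by the crashing user. The two `core_pattern` strings, the sample argv, the file modes and the fail-closed choice when `%d` is absent are this example's own assumptions, not systemd's.

```python
"""Added example for CVE-2022-4415: what a pipe core handler must do with the
kernel's dump-mode (%d) value. Illustration only; not systemd-coredump's code."""
from dataclasses import dataclass
from typing import Optional

# fs.suid_dumpable values, as documented in the kernel's sysctl documentation.
SUID_DUMPABLE_DISABLED = 0  # processes that changed credentials are not dumped
SUID_DUMPABLE_DEBUG = 1     # everything is dumped, owned by the crashing user
SUID_DUMPABLE_SUIDSAFE = 2  # dumped only via a pipe handler or absolute path,
                            # and must end up readable by root only

# core_pattern shapes used as sample input (constructed for this example; the
# specifier list is an assumption, compare your own /proc/sys/kernel/core_pattern).
PATTERN_WITHOUT_DUMPABLE = "|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h"
PATTERN_WITH_DUMPABLE = PATTERN_WITHOUT_DUMPABLE + " %d"


@dataclass(frozen=True)
class DumpPolicy:
    store: bool      # whether to keep the dump at all
    owner_uid: int   # uid that owns the stored file
    mode: int        # permission bits of the stored file


def policy_for(dumpable: int, crashing_uid: int) -> DumpPolicy:
    """Decide storage from %d (the prctl PR_GET_DUMPABLE value, see core(5)).

    1 is a normal dumpable process; 2 means the process was setuid or had
    otherwise changed credentials and was dumped only because
    fs.suid_dumpable=2. Handing such a dump to crashing_uid exposes privileged
    memory, which is the class of bug behind CVE-2022-4415. The modes below
    are this example's choices.
    """
    if dumpable == 1:
        return DumpPolicy(store=True, owner_uid=crashing_uid, mode=0o640)
    if dumpable == 2:
        return DumpPolicy(store=True, owner_uid=0, mode=0o600)
    return DumpPolicy(store=False, owner_uid=0, mode=0)


def parse_handler_args(core_pattern: str, argv: list[str]) -> dict[str, str]:
    """Map each %X specifier of a pipe core_pattern to the argv it produced.

    The kernel runs the program named after '|' and substitutes the specifiers
    positionally, so argv[1:] lines up with the specifier list.
    """
    if not core_pattern.startswith("|"):
        raise ValueError("not a pipe core_pattern")
    _handler, *specs = core_pattern[1:].split()
    if len(argv) - 1 != len(specs):
        raise ValueError(f"expected {len(specs)} arguments, got {len(argv) - 1}")
    return {spec[1:]: value for spec, value in zip(specs, argv[1:])}


def decide(core_pattern: str, argv: list[str]) -> DumpPolicy:
    """Full decision; fails closed (root-only) when the handler was not given %d."""
    args = parse_handler_args(core_pattern, argv)
    if "d" not in args:
        return DumpPolicy(store=True, owner_uid=0, mode=0o600)
    return policy_for(int(args["d"]), int(args["u"]))


def core_pattern_passes_dumpable(core_pattern: str) -> bool:
    """Check a kernel.core_pattern value: pipe handler with %d among its arguments."""
    return core_pattern.startswith("|") and "%d" in core_pattern


def read_sysctl(name: str) -> Optional[str]:
    """Read /proc/sys/<name>; None when not on Linux or not readable."""
    path = "/proc/sys/" + name.replace(".", "/")
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed argv as the kernel would pass it for a crashed setuid process
    # (pid 4242 run by uid 1000, SIGSEGV, %d == 2).
    suid_crash = ["/usr/lib/systemd/systemd-coredump",
                  "4242", "1000", "1000", "11", "1671654000",
                  "18446744073709551615", "host", "2"]
    print(decide(PATTERN_WITH_DUMPABLE, suid_crash))
    # Same crash delivered through a pattern without %d: must fail closed.
    print(decide(PATTERN_WITHOUT_DUMPABLE, suid_crash[:-1]))
    pattern = read_sysctl("kernel.core_pattern")
    if pattern is not None:
        print("fs.suid_dumpable =", read_sysctl("fs.suid_dumpable"))
        print("handler receives %d:", core_pattern_passes_dumpable(pattern))
```

Run on a Linux host, the last lines print the live `fs.suid_dumpable` value and whether the configured `core_pattern` passes `%d` to its handler; a handler that never receives `%d` cannot distinguish a setuid crash from an ordinary one and has to treat every dump as root-only, or it ends up with the bug this report describes.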



Marked as found in versions systemd/247.3-7+deb11u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 21 Dec 2022 20:39:04 GMT)


Marked as found in versions systemd/247.3-7. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 21 Dec 2022 20:39:05 GMT)


Reply sent to Luca Boccassi <bluca@debian.org>:
You have taken responsibility. (Thu, 22 Dec 2022 12:39:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 22 Dec 2022 12:39:06 GMT)


Message #14 received at 1026831-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1026831-close@bugs.debian.org
Subject: Bug#1026831: fixed in systemd 252.4-1
Date: Thu, 22 Dec 2022 12:35:45 +0000
Source: systemd
Source-Version: 252.4-1
Done: Luca Boccassi <bluca@debian.org>

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1026831@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luca Boccassi <bluca@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 22 Dec 2022 12:26:41 +0100
Source: systemd
Architecture: source
Version: 252.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Luca Boccassi <bluca@debian.org>
Closes: 1023635 1026831
Changes:
 systemd (252.4-1) unstable; urgency=medium
 .
   * Enable p11kit. Backport patch to dlopen-ify p11kit support and enable
     it. (Closes: #1023635)
   * New upstream version 252.4. (Closes: #1026831 and fixes CVE-2022-4415)
   * Refresh patches
   * Bump Standards-Version to 4.6.2, no changes
Checksums-Sha1:
 6c86010973ddc1018d8f0efaf10b9d05154a9eec 6422 systemd_252.4-1.dsc
 c7845271caa24044a0a1397bc6b9cc6e6b0b9488 11753300 systemd_252.4.orig.tar.gz
 4b5f39552a91382e23bfbc6299c98385da3fa903 172708 systemd_252.4-1.debian.tar.xz
 3bdb61a90cfdc8fb402cca2d71cf93a54e8012c9 11377 systemd_252.4-1_source.buildinfo
Checksums-Sha256:
 c8fa461ee9df69a54eb0d5748ce98315842336e825a36ee6edf522085f53ac92 6422 systemd_252.4-1.dsc
 cf2d27e67663d599a045101c7178cf0ec63d9df2962a54adf7de0d0357724f00 11753300 systemd_252.4.orig.tar.gz
 867a347f5df22a6a7546ec6bb7b470e6986e4997d6e0e74a7f3f760d8936be65 172708 systemd_252.4-1.debian.tar.xz
 0d6a49ff7731ef9ed88d222dd311ff1892d10594503aea53ff176bc8afcef286 11377 systemd_252.4-1_source.buildinfo
Files:
 199015d47a8eb7884126eff2e9237a58 6422 admin optional systemd_252.4-1.dsc
 be1709332649a39c7a143d99a3b1043a 11753300 admin optional systemd_252.4.orig.tar.gz
 06836a6539b95a09dbd86f6d3b85ad77 172708 admin optional systemd_252.4-1.debian.tar.xz
 7ce157e808c601d3a834b88c33920aa5 11377 admin optional systemd_252.4-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEErCSqx93EIPGOymuRKGv37813JB4FAmOkS0kRHGJsdWNhQGRl
Ymlhbi5vcmcACgkQKGv37813JB4M8BAAoV75DQL4VC1sXWyPPs0iKt7K9OqHRppI
tGKC7mCxehBAPnFfk/9m2kiO7di02Cx2xlPnO0pDZ91K53HYIkWetVuEq83Abe4i
TRTPLagfqs/Qv3+d371MnICeqn1kvqwCjxeJauKsxoSbDvzAPLobGHnc9D31GLPy
iO22COz/z+c74zA27X+qtE6VJjEXHqwVfgYwyyx7ds6NqaSMZRz3gjz5xQ3IdELw
SZKJ/s1oeTQ2tDdplBY2EbwlWtrCLNIU1LXDBYWif3yE3EubcKbGynaxeQbKbaVJ
rJadNho+oYrxFnA1/Hxil3VcZs5byJd3ciQvabG3KEqI09bHqpbqdalIWbAMTmPQ
i2hzajulT1Gzzx/3qVFVfTwOuYWeHe8t/zIFcoB0TsGVDTn2HcJsHz8zSolzcziW
d1YMFdjJ0mCcgLssxvlNGDdGKMcldPo0tsv3DYw/sZqRcoIHbmjPvocNlH6RlneG
//ANx4WCZ1DdJ+t2OfHLtsjIYZP6gVBz7acjKDIlU0H4VS1X0wK5Ku3CuLqur8cJ
iYXhwSy563Z7lJ9GL7wVcOxQBCzj6qCXoXj1uYXJoauxaVeH+0z5bH/NQb2QPi4J
QCGIWI/QC5BMyM93Nbh4s4QPT6Iz0aGhkDX0eBXwLU+PeUaxkrvK03FukEWTjo96
DhvMn8FKmxU=
=inZW
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Dec 22 16:36:24 2022; Machine Name: bembo
