systemd: CVE-2018-15686: reexec state injection: fgets() on overlong lines leads to line splitting

Related Vulnerabilities: CVE-2018-15686, CVE-2018-1049

Debian Bug report logs - #912005

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 27 Oct 2018 07:42:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Merged with 923389

Found in versions systemd/232-25+deb9u8, systemd/215-17+deb8u7, systemd/239-10

Fixed in versions systemd/239-12, systemd/215-17+deb8u10, systemd/232-25+deb9u10

Done: Michael Biebl <biebl@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/systemd/systemd/pull/10519



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#912005; Package src:systemd. (Sat, 27 Oct 2018 07:42:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>. (Sat, 27 Oct 2018 07:42:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: systemd: CVE-2018-15686: reexec state injection: fgets() on overlong lines leads to line splitting
Date: Sat, 27 Oct 2018 09:37:58 +0200
Source: systemd
Version: 239-10
Severity: important
Tags: security upstream
Forwarded: https://github.com/systemd/systemd/pull/10519

Hi,

The following vulnerability was published for systemd.

CVE-2018-15686[0]:
| A vulnerability in unit_deserialize of systemd allows an attacker to
| supply arbitrary state across systemd re-execution via NotifyAccess.
| This can be used to improperly influence systemd execution and
| possibly lead to root privilege escalation. Affected releases are
| systemd versions up to and including 239.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-15686
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15686
[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1687
[2] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796402
[3] https://github.com/systemd/systemd/pull/10519

Please adjust the affected versions in the BTS as needed, the version
in stretch might as well be affected.

Regards,
Salvatore
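
The line-splitting failure named in the subject, shown on a toy key=value state file as an added example (not systemd's code and not part of this report): a reader that treats every fgets() return as a full line sees the tail of an overlong line as a separate record, while a bounded whole-line reader rejects the line instead. The file format, CHUNK, LINE_LIMIT and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define CHUNK 16       /* deliberately small fgets() buffer (constructed) */
#define LINE_LIMIT 64  /* hypothetical hard cap on one serialized line */

/* Constructed state: the "note" line is longer than CHUNK-1 bytes. */
static FILE *sample_state(void) {
    FILE *f = tmpfile();
    if (f) { fputs("id=a\nnote=AAAAAAAAAAstate=ZZZ\n", f); rewind(f); }
    return f;
}

static int has_key(const char *line, const char *key) {
    return strncmp(line, key, strlen(key)) == 0 && line[strlen(key)] == '=';
}

/* 1 = complete line, 0 = EOF, -1 = line longer than cap-1 bytes. */
static int read_line_bounded(FILE *f, char *out, size_t cap) {
    size_t n = 0; int c;
    while ((c = fgetc(f)) != EOF && c != '\n') {
        if (n + 1 >= cap) return -1;  /* fail closed instead of splitting */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (c == EOF && n == 0) ? 0 : 1;
}

/* Before: each fgets() return is treated as one line; counts "key=" lines. */
int count_key_fgets(const char *key) {
    char buf[CHUNK];
    int hits = 0;
    FILE *f = sample_state();
    if (!f) return -1;
    while (fgets(buf, sizeof buf, f)) hits += has_key(buf, key);
    fclose(f);
    return hits;
}

/* After: whole lines only; -2 means an overlong line aborted the parse. */
int count_key_bounded(const char *key, size_t cap) {
    char buf[LINE_LIMIT];
    int hits = 0, r;
    FILE *f = cap <= sizeof buf ? sample_state() : NULL;
    if (!f) return -1;
    while ((r = read_line_bounded(f, buf, cap)) == 1) hits += has_key(buf, key);
    fclose(f);
    return r < 0 ? -2 : hits;
}
int main(void) { printf("%d %d\n", count_key_fgets("state"), count_key_bounded("state", LINE_LIMIT)); return 0; }
```

On the constructed input the fgets() reader counts one `state=` record although no line of the file starts with that key; the bounded reader counts none, and returns -2 when the cap is smaller than the longest line.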



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 01 Nov 2018 20:30:17 GMT).


Added tag(s) pending. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Sat, 17 Nov 2018 00:27:03 GMT).


Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Sat, 17 Nov 2018 21:03:31 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 17 Nov 2018 21:03:31 GMT).


Message #14 received at 912005-close@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 912005-close@bugs.debian.org
Subject: Bug#912005: fixed in systemd 239-12
Date: Sat, 17 Nov 2018 21:02:15 +0000
Source: systemd
Source-Version: 239-12

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 912005@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 17 Nov 2018 18:39:21 +0100
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump systemd-tests libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 239-12
Distribution: unstable
Urgency: high
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
 libnss-myhostname - nss module providing fallback resolution for the current hostname
 libnss-mymachines - nss module to resolve hostnames for local container instances
 libnss-resolve - nss module to resolve names via systemd-resolved
 libnss-systemd - nss module providing dynamic user and group name resolution
 libpam-systemd - system and service manager - PAM module
 libsystemd-dev - systemd utility library - development files
 libsystemd0 - systemd utility library
 libudev-dev - libudev development files
 libudev1   - libudev shared library
 libudev1-udeb - libudev shared library (udeb)
 systemd    - system and service manager
 systemd-container - systemd container/nspawn tools
 systemd-coredump - tools for storing and retrieving coredumps
 systemd-journal-remote - tools for sending and receiving remote journal logs
 systemd-sysv - system and service manager - SysV links
 systemd-tests - tests for systemd
 udev       - /dev/ and hotplug management daemon
 udev-udeb  - /dev/ and hotplug management daemon (udeb)
Closes: 905381 907054 911231 912005 912525
Changes:
 systemd (239-12) unstable; urgency=high
 .
   [ Martin Pitt ]
   * Enable QEMU on more architectures in "upstream" autopkgtest.
     Taken from the Ubuntu package, so apparently QEMU works well enough on
     these architectures now.
   * autopkgtest: Avoid test bed reset for boot-smoke.
     Make "boot-smoke"'s dependencies a strict superset of "upstream"'s, so
     that autopkgtest doesn't have to provide a new testbed.
   * Fix wrong "nobody" group from sysusers.d.
     Fix our make-sysusers-basic sysusers.d generator to special-case the
     nobody group. "nobody" user and "nogroup" group both have the same ID
     65534, which is the only special case for Debian's static users/groups.
     So specify the gid explicitly, to avoid systemd-sysusers creating a
     dynamic system group for "nobody".
     Also clean up the group on upgrades.
     Thanks to Keh-Ming Luoh for the original patch! (Closes: #912525)
 .
   [ Michael Biebl ]
   * autopkgtest: Use shutil.which() which is provided by Python 3
   * Drop non-existing gnuefi=false build option.
     This was mistakenly added when converting from autotools to meson.
   * core: When deserializing state always use read_line(…, LONG_LINE_MAX, …)
     Fixes a vulnerability in unit_deserialize which allows an attacker to
     supply arbitrary state across systemd re-execution via NotifyAccess.
     (CVE-2018-15686, Closes: #912005)
   * meson: Use the host architecture compiler/linker for src/boot/efi.
     Fixes cross build failure for arm64. (Closes: #905381)
   * systemd: Do not pass .wants fragment path to manager_load_unit.
     Fixes an issue with overridden units in /etc not being used due to a
     .wants/ symlink pointing to /lib. (Closes: #907054)
   * machined: When reading os-release file, join PID namespace too.
     This ensures that we properly acquire the os-release file from containers.
     (Closes: #911231)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Dec 2018 07:25:07 GMT).


Bug unarchived. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Wed, 27 Feb 2019 13:09:05 GMT).


Marked as found in versions systemd/232-25+deb9u8. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Wed, 27 Feb 2019 13:09:05 GMT).


Marked as found in versions systemd/215-17+deb8u7. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Wed, 27 Feb 2019 13:09:06 GMT).


Marked as fixed in versions systemd/215-17+deb8u10. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Wed, 27 Feb 2019 13:09:07 GMT).


Merged 912005 923389. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Wed, 27 Feb 2019 15:48:09 GMT).


Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Thu, 04 Apr 2019 21:51:03 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 04 Apr 2019 21:51:04 GMT).


Message #31 received at 912005-close@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 912005-close@bugs.debian.org
Subject: Bug#912005: fixed in systemd 232-25+deb9u10
Date: Thu, 04 Apr 2019 21:47:16 +0000
Source: systemd
Source-Version: 232-25+deb9u10

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 912005@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 10 Mar 2019 15:52:46 +0100
Source: systemd
Architecture: source
Version: 232-25+deb9u10
Distribution: stretch
Urgency: medium
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Closes: 912005 916880 917122 918400
Changes:
 systemd (232-25+deb9u10) stretch; urgency=medium
 .
   * journald: fix assertion failure on journal_file_link_data (Closes: #916880)
   * tmpfiles: fix "e" to support shell style globs (Closes: #918400)
   * mount-util: accept that name_to_handle_at() might fail with EPERM.
     Container managers frequently block name_to_handle_at(), returning
     EACCES or EPERM when this is issued. Accept that, and simply fall back
     to fdinfo-based checks. (Closes: #917122)
   * automount: ack automount requests even when already mounted.
     Fixes a race condition in systemd which could result in automount requests
     not being serviced and processes using them to hang, causing denial of
     service. (CVE-2018-1049)
   * core: when deserializing state always use read_line(…, LONG_LINE_MAX, …)
     Fixes improper serialization on upgrade which can influence systemd
     execution environment and lead to root privilege escalation.
     (CVE-2018-15686, Closes: #912005)




Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Thu, 04 Apr 2019 21:51:04 GMT).


Notification sent to Jean-Pierre Stierlin <jps@exalinks.com>:
Bug acknowledged by developer. (Thu, 04 Apr 2019 21:51:04 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 03 May 2019 07:25:10 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:27:05 2019; Machine Name: beach
