Debian Bug report logs -
#912007
systemd: CVE-2018-15687: chown_one() can dereference symlinks
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#912007; Package src:systemd.
(Sat, 27 Oct 2018 07:57:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>.
(Sat, 27 Oct 2018 07:57:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: systemd
Version: 239-10
Severity: important
Tags: security upstream
Forwarded: https://github.com/systemd/systemd/pull/10517
Hi,
The following vulnerability was published for systemd.
CVE-2018-15687[0]:
| A race condition in chown_one() of systemd allows an attacker to cause
| systemd to set arbitrary permissions on arbitrary files. Affected
| releases are systemd versions up to and including 239.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-15687
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15687
[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1689
[2] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796692
[3] https://github.com/systemd/systemd/pull/10517
Please adjust the affected versions in the BTS as needed, stretch
should be unaffected as the vulnerable feature/code was introduced
later, but plese confirm if possible.
Regards,
Salvatore
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#912007.
(Sun, 28 Oct 2018 12:06:07 GMT) (full text, mbox, link).
Message #8 received at 912007-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #912007 in systemd reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:
https://salsa.debian.org/systemd-team/systemd/commit/e3696255cf57ec98177b3144f6a3a0b4a8aac0a0
------------------------------------------------------------------------
chown-recursive: Rework the recursive logic to use O_PATH
Fixes a race condition in chown_one() which allows an attacker to cause
systemd to set arbitrary permissions on arbitrary files.
CVE-2018-15687
LP: #1796692
Closes: #912007
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/912007
Added tag(s) pending.
Request was from Michael Biebl <biebl@debian.org>
to 912007-submitter@bugs.debian.org.
(Sun, 28 Oct 2018 12:06:07 GMT) (full text, mbox, link).
Reply sent
to Michael Biebl <biebl@debian.org>:
You have taken responsibility.
(Sun, 28 Oct 2018 14:51:18 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 28 Oct 2018 14:51:18 GMT) (full text, mbox, link).
Message #15 received at 912007-close@bugs.debian.org (full text, mbox, reply):
Source: systemd
Source-Version: 239-11
We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 912007@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated systemd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 28 Oct 2018 13:02:18 +0100
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump systemd-tests libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 239-11
Distribution: unstable
Urgency: high
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
libnss-myhostname - nss module providing fallback resolution for the current hostname
libnss-mymachines - nss module to resolve hostnames for local container instances
libnss-resolve - nss module to resolve names via systemd-resolved
libnss-systemd - nss module providing dynamic user and group name resolution
libpam-systemd - system and service manager - PAM module
libsystemd-dev - systemd utility library - development files
libsystemd0 - systemd utility library
libudev-dev - libudev development files
libudev1 - libudev shared library
libudev1-udeb - libudev shared library (udeb)
systemd - system and service manager
systemd-container - systemd container/nspawn tools
systemd-coredump - tools for storing and retrieving coredumps
systemd-journal-remote - tools for sending and receiving remote journal logs
systemd-sysv - system and service manager - SysV links
systemd-tests - tests for systemd
udev - /dev/ and hotplug management daemon
udev-udeb - /dev/ and hotplug management daemon (udeb)
Closes: 906429 912007 912008
Changes:
systemd (239-11) unstable; urgency=high
.
[ Michael Biebl ]
* debian/tests/upstream: Clean up after each test run.
Otherwise the loopback images used by qemu are not properly released and
we might run out of disk space.
* dhcp6: Make sure we have enough space for the DHCP6 option header.
Fixes out-of-bounds heap write in systemd-networkd dhcpv6 option
handling.
(CVE-2018-15688, LP: #1795921, Closes: #912008)
* chown-recursive: Rework the recursive logic to use O_PATH.
Fixes a race condition in chown_one() which allows an attacker to cause
systemd to set arbitrary permissions on arbitrary files.
(CVE-2018-15687, LP: #1796692, Closes: #912007)
.
[ Martin Pitt ]
* debian/tests/boot-and-services: Use gdm instead of lightdm.
This seems to work more reliably, on Ubuntu CI's i386 instances lightdm
fails.
.
[ Manuel A. Fernandez Montecelo ]
* Run "meson test" instead of "ninja test"
Upstream developers of meson recommend to run it in this way, because
"ninja test" just calls "meson test", and by using meson directly and
using extra command line arguments it is possible to control aspects of
how the tests are run.
* Increase timeout for test in riscv64.
The buildds for the riscv64 arch used at the moment are slow, so increase
the timeouts for this arch by a factor of 10, for good measure.
(Closes: #906429)
Checksums-Sha1:
d78b830b51c7219c3a3c40258ab149a649cea688 4817 systemd_239-11.dsc
45f54957dd21e429e78e2d7b987a59a1d5aa3156 154748 systemd_239-11.debian.tar.xz
84bf5b119ebc4a2689e93f2f0b01a1767bc4b14d 9355 systemd_239-11_source.buildinfo
Checksums-Sha256:
833a319ba82a62d2ea8e2f53fa9ba5706f442192f9b4ac128e9847da21171d35 4817 systemd_239-11.dsc
2c99b4f5f200f4603b51f421910056bd7feba510ce0e19b386510b3f73a42e47 154748 systemd_239-11.debian.tar.xz
53b1fdef5fc6b52f03c0ec17576ca663bec655f3a13da2ffffc6f2156f0f93e4 9355 systemd_239-11_source.buildinfo
Files:
12288c30403e757d6e46adb5cca13411 4817 admin optional systemd_239-11.dsc
1a4b9cb7e6e9804f62f1b0dfa6abb1a5 154748 admin optional systemd_239-11.debian.tar.xz
b1b344e0cb1d00a9dc93ad65a7e6177e 9355 admin optional systemd_239-11_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAlvVv2gACgkQauHfDWCP
ItwFtA//bvEHtNufl4SLqLFe35BGY0a/FHJKQkxrAdbz5wP4W4G0vMdYNnlefggm
gnLhQXZhjK6oLQF45RR6lOyfTZlRToLVVWLRa3YBUETe1N+LeZLY138xDvGAnnsW
fJUwPgoWvvQ/n7dhTQ4G+6q85eKIGarJvZj9nHAj4+IKVzfq/iVIjLHbCocNbcbO
+ex5amRCGTTzBMXKgHHQfYDlly/x0/t6cbHRoqHS/9Zi2BUbqDgpG0Pa/KPg6uah
+l4uzjbKpQYsKJDh0iwF8fQ0MZAoglUj0s6aWQjxWH6KFO/UXdGNy9La2P4zAZ5M
SVq7V+Q3zFljvaD2DSPqLVS3B0LOv7aOps8+drQoB3AQGoeD0acLte+1mS22tA3R
yLkEdgVhFgdHJTRE7KRR7o5szYFrlDH6cJhQvSSG56bw4e8Q/8RHTzQTHGkyehH2
U67VRbAn8w4J+ZBhjK9Ogvekhm4w7UZKlYrfTAuFNG0Uosq3t7WmUfKm3+KwpLE/
rdeZmQ5pZUdDXQmxOJ0OmrXGYzlNc59tbQzembH+8PxdjunxHCiNi0szr63RM42Y
KmMnoIVu/IMm6UXYtkNexyPMbPBTIbZrZIZnj0GmKrrR2qKiiXzUL5S+L0YGVhAi
14rUQb2i6E90mJ/Frxo5vwYlLl68UsWxAIBe1CARNRX4VrJawu0=
=HvWg
-----END PGP SIGNATURE-----
Marked as found in versions systemd/239-7~bpo9+1.
Request was from intrigeri <intrigeri@debian.org>
to control@bugs.debian.org.
(Mon, 05 Nov 2018 14:15:06 GMT) (full text, mbox, link).
Marked as fixed in versions systemd/239-11~bpo9+1.
Request was from intrigeri <intrigeri@debian.org>
to control@bugs.debian.org.
(Mon, 05 Nov 2018 14:15:07 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 04 Dec 2018 07:26:45 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:16:45 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon