Opened 6 years ago
Closed 6 years ago
#4377 closed task (fixed)
Generate systemd-239 Backported Stable Snapshot
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 8.4 |
| Component: | Book | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
DJ and I have discussed creating a systemd-snapshot containing backported fixes for security vulnerabilities. This would replace the patch that DJ crafted, and would save a lot of headache when upgrading to 240 when it comes out.
One of these vulnerabilities has to do with a RCE and PrivEsc over DHCPv6, and this MAY affect other DHCP clients as well (I do have a PoC, but haven't tried it against anything as I've been too busy trying to get updates completed to commit).
Change History (5)
comment:1 by , 6 years ago
| Priority: | normal → high |
|---|
comment:2 by , 6 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 6 years ago
http://anduin.linuxfromscratch.org/LFS/systemd-239-25d1ba1.tar.xz http://anduin.linuxfromscratch.org/LFS/systemd-man-pages-239-25d1ba1.tar.xz
New version will be 239-25d1ba1
Current plan is to commit this to LFS and BLFS simultaneously. This also counts for TCL and OpenSSL. I'd like to avoid version inconsistencies right now if I can.
comment:4 by , 6 years ago
Workaround ========== - CVE-2018-15688 Disable IPv6 by setting either LinkLocalAddressing=ipv4 or LinkLocalAddressing=no in the corresponding network configuration file. Description =========== - CVE-2018-15686 (privilege escalation) A security issue has been found in systemd up to and including 239, where the use of fgets() allows an attacker to escalate privilege via a crafted service with NotifyAccess. - CVE-2018-15687 (privilege escalation) A security issue has been found in systemd up to and including 239, where a race condition in the chown_one() function can be used to escalate privileges via a crafted symlink. - CVE-2018-15688 (arbitrary code execution) An out-of-bounds write has been found in the dhcpv6 option handing code of systemd-networkd up to and including v239. It was discovered that systemd-network does not correctly keep track of a buffer size in the dhcp6_option_append_ia() function, when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim's one may advertise itself as a DHCPv6 server and exploit this flaw to cause a Denial of Service or potentially gain code execution on the victim's machine. The overflow can be triggered relatively easy by advertising a DHCPv6 server with a server-id >= 493 characters long. Impact ====== A remote attacker is able to cause arbitrary code execution by advertising itself as a DHCPv6 server with a specially crafted server- id. A local attacker can escalate privileges with a specially crafted service or a crafted symlink.
DJ crafted a tarball and placed it on Anduin. I'm going to proceed with this and other package updates.