Summary: | sys-apps/systemd: privilege escalation through world writable suid files | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | ||
Severity: | normal | CC: | systemd |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2017/01/24/4 | ||
See Also: | https://bugzilla.suse.com/show_bug.cgi?id=1020601 | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Thomas Deutschmann (RETIRED)
2017-01-24 11:36:37 UTC
@ Maintainer(s): Can we stabilize =sys-apps/systemd-232 (due to bug 595476)? Or will you rev bump and backport the fix?

The affected code is present since https://github.com/systemd/systemd/commit/f4f15635ec05293ffcc83a5b39f624bbabbd8fd0 so our current stable version *could* be unaffected. But given that this was a large rewrite, this needs further investigation.

Our stable version should be affected, see https://github.com/systemd/systemd/commit/c38dfac9ed6c1c3beb3dd88ebf82a13d1e561ff8

No, systemd-231 and systemd-232 are both unsuitable for stabilization. There are already a few security bugs filed against systemd. I am waiting for upstream to cut a release that doesn't have major functional regressions.

From what I can tell, v226 never calls touch_file with MODE_INVALID. Instead, it uses 0 as a sentinel value, which results in files being created with mode 0644. In other words, our stable version is unaffected by this issue.

I agree,

> # grep -Fr 'touch_file' /tmp/sys-apps/systemd-226-r2/work
> tmp/sys-apps/systemd-226-r2/work/systemd-226/src/timesync/timesyncd.c: touch_file("/var/lib/systemd/clock", true, min, uid, gid, 0644);
> tmp/sys-apps/systemd-226-r2/work/systemd-226/src/basic/util.h:int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode);
> tmp/sys-apps/systemd-226-r2/work/systemd-226/src/basic/util.c:int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
> tmp/sys-apps/systemd-226-r2/work/systemd-226/src/basic/util.c: return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, 0);
> tmp/sys-apps/systemd-226-r2/work/systemd-226/src/libsystemd/sd-device/device-private.c: r = touch_file(path, true, USEC_INFINITY, UID_INVALID, GID_INVALID, 0444);
> tmp/sys-apps/systemd-226-r2/work/systemd-226/src/core/timer.c: touch_file(t->stamp_path, true, t->last_trigger.realtime, UID_INVALID, GID_INVALID, 0);
> tmp/sys-apps/systemd-226-r2/work/systemd-226/src/core/timer.c: touch_file(t->stamp_path, true, USEC_INFINITY, UID_INVALID, GID_INVALID, 0);
> tmp/sys-apps/systemd-226-r2/work/systemd-226/src/test/test-conf-files.c: assert_se(touch_file(path, true, USEC_INFINITY, UID_INVALID, GID_INVALID, 0) == 0);
>

OpenSUSE thinks this was introduced by https://github.com/systemd/systemd/commit/ee735086f8670be1591fa9593e80dd60163a7a2f

So Gentoo is not affected, no vulnerable version in repository. Closing as invalid.
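The sentinel difference discussed in this thread, as an added example that is not systemd's code and not part of the original comments: a helper that only treats 0 as "no mode given" is compared with one that also recognises MODE_INVALID. The function names, the scratch path under /tmp and the value of MODE_INVALID (all bits set) are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: the "no mode given" sentinel is all bits set. */
#define MODE_INVALID ((mode_t) -1)

/* Only 0 means "use the default"; MODE_INVALID is passed to open() unchanged. */
static mode_t pick_mode_zero_sentinel(mode_t mode) {
        return mode > 0 ? mode : 0644;
}

/* Both sentinels fall back to 0644 before the value reaches open(). */
static mode_t pick_mode_checked(mode_t mode) {
        return (mode == 0 || mode == MODE_INVALID) ? 0644 : mode;
}

/* Create a scratch file (inside a private 0700 directory) under umask 0 and
 * return the permission bits actually stored, or (mode_t) -1 on error. */
static mode_t created_mode(mode_t (*pick)(mode_t), mode_t requested) {
        char dir[] = "/tmp/touch-demo-XXXXXX";
        char path[64];
        struct stat st;
        mode_t result = (mode_t) -1, old;
        int fd;

        if (!mkdtemp(dir))
                return result;
        snprintf(path, sizeof(path), "%s/stamp", dir);
        old = umask(0);
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL, pick(requested));
        umask(old);
        if (fd >= 0) {
                if (fstat(fd, &st) == 0)
                        result = st.st_mode & 07777;
                close(fd);
                unlink(path);
        }
        rmdir(dir);
        return result;
}

int main(void) {
        printf("0 sentinel only, MODE_INVALID: %04o\n", (unsigned) created_mode(pick_mode_zero_sentinel, MODE_INVALID));
        printf("0 sentinel only, 0:            %04o\n", (unsigned) created_mode(pick_mode_zero_sentinel, 0));
        printf("checked, MODE_INVALID:         %04o\n", (unsigned) created_mode(pick_mode_checked, MODE_INVALID));
        return 0;
}
```

Callers that pass 0, as every v226 call in the grep output above does when it gives no explicit mode, get 0644 from either helper; only a caller passing MODE_INVALID separates the two.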