Bug 647956 (CVE-2018-1049)

Summary:	<sys-apps/systemd-236-r5: race condition between .mount and .automount units
Product:	Gentoo Security	Reporter:	Dimitris Nakos (sokan) <sokan>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	systemd
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.redhat.com/show_bug.cgi?id=1534701
Whiteboard:	B3 [noglsa cve]
Package list:		Runtime testing required:	---
Bug Depends on:	638972
Bug Blocks:

Description Dimitris Nakos (sokan) 2018-02-17 21:14:02 UTC

In systemd prior to 234 a race condition exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint and any processes that try to use said mount will hang. A race condition like this may lead to denial of service, until mount points are unmounted.

Does this affect us?

-Gentoo Security Padawan-

Comment 1 Mike Gilbert gentoo-dev

2018-02-26 16:22:11 UTC

We were probably affected at some point.

systemd-236 is being stabilized in bug 638972, and that version should be unaffected.

Comment 2 Mart Raudsepp gentoo-dev

2018-05-01 11:20:28 UTC

Last security supported arch was done stabling over a month ago, something to proceed here?

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2018-05-03 00:08:10 UTC

GLSA Vote: No

Tree is clean.