Bug 677944 (CVE-2019-6454)

Summary:	<sys-apps/systemd-239-r4: Insufficient input validation in bus_process_object() resulting in PID 1 crash (CVE-2019-6454)
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	bkohler, systemd
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://seclists.org/oss-sec/2019/q1/140
Whiteboard:	A3 [glsa+ cve]
Package list:	sys-apps/systemd-239-r4	Runtime testing required:	---

Description Thomas Deutschmann (RETIRED) gentoo-dev

2019-02-14 01:17:21 UTC

Incoming details.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2019-02-18 22:04:33 UTC

It was found that bus_process_object() in bus-objects.c allocates a buffer on the stack large enough to temporarily store the object path specified in the incoming message. A malicious unprivileged local user to send a message which results in the stack pointer moving outside of the bounds of the currently mapped stack region, jumping over the stack guard pages. A specifically crafted DBUS nessage could crash PID 1 and result in a subsequent kernel panic.

Comment 2 Larry the Git Cow gentoo-dev

2019-02-18 23:32:03 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8fdbe1769429ab4e0310916f85275f7a4e5b74e

commit b8fdbe1769429ab4e0310916f85275f7a4e5b74e
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-02-18 23:31:19 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-02-18 23:31:56 +0000

    sys-apps/systemd: apply fix for CVE-2019-6454 to 239
    
    Bug: https://bugs.gentoo.org/677944
    Package-Manager: Portage-2.3.59_p2, Repoman-2.3.12_p67
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/files/CVE-2019-6454.patch | 198 +++++++++++++
 sys-apps/systemd/systemd-239-r4.ebuild     | 449 +++++++++++++++++++++++++++++
 2 files changed, 647 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0e6ffa5671fad0b3830348ff960b8ec4e3d2f27

commit c0e6ffa5671fad0b3830348ff960b8ec4e3d2f27
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-02-17 18:31:37 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-02-18 23:31:56 +0000

    sys-apps/systemd: backport patches for CVE-2019-6454
    
    Bug: https://bugs.gentoo.org/677944
    Package-Manager: Portage-2.3.59_p2, Repoman-2.3.12_p67
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 ...-message-paths-longer-than-BUS_PATH_SIZE_.patch |  48 +++
 ...mporary-strings-to-hold-dbus-paths-on-the.patch | 188 +++++++++
 ...e-receive-an-invalid-dbus-message-ignore-.patch |  54 +++
 sys-apps/systemd/systemd-241-r1.ebuild             | 461 +++++++++++++++++++++
 4 files changed, 751 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2019-02-19 15:27:34 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a5969530c37d52d675b5f34dc72c4ff6fbcef6b

commit 7a5969530c37d52d675b5f34dc72c4ff6fbcef6b
Author:     Richard Freeman <rich0@gentoo.org>
AuthorDate: 2019-02-19 15:27:23 +0000
Commit:     Richard Freeman <rich0@gentoo.org>
CommitDate: 2019-02-19 15:27:23 +0000

    sys-apps/systemd: amd64 stable
    
    Bug: https://bugs.gentoo.org/677944
    Signed-off-by: Richard Freeman <rich0@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 sys-apps/systemd/systemd-239-r4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 4 Mart Raudsepp gentoo-dev

2019-02-19 15:47:19 UTC

arm64 stable

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2019-02-19 18:47:46 UTC

x86 stable

Comment 6 Mikle Kolyada (RETIRED) archtester

2019-02-20 13:10:29 UTC

arm stable

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2019-02-23 20:49:27 UTC

ia64 stable

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2019-02-23 21:00:29 UTC

ppc64 stable

Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev

2019-02-23 21:02:50 UTC

ppc stable

Comment 10 Mikle Kolyada (RETIRED) archtester

2019-03-10 15:28:12 UTC

alpha stable

Comment 11 Aaron Bauman (RETIRED) gentoo-dev

2019-03-10 19:33:35 UTC

@systemd, please clean vulnerable.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2019-03-10 20:48:26 UTC

This issue was resolved and addressed in
 GLSA 201903-07 at https://security.gentoo.org/glsa/201903-07
by GLSA coordinator Aaron Bauman (b-man).

Comment 13 Aaron Bauman (RETIRED) gentoo-dev

2019-03-10 20:48:55 UTC

re-opened for cleanup

Comment 14 Larry the Git Cow gentoo-dev

2019-03-11 01:16:49 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a58a376b3fb78121d905dd52c3fa2070ec2f1bd1

commit a58a376b3fb78121d905dd52c3fa2070ec2f1bd1
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-03-11 01:16:35 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-03-11 01:16:35 +0000

    sys-apps/systemd: remove old
    
    Closes: https://bugs.gentoo.org/677944
    Package-Manager: Portage-2.3.62, Repoman-2.3.12_p83
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/Manifest               |   6 -
 sys-apps/systemd/systemd-239-r2.ebuild  | 448 -------------------------------
 sys-apps/systemd/systemd-239-r3.ebuild  | 448 -------------------------------
 sys-apps/systemd/systemd-240-r3.ebuild  | 457 -------------------------------
 sys-apps/systemd/systemd-240-r4.ebuild  | 457 -------------------------------
 sys-apps/systemd/systemd-241.ebuild     | 459 --------------------------------
 sys-apps/systemd/systemd-241_rc1.ebuild | 459 --------------------------------
 sys-apps/systemd/systemd-241_rc2.ebuild | 459 --------------------------------
 8 files changed, 3193 deletions(-)