| Summary: | <sys-apps/systemd-242-r7: systemd-resolved allows unprivileged users to execute privileged D-Bus methods (CVE-2019-15718) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | systemd |
| Priority: | Low | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | A4 [noglsa cve] | | |
| Package list: | sys-apps/systemd-242-r7 | | |
| Runtime testing required: | --- | | |
Description
Thomas Deutschmann (RETIRED)
2019-08-30 23:19:41 UTC
I have a revbump prepared on a local branch.

Nadav Markus from Palo Alto Networks discovered that systemd-resolved allows unprivileged users to execute D-Bus methods that are meant to be available only to privileged users. This can be exploited by local users to modify the system's DNS resolver settings:

manager_connect_bus() in src/resolve/resolved-bus.c opens a connection to the system bus using the bus_open_system_watch_bind_with_description() helper function, which is defined in src/shared/bus-util.c. This helper function calls sd_bus_set_trusted(). This has the effect of disabling access controls, even for members that are defined without the SD_BUS_VTABLE_UNPRIVILEGED flag - the absence of which should deny access from unprivileged clients. See check_access() in src/libsystemd/sd-bus/bus-objects.c:

    static int check_access(sd_bus *bus, sd_bus_message *m, struct vtable_member *c, sd_bus_error *error) {
            uint64_t cap;
            int r;

            assert(bus);
            assert(m);
            assert(c);

            /* If the entire bus is trusted let's grant access */
            if (bus->trusted)
                    return 0;

            /* If the member is marked UNPRIVILEGED let's grant access */
            if (c->vtable->flags & SD_BUS_VTABLE_UNPRIVILEGED)
                    return 0;

            ...

timesyncd and networkd both use the same helper function to connect to the system bus, but both of these are unaffected by this bug. In timesyncd's case, it only exposes some read-only properties and these don't have access controls. In networkd's case, all methods are annotated with SD_BUS_VTABLE_UNPRIVILEGED, and it uses policykit for enforcing access controls.
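The following is an added example, not code from systemd or from this bug report: a small C model of the check_access() decision quoted above, so the interaction between sd_bus_set_trusted() and the SD_BUS_VTABLE_UNPRIVILEGED flag can be exercised directly. The names model_bus, model_message, model_member, MODEL_VTABLE_UNPRIVILEGED and the method names are assumptions standing in for sd_bus, sd_bus_message, the vtable member, the real flag and real resolved methods; the capability query hidden behind the "..." in the quoted function is modelled as a single boolean on the message.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example modelling the check_access() decision quoted in the bug
 * description. Not systemd's code: the structs and the flag value are
 * assumed stand-ins for sd_bus, sd_bus_message, the vtable member and
 * SD_BUS_VTABLE_UNPRIVILEGED. Only the presence of the bit matters. */
#define MODEL_VTABLE_UNPRIVILEGED (1ULL << 1)

typedef struct {
    bool trusted;             /* what sd_bus_set_trusted(bus, true) sets */
} model_bus;

typedef struct {
    bool sender_privileged;   /* stand-in for the capability query behind the "..." */
} model_message;

typedef struct {
    const char *name;         /* hypothetical method name, for readability only */
    uint64_t flags;           /* vtable member flags */
} model_member;

/* Mirrors the two early returns of the quoted function. The elided part,
 * which in sd-bus asks the bus about the sender's capabilities, is modelled
 * as one "is the caller privileged" check (assumption). Returns 0 when
 * access is granted and -EPERM when it is denied. */
int model_check_access(const model_bus *bus, const model_message *m,
                       const model_member *c) {
    /* If the entire bus is trusted let's grant access */
    if (bus->trusted)
        return 0;
    /* If the member is marked UNPRIVILEGED let's grant access */
    if (c->flags & MODEL_VTABLE_UNPRIVILEGED)
        return 0;
    /* Otherwise the caller itself must be privileged */
    return m->sender_privileged ? 0 : -EPERM;
}

/* The resolved situation: a method defined WITHOUT the UNPRIVILEGED flag,
 * called by an unprivileged client. Returns true when the call is let
 * through, which is the bug whenever bus_trusted is true. */
bool unprivileged_can_call_privileged_method(bool bus_trusted) {
    model_bus bus = { .trusted = bus_trusted };
    model_message msg = { .sender_privileged = false };
    model_member privileged_method = { .name = "PrivilegedMethod", .flags = 0 };
    return model_check_access(&bus, &msg, &privileged_method) == 0;
}

/* The networkd pattern from the description: every method carries the
 * UNPRIVILEGED flag, so check_access() always grants and the real gate is
 * a policykit check inside the handler. That handler-side check is modelled
 * as the polkit_allows argument, so the trusted flag cannot bypass it. */
bool networkd_style_handler(bool bus_trusted, bool polkit_allows) {
    model_bus bus = { .trusted = bus_trusted };
    model_message msg = { .sender_privileged = false };
    model_member m = { .name = "Reconfigure", .flags = MODEL_VTABLE_UNPRIVILEGED };
    if (model_check_access(&bus, &msg, &m) != 0)
        return false;
    return polkit_allows;
}

int main(void) {
    printf("bus trusted   : unprivileged caller reaches privileged method = %d\n",
           unprivileged_can_call_privileged_method(true));
    printf("bus untrusted : unprivileged caller reaches privileged method = %d\n",
           unprivileged_can_call_privileged_method(false));
    printf("networkd style, bus trusted, polkit denies = %d\n",
           networkd_style_handler(true, false));
    return 0;
}
```

The first call returns true: once the bus is marked trusted the vtable flag is never consulted, which is exactly why resolved's privileged-only methods became reachable. networkd is unaffected because its access decision is made inside the handler rather than by check_access(), so the trusted bus changes nothing for it.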
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d54665bac2e0881b4d22cf48632fd0412623565

commit 5d54665bac2e0881b4d22cf48632fd0412623565
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-09-03 15:26:42 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-09-03 15:26:42 +0000

    sys-apps/systemd: add patch for CVE-2019-15718

    Bug: https://bugs.gentoo.org/693156
    Package-Manager: Portage-2.3.73_p4, Repoman-2.3.17_p24
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/files/CVE-2019-15718.patch        |  31 ++
 sys-apps/systemd/systemd-242-r7.ebuild             | 500 +++++++++++++++++++++
 ...md-243_rc2.ebuild => systemd-243_rc2-r1.ebuild} |   1 +
 3 files changed, 532 insertions(+)

sparc stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba283c46d5861eb3de034bf81a21eddd3fc00d60

commit ba283c46d5861eb3de034bf81a21eddd3fc00d60
Author:     Richard Freeman <rich0@gentoo.org>
AuthorDate: 2019-09-03 17:27:13 +0000
Commit:     Richard Freeman <rich0@gentoo.org>
CommitDate: 2019-09-03 17:27:13 +0000

    sys-apps/systemd: amd64 stable

    Bug: https://bugs.gentoo.org/693156
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Richard Freeman <rich0@gentoo.org>

 sys-apps/systemd/systemd-242-r7.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

arm64 stable

x86 stable

ppc stable

arm stable

alpha stable

ia64 stable

ppc64 stable. Last arch.

@ maintainer(s): Please cleanup and drop <sys-apps/systemd-242-r7!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22e17afdf3972504ccca959e51bf8ea7254d5513

commit 22e17afdf3972504ccca959e51bf8ea7254d5513
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2020-01-07 07:19:05 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-01-07 07:19:05 +0000

    sys-apps/systemd: remove old

    Bug: https://bugs.gentoo.org/693156
    Package-Manager: Portage-2.3.84_p2, Repoman-2.3.20_p24
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/Manifest                          |   1 -
 sys-apps/systemd/files/242-file-max.patch          |  31 --
 sys-apps/systemd/files/242-gcc-9.patch             | 163 -------
 sys-apps/systemd/files/242-network-domains.patch   |  57 ---
 .../systemd/files/242-networkd-ipv6-token.patch    | 152 -------
 sys-apps/systemd/files/242-rdrand-ryzen.patch      | 353 ---------------
 .../files/242-socket-util-flush-accept.patch       |  46 --
 .../systemd/files/242-wireguard-listenport.patch   |  49 --
 sys-apps/systemd/files/CVE-2019-15718.patch        |  31 --
 sys-apps/systemd/metadata.xml                      |   1 -
 sys-apps/systemd/systemd-242-r6.ebuild             | 499 --------------------
 sys-apps/systemd/systemd-242-r7.ebuild             | 500 ---------------------
 sys-apps/systemd/systemd-243.ebuild                | 492 --------------------
 13 files changed, 2375 deletions(-)

Repository is clean, all done.