Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 708806 (CVE-2020-1712)

Summary: <sys-apps/systemd-244.3: use-after-free when asynchronous polkit queries are performed (CVE-2020-1712)
Product: Gentoo Security Reporter: filip ambroz <filip.ambroz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: critical CC: systemd
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A1 [glsa+ cve]
Package list:
Runtime testing required: ---

Description filip ambroz 2020-02-09 10:04:24 UTC
from URL:
A heap use-after-free vulnerability was found in systemd, when asynchronous
Polkit queries are performed while handling Dbus messages. A local unprivileged
attacker can abuse this flaw to crash systemd services or potentially execute
code and elevate their privileges, by sending specially crafted Dbus messages.

This flaw happens due to the way bus_verify_polkit_async() works. Some DBus
interfaces use a cache to store objects for a short period and they clear it as
soon as the bus is again in the idle state. However, if a DBus method uses
bus_verify_polkit_async(), the method may have to wait a while until the polkit
action is resolved and when that happens the method handler is called again,
with the userdata previously allocated. If the polkit request takes too long,
the clearing of the cache would free the stored objects before the method is
called the second time, causing the use-after-free vulnerability.

The issue was reported by Tavis Ormandy, Google Project Zero.

Upstream fix is included in v245-rc1:

Other References:

v245-rc1 is already ~ in tree
Comment 1 Larry the Git Cow gentoo-dev 2020-02-09 15:15:19 UTC
The bug has been referenced in the following commit(s):

commit 267b6228821f17cd90562dae89614fb697b4ff9f
Author:     Mike Gilbert <>
AuthorDate: 2020-02-09 15:13:27 +0000
Commit:     Mike Gilbert <>
CommitDate: 2020-02-09 15:15:10 +0000

    sys-apps/systemd: bump to 244.2
    Package-Manager: Portage-2.3.87_p10, Repoman-2.3.20_p57
    Signed-off-by: Mike Gilbert <>

 sys-apps/systemd/Manifest             |   1 +
 sys-apps/systemd/systemd-244.2.ebuild | 508 ++++++++++++++++++++++++++++++++++
 sys-apps/systemd/systemd-9999.ebuild  |   9 +-
 3 files changed, 516 insertions(+), 2 deletions(-)
Comment 2 Mike Gilbert gentoo-dev 2020-02-09 15:18:13 UTC
Comment 3 Larry the Git Cow gentoo-dev 2020-02-10 02:37:35 UTC
The bug has been referenced in the following commit(s):

commit 7156f31c6ab4a26e85a2addfbebd98dbb5fadbf3
Author:     Richard Freeman <>
AuthorDate: 2020-02-10 02:37:22 +0000
Commit:     Richard Freeman <>
CommitDate: 2020-02-10 02:37:22 +0000

    sys-apps/systemd: amd64 stable
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Richard Freeman <>

 sys-apps/systemd/systemd-244.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2020-02-13 08:14:33 UTC
ia64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-02-16 21:16:23 UTC
x86 stable
Comment 6 Mike Gilbert gentoo-dev 2020-02-18 00:36:37 UTC
Updating to 244.3, which fixes a regression in udev (bug 710002).
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2020-03-02 20:20:51 UTC
ppc64 stable
Comment 8 Ben Kohler gentoo-dev 2020-03-07 14:16:55 UTC
sparc stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-14 18:04:06 UTC
arm stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 03:09:16 UTC
New GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 03:29:54 UTC
This issue was resolved and addressed in
 GLSA 202003-20 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 03:30:32 UTC
Re-opening for remaining architectures.
Comment 13 Mart Raudsepp gentoo-dev 2020-03-15 11:41:09 UTC
arm64 stable
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-31 17:46:55 UTC
@ppc: ping
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-19 08:21:42 UTC
@ppc: ping
Comment 16 Sergei Trofimovich (RETIRED) gentoo-dev 2020-06-01 22:35:56 UTC
ppc stable
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-04 17:02:28 UTC
@maintainer(s), please cleanup
Comment 18 Larry the Git Cow gentoo-dev 2020-06-11 02:29:56 UTC
The bug has been referenced in the following commit(s):

commit 33eed1b877eea0d533760a7cec37fb2ea37c57d0
Author:     Mike Gilbert <>
AuthorDate: 2020-06-11 02:29:00 +0000
Commit:     Mike Gilbert <>
CommitDate: 2020-06-11 02:29:53 +0000

    sys-apps/systemd: remove old
    Signed-off-by: Mike Gilbert <>

 sys-apps/systemd/Manifest                   |   1 -
 sys-apps/systemd/files/244-efi-gcc-10.patch |  40 ---
 sys-apps/systemd/systemd-244.ebuild         | 503 ----------------------------
 3 files changed, 544 deletions(-)
Comment 19 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-11 02:33:17 UTC
All done, thanks!