Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 595476 (CVE-2016-7795, CVE-2016-7796) - <sys-apps/systemd-233-r1: local user DoS
Summary: <sys-apps/systemd-233-r1: local user DoS
Status: RESOLVED FIXED
Alias: CVE-2016-7795, CVE-2016-7796
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 598992 599152 606422 CVE-2017-9445
Blocks: CVE-2014-9770 605022
  Show dependency tree
 
Reported: 2016-09-28 22:07 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2017-10-08 19:50 UTC (History)
2 users (show)

See Also:
Package list:
=sys-libs/libseccomp-2.3.2 amd64 arm ppc ppc64 x86 =sys-apps/systemd-233-r1
Runtime testing required: Yes
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-09-28 22:07:53 UTC
From ${URL}:
systemd[1] fails an assertion in manager_invoke_notify_message[2] when
a zero-length message is received over its notification socket.
After failing the assertion, PID 1 hangs in the pause system call.
It is no longer possible to start and stop daemons or cleanly reboot
the system. Inetd-style services managed by systemd no longer accept
connections.

Since the notification socket, /run/systemd/notify, is world-writable,
this allows a local user to perform a denial-of-service attack against
systemd.

Proof-of-concept:

        NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

This vulnerability is present in all versions of systemd since at
least v209[3].

This has been reported to systemd.[4]

[1] https://github.com/systemd/systemd/
[2] https://github.com/systemd/systemd/blob/b8fafaf4a1cffd02389d61ed92ca7acb1b8c739c/src/core/manager.c#L1666
[3] https://github.com/systemd/systemd/commit/5ba6985b6c8ef85a8bcfeb1b65239c863436e75b#diff-ab78220e12703ee63fa1e6a2caa16bebR1325
[4] https://github.com/systemd/systemd/issues/4234
Comment 2 Mike Gilbert gentoo-dev 2016-09-29 14:24:45 UTC
There's still some chatter on this upstream. I'm waiting a bit to see if this PR gets merged.

https://github.com/systemd/systemd/pull/4242
Comment 3 Mike Gilbert gentoo-dev 2016-09-30 01:39:14 UTC
Backporting the fix(es) to systemd-226 is non-trivial.

system-231 has some regressions, the fixes for which are also non-trivial backports.

I would prefer to wait for upstream to release systemd-232 to resolve this.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 16:24:41 UTC
The PR was merged and first release containing the fix was =sys-apps/systemd-232 which already landed in the Gentoo repository: https://gitweb.gentoo.org/repo/gentoo.git/commit/sys-apps/systemd?id=1aac346933936be0fca1b24cac3ba2a147b08c6f


@ maintainer(s): Please tell us how to proceed. Is systemd-232 ready for stabilization?
Comment 5 Mike Gilbert gentoo-dev 2016-11-18 16:48:21 UTC
(In reply to Thomas Deutschmann from comment #4)
> @ maintainer(s): Please tell us how to proceed. Is systemd-232 ready for
> stabilization?

No, systemd-232 introduced additional regressions and is not fit for stabilization.

See bug 598992, bug 599152.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2017-04-21 00:39:54 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 7 Mike Gilbert gentoo-dev 2017-04-21 01:17:24 UTC
Let's proceed with systemd-233-r1.

I have taken the liberty of adding sys-libs/libseccomp to the package list to satisfy a dependency.
Comment 8 Agostino Sarubbo gentoo-dev 2017-04-23 21:23:24 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-04-27 10:36:55 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-04-27 11:23:41 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-04-29 15:02:32 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-04-30 09:37:25 UTC
ppc64 stable
Comment 13 Tobias Klausmann (RETIRED) gentoo-dev 2017-05-22 17:30:45 UTC
Stable on alpha.
Comment 14 Agostino Sarubbo gentoo-dev 2017-06-10 15:11:06 UTC
ia64 stable
Comment 15 Mike Gilbert gentoo-dev 2017-06-28 17:07:13 UTC
arm should now stabilize 233-r2 instead (bug 622874).
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-10-08 19:50:10 UTC
GLSA Vote: No