Incoming details.
It was found that bus_process_object() in bus-objects.c allocates a buffer on the stack large enough to temporarily store the object path specified in the incoming message. A malicious unprivileged local user could send a message which results in the stack pointer moving outside of the bounds of the currently mapped stack region, jumping over the stack guard pages. A specifically crafted DBUS message could crash PID 1 and result in a subsequent kernel panic.
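Added example, not part of the original report and not systemd's code: the stack-allocation pattern described above next to one hardened form that rejects oversized paths before allocating and copies to the heap. The names walk_path_prefixes and EXAMPLE_PATH_MAX and the 4096 value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap for this example; the limit used by the real fix is not stated here. */
#define EXAMPLE_PATH_MAX 4096

/* Pattern described in the report: the frame grows by a sender-chosen amount,
 * so a very long path can move the stack pointer past the guard page:
 *
 *     char *prefix = alloca(strlen(path) + 1);
 */

/* Hardened form: bound the length first, then work on a heap copy.
 * Visits each parent prefix of an object path ("/a/b/c" -> "/a/b", "/a", "/")
 * and returns the number visited, or a negative errno value. */
int walk_path_prefixes(const char *path, void (*visit)(const char *, void *), void *ctx) {
    char *prefix, *slash;
    size_t len;
    int n = 0;

    if (!path || path[0] != '/')
        return -EINVAL;
    /* memchr stops at the first NUL, so at most EXAMPLE_PATH_MAX + 1 bytes are read. */
    if (!memchr(path, '\0', EXAMPLE_PATH_MAX + 1))
        return -E2BIG;                 /* refuse before any allocation */
    len = strlen(path);

    prefix = malloc(len + 1);          /* heap, so failure is reportable */
    if (!prefix)
        return -ENOMEM;
    memcpy(prefix, path, len + 1);

    while ((slash = strrchr(prefix, '/')) != NULL) {
        if (slash == prefix && prefix[1] == '\0')
            break;                     /* reached the root "/" */
        if (slash == prefix)
            prefix[1] = '\0';          /* "/a" -> "/" */
        else
            *slash = '\0';             /* "/a/b" -> "/a" */
        if (visit)
            visit(prefix, ctx);
        n++;
    }
    free(prefix);
    return n;
}

static void print_prefix(const char *p, void *ctx) { (void)ctx; puts(p); }
int main(void) { return walk_path_prefixes("/org/example/obj", print_prefix, NULL) < 0; }
```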
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8fdbe1769429ab4e0310916f85275f7a4e5b74e

commit b8fdbe1769429ab4e0310916f85275f7a4e5b74e
Author: Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-02-18 23:31:19 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-02-18 23:31:56 +0000

sys-apps/systemd: apply fix for CVE-2019-6454 to 239

Bug: https://bugs.gentoo.org/677944
Package-Manager: Portage-2.3.59_p2, Repoman-2.3.12_p67
Signed-off-by: Mike Gilbert <floppym@gentoo.org>

sys-apps/systemd/files/CVE-2019-6454.patch | 198 +++++++++++++
sys-apps/systemd/systemd-239-r4.ebuild | 449 +++++++++++++++++++++++++++++
2 files changed, 647 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0e6ffa5671fad0b3830348ff960b8ec4e3d2f27

commit c0e6ffa5671fad0b3830348ff960b8ec4e3d2f27
Author: Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-02-17 18:31:37 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-02-18 23:31:56 +0000

sys-apps/systemd: backport patches for CVE-2019-6454

Bug: https://bugs.gentoo.org/677944
Package-Manager: Portage-2.3.59_p2, Repoman-2.3.12_p67
Signed-off-by: Mike Gilbert <floppym@gentoo.org>

...-message-paths-longer-than-BUS_PATH_SIZE_.patch | 48 +++
...mporary-strings-to-hold-dbus-paths-on-the.patch | 188 +++++++++
...e-receive-an-invalid-dbus-message-ignore-.patch | 54 +++
sys-apps/systemd/systemd-241-r1.ebuild | 461 +++++++++++++++++++++
4 files changed, 751 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a5969530c37d52d675b5f34dc72c4ff6fbcef6b

commit 7a5969530c37d52d675b5f34dc72c4ff6fbcef6b
Author: Richard Freeman <rich0@gentoo.org>
AuthorDate: 2019-02-19 15:27:23 +0000
Commit: Richard Freeman <rich0@gentoo.org>
CommitDate: 2019-02-19 15:27:23 +0000

sys-apps/systemd: amd64 stable

Bug: https://bugs.gentoo.org/677944
Signed-off-by: Richard Freeman <rich0@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11

sys-apps/systemd/systemd-239-r4.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
arm64 stable
x86 stable
arm stable
ia64 stable
ppc64 stable
ppc stable
alpha stable
@systemd, please clean vulnerable.
This issue was resolved and addressed in GLSA 201903-07 at https://security.gentoo.org/glsa/201903-07 by GLSA coordinator Aaron Bauman (b-man).
re-opened for cleanup
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a58a376b3fb78121d905dd52c3fa2070ec2f1bd1

commit a58a376b3fb78121d905dd52c3fa2070ec2f1bd1
Author: Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-03-11 01:16:35 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-03-11 01:16:35 +0000

sys-apps/systemd: remove old

Closes: https://bugs.gentoo.org/677944
Package-Manager: Portage-2.3.62, Repoman-2.3.12_p83
Signed-off-by: Mike Gilbert <floppym@gentoo.org>

sys-apps/systemd/Manifest | 6 -
sys-apps/systemd/systemd-239-r2.ebuild | 448 -------------------------------
sys-apps/systemd/systemd-239-r3.ebuild | 448 -------------------------------
sys-apps/systemd/systemd-240-r3.ebuild | 457 -------------------------------
sys-apps/systemd/systemd-240-r4.ebuild | 457 -------------------------------
sys-apps/systemd/systemd-241.ebuild | 459 --------------------------------
sys-apps/systemd/systemd-241_rc1.ebuild | 459 --------------------------------
sys-apps/systemd/systemd-241_rc2.ebuild | 459 --------------------------------
8 files changed, 3193 deletions(-)