Bug 677944 (CVE-2019-6454) - <sys-apps/systemd-239-r4: Insufficient input validation in bus_process_object() resulting in PID 1 crash (CVE-2019-6454)
Status: RESOLVED FIXED
Alias: CVE-2019-6454
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://seclists.org/oss-sec/2019/q1/140
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-14 01:17 UTC by Thomas Deutschmann
Modified: 2019-03-11 01:46 UTC

See Also:
Package list:
sys-apps/systemd-239-r4
Runtime testing required: ---
stable-bot: sanity-check+


Description Thomas Deutschmann gentoo-dev Security 2019-02-14 01:17:21 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-02-18 22:04:33 UTC
It was found that bus_process_object() in bus-objects.c allocates a buffer on the stack large enough to temporarily store the object path specified in the incoming message. A malicious unprivileged local user can send a message which results in the stack pointer moving outside of the bounds of the currently mapped stack region, jumping over the stack guard pages. A specifically crafted DBUS message could crash PID 1 and result in a subsequent kernel panic.
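The allocation pattern described in Comment 1 next to a bounded alternative, as an added example that is not part of this bug report and is not systemd's code. The function names, the prefix-walking task and the `EXAMPLE_PATH_MAX` cap are hypothetical and chosen for illustration.

```c
#include <alloca.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define EXAMPLE_PATH_MAX (64u * 1024u) /* assumed cap, not taken from the page */

/* Trim `buf` to its parent path in place ("/a/b" -> "/a" -> "/").
 * Returns 0 once `buf` is already "/" (or holds no slash at all). */
static int to_parent(char *buf) {
    char *slash = strrchr(buf, '/');
    if (!slash || buf[1] == '\0')
        return 0;
    if (slash == buf)
        slash[1] = '\0';          /* keep the root "/" */
    else
        *slash = '\0';
    return 1;
}

/* Pattern from the report: the scratch copy lives on the stack and its
 * size comes straight from the sender-supplied path. */
int count_prefixes_stack(const char *path) {
    size_t n = strlen(path);
    char *tmp = alloca(n + 1);    /* unbounded, sender-sized stack growth */
    int count = 0;
    memcpy(tmp, path, n + 1);
    while (to_parent(tmp))
        count++;
    return count;
}

/* Hardened form: reject oversized or non-absolute paths before copying,
 * and keep the scratch copy on the heap. */
int count_prefixes_checked(const char *path, size_t len) {
    char *tmp;
    int count = 0;
    if (len == 0 || len > EXAMPLE_PATH_MAX || path[0] != '/')
        return -EINVAL;           /* refused before any allocation */
    tmp = malloc(len + 1);
    if (!tmp)
        return -ENOMEM;           /* allocation failure is a clean error */
    memcpy(tmp, path, len);
    tmp[len] = '\0';
    while (to_parent(tmp))
        count++;
    free(tmp);
    return count;
}
```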
Comment 2 Larry the Git Cow gentoo-dev 2019-02-18 23:32:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8fdbe1769429ab4e0310916f85275f7a4e5b74e

commit b8fdbe1769429ab4e0310916f85275f7a4e5b74e
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-02-18 23:31:19 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-02-18 23:31:56 +0000

    sys-apps/systemd: apply fix for CVE-2019-6454 to 239
    
    Bug: https://bugs.gentoo.org/677944
    Package-Manager: Portage-2.3.59_p2, Repoman-2.3.12_p67
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/files/CVE-2019-6454.patch | 198 +++++++++++++
 sys-apps/systemd/systemd-239-r4.ebuild     | 449 +++++++++++++++++++++++++++++
 2 files changed, 647 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0e6ffa5671fad0b3830348ff960b8ec4e3d2f27

commit c0e6ffa5671fad0b3830348ff960b8ec4e3d2f27
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-02-17 18:31:37 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-02-18 23:31:56 +0000

    sys-apps/systemd: backport patches for CVE-2019-6454
    
    Bug: https://bugs.gentoo.org/677944
    Package-Manager: Portage-2.3.59_p2, Repoman-2.3.12_p67
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 ...-message-paths-longer-than-BUS_PATH_SIZE_.patch |  48 +++
 ...mporary-strings-to-hold-dbus-paths-on-the.patch | 188 +++++++++
 ...e-receive-an-invalid-dbus-message-ignore-.patch |  54 +++
 sys-apps/systemd/systemd-241-r1.ebuild             | 461 +++++++++++++++++++++
 4 files changed, 751 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2019-02-19 15:27:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a5969530c37d52d675b5f34dc72c4ff6fbcef6b

commit 7a5969530c37d52d675b5f34dc72c4ff6fbcef6b
Author:     Richard Freeman <rich0@gentoo.org>
AuthorDate: 2019-02-19 15:27:23 +0000
Commit:     Richard Freeman <rich0@gentoo.org>
CommitDate: 2019-02-19 15:27:23 +0000

    sys-apps/systemd: amd64 stable
    
    Bug: https://bugs.gentoo.org/677944
    Signed-off-by: Richard Freeman <rich0@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 sys-apps/systemd/systemd-239-r4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Mart Raudsepp gentoo-dev 2019-02-19 15:47:19 UTC
arm64 stable
Comment 5 Thomas Deutschmann gentoo-dev Security 2019-02-19 18:47:46 UTC
x86 stable
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-02-20 13:10:29 UTC
arm stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-23 20:49:27 UTC
ia64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-23 21:00:29 UTC
ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-23 21:02:50 UTC
ppc stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-03-10 15:28:12 UTC
alpha stable
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-10 19:33:35 UTC
@systemd, please clean vulnerable.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2019-03-10 20:48:26 UTC
This issue was resolved and addressed in
 GLSA 201903-07 at https://security.gentoo.org/glsa/201903-07
by GLSA coordinator Aaron Bauman (b-man).
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-10 20:48:55 UTC
re-opened for cleanup
Comment 14 Larry the Git Cow gentoo-dev 2019-03-11 01:16:49 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a58a376b3fb78121d905dd52c3fa2070ec2f1bd1

commit a58a376b3fb78121d905dd52c3fa2070ec2f1bd1
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-03-11 01:16:35 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-03-11 01:16:35 +0000

    sys-apps/systemd: remove old
    
    Closes: https://bugs.gentoo.org/677944
    Package-Manager: Portage-2.3.62, Repoman-2.3.12_p83
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/Manifest               |   6 -
 sys-apps/systemd/systemd-239-r2.ebuild  | 448 -------------------------------
 sys-apps/systemd/systemd-239-r3.ebuild  | 448 -------------------------------
 sys-apps/systemd/systemd-240-r3.ebuild  | 457 -------------------------------
 sys-apps/systemd/systemd-240-r4.ebuild  | 457 -------------------------------
 sys-apps/systemd/systemd-241.ebuild     | 459 --------------------------------
 sys-apps/systemd/systemd-241_rc1.ebuild | 459 --------------------------------
 sys-apps/systemd/systemd-241_rc2.ebuild | 459 --------------------------------
 8 files changed, 3193 deletions(-)