from URL:

A heap use-after-free vulnerability was found in systemd, when asynchronous Polkit queries are performed while handling Dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.

This flaw happens due to the way bus_verify_polkit_async() works. Some DBus interfaces use a cache to store objects for a short period and they clear it as soon as the bus is again in the idle state. However, if a DBus method uses bus_verify_polkit_async(), the method may have to wait a while until the polkit action is resolved and when that happens the method handler is called again, with the userdata previously allocated. If the polkit request takes too long, the clearing of the cache would free the stored objects before the method is called the second time, causing the use-after-free vulnerability.

The issue was reported by Tavis Ormandy, Google Project Zero.

Upstream fix is included in v245-rc1:
https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2

Other References:
https://security.archlinux.org/CVE-2020-1712
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950732
https://www.suse.com/security/cve/CVE-2020-1712/

Note: v245-rc1 is already ~ in tree
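The lifetime problem described in the report above, as an added toy model in C (not systemd code and not part of the original report; every name in it is hypothetical). It never dereferences freed memory: a generation counter shows when the parked pointer has gone stale, and re-resolving the object by key on re-entry is shown as one general way to avoid the dangling access, which is an assumption of this example rather than a description of the upstream commit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model; every name here is hypothetical, none is systemd's. */
#define SLOTS 4
typedef struct { char name[16]; } Obj;
static Obj *cache[SLOTS];   /* short-lived object cache */
static unsigned cache_gen;  /* bumped each time the cache is cleared */

/* Return the cached object for name, creating it if absent. */
static Obj *cache_get(const char *name) {
    int slot = -1;
    for (int i = 0; i < SLOTS; i++) {
        if (cache[i] && strcmp(cache[i]->name, name) == 0) return cache[i];
        if (!cache[i] && slot < 0) slot = i;
    }
    Obj *o = slot < 0 ? NULL : calloc(1, sizeof *o);
    if (!o) return NULL;
    snprintf(o->name, sizeof o->name, "%s", name);
    return cache[slot] = o;
}
/* Runs when the bus goes idle: frees every cached object. */
static void cache_clear_on_idle(void) {
    for (int i = 0; i < SLOTS; i++) { free(cache[i]); cache[i] = NULL; }
    cache_gen++;
}
/* State parked while the authorization query is outstanding. */
typedef struct {
    Obj *userdata;  /* risky: raw pointer into the cache */
    unsigned gen;   /* cache generation when the pointer was taken */
    char key[16];   /* safe: enough to look the object up again */
} Pending;
static Pending begin_async_check(const char *name) {
    Pending p = { .userdata = cache_get(name), .gen = cache_gen };
    snprintf(p.key, sizeof p.key, "%s", name);
    return p;
}
/* 1 if re-entering the handler with p->userdata would touch freed memory. */
static int resume_would_dangle(const Pending *p) { return p->gen != cache_gen; }
/* Hardened re-entry: ignore the parked pointer, resolve the key again. */
static Obj *resume_by_key(const Pending *p) { return cache_get(p->key); }

int main(void) {
    Pending p = begin_async_check("obj-a");  /* constructed sample key */
    cache_clear_on_idle();                   /* idle fires before the reply */
    Obj *o = resume_by_key(&p);
    printf("stale=%d re-resolved=%s\n", resume_would_dangle(&p), o ? o->name : "(none)");
}
```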
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=267b6228821f17cd90562dae89614fb697b4ff9f

commit 267b6228821f17cd90562dae89614fb697b4ff9f
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2020-02-09 15:13:27 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-02-09 15:15:10 +0000

    sys-apps/systemd: bump to 244.2

    Bug: https://bugs.gentoo.org/708806
    Package-Manager: Portage-2.3.87_p10, Repoman-2.3.20_p57
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/Manifest | 1 +
 sys-apps/systemd/systemd-244.2.ebuild | 508 ++++++++++++++++++++++++++++++++++
 sys-apps/systemd/systemd-9999.ebuild | 9 +-
 3 files changed, 516 insertions(+), 2 deletions(-)
sys-apps/systemd-244.2
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7156f31c6ab4a26e85a2addfbebd98dbb5fadbf3

commit 7156f31c6ab4a26e85a2addfbebd98dbb5fadbf3
Author:     Richard Freeman <rich0@gentoo.org>
AuthorDate: 2020-02-10 02:37:22 +0000
Commit:     Richard Freeman <rich0@gentoo.org>
CommitDate: 2020-02-10 02:37:22 +0000

    sys-apps/systemd: amd64 stable

    Bug: https://bugs.gentoo.org/708806
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Richard Freeman <rich0@gentoo.org>

 sys-apps/systemd/systemd-244.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
ia64 stable
x86 stable
Updating to 244.3, which fixes a regression in udev (bug 710002).
ppc64 stable
sparc stable
arm stable
New GLSA request filed.
This issue was resolved and addressed in GLSA 202003-20 at https://security.gentoo.org/glsa/202003-20 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
arm64 stable
@ppc: ping
ppc stable
@maintainer(s), please cleanup
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33eed1b877eea0d533760a7cec37fb2ea37c57d0

commit 33eed1b877eea0d533760a7cec37fb2ea37c57d0
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2020-06-11 02:29:00 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-06-11 02:29:53 +0000

    sys-apps/systemd: remove old

    Bug: https://bugs.gentoo.org/708806
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/Manifest | 1 -
 sys-apps/systemd/files/244-efi-gcc-10.patch | 40 ---
 sys-apps/systemd/systemd-244.ebuild | 503 ----------------------------
 3 files changed, 544 deletions(-)
All done, thanks!