CVE-2022-45873 (https://github.com/systemd/systemd/pull/25055#issuecomment-1313733553): systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file. Seems like this should be backported?
The backport is not trivial; it may be better to wait for a backport upstream, or stabilize systemd-252.
Thanks!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=086164d117a043966946611e66f4322204a92260 commit 086164d117a043966946611e66f4322204a92260 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-05-04 07:18:38 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-05-04 07:19:05 +0000 [ GLSA 202405-04 ] systemd: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/882769 Bug: https://bugs.gentoo.org/887581 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202405-04.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+)