Bug 486904 (CVE-2013-4391, CVE-2013-4393, CVE-2013-4394) - <sys-apps/systemd-208: multiple vulnerabilities (CVE-2013-{4391,4393,4394})
Summary: <sys-apps/systemd-208: multiple vulnerabilities (CVE-2013-{4391,4393,4394})
Status: RESOLVED FIXED
Alias: CVE-2013-4391, CVE-2013-4393, CVE-2013-4394
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B1 [glsa cve]
Reported: 2013-10-03 19:08 UTC by Agostino Sarubbo
Modified: 2016-12-13 06:47 UTC
Description Agostino Sarubbo gentoo-dev 2013-10-03 19:08:18 UTC
From ${URL} :

1. systemd: Integer overflow, leading to heap-based buffer overflow by
processing native messages
https://bugzilla.redhat.com/show_bug.cgi?id=859051

2. systemd: TOCTOU race condition when updating file permissions and
SELinux security contexts
https://bugzilla.redhat.com/show_bug.cgi?id=859060

3. systemd: Possibility of denial of logging service by processing
native messages from file
https://bugzilla.redhat.com/show_bug.cgi?id=859104

4. systemd: Improper sanitization of invalid XKB layouts descriptions
(privilege escalation when custom PolicyKit local authority file used)
https://bugzilla.redhat.com/show_bug.cgi?id=862324



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2013-10-09 17:01:22 UTC
Vulnerabilities 1, 3 and 4 are fixed in systemd-208.

Vulnerability 2 is not fixed.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:35:27 UTC
CVE-2013-4394 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4394):
  The SetX11Keyboard function in systemd, when PolicyKit Local Authority
  (PKLA) is used to change the group permissions on the X Keyboard Extension
  (XKB) layouts description, allows local users in the group to modify the
  Xorg X11 Server configuration file and possibly gain privileges via vectors
  involving "special and control characters."

CVE-2013-4393 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4393):
  journald in systemd, when the origin of native messages is set to file,
  allows local users to cause a denial of service (logging service blocking)
  via a crafted file descriptor.

CVE-2013-4392 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4392):
  systemd, when updating file permissions, allows local users to change the
  permissions and SELinux security contexts for arbitrary files via a symlink
  attack on unspecified files.

CVE-2013-4391 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4391):
  Integer overflow in the valid_user_field function in
  journal/journald-native.c in systemd allows remote attackers to cause a
  denial of service (crash) and possibly execute arbitrary code via a large
  journal data field, which triggers a heap-based buffer overflow.
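The CVE-2013-4391 entry above describes an integer overflow on a sender-supplied field length that ends in a heap overflow. The following is an added example of that bug class and its length check, not code from systemd or from this bug report; the function names, the `FIELD_MAX` cap and the "NAME=data" buffer layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX (768u * 1024u) /* assumed per-field cap for this example */

/* Unchecked "NAME" + '=' + data: a huge data_len wraps the sum, so malloc()
 * would get a tiny size while the copy still uses the full data_len. */
static uint64_t unchecked_size(uint64_t name_len, uint64_t data_len) {
    return name_len + 1 + data_len;
}

/* Checked: 0 and the size on success; -1 if the declared length is over the
 * cap, exceeds the bytes actually received, or the sum would wrap. */
static int checked_size(uint64_t name_len, uint64_t data_len,
                        uint64_t remaining, size_t *out) {
    if (data_len > FIELD_MAX || data_len > remaining)
        return -1;
    if (name_len > SIZE_MAX - 1 - data_len)
        return -1;
    *out = (size_t)(name_len + 1 + data_len);
    return 0;
}

/* Builds "NAME=data" in a fresh buffer; NULL on any rejected length. */
static char *build_field(const char *name, size_t name_len, const uint8_t *data,
                         uint64_t data_len, uint64_t remaining, size_t *out_len) {
    size_t n;
    if (checked_size(name_len, data_len, remaining, &n) < 0)
        return NULL;
    char *buf = malloc(n);
    if (!buf)
        return NULL;
    memcpy(buf, name, name_len);
    buf[name_len] = '=';
    memcpy(buf + name_len + 1, data, (size_t)data_len);
    *out_len = n;
    return buf;
}

int main(void) {
    size_t n = 0;
    const uint8_t *d = (const uint8_t *)"hello"; /* constructed sample data */
    char *bad = build_field("MESSAGE", 7, d, UINT64_MAX - 3, 5, &n); /* declared length is false */
    char *ok = build_field("MESSAGE", 7, d, 5, 5, &n);
    int rc = (!bad && ok && n == 13 && unchecked_size(7, UINT64_MAX - 3) == 4) ? 0 : 1;
    free(ok);
    return rc;
}
```
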
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-23 20:48:07 UTC
We will split out the 2nd issue (CVE-2013-4392), which is still present, and move it into its own bug so we can proceed with the rest.

v208 landed in Gentoo repository via https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-apps/systemd/systemd-208.ebuild?hideattic=0&view=log

The current stable ebuild is >=sys-apps/systemd-218-r5 and no vulnerable ebuilds are left.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 06:47:33 UTC
This issue was resolved and addressed in
 GLSA 201612-34 at https://security.gentoo.org/glsa/201612-34
by GLSA coordinator Aaron Bauman (b-man).