Ran into https://www.exploit-db.com/exploits/43935/ today...
No unaffected version in Gentoo repo yet hence bug summary change.
@maintainers, Upstream 237 version contains fix as noted by Sebastian.
(In reply to Aaron Bauman from comment #1)
> @maintainers, Upstream 237 version contains fix as noted by Sebastian.
Seems like there was cherry-picking involved. This is the commit included with v237:
I believe this issue does not affect systemd in its default configuration on Gentoo. I am therefore in no hurry to backport the fix or to stabilize a newer version.
There were some other tmpfiles changes in the PR that could complicate a cherry-pick, but a backport is overkill regardless. You have to go out of your way to disable a sysctl whose sole purpose is to protect you from things like this. A more important fix is targeted for v238; this one just happened to land right as v237 was cut.
(In reply to Mike Gilbert from comment #3)
> I believe this issue does not affect systemd in its default configuration on
> Gentoo. I am therefore in no hurry to backport the fix or to stabilize a
> newer version.
Agreed. This is simply hardening for our systemd users who may decide to disable protected hardlinks.
Mitigated by fs.protected_hardlinks wrt bug #540006.
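A defensive check for the mitigation discussed in this thread, added here as an example (it is not part of the bug report or of systemd): it reports the running `fs.protected_hardlinks` value and whether a sysctl configuration file would switch it off. The function names and the file order passed at the bottom are assumptions; files are treated as applied in the order given, with the last assignment winning.

```shell
#!/bin/sh
# Added example: is the fs.protected_hardlinks mitigation on, and will it stay on?

# Print the last value assigned to fs.protected_hardlinks in the given
# sysctl.d-style files (assumed to be listed in the order they are applied).
configured_protected_hardlinks() {
    for f in "$@"; do
        # Skip unreadable paths; the echo guards a missing final newline.
        if [ -r "$f" ]; then cat "$f"; echo; fi
    done | awk '
        /^[ \t]*[#;]/ { next }                # comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            sub(/^-/, "", key)                # "-key": ignore write errors
            gsub("/", ".", key)               # fs/protected_hardlinks form
            if (key == "fs.protected_hardlinks") last = val
        }
        END { if (last != "") print last }'
}

# Combine the running value ($1) with the configured one ($2).
hardlink_protection_status() {
    if [ "$1" = "0" ]; then echo "disabled"
    elif [ "$1" != "1" ]; then echo "unknown"
    elif [ "$2" = "0" ]; then echo "disabled-by-config"
    else echo "protected"
    fi
}

running=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null || echo unknown)
# Simplified file order (assumption); adjust to how your system applies them.
configured=$(configured_protected_hardlinks /etc/sysctl.d/*.conf /etc/sysctl.conf)
echo "running=$running configured=${configured:-unset} status=$(hardlink_protection_status "$running" "$configured")"
```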