Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 646218 (CVE-2017-18078) - sys-apps/systemd: Local Privilege Escalation in systemd-tmpfiles
Summary: sys-apps/systemd: Local Privilege Escalation in systemd-tmpfiles
Status: RESOLVED INVALID
Alias: CVE-2017-18078
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C1 [noglsa cve]
Keywords:
Depends on:
Blocks: 647778
  Show dependency tree
 
Reported: 2018-01-31 16:59 UTC by Sebastian Pipping
Modified: 2018-03-25 19:30 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-31 17:40:22 UTC
No unaffected version in Gentoo repo yet hence bug summary change.

@maintainers, Upstream 237 version contains fix as noted by Sebastian.
Comment 2 Sebastian Pipping gentoo-dev 2018-01-31 17:48:07 UTC
(In reply to Aaron Bauman from comment #1)
> @maintainers, Upstream 237 version contains fix as noted by Sebastian.

Seems like the was cherry-picking involved.  This is the commit included with v237:
https://github.com/systemd/systemd/commit/5579f85663d10269e7ac7464be6548c99cea4ada
Comment 3 Mike Gilbert gentoo-dev 2018-01-31 19:55:29 UTC
I believe this issue does not affect systemd in its default configuration on Gentoo. I am therefore in no hurry to backport the fix or to stabilize a newer version.
Comment 4 Michael Orlitzky gentoo-dev 2018-01-31 21:57:54 UTC
There were some other tmpfiles changes in the PR that could complicate a cherry-pick, but a backport is overkill regardless. You have to go out of your way to disable a sysctl whose sole purpose is to protect you from things like this. A more important fix is targeted for v238; this one just happened to land right as v237 was cut.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-31 22:00:26 UTC
(In reply to Mike Gilbert from comment #3)
> I believe this issue does not affect systemd in its default configuration on
> Gentoo. I am therefore in no hurry to backport the fix or to stabilize a
> newer version.

Agreed.  This is simply hardening for our systemd users who may decide to disable protected hardlinks.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-03-25 19:30:45 UTC
Mitigated by fs.protected_hardlinks wrt bug #540006.