Bug 708806 (CVE-2020-1712) - <sys-apps/systemd-244.3: use-after-free when asynchronous polkit queries are performed (CVE-2020-1712)
Summary: <sys-apps/systemd-244.3: use-after-free when asynchronous polkit queries are ...
Status: RESOLVED FIXED
Alias: CVE-2020-1712
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: https://seclists.org/oss-sec/2020/q1/58
Whiteboard: A1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-09 10:04 UTC by filip ambroz
Modified: 2020-06-11 02:33 UTC (History)

See Also:
Package list:
sys-apps/systemd-244.3
Runtime testing required: ---
stable-bot: sanity-check+
Description filip ambroz 2020-02-09 10:04:24 UTC
from URL:
A heap use-after-free vulnerability was found in systemd, when asynchronous
Polkit queries are performed while handling Dbus messages. A local unprivileged
attacker can abuse this flaw to crash systemd services or potentially execute
code and elevate their privileges, by sending specially crafted Dbus messages.

This flaw happens due to the way bus_verify_polkit_async() works. Some DBus
interfaces use a cache to store objects for a short period and they clear it as
soon as the bus is again in the idle state. However, if a DBus method uses
bus_verify_polkit_async(), the method may have to wait a while until the polkit
action is resolved and when that happens the method handler is called again,
with the userdata previously allocated. If the polkit request takes too long,
the clearing of the cache would free the stored objects before the method is
called the second time, causing the use-after-free vulnerability.

The issue was reported by Tavis Ormandy, Google Project Zero.

Upstream fix is included in v245-rc1:
https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2

Other References:
https://security.archlinux.org/CVE-2020-1712
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950732
https://www.suse.com/security/cve/CVE-2020-1712/

Note:
v245-rc1 is already ~ in tree
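A C model of the lifetime hazard the description outlines, added here and not taken from the bug report or from systemd's code: the bus-level cache releases its objects when the bus goes idle, while a still-pending polkit query keeps a raw pointer to one of them. The object key, the fixed-size cache and the keyed re-lookup in `complete_safe` are assumptions; `alive` stands in for freed memory so the demo stays defined behaviour.

```c
/* Added model of the bug: cache entries are dropped when the bus goes idle
 * while an async polkit query still holds a pointer captured at query start. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define CACHE_SLOTS 4
typedef struct { char key[32]; bool alive; } Object;   /* alive: not yet "freed" */
typedef struct { Object slot[CACHE_SLOTS]; } Cache;
typedef struct {                /* what the async polkit path remembers */
        Object *userdata;       /* vulnerable: raw pointer captured at query start */
        char key[32];           /* hardened: enough to re-resolve the object later */
} PendingQuery;
/* Return the live object for key, creating it in a free slot if needed. */
static Object *cache_lookup(Cache *c, const char *key) {
        for (int i = 0; i < CACHE_SLOTS; i++)
                if (c->slot[i].alive && strcmp(c->slot[i].key, key) == 0)
                        return &c->slot[i];
        for (int i = 0; i < CACHE_SLOTS; i++)
                if (!c->slot[i].alive) {
                        snprintf(c->slot[i].key, sizeof c->slot[i].key, "%s", key);
                        c->slot[i].alive = true;
                        return &c->slot[i];
                }
        return NULL;            /* cache full */
}
/* Bus went idle: the cache releases everything it holds. */
static void cache_flush(Cache *c) {
        for (int i = 0; i < CACHE_SLOTS; i++)
                c->slot[i].alive = false;
}
/* Vulnerable completion: re-enters the handler with the stale pointer.
 * Returns 0 for a valid object, -1 when it touched released memory. */
static int complete_unsafe(const PendingQuery *q) {
        return q->userdata->alive ? 0 : -1;
}
/* Hardened completion: re-resolve userdata through the cache at completion
 * time instead of trusting the captured pointer (assumed model of the fix). */
static int complete_safe(Cache *c, const PendingQuery *q) {
        Object *o = cache_lookup(c, q->key);
        return (o && o->alive) ? 0 : -1;
}
/* Drive the race: start a query, let the bus go idle, then complete it. */
int simulate_slow_polkit(bool hardened) {
        Cache c = {0}; PendingQuery q = {0};
        q.userdata = cache_lookup(&c, "unit:foo.service");     /* constructed key */
        snprintf(q.key, sizeof q.key, "%s", q.userdata->key);
        cache_flush(&c);        /* polkit took too long; cache cleared meanwhile */
        return hardened ? complete_safe(&c, &q) : complete_unsafe(&q);
}
```

The unsafe path reports -1 because the pointer it kept now refers to a released slot; the hardened path re-creates the object from its key and reports 0, which is the property a regression test for this class of bug should check.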
Comment 1 Larry the Git Cow gentoo-dev 2020-02-09 15:15:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=267b6228821f17cd90562dae89614fb697b4ff9f

commit 267b6228821f17cd90562dae89614fb697b4ff9f
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2020-02-09 15:13:27 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-02-09 15:15:10 +0000

    sys-apps/systemd: bump to 244.2
    
    Bug: https://bugs.gentoo.org/708806
    Package-Manager: Portage-2.3.87_p10, Repoman-2.3.20_p57
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/Manifest             |   1 +
 sys-apps/systemd/systemd-244.2.ebuild | 508 ++++++++++++++++++++++++++++++++++
 sys-apps/systemd/systemd-9999.ebuild  |   9 +-
 3 files changed, 516 insertions(+), 2 deletions(-)
Comment 2 Mike Gilbert gentoo-dev 2020-02-09 15:18:13 UTC
sys-apps/systemd-244.2
Comment 3 Larry the Git Cow gentoo-dev 2020-02-10 02:37:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7156f31c6ab4a26e85a2addfbebd98dbb5fadbf3

commit 7156f31c6ab4a26e85a2addfbebd98dbb5fadbf3
Author:     Richard Freeman <rich0@gentoo.org>
AuthorDate: 2020-02-10 02:37:22 +0000
Commit:     Richard Freeman <rich0@gentoo.org>
CommitDate: 2020-02-10 02:37:22 +0000

    sys-apps/systemd: amd64 stable
    
    Bug: https://bugs.gentoo.org/708806
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Richard Freeman <rich0@gentoo.org>

 sys-apps/systemd/systemd-244.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Sergei Trofimovich gentoo-dev 2020-02-13 08:14:33 UTC
ia64 stable
Comment 5 Thomas Deutschmann gentoo-dev Security 2020-02-16 21:16:23 UTC
x86 stable
Comment 6 Mike Gilbert gentoo-dev 2020-02-18 00:36:37 UTC
Updating to 244.3, which fixes a regression in udev (bug 710002).
Comment 7 Sergei Trofimovich gentoo-dev 2020-03-02 20:20:51 UTC
ppc64 stable
Comment 8 Ben Kohler gentoo-dev 2020-03-07 14:16:55 UTC
sparc stable
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-03-14 18:04:06 UTC
arm stable
Comment 10 Thomas Deutschmann gentoo-dev Security 2020-03-15 03:09:16 UTC
New GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 03:29:54 UTC
This issue was resolved and addressed in
 GLSA 202003-20 at https://security.gentoo.org/glsa/202003-20
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 Thomas Deutschmann gentoo-dev Security 2020-03-15 03:30:32 UTC
Re-opening for remaining architectures.
Comment 13 Mart Raudsepp gentoo-dev 2020-03-15 11:41:09 UTC
arm64 stable
Comment 14 Sam James archtester gentoo-dev Security 2020-03-31 17:46:55 UTC
@ppc: ping
Comment 15 Sam James archtester gentoo-dev Security 2020-04-19 08:21:42 UTC
@ppc: ping
Comment 16 Sergei Trofimovich gentoo-dev 2020-06-01 22:35:56 UTC
ppc stable
Comment 17 Sam James archtester gentoo-dev Security 2020-06-04 17:02:28 UTC
@maintainer(s), please cleanup
Comment 18 Larry the Git Cow gentoo-dev 2020-06-11 02:29:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33eed1b877eea0d533760a7cec37fb2ea37c57d0

commit 33eed1b877eea0d533760a7cec37fb2ea37c57d0
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2020-06-11 02:29:00 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-06-11 02:29:53 +0000

    sys-apps/systemd: remove old
    
    Bug: https://bugs.gentoo.org/708806
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/Manifest                   |   1 -
 sys-apps/systemd/files/244-efi-gcc-10.patch |  40 ---
 sys-apps/systemd/systemd-244.ebuild         | 503 ----------------------------
 3 files changed, 544 deletions(-)
Comment 19 Sam James archtester gentoo-dev Security 2020-06-11 02:33:17 UTC
All done, thanks!