Bug 830967 (CVE-2021-3997) - <sys-apps/systemd-{249.9, 250.2}, <sys-apps/systemd-tmpfiles-249.7: Uncontrolled recursion in systemd-tmpfiles (CVE-2021-3997)
Status: RESOLVED FIXED
Alias: CVE-2021-3997
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa+]
Depends on: 830976 830978
Reported: 2022-01-10 22:31 UTC by Sam James
Modified: 2023-05-03 10:09 UTC (History)
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-10 22:31:31 UTC
https://www.openwall.com/lists/oss-security/2022/01/10/2
```
We discovered a minor denial of service (an uncontrolled recursion) in
systemd-tmpfiles, CVE-2021-3997; the Coordinated Release Date is today
(January 10, 2022), and a patch is now available at (many thanks to
Zbigniew Jedrzejewski-Szmek for working on this):

https://github.com/systemd/systemd/commit/55a89ea1b4088a6d84ba0bd3cd8e648bd51f1ebf

Below is a short write-up (which is part of a longer advisory that is
mostly unrelated to systemd and that we will publish at a later date):

========================================================================
CVE-2021-3997: Uncontrolled recursion in systemd's systemd-tmpfiles
========================================================================

[...]

We therefore looked into systemd-tmpfiles (which "creates, deletes, and
cleans up volatile and temporary files and directories") and discovered
a denial of service (an uncontrolled recursion): if we create thousands
of nested directories in /tmp, then "systemd-tmpfiles --remove" (when
executed as root at boot time) will call its rm_rf_children() function
recursively (on each nested directory) and will exhaust its stack and
crash. For example, on Ubuntu 21.04:
```
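The advisory above attributes the crash to rm_rf_children() calling itself once per nested directory. As an added illustration (not part of the bug report and not systemd's code), the sketch below removes a tree with an explicit heap-allocated stack of open directories instead of recursion; the name `rm_rf_iterative` and its signature are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define OPEN_DIR_FLAGS (O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC)
/* Hypothetical helper, not systemd's API: delete the tree `name` below
 * parent_fd. Open parent directories live on a heap array, so nesting depth
 * costs heap and fds (bounded by RLIMIT_NOFILE), never call-stack frames.
 * Returns 0 on success, -errno on the first failure. */
int rm_rf_iterative(int parent_fd, const char *name) {
    DIR **stack = NULL, **grown, *d;
    size_t depth = 0, cap = 0;
    struct dirent *de;
    int r = 0, fd = openat(parent_fd, name, OPEN_DIR_FLAGS);
    if (fd < 0) return -errno;
    if (!(d = fdopendir(fd))) { r = -errno; close(fd); return r; }
    for (;;) {
        errno = 0;
        if ((de = readdir(d))) {
            if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
            if (unlinkat(dirfd(d), de->d_name, 0) == 0) continue; /* file, symlink */
            if (errno != EISDIR && errno != EPERM) { r = -errno; break; }
            if (unlinkat(dirfd(d), de->d_name, AT_REMOVEDIR) == 0) continue; /* empty dir */
            if (errno != ENOTEMPTY && errno != EEXIST) { r = -errno; break; }
            /* Non-empty directory: push the parent and descend without recursing. */
            if (depth == cap) {
                grown = realloc(stack, (cap = cap ? cap * 2 : 16) * sizeof *stack);
                if (!grown) { r = -ENOMEM; break; }
                stack = grown;
            }
            if ((fd = openat(dirfd(d), de->d_name, OPEN_DIR_FLAGS)) < 0) { r = -errno; break; }
            stack[depth++] = d;
            if (!(d = fdopendir(fd))) { r = -errno; close(fd); break; }
            continue;
        }
        if (errno) { r = -errno; break; }
        closedir(d); d = NULL;      /* this level is empty now */
        if (depth == 0) break;
        d = stack[--depth];
        rewinddir(d);               /* rescan: the emptied child is rmdir'ed above */
    }
    if (d) closedir(d);
    while (depth > 0) closedir(stack[--depth]);
    free(stack);
    return r ? r : (unlinkat(parent_fd, name, AT_REMOVEDIR) < 0 ? -errno : 0);
}
```

When the tree is deeper than the process's open-file limit, the function returns `-EMFILE` and leaves the remainder in place rather than crashing.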
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-10 22:33:00 UTC
Patch: https://github.com/systemd/systemd/commit/55a89ea1b4088a6d84ba0bd3cd8e648bd51f1ebf and 250.2 fixes this issue. No 249.x backport yet.
Comment 2 Mike Gilbert gentoo-dev 2022-01-10 23:59:17 UTC
Working on a backport.
Comment 3 Larry the Git Cow gentoo-dev 2022-01-11 01:01:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2606e84e36c1bf0515947e4d744e6990526ba366

commit 2606e84e36c1bf0515947e4d744e6990526ba366
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-01-11 00:54:09 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-01-11 01:01:37 +0000

    sys-apps/systemd-tmpfiles: add 249.7
    
    Includes backport for CVE-2021-3997.
    
    Bug: https://bugs.gentoo.org/830967
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd-tmpfiles/Manifest                 |   2 +
 .../systemd-tmpfiles/systemd-tmpfiles-249.7.ebuild | 260 +++++++++++++++++++++
 2 files changed, 262 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6daa1cf9c70212251552b25bbbfaf70744986fb1

commit 6daa1cf9c70212251552b25bbbfaf70744986fb1
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-01-10 23:59:08 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-01-11 01:01:36 +0000

    sys-apps/systemd: backport fix for CVE-2021-3997
    
    Bug: https://bugs.gentoo.org/830967
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/Manifest                |   1 +
 sys-apps/systemd/systemd-249.7-r1.ebuild | 507 +++++++++++++++++++++++++++++++
 2 files changed, 508 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9520a1f6193571ee2b4397b4ca8a55b8614c6bd6

commit 9520a1f6193571ee2b4397b4ca8a55b8614c6bd6
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-01-10 23:52:33 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-01-11 01:01:36 +0000

    sys-apps/systemd: add 250.2, drop 250.1
    
    Bug: https://bugs.gentoo.org/830967
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/Manifest                                       | 2 +-
 sys-apps/systemd/{systemd-250.1.ebuild => systemd-250.2.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 4 Larry the Git Cow gentoo-dev 2022-01-13 00:20:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec4a94845f76a144736e85f708e4b5cdd5c5793c

commit ec4a94845f76a144736e85f708e4b5cdd5c5793c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-13 00:15:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-13 00:19:30 +0000

    sys-apps/systemd-tmpfiles: add 249.9
    
    Note that systemd-tmpfiles-249.7 in Gentoo already had a backport
    for the CVE-2021-3997 fix, so there's no explicit _need_ to upgrade
    from 249.7->249.9 for the security bug.
    
    Of course, if running <249.7, please do upgrade.
    
    Anyway, this is the first release upstream packaged in Gentoo
    with the fix, so I'm adding it to avoid confusion and to generally
    minimise upstream delta so we notice issues sooner.
    
    Bug: https://bugs.gentoo.org/830967
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/systemd-tmpfiles/Manifest                 |   1 +
 .../systemd-tmpfiles/systemd-tmpfiles-249.9.ebuild | 257 +++++++++++++++++++++
 2 files changed, 258 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ca40167e29dc86229788294508ba28472a9598d

commit 6ca40167e29dc86229788294508ba28472a9598d
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-13 00:14:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-13 00:18:42 +0000

    sys-apps/systemd: add 249.9
    
    (Note that 250.1 also contains the SPARC/alignment fixes for NSS.)
    
    Bug: https://bugs.gentoo.org/830275
    Bug: https://bugs.gentoo.org/830967
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/systemd/Manifest             |   1 +
 sys-apps/systemd/systemd-249.9.ebuild | 505 ++++++++++++++++++++++++++++++++++
 2 files changed, 506 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2022-01-13 16:29:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28a1d60a9f070e01affcaee1f230a3cbaee4c80e

commit 28a1d60a9f070e01affcaee1f230a3cbaee4c80e
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-01-13 16:29:19 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-01-13 16:29:19 +0000

    sys-apps/systemd-tmpfiles: drop 249.5
    
    Bug: https://bugs.gentoo.org/830967
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd-tmpfiles/Manifest                 |   1 -
 .../systemd-tmpfiles/systemd-tmpfiles-249.5.ebuild | 257 ---------------------
 2 files changed, 258 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d343b62dbdd1f39ef6ae47af8f6d53220752cb74

commit d343b62dbdd1f39ef6ae47af8f6d53220752cb74
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-01-13 16:28:34 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-01-13 16:28:34 +0000

    sys-apps/systemd: drop 249.6-r1, 249.7, 249.7-r1
    
    Bug: https://bugs.gentoo.org/830967
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/Manifest                    |   3 -
 sys-apps/systemd/files/250-fix-openssl.patch | 102 ------
 sys-apps/systemd/systemd-249.6-r1.ebuild     | 505 --------------------------
 sys-apps/systemd/systemd-249.7-r1.ebuild     | 507 ---------------------------
 sys-apps/systemd/systemd-249.7.ebuild        | 505 --------------------------
 5 files changed, 1622 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-13 21:26:41 UTC
Thanks!
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-24 15:26:35 UTC
Added to existing GLSA request
Comment 8 Larry the Git Cow gentoo-dev 2023-05-03 10:05:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=00f1bf10331ddbf80ab4cd4a7d5117e69ccef2f7

commit 00f1bf10331ddbf80ab4cd4a7d5117e69ccef2f7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 10:03:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 10:05:28 +0000

    [ GLSA 202305-15 ] systemd: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/830967
    Bug: https://bugs.gentoo.org/880547
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-15.xml | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)