A friend of mine mentioned to me in the pub that he had seen alarming
reports of systemd security bugs.  Naturally I asked for more
information and he promised me an email with some references.

So, here's what Andrew sent me.  Thanks to Andrew for doing this
legwork.

I'll reply substantively in a moment.

--- Begin Message ---
Hi Ian,

Here's the email about systemd security holes that I kept forgetting to send
you. I hope it's (still) useful.

The debian-devel post I was thinking of is 
<[email protected]>
but it actually only mentions three vulnerabilities, there's a more complete
list of the ones that have affected Debian at
 https://security-tracker.debian.org/tracker/source-package/systemd

Here's a short summary along with the redhat bug numbers (since the redhat BTS
seems to be the place to go for systemd information)

CVE             summary                                 Debian BTS      Redhat
2012-0871       systemd-logind insecure file creation   ?               795853 
2012-1101       DoS from systemctl status               662029          799902
2012-1174       TOCTOU deletion race in systemd-logind  664364          803358
2013-4327       insecure use of polkit                  723713          1006680
2013-4391       systemd journald integer overflow       725357          859051
2013-4392       TOCTOU race updating file perms         725357          859060
2013-4393       systemd journald DoS                    725357          859104
2013-4394       improper sanitization of XKB layouts    725357          862324

I think the "really bad one to do with remote connection" the guy on
debian-devel was thinking of is CVE-2013-4391 which mentions possible
arbitrary code execution from a "specially crafted packet" but I'm not sure
under what conditions it would be triggerable over IP, I guess you might have
had to set up your system as a remote journald server.

The bug I mentioned, the one where bad data in its binary log files causes
journald to go mad and eventually fill up /var with junk, is
https://bugzilla.redhat.com/show_bug.cgi?id=974132
and is apparently still not fixed.

Generally the RedHat BTS at
https://bugzilla.redhat.com/buglist.cgi?quicksearch=Component:systemd
and 
https://bugzilla.redhat.com/buglist.cgi?quicksearch=Component:systemd+Status:CLOSED
make alarming reading

Hope this helps,

Andrew

--- End Message ---
