Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu

Dear release team,

a recently discovered vulnerability allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. This can lead to a crash (DoS) of networkd or in the worst case a remote code execution [1].

I was contacted by the security team about this issue. As networkd is not enabled by default, it wasn't deemed severe enough to be fixed via a stable-security upload and a fix via a regular stable upload seemed sufficient.

I already asked for a stable upload for 9.6 in [2]. I'm not sure what the procedure is in such a case. Should I reupload 232-25+deb9u5 with this fix included or make a 232-25+deb9u6 upload? Assuming the latter is less work for the SRM team, I prepared a debdiff for 232-25+deb9u6. Please let me know what you prefer and how to proceed here.

I've also CCed kibi, as usual, for his ack. Since this only touches networkd, d-i should not be affected.

The fix has also been uploaded to unstable a few hours ago, so hasn't seen any real world testing. But given that it's only a one-line change, the regression potential is rather small.

Regards,
Michael

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912008
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908913

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff --git a/debian/changelog b/debian/changelog index 740787b..176bb0f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +systemd (232-25+deb9u6) stretch; urgency=medium + + * dhcp6: Make sure we have enough space for the DHCP6 option header. + Fixes out-of-bounds heap write in systemd-networkd dhcpv6 option + handling. + (CVE-2018-15688, LP: #1795921, Closes: #912008) + + -- Michael Biebl <[email protected]> Sun, 28 Oct 2018 18:02:10 +0100 + systemd (232-25+deb9u5) stretch; urgency=medium * networkd: Do not fail manager_connect_bus() if dbus is not active yet diff --git a/debian/patches/dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-option.patch b/debian/patches/dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-option.patch new file mode 100644 index 0000000..3a4ee04 --- /dev/null +++ b/debian/patches/dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-option.patch @@ -0,0 +1,29 @@ +From: Lennart Poettering <[email protected]> +Date: Fri, 19 Oct 2018 12:12:33 +0200 +Subject: dhcp6: make sure we have enough space for the DHCP6 option header + +Fixes a vulnerability originally discovered by Felix Wilhelm from +Google. + +CVE-2018-15688 +LP: #1795921 +https://bugzilla.redhat.com/show_bug.cgi?id=1639067 + +(cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892) +--- + src/libsystemd-network/dhcp6-option.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c +index 5462e03..c12d008 100644 +--- a/src/libsystemd-network/dhcp6-option.c ++++ b/src/libsystemd-network/dhcp6-option.c +@@ -101,7 +101,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) { + return -EINVAL; + } + +- if (*buflen < len) ++ if (*buflen < offsetof(DHCP6Option, data) + len) + return -ENOBUFS; + + ia_hdr = *buf; diff --git a/debian/patches/series b/debian/patches/series index 3c1ebbe..605f8cb 100644 --- a/debian/patches/series 
+++ b/debian/patches/series @@ -85,6 +85,7 @@ login-change-variable-type-of-enable_wall_messages-as-it-.patch login-do-not-wall-message-on-cancelling-shutdown-when-Man.patch networkd-do-not-fail-manager_connect_bus-if-dbus-is-not-a.patch network-resolve-remove-comments-related-to-kdbus.patch +dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-option.patch debian/Use-Debian-specific-config-files.patch debian/don-t-try-to-start-autovt-units-when-not-running-wit.patch debian/Make-logind-hostnamed-localed-timedated-D-Bus-activa.patch
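Review bot: In the dhcp6_option_append_ia() hunk carried by the new debian/patches file, the corrected bound `*buflen < offsetof(DHCP6Option, data) + len` has no comment explaining why the header size is added, and the diffstat (1 file changed, 1 insertion, 1 deletion) shows that no test accompanies it. Suggest a one-line comment above the check saying that the buffer must hold the DHCP6 option header as well as the `len` bytes that follow it, as the patch subject states, so a later cleanup does not reduce the check back to `*buflen < len`. A small unit test that calls dhcp6_option_append_ia() with `*buflen` equal to `len` and expects -ENOBUFS would pin the boundary case: the removed line accepts that input and the added line rejects it.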

