Signed-off-by: Sam James <s...@gentoo.org> Signed-off-by: Georgy Yakovlev <gyakov...@gentoo.org> --- .../2021-07-07-systemd-tmpfiles.en.txt | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
diff --git a/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt new file mode 100644 index 0000000..0960663 --- /dev/null +++ b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt @@ -0,0 +1,48 @@ +Title: systemd-tmpfiles replaces opentmpfiles due to security issues +Author: Georgy Yakovlev <gyakov...@gentoo.org> +Author: Sam James <s...@gentoo.org> +Posted: 2021-07-07 +Revision: 1 +News-Item-Format: 2.0 +Display-If-Installed: virtual/tmpfiles + +On 2021-07-06, the sys-apps/opentmpfiles package was masked due to a +root privilege escalation vulnerability (CVE-2017-18925 [0], +bug #751415 [1], issue 4 [2] upstream). + +The use of opentmpfiles is discouraged by its maintainer due to the +unpatched vulnerability and other long-standing bugs [3]. + +Users will start seeing their package manager trying to replace +sys-apps/opentmpfiles with sys-apps/systemd-tmpfiles because it is +another provider of virtual/tmpfiles. + +Despite the name, 'systemd-tmpfiles' does not depend on systemd, does +not use dbus, and is just a drop-in replacement for opentmpfiles. It is +a small binary built from systemd source code, but works separately, +similarly to eudev or elogind. It is known to work on both glibc and +musl systems. + +Note that systemd-tmpfiles is specifically for non-systemd systems. It +is intended to be used on an OpenRC system. + +If you wish to selectively test systemd-tmpfiles, follow those steps: + + 1. # emerge --oneshot sys-apps/systemd-tmpfiles + 2. # reboot + +No other steps required. + +If, after reviewing the linked bug reference for opentmpfiles, you feel +your system is not vulnerable/applicable to the attack described, you +can unmask[4] opentmpfiles at your own risk: + +1. In /etc/portage/package.unmask, add: +-sys-apps/opentmpfiles +2. # emerge --oneshot sys-apps/opentmpfiles + +[0] https://nvd.nist.gov/vuln/detail/CVE-2017-18925 +[1] https://bugs.gentoo.org/751415 +[2] https://github.com/OpenRC/opentmpfiles/issues/4 +[3] https://bugs.gentoo.org/741216 +[4] https://wiki.gentoo.org/wiki/Knowledge_Base:Unmasking_a_package -- 2.32.0