#4394: systemd-240
---------------------+-----------------------
 Reporter:  renodr   |       Owner:  renodr
     Type:  task     |      Status:  assigned
 Priority:  highest  |   Milestone:  8.4
Component:  Book     |     Version:  SVN
 Severity:  normal   |  Resolution:
 Keywords:           |
---------------------+-----------------------
Changes (by renodr):

 * priority:  normal => highest

Comment:

 Arbitrary Code Execution Fix (CVE-2018-15688):

 {{{
 An out-of-bounds write has been found in the dhcpv6 option handling code
 of systemd-networkd up to and including v239.

 It was discovered that systemd-network does not correctly keep track of a
 buffer size in the dhcp6_option_append_ia() function, when constructing
 DHCPv6 packets. This flaw may lead to an integer underflow that can be
 used to produce a heap-based buffer overflow.

 A malicious host on the same network segment as the victim's one may
 advertise itself as a DHCPv6 server and exploit this flaw to cause a
 Denial of Service or potentially gain code execution on the victim's
 machine.

 The overflow can be triggered relatively easily by advertising a DHCPv6
 server with a server-id >= 493 characters long.
 }}}

 Privilege Escalation issue (CVE-2018-15687):

 {{{
 A security issue has been found in systemd up to and including 239, where
 a race condition in the chown_one() function can be used to escalate
 privileges via a crafted symlink.
 }}}

 Privilege Escalation Issue (CVE-2018-15686):

 {{{
 A security issue has been found in systemd up to and including 239, where
 the use of fgets() allows an attacker to escalate privilege via a crafted
 service with NotifyAccess.
 }}}

 That's in addition to the vulnerability in the description above.

--
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/4394#comment:2>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
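
The size-tracking failure class described for CVE-2018-15688 (a remaining-length counter that underflows while options are appended), shown next to a checked append. This is an added example, not part of the ticket and not systemd's code. The function names, the 4-byte option header and the buffer sizes are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OPT_HDR_LEN 4u /* assumed layout: 2-byte code + 2-byte length */

/* Bookkeeping done wrong: size_t cannot go negative, so this wraps to a
 * huge "remaining" value when the option does not fit. Computes only. */
size_t remaining_unchecked(size_t buflen, size_t len)
{
    return buflen - OPT_HDR_LEN - len;
}

/* Checked append: compares before subtracting, writes only if it fits. */
int option_append(uint8_t **buf, size_t *buflen, uint16_t code,
                  const void *data, size_t len)
{
    if (!buf || !*buf || !buflen || (len && !data) || len > UINT16_MAX)
        return -EINVAL;
    if (*buflen < OPT_HDR_LEN || *buflen - OPT_HDR_LEN < len)
        return -ENOBUFS;
    (*buf)[0] = (uint8_t)(code >> 8);
    (*buf)[1] = (uint8_t)(code & 0xff);
    (*buf)[2] = (uint8_t)(len >> 8);
    (*buf)[3] = (uint8_t)(len & 0xff);
    if (len)
        memcpy(*buf + OPT_HDR_LEN, data, len);
    *buf += OPT_HDR_LEN + len;
    *buflen -= OPT_HDR_LEN + len;
    return 0;
}

/* Constructed scenario: a peer-supplied identifier of id_len bytes is echoed
 * into a 64-byte packet, then a 12-byte option follows. Returns the status
 * of the first append that fails, or 0 when both fit. */
int build_packet(size_t id_len)
{
    uint8_t pkt[64], id[128] = {0}, body[12] = {0};
    uint8_t *p = pkt;
    size_t left = sizeof(pkt);
    int r;

    if (id_len > sizeof(id))
        return -EINVAL;
    r = option_append(&p, &left, 1, id, id_len);
    return r < 0 ? r : option_append(&p, &left, 2, body, sizeof(body));
}

int main(void) { return build_packet(16) == 0 && build_packet(50) == -ENOBUFS ? 0 : 1; }
```

With a 50-byte identifier only 10 bytes remain, so the second append is refused instead of the counter wrapping past zero.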