#4594: Generate security patch for systemd CVE-2020-1712
--------------------+----------------------
 Reporter:  renodr  |      Owner:  lfs-book
     Type:  task    |     Status:  new
 Priority:  normal  |  Milestone:  9.1
Component:  Book    |    Version:  SVN
 Severity:  normal  |   Keywords:
--------------------+----------------------
 Generate a security patch for this (after build testing):

 {{{


 Hello,

 A heap use-after-free vulnerability was found in systemd, when asynchronous
 Polkit queries are performed while handling Dbus messages. A local
 unprivileged attacker can abuse this flaw to crash systemd services or
 potentially execute code and elevate their privileges, by sending specially
 crafted Dbus messages.

 CVE-2020-1712 has been assigned to this issue.

 This flaw happens due to the way bus_verify_polkit_async() works. Some DBus
 interfaces use a cache to store objects for a short period and they clear it
 as soon as the bus is again in the idle state. However, if a DBus method uses
 bus_verify_polkit_async(), the method may have to wait a while until the
 polkit action is resolved and when that happens the method handler is called
 again, with the userdata previously allocated. If the polkit request takes
 too long, the clearing of the cache would free the stored objects before the
 method is called the second time, causing the use-after-free vulnerability.

 The issue was reported by Tavis Ormandy, Google Project Zero.

 Upstream fix is included in v245-rc1:
 https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2

 Thanks,
 --
 Riccardo Schirone
 Red Hat -- Product Security
 Email: [email protected]
 PGP-Key ID: CF96E110
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/4594>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
-- 
http://lists.linuxfromscratch.org/listinfo/lfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
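
The lifetime problem described in the quoted advisory, as an added toy model (not systemd code and not the upstream patch; all names here are hypothetical). It compares a resumed handler that reuses its saved userdata with one that looks the object up again by key, a general defensive pattern:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Short-lived object cache, flushed whenever the bus goes idle. Slots are
 * static and only flagged as freed, so the stale access can be observed
 * here without undefined behaviour. */
#define SLOTS 4
struct obj { bool live; unsigned id; };
static struct obj cache[SLOTS];

static struct obj *cache_find(unsigned id) {
    for (size_t i = 0; i < SLOTS; i++)
        if (cache[i].live && cache[i].id == id) return &cache[i];
    return NULL;
}
static struct obj *cache_add(unsigned id) {
    for (size_t i = 0; i < SLOTS; i++)
        if (!cache[i].live) { cache[i].live = true; cache[i].id = id; return &cache[i]; }
    return NULL;
}
static void bus_idle_flush(void) {           /* models freeing cached objects */
    for (size_t i = 0; i < SLOTS; i++) cache[i].live = false;
}

/* What the method handler remembers while the authorization is pending. */
struct pending { struct obj *userdata; unsigned id; };
enum outcome { RESUMED_OK, STALE_USERDATA, OBJECT_GONE };

/* Pattern from the advisory: the second call trusts the saved userdata.
 * With a real allocator, STALE_USERDATA is a use-after-free. */
static enum outcome resume_saved_pointer(const struct pending *p) {
    return p->userdata->live ? RESUMED_OK : STALE_USERDATA;
}
/* Defensive pattern: keep only the key and resolve it again on resume,
 * so a flushed object becomes a clean error path. */
static enum outcome resume_by_lookup(const struct pending *p) {
    return cache_find(p->id) ? RESUMED_OK : OBJECT_GONE;
}

static enum outcome simulate(bool slow_authorization, bool relookup) {
    bus_idle_flush();                         /* start from an empty cache */
    struct pending p = { cache_add(7), 7 };   /* first handler call */
    if (slow_authorization) bus_idle_flush(); /* bus idles before the reply */
    return relookup ? resume_by_lookup(&p) : resume_saved_pointer(&p);
}

int main(void) {
    printf("slow, saved pointer: %d\n", simulate(true, false));
    printf("slow, re-lookup:     %d\n", simulate(true, true));
    return 0;
}
```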
