[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
This bug was fixed in the package systemd - 229-4ubuntu11

---
systemd (229-4ubuntu11) xenial; urgency=medium

  * 73-usb-net-by-mac.rules: Split kernel command line import line.
    Reportedly this makes the rule actually work on some platforms. Thanks Alp Toker! (LP: #1593379)
  * fsckd: Do not exit on idle timeout if there are still clients connected (Closes: #788050, LP: #1547844)
  * libnss-*.prerm: Remove possible [key=value] options from NSS modules as well. (LP: #1625584)
  * Backport networkd 231. Compared to 229 this has a lot of fixes, some of which we need for good netplan support. Backporting them individually would be a lot more work and a lot less robust, and we did not use/support networkd in 16.04 so far. Drop the other network related patches as they are included in this backport now. (LP: #1627641)
  * debian/tests/networkd: Re-enable the DHCPv6 tests. The DHCPv6 behaviour is fixed with the above backport now.
  * pid1: process zero-length notification messages again. Just remove the assertion, the "n" value was not used anyway. This fixes a local DoS due to unprocessed/unclosed fds which got introduced by the previous fix. (LP: #1628687)
  * pid1: Robustify manager_dispatch_notify_fd(). If manager_dispatch_notify_fd() fails and returns an error then the handling of service notifications will be disabled entirely leading to a compromised system. (side issue of LP: #1628687)

 -- Martin Pitt  Tue, 04 Oct 2016 21:43:04 +0200

** Changed in: systemd (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over notify socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628687/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
I verified that with the -proposed version you cannot create orphaned notify FDs any more in pid 1 using the test case I just added.

** Description changed:

  Environment:

  Xenial 16.04.1
  Amd64

  Description.

  Systemd fails an assertion in manager_invoke_notify_message when a zero-length message is received over /run/systemd/notify. This allows a local user to perform a denial-of-service attack against PID 1.

  How to trigger the bug:

  $ while true; do NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""; done

  The following entries are written into /var/log/syslog, at this point systemd is crashed.

  Sep 28 20:57:20 ubuntu systemd[1]: Started User Manager for UID 1000.
  Sep 28 20:57:28 ubuntu systemd[1]: Assertion 'n > 0' failed at ../src/core/manager.c:1501, function manager_invoke_notify_message(). Aborting.
  Sep 28 20:57:29 ubuntu systemd[1]: Caught , dumped core as pid 1307.
  Sep 28 20:57:29 ubuntu systemd[1]: Freezing execution.

+ Public bug: https://github.com/systemd/systemd/issues/4234

- Public bug: https://github.com/systemd/systemd/issues/4234
+ The original USN/security fix in
+ https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu10 introduced
+ another local DoS due to fd exhaustion:
+
+ NOTIFY_SOCKET=/run/systemd/notify python3 -c 'from systemd import
+ daemon; daemon.notify("", fds=[0]*100)'
+
+ Run this a few times and watch "sudo ls -l /proc/1/fd" grow.

** Tags removed: verification-needed
** Tags added: verification-done

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
Hello Jorge, or anyone else affected,

Accepted systemd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: systemd (Ubuntu Xenial)
       Status: In Progress => Fix Committed

** Tags added: verification-needed

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
> Martin, if you can point me at the xenial branch, we can push this through the security pocket.

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=ubuntu-xenial=1aa1f84c (this just cleans up the original -security update to still work with gbp pq)
https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=ubuntu-xenial=a80398c79
https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=ubuntu-xenial=0f6614488

I'm fine with landing this as part of the next SRU (I'll get it into -proposed today). A local DoS (the original and this new one) isn't particularly exciting after all. If you rather want to handle this as a security update, then you can grab these three patches, and I'll rebase the branch/re-do the SRU again.

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
Martin, if you can point me at the xenial branch, we can push this through the security pocket. I wanted to wait and see if there were any further issues addressed (and to not release an update on a Friday).

Thanks!

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
I added the two patches to the xenial branch, and will test/upload the SRU tomorrow.

** Changed in: systemd (Ubuntu Xenial)
     Assignee: (unassigned) => Martin Pitt (pitti)

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7795

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
** Changed in: systemd
       Status: New => Fix Released

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
This bug was fixed in the package systemd - 231-9

---
systemd (231-9) unstable; urgency=medium

  * pid1: process zero-length notification messages again. Just remove the assertion, the "n" value was not used anyway. This fixes a local DoS due to unprocessed/unclosed fds which got introduced by the previous fix. (Closes: #839171) (LP: #1628687)
  * pid1: Robustify manager_dispatch_notify_fd()
  * test/networkd-test.py: Add missing writeConfig() helper function.

 -- Martin Pitt  Thu, 29 Sep 2016 23:39:24 +0200

** Changed in: systemd (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
For a follow-up xenial -security update we need:

https://github.com/systemd/systemd/commit/8523bf7dd5
https://github.com/systemd/systemd/commit/9987750e7

which I just cherry-picked into the Debian packaging tree (for yakkety too):

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=64196d509b
https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=c172afdd2

** Changed in: systemd (Ubuntu Yakkety)
       Status: In Progress => Fix Committed

** Changed in: systemd (Ubuntu Yakkety)
     Assignee: (unassigned) => Martin Pitt (pitti)

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
That initial fix just changed a DoS through assert() into a DoS through fd exhaustion. This is being handled in https://github.com/systemd/systemd/pull/4242 . Please let's handle this upstream first and not put out another USN in haste -- after all, this is just a local DoS, so far from being a catastrophe (you can DoS the machine as user in lots of other ways).

** Changed in: systemd (Ubuntu Xenial)
       Status: Fix Released => In Progress

** Changed in: systemd (Ubuntu Yakkety)
       Status: Fix Committed => In Progress

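The fd-exhaustion failure mode this message describes, reduced to a self-contained receiver on a socketpair; this is an added example, not code from the thread or from systemd. The names `recv_notify`, `leaked_after_empty_message` and `NFDS`, and the socketpair standing in for /run/systemd/notify, are assumptions made for the illustration.

```c
/* Added illustration; function names are hypothetical, not systemd's code. */
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define NFDS 5 /* descriptors attached to the test datagram (constructed) */
typedef union { struct cmsghdr align; char b[CMSG_SPACE(sizeof(int) * NFDS)]; } ctl_buf;

static int count_open_fds(void) {
    int n = 0;
    for (int fd = 0; fd < 256; fd++) /* a small range is enough here */
        if (fcntl(fd, F_GETFD) != -1) n++;
    return n;
}

/* Receive one datagram; return how many passed fds were closed, -1 on error.
 * early_return=1 models the interim fix discussed in the thread: return on
 * n == 0 before the SCM_RIGHTS descriptors have been released. */
static int recv_notify(int sock, int early_return) {
    char buf[256]; ctl_buf ctl;
    struct iovec iov = { .iov_base = buf, .iov_len = sizeof buf };
    struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1,
                         .msg_control = ctl.b, .msg_controllen = sizeof ctl.b };
    int closed = 0;
    ssize_t n = recvmsg(sock, &mh, 0);
    if (n < 0) return -1;
    if (n == 0 && early_return) return 0; /* fds already installed: leak */
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&mh); c; c = CMSG_NXTHDR(&mh, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        size_t cnt = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        int *fds = (int *) CMSG_DATA(c);
        for (size_t i = 0; i < cnt; i++, closed++) close(fds[i]);
    }
    return closed; /* the empty payload itself is simply ignored */
}

/* Send one zero-length datagram carrying NFDS descriptors over a socketpair;
 * return how many descriptors the receiver is left holding, -1 on error. */
static int leaked_after_empty_message(int early_return) {
    int sp[2], before, leaked = -1;
    ctl_buf ctl;
    struct iovec iov = { .iov_base = "", .iov_len = 0 };
    struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1,
                         .msg_control = ctl.b, .msg_controllen = sizeof ctl.b };
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sp) < 0) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&mh);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int) * NFDS);
    for (int i = 0; i < NFDS; i++) ((int *) CMSG_DATA(c))[i] = sp[0]; /* any open fd */
    before = count_open_fds();
    if (sendmsg(sp[0], &mh, 0) >= 0 && recv_notify(sp[1], early_return) >= 0)
        leaked = count_open_fds() - before;
    close(sp[0]); close(sp[1]);
    return leaked;
}

int main(void) { return leaked_after_empty_message(0) == 0 ? 0 : 1; }
```

With `early_return` set, each empty datagram leaves NFDS descriptors open in the receiver, which is the same growth the thread observes under /proc/1/fd.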
[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
** Changed in: systemd (Ubuntu Yakkety)
       Status: Confirmed => Fix Committed

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
** Changed in: systemd
       Status: Unknown => New

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
This bug was fixed in the package systemd - 229-4ubuntu10

---
systemd (229-4ubuntu10) xenial-security; urgency=medium

  * SECURITY UPDATE: zero-length notify message triggers abort/denial of service
    - systemd-dont_assert_on_zero_length_message-lp1628687.patch: change assert to simple return + log (LP: #1628687)
    - Thanks to Jorge Niedbalski for the patch.

 -- Steve Beattie  Wed, 28 Sep 2016 14:21:42 -0700

** Changed in: systemd (Ubuntu Xenial)
       Status: Confirmed => Fix Released

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
FYI, I've pushed xenial and yakkety systemd packages with Jorge's proposed fix from https://github.com/systemd/systemd/pull/4237 in the ubuntu-security-proposed ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ for people to test.

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
** Bug watch added: github.com/systemd/systemd/issues #4234
   https://github.com/systemd/systemd/issues/4234

** Also affects: systemd via
   https://github.com/systemd/systemd/issues/4234
   Importance: Unknown
       Status: Unknown

** Changed in: systemd (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: systemd (Ubuntu Yakkety)
   Importance: Undecided => High

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
** Information type changed from Public to Public Security

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
CVE request: http://www.openwall.com/lists/oss-security/2016/09/28/9

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
** Also affects: systemd (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: systemd (Ubuntu Yakkety)
   Importance: Undecided
       Status: Confirmed

** Changed in: systemd (Ubuntu Xenial)
       Status: New => Confirmed

[Bug 1628687] Re: Assertion failure when PID 1 receives a zero-length message over notify socket
** Changed in: systemd (Ubuntu)
       Status: New => Confirmed