Hi,

Tl;DR: partial fixes for systemd issues pending upload, test packages at
usual location.

I've been working for the last two days on backporting the four pending
CVEs for systemd. Those are:

CVE-2018-1049   In systemd prior to 234 a race condition exists between .mount and ...
CVE-2018-15688  buffer overflow vulnerability in the dhcp6 client of systemd allows ...
CVE-2018-15686  A vulnerability in unit_deserialize of systemd allows an attacker to ...
CVE-2018-6954   systemd-tmpfiles in systemd through 237 mishandles symlinks present in ...

The first three were fairly easy to backport. CVE-2018-15686 required a
bit more work, but that was nothing compared to CVE-2018-6954.

The tmpfiles "fixes" are ... challenging, to put it mildly. The
implementation between jessie and sid varies quite a bit (no
ACL/subvolumes support, major API differences) so backporting the
changes is definitely non-trivial. I've been battling quilt and upstream
patchsets for hours now, and I can't see the end. Every time I go
through the "backport, compile, fix" cycle, I uncover a new thread of
code I need to backport upstream for the code to make sense.

So I'm giving up on this fix for now. It's just too huge. In comparison,
the fix for the previous tmpfiles security issue (CVE-2017-18078,
currently unfixed) was a breeze - I backported it in a few minutes,
thinking it would help resolve the fuzz for the next patches. Far from
it.

As a safety precaution, I had uploaded a test package to the usual
location before working on the tmpfiles work, here:

https://people.debian.org/~anarcat/debian/jessie-lts/

So I intend to upload *those* packages some time next week unless
otherwise noted.

An alternative to backporting the numerous tmpfiles patches from
upstream would be to backport *all* of tmpfiles.c itself from buster or
sid. Unfortunately, like many parts of systemd, it's not exactly
standalone and would imply significant behavior changes, although we
could remove the extra functionality introduced in the later releases
and focus on the pieces already present in jessie. I believe that it
would be the simplest and safest way to approach this, because
backporting the patches themselves is a complete nightmare: upstream is
constantly going back and forth in critical API changes (like passing a
fd or path) which makes it near impossible to settle on a target across
releases.

I must also admit that it doesn't help that I'm doing this only with
quilt, as opposed to cherry-picking upstream patches through
git. Unfortunately, even that is a significant challenge: the complete
tmpfiles fix is in #8822, which is a whopping 26 commits, rewriting most
of tmpfiles.c functions and doing a significant refactoring of
everything.

Now if you'll excuse me I'll go out enjoy this beautiful snow and nurse
that damaged brain of mine for sunnier days. ;)

A.

-- 
They say that time changes things, but you actually have to change
them yourself.           - Andy Warhol
