This bug was fixed in the package systemd - 229-4ubuntu11

systemd (229-4ubuntu11) xenial; urgency=medium

  * 73-usb-net-by-mac.rules: Split kernel command line import line.
    Reportedly this makes the rule actually work on some platforms. Thanks
    Alp Toker! (LP: #1593379)
  * fsckd: Do not exit on idle timeout if there are still clients connected
    (Closes: #788050, LP: #1547844)
  * libnss-*.prerm: Remove possible [key=value] options from NSS modules as
    well. (LP: #1625584)
  * Backport networkd 231. Compared to 229 this has a lot of fixes, some of
    which we need for good netplan support. Backporting them individually
    would be a lot more work and a lot less robust, and we did not use/support
    networkd in 16.04 so far. Drop the other network related patches as they
    are included in this backport now. (LP: #1627641)
  * debian/tests/networkd: Re-enable the the DHCPv6 tests. The DHCPv6
    behaviour is fixed with the above backport now.
  * pid1: process zero-length notification messages again. Just remove the
    assertion, the "n" value was not used anyway. This fixes a local DoS due
    to unprocessed/unclosed fds which got introduced by the previous fix.
    (LP: #1628687)
  * pid1: Robustify manager_dispatch_notify_fd(). If
    manager_dispatch_notify_fd() fails and returns an error then the handling
    of service notifications will be disabled entirely leading to a
    compromised system. (side issue of LP: #1628687)

 -- Martin Pitt <>  Tue, 04 Oct 2016 21:43:04

** Changed in: systemd (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.

  Assertion failure when PID 1 receives a zero-length message over
  notify socket

Status in systemd:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Xenial:
  Fix Released
Status in systemd source package in Yakkety:
  Fix Released

Bug description:

  Xenial 16.04.1


  Systemd fails an assertion in manager_invoke_notify_message when a
  zero-length message is received over /run/systemd/notify. This allows
  a local user to perform a denial-of-service attack against PID 1.

  How to trigger the bug:

  $ while true; do NOTIFY_SOCKET=/run/systemd/notify systemd-notify "";

  The following entries are written into /var/log/syslog, at this point
  systemd is crashed.

  Sep 28 20:57:20 ubuntu systemd[1]: Started User Manager for UID 1000.
  Sep 28 20:57:28 ubuntu systemd[1]: Assertion 'n > 0' failed at 
../src/core/manager.c:1501, function manager_invoke_notify_message(). Aborting.
  Sep 28 20:57:29 ubuntu systemd[1]: Caught <ABRT>, dumped core as pid 1307.
  Sep 28 20:57:29 ubuntu systemd[1]: Freezing execution.

  Public bug:

  The original USN/security fix in introduced
  another local DoS due to fd exhaustion:

    NOTIFY_SOCKET=/run/systemd/notify python3 -c 'from systemd import
  daemon; daemon.notify("", fds=[0]*100)'

  Run this a few times and watch "sudo ls -l /proc/1/fd" grow.

To manage notifications about this bug go to:

Mailing list:
Post to     :
Unsubscribe :
More help   :

Reply via email to