Opened 3 years ago

Closed 3 years ago

#11367 closed enhancement (fixed)

Update systemd to the stable backports used in LFS

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 8.4
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

Update systemd to the stable backports as used in LFS.

Change History (3)

comment:1 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 3 years ago

{{{
Workaround
==========

- CVE-2018-15688

Disable IPv6 by setting either LinkLocalAddressing=ipv4 or
LinkLocalAddressing=no in the corresponding network configuration file.

Description
===========

- CVE-2018-15686 (privilege escalation)

A security issue has been found in systemd up to and including 239,
where the use of fgets() allows an attacker to escalate privilege via a
crafted service with NotifyAccess.

- CVE-2018-15687 (privilege escalation)

A security issue has been found in systemd up to and including 239,
where a race condition in the chown_one() function can be used to
escalate privileges via a crafted symlink.

- CVE-2018-15688 (arbitrary code execution)

An out-of-bounds write has been found in the dhcpv6 option handing code
of systemd-networkd up to and including v239.

It was discovered that systemd-network does not correctly keep track of
a buffer size  in the dhcp6_option_append_ia() function, when
constructing DHCPv6 packets. This flaw may lead to an integer underflow
that can be used to produce an heap-based buffer overflow. A malicious
host on the same network segment as the victim's one may advertise
itself as a DHCPv6 server and exploit this flaw to cause a Denial of
Service or potentially gain code execution on the victim's machine. The
overflow can be triggered relatively easy by advertising a DHCPv6
server with a server-id >= 493 characters long.

Impact
======

A remote attacker is able to cause arbitrary code execution by
advertising itself as a DHCPv6 server with a specially crafted server-
id. A local attacker can escalate privileges with a specially crafted
service or a crafted symlink.

}}}

comment:3 by DJ Lucas, 3 years ago

Resolution: fixed
Status: assignedclosed

Fixed in r20739.

Note: See TracTickets for help on using tickets.