Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#11670 closed enhancement (fixed)

systemd-241

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: normal Milestone: 9.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New version

As a result of backwards-incompatible changes, a hard reqirement on kernel 4.19.x or later, and the fact that we are so close to freeze, I'm holding on this until directly after 8.4 releases.


🎆 A new, official systemd release has just 🎉 been 🎊 tagged 🍾. Please download the tarball here:

        https://github.com/systemd/systemd/archive/v241.tar.gz

Changes since the previous release:

        * The default locale can now be configured at compile time. Otherwise,
          a suitable default will be selected automatically (one of C.UTF-8,
          en_US.UTF-8, and C).

        * The version string shown by systemd and other tools now includes the
          git commit hash when built from git. An override may be specified
          during compilation, which is intended to be used by distributions to
          include the package release information.

        * systemd-cat can now filter standard input and standard error streams
          for different syslog priorities using the new --stderr-priority=
          option.

        * systemd-journald and systemd-journal-remote reject entries which
          contain too many fields (CVE-2018-16865) and set limits on the
          process' command line length (CVE-2018-16864).

        * $DBUS_SESSION_BUS_ADDRESS environment variable is set by pam_systemd
          again.

        * A new network device NamePolicy "keep" is implemented for link files,
          and used by default in 99-default.link (the fallback configuration
          provided by systemd). With this policy, if the network device name
          was already set by userspace, the device will not be renamed again.
          This matches the naming scheme that was implemented before
          systemd-240. If naming-scheme < 240 is specified, the "keep" policy
          is also enabled by default, even if not specified. Effectively, this
          means that if naming-scheme >= 240 is specified, network devices will
          be renamed according to the configuration, even if they have been
          renamed already, if "keep" is not specified as the naming policy in
          the .link file. The 99-default.link file provided by systemd includes
          "keep" for backwards compatibility, but it is recommended for user
          installed .link files to *not* include it.

          The "kernel" policy, which keeps kernel names declared to be
          "persistent", now works again as documented.

        * kernel-install script now optionally takes the paths to one or more
          initrd files, and passes them to all plugins.

        * The mincore() system call has been dropped from the @system-service
          system call filter group, as it is pretty exotic and may potentially
          used for side-channel attacks.

        * -fPIE is dropped from compiler and linker options. Please specify
          -Db_pie=true option to meson to build position-independent
          executables. Note that the meson option is supported since meson-0.49.

        * The fs.protected_regular and fs.protected_fifos sysctls, which were
          added in Linux 4.19 to make some data spoofing attacks harder, are
          now enabled by default. While this will hopefully improve the
          security of most installations, it is technically a backwards
          incompatible change; to disable these sysctls again, place the
          following lines in /etc/sysctl.d/60-protected.conf or a similar file:

              fs.protected_regular = 0
              fs.protected_fifos = 0

          Note that the similar hardlink and symlink protection has been
          enabled since v199, and may be disabled likewise.

        * The files read from the EnvironmentFile= setting in unit files now
          parse backslashes inside quotes literally, matching the behaviour of
          POSIX shells.

        * udevadm trigger, udevadm control, udevadm settle and udevadm monitor
          now automatically become NOPs when run in a chroot() environment.

        * The tmpfiles.d/ "C" line type will now copy directory trees not only
          when the destination is so far missing, but also if it already exists
          as a directory and is empty. This is useful to cater for systems
          where directory trees are put together from multiple separate mount
          points but otherwise empty.

        * A new function sd_bus_close_unref() (and the associated
          sd_bus_close_unrefp()) has been added to libsystemd, that combines
          sd_bus_close() and sd_bus_unref() in one.

        * udevadm control learnt a new option for --ping for testing whether a
          systemd-udevd instance is running and reacting.

        Contributions from: Aaron Plattner, Alberts Muktupāvels, Alex Mayer,
        Ayman Bagabas, Beniamino Galvani, Burt P, Chris Down, Chris Lamb, Chris
        Morin, Christian Hesse, Claudius Ellsel, dana, Daniel Axtens, Daniele
        Medri, Dave Reisner, David Santamaría Rogado, Diego Canuhe, Dimitri
        John Ledkov, Evgeny Vereshchagin, Fabrice Fontaine, Filipe
        Brandenburger, Franck Bui, Frantisek Sumsal, govwin, Hans de Goede,
        James Hilliard, Jan Engelhardt, Jani Uusitalo, Jan Janssen, Jan
        Synacek, Jonathan McDowell, Jonathan Roemer, Jonathon Kowalski, Joost
        Heitbrink, Jörg Thalheim, Lance, Lennart Poettering, Louis Taylor,
        Lucas Werkmeister, Mantas Mikulėnas, Marc-Antoine Perennou,
        marvelousblack, Michael Biebl, Michael Sloan, Michal Sekletar, Mike
        Auty, Mike Gilbert, Mikhail Kasimov, Neil Brown, Niklas Hambüchen,
        Patrick Williams, Paul Seyfert, Peter Hutterer, Philip Withnall, Roger
        James, Ronnie P. Thomas, Ryan Gonzalez, Sam Morris, Stephan Edel,
        Stephan Gerhold, Susant Sahani, Taro Yamada, Thomas Haller, Topi
        Miettinen, YiFei Zhu, YmrDtnJu, YunQiang Su, Yu Watanabe, Zbigniew
        Jędrzejewski-Szmek, zsergeant77, Дамјан Георгиевски

        — Berlin, 2018-02-14
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


Change History (6)

comment:1 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 3 years ago

Hey guys,

I've got a security patch for systemd and polkit.

systemd

TL;DR - remotely exploitable kernel panic by causing PID1 to crash

It was found that bus_process_object() in bus-objects.c allocates a buffer on the stack large enough to temporarily store the object path specified in the incoming message. A malicious unprivileged local user to send a message which results in the stack pointer moving outside of the bounds of the currently mapped stack region, jumping over the stack guard pages. A specifically crafted DBUS nessage could crash PID 1 and result in a subsequent kernel panic.

https://bugzilla.redhat.com/show_bug.cgi?id=1667032 https://www.openwall.com/lists/oss-security/2019/02/18/3 https://github.com/systemd/systemd/pull/11754 https://github.com/systemd/systemd/commit/612b74d32f970c43c14ad087ad086424792981b1

polkit TL;DR - Authentication Bypass

In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c.

https://gitlab.freedesktop.org/polkit/polkit/commit/c898fdf4b1aafaa04f8ada9d73d77c8bb76e2f81#0cf68d1183ea5299db7cd71b8377fa3d29e1a63e

Can I / should I break freeze for these said packages to generate patches? The systemd one will affect 241 as well when it's put in. The systemd patch will need to go into LFS as well. In addition, there are known issues for Gettext and File, but they're not remotely executable so I'm not sure that they need to be added (although they do permit file corruption / leakage and arbitrary code execution). There *is* one for OpenSSH that allows remote execution and authentication bypass over SCP though, but that's so far tagged that I'm not sure it's worth putting in. Either way, you can check Arch's CVE page for that OpenSSH one here: https://security.archlinux.org/CVE-2018-20685

comment:3 by Douglas R. Reno, 3 years ago

After consulting with Bruce on these, I've decided to file tickets and go ahead and take care of them. We want to make sure we release with as little known security vulnerabilities as possible.

For anyone who's curious as to where I've obtained a handful of them:

https://security.archlinux.org/

comment:4 by Douglas R. Reno, 3 years ago

Summary: systemd-241 (Hold until 8.5)systemd-241

I think the patch for the kernel panic will still be needed. I'll have to verify.

comment:5 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r21317

comment:6 by Bruce Dubbs, 3 years ago

Milestone: 8.59.0

Milestone renamed

Note: See TracTickets for help on using tickets.