Opened 2 years ago
Closed 2 years ago
#15953 closed enhancement (fixed)
Generate security patch for systemd (CVE-2021-3997
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | elevated | Milestone: | 11.1 |
| Component: | BOOK | Version: | systemd |
| Severity: | normal | Keywords: | |
| Cc: |
Description
Qualys has released a security advisory for a new security vulnerability in systemd. This one has to do with systemd-tmpfiles.
I will deal with this after GNOME.
Hi all,
We discovered a minor denial of service (an uncontrolled recursion) in
systemd-tmpfiles, CVE-2021-3997; the Coordinated Release Date is today
(January 10, 2022), and a patch is now available at (many thanks to
Zbigniew Jedrzejewski-Szmek for working on this):
https://github.com/systemd/systemd/commit/55a89ea1b4088a6d84ba0bd3cd8e648bd51f1ebf
Below is a short write-up (which is part of a longer advisory that is
mostly unrelated to systemd and that we will publish at a later date):
========================================================================
CVE-2021-3997: Uncontrolled recursion in systemd's systemd-tmpfiles
========================================================================
[...]
We therefore looked into systemd-tmpfiles (which "creates, deletes, and
cleans up volatile and temporary files and directories") and discovered
a denial of service (an uncontrolled recursion): if we create thousands
of nested directories in /tmp, then "systemd-tmpfiles --remove" (when
executed as root at boot time) will call its rm_rf_children() function
recursively (on each nested directory) and will exhaust its stack and
crash. For example, on Ubuntu 21.04:
------------------------------------------------------------------------
$ cd /tmp
$ perl -e 'use strict;
for (my $i = 0; $i < (1<<15); $i++) {
mkdir "A", 0700 or die;
chdir "A" or die; }'
------------------------------------------------------------------------
Then, as root (warning: this command may delete important files and
directories in /tmp; it is normally executed at boot time only):
------------------------------------------------------------------------
# systemd-tmpfiles --remove
Segmentation fault (core dumped)
------------------------------------------------------------------------
We have not fully explored the implications of this vulnerability;
however, we noticed that:
- at boot time, systemd executes "systemd-tmpfiles --create --remove
--boot --exclude-prefix=/dev";
- systemd-tmpfiles first enters the "remove" phase, and subsequently
enters the "create" phase;
- but if systemd-tmpfiles crashes during the "remove" phase, then it
never enters the "create" phase;
- and it fails to create the files and directories (specified in
/usr/lib/tmpfiles.d/*.conf) that it should create at boot time;
- for example, on Ubuntu 21.04, systemd-tmpfiles fails to create the
directory /run/lock/subsys; but because /run/lock is world-writable,
attackers can create their own /run/lock/subsys; and because various
legacy packages and daemons write into /run/lock/subsys as root, the
attackers may create arbitrary files via symlinks in /run/lock/subsys.
Patch is available here: https://github.com/systemd/systemd/commit/55a89ea1b4088a6d84ba0bd3cd8e648bd51f1ebf
Change History (8)
comment:1 by , 2 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
follow-up: 3 comment:2 by , 2 years ago
follow-up: 4 comment:3 by , 2 years ago
Replying to Xi Ruoyao:
I suggest to add two more patches along with the security fix:
Sorry, should be in LFS ticket...
comment:4 by , 2 years ago
comment:5 by , 2 years ago
| Priority: | normal → elevated |
|---|
comment:7 by , 2 years ago
| Summary: | Generate security patch for systemd (CVE-2021-20316) → Generate security patch for systemd (CVE-2021-3997 |
|---|
comment:8 by , 2 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Note:
See TracTickets
for help on using tickets.
I suggest to add two more patches along with the security fix:
So we can drop the sed for getty@.service and CONFIG_DEFAULT_HOSTNAME note.