id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
4981	Generate security patch for systemd (CVE-2021-20316)	Douglas R. Reno	Douglas R. Reno	"Qualys has released a security advisory for a new security vulnerability in systemd. This one has to do with systemd-tmpfiles. 

I will deal with this after GNOME.

{{{
Hi all,

We discovered a minor denial of service (an uncontrolled recursion) in
systemd-tmpfiles, CVE-2021-3997; the Coordinated Release Date is today
(January 10, 2022), and a patch is now available at (many thanks to
Zbigniew Jedrzejewski-Szmek for working on this):

https://github.com/systemd/systemd/commit/55a89ea1b4088a6d84ba0bd3cd8e648bd51f1ebf

Below is a short write-up (which is part of a longer advisory that is
mostly unrelated to systemd and that we will publish at a later date):

========================================================================
CVE-2021-3997: Uncontrolled recursion in systemd's systemd-tmpfiles
========================================================================

[...]

We therefore looked into systemd-tmpfiles (which ""creates, deletes, and
cleans up volatile and temporary files and directories"") and discovered
a denial of service (an uncontrolled recursion): if we create thousands
of nested directories in /tmp, then ""systemd-tmpfiles --remove"" (when
executed as root at boot time) will call its rm_rf_children() function
recursively (on each nested directory) and will exhaust its stack and
crash. For example, on Ubuntu 21.04:

------------------------------------------------------------------------
$ cd /tmp
$ perl -e 'use strict;
for (my $i = 0; $i < (1<<15); $i++) {
mkdir ""A"", 0700 or die;
chdir ""A"" or die; }'
------------------------------------------------------------------------

Then, as root (warning: this command may delete important files and
directories in /tmp; it is normally executed at boot time only):

------------------------------------------------------------------------
# systemd-tmpfiles --remove
Segmentation fault (core dumped)
------------------------------------------------------------------------

We have not fully explored the implications of this vulnerability;
however, we noticed that:

- at boot time, systemd executes ""systemd-tmpfiles --create --remove
  --boot --exclude-prefix=/dev"";

- systemd-tmpfiles first enters the ""remove"" phase, and subsequently
  enters the ""create"" phase;

- but if systemd-tmpfiles crashes during the ""remove"" phase, then it
  never enters the ""create"" phase;

- and it fails to create the files and directories (specified in
  /usr/lib/tmpfiles.d/*.conf) that it should create at boot time;

- for example, on Ubuntu 21.04, systemd-tmpfiles fails to create the
  directory /run/lock/subsys; but because /run/lock is world-writable,
  attackers can create their own /run/lock/subsys; and because various
  legacy packages and daemons write into /run/lock/subsys as root, the
  attackers may create arbitrary files via symlinks in /run/lock/subsys.
}}}

Patch is available here: [https://github.com/systemd/systemd/commit/55a89ea1b4088a6d84ba0bd3cd8e648bd51f1ebf]"	enhancement	closed	normal	11.1	Book	systemd	normal	fixed		
