FS#51035 - [systemd] local denial of service via zero-length message over notify socket

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Thursday, 29 September 2016, 12:45 GMT
Last edited by Dave Reisner (falconindy) - Friday, 30 September 2016, 10:49 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Dave Reisner (falconindy)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No



A security issue has been found [1] and widely discussed over the internet allowing a local, unprivileged user to cause a denial of service against pid 1.
It has been successfully tested against our systemd version, and the fix [2] seems to apply cleanly against it, so I think it would be nice if we could backport it.
A CVE number has been requested [3] but not assigned yet AFAIK.



[1]: https://github.com/systemd/systemd/issues/4234
[2]: https://github.com/systemd/systemd/commit/531ac2b2349da02acc9c382849758e07eb92b020
[3]: http://seclists.org/oss-sec/2016/q3/641

Closed by Dave Reisner (falconindy)
Friday, 30 September 2016, 10:49 GMT
Reason for closing: Fixed
Additional comments about closing: testing/systemd-231-2
Comment by Dave Reisner (falconindy) - Thursday, 29 September 2016, 18:55 GMT
The merged fix is purportedly buggy, and there's now another pull request pending:

Comment by Levente Polyak (anthraxx) - Friday, 30 September 2016, 10:03 GMT
The new pull request got merged into the tree, looks like it in fact is the better way :)