Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#51035 - [systemd] local denial of service via zero-length message over notify socket
Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Thursday, 29 September 2016, 12:45 GMT
Last edited by Dave Reisner (falconindy) - Friday, 30 September 2016, 10:49 GMT
Details

Hi,

A security issue has been found [1] and widely discussed over the internet allowing a local, unprivileged user to cause a denial of service against pid 1. It has been successfully tested against our systemd version, and the fix [2] seems to apply cleanly against it, so I think it would be nice if we could backport it. A CVE number has been requested [3] but not assigned yet AFAIK.

Cheers,
Remi

[1]: https://github.com/systemd/systemd/issues/4234
[2]: https://github.com/systemd/systemd/commit/531ac2b2349da02acc9c382849758e07eb92b020
[3]: http://seclists.org/oss-sec/2016/q3/641
Closed by Dave Reisner (falconindy)
Friday, 30 September 2016, 10:49 GMT
Reason for closing: Fixed
Additional comments about closing: testing/systemd-231-2
https://github.com/systemd/systemd/pull/4242