Bug 1084286

Summary: systemd: Stack-based buffer overflow in systemd-ask-password
Product: [Other] Security Response
Component: vulnerability
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: johannbg, jrusnack, lnykryn, mguzik, msekleta, nouveau, pfrields, plautrba, skottler, systemd-maint-list, systemd-maint, vpavlin, zbyszek
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-05-12 04:44:04 UTC
Bug Blocks: 1083378

Description Huzaifa S. Sidhpurwala 2014-04-04 05:20:15 UTC
A stack-based buffer overflow was found in systemd-ask-password, a utility used to query a system password or passphrase from the user, using a question message specified on the command line. A local user could use this flaw to crash the binary or even execute arbitrary code with the permissions of the user running the program.

This issue is fixed upstream via the following commit:

http://cgit.freedesktop.org/systemd/systemd/commit/?id=036eeac5a1799fa2c0ae11a14d8c667b5d303189

Comment 1 Huzaifa S. Sidhpurwala 2014-04-04 05:33:56 UTC
References:

https://www.mail-archive.com/systemd-devel@lists.freedesktop.org/msg16595.html

Comment 3 Roy 2014-04-08 08:51:53 UTC
*** Bug 1085120 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2014-04-14 22:40:10 UTC
systemd-208-16.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Huzaifa S. Sidhpurwala 2014-05-12 04:42:50 UTC
After investigation it seems that the only impact of this flaw is a crash of the "systemd-ask-password" utility. Systemd does not use this utility in any way which could result in privilege escalation or any other form of exploitation.

The Red Hat Security Response Team does not consider this issue to be a security flaw.

Comment 7 Huzaifa S. Sidhpurwala 2014-05-12 04:44:04 UTC
Statement:

Red Hat does not consider a user assisted client crash such as this to be a security flaw. For more details please refer to https://bugzilla.redhat.com/show_bug.cgi?id=1084286#c6