Bug 1793979 (CVE-2019-20386)
| Summary: | CVE-2019-20386 systemd: memory leak in button_open() in login/logind-button.c when udev events are received | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | bmontgom, eparis, jburrell, jokerman, lnykryn, lpoetter, msekleta, nstielau, sponnaga, s, systemd-maint-list, systemd-maint, zbyszek, zjedrzej |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | systemd 243 | Doc Type: | If docs needed, set a value |
| Doc Text: | A memory leak was discovered in the systemd-login when a power-switch event is received. A physical attacker may trigger one of these events and leak bytes due to a missing free. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-09-29 21:59:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1793980, 1798503, 1798504 | ||
| Bug Blocks: | 1793981 | ||
|
Description
Marian Rehak
2020-01-22 12:31:14 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-30 [bug 1793980]

Statement:

The version of systemd delivered in OpenShift Container Platform 4.1 and included in CoreOS images has been superseded by the version delivered in Red Hat Enterprise Linux 8. CoreOS updates for systemd in will be consumed from Red Hat Enterprise Linux 8 channels.

In systemd v239 (-> means "is called from"):

logind-button.c:button_open()
-> logind-core.c:manager_process_button_device()
-> logind.c:manager_enumerate_buttons(): this function is called when logind is started, at the very beginning, to enumerate all the buttons available in the system;
-> logind.c:manager_dispatch_button_udev(): this function is called every time there is an event received by udev with the tag "power-switch" and subsystem "input";

Since this is only called when hardware is physically added or when udevadm trigger is called by root, it doesn't seem to be a big issue. Lowering severity appropriately.

I have lowered the Impact of this flaw to Low and adjusted the CVSSv3.1 score to 2.4/CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

Attack Vector is Physical (AV:P) because the only way to reach the button_open() function, after logind initialization, is through the manager_dispatch_button_udev() function which is called when a user physically does something that triggers a udev event (e.g. pressing the poweroff button, opening the lid, etc.).

Availability set to Low (A:L) because even when this happens, this just leaks some bytes but it would be hard to make logind crash. Moreover, an attacker that has physical access to a machine and wants to cause a Denial of Service, could just as well turn off the machine.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:4007 https://access.redhat.com/errata/RHSA-2020:4007

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20386

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4553 https://access.redhat.com/errata/RHSA-2020:4553
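The leak pattern described in the analysis above, reduced to a simplified model: an open routine that runs once at startup enumeration and again on every event, with and without the missing free. This is an added example, not systemd's code; `source_t`, `button_t`, both `button_open_*` variants and the counter are hypothetical, and the model assumes the same button object is re-opened on each event.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for illustration; not systemd's types. */
static int live_sources = 0;            /* allocations not yet freed */

typedef struct { int watching; } source_t;
typedef struct { source_t *src; } button_t;

static source_t *source_new(void) {
    source_t *s = calloc(1, sizeof *s);
    if (s) { s->watching = 1; live_sources++; }
    return s;
}

static source_t *source_free(source_t *s) {
    if (s) { free(s); live_sources--; }
    return NULL;
}

/* Leaky form: a repeated call overwrites b->src without releasing it. */
static int button_open_leaky(button_t *b) {
    b->src = source_new();
    return b->src ? 0 : -1;
}

/* Corrected form: release whatever an earlier call left behind first. */
static int button_open_fixed(button_t *b) {
    b->src = source_free(b->src);
    b->src = source_new();
    return b->src ? 0 : -1;
}

/* One open at startup enumeration, then one per simulated udev event.
 * Returns how many sources remain allocated after the button is closed. */
static int leaked_after(int (*open_fn)(button_t *), int events) {
    button_t b = { NULL };
    live_sources = 0;
    for (int i = 0; i <= events; i++)
        if (open_fn(&b) < 0) return -1;
    b.src = source_free(b.src);         /* normal teardown frees only the last one */
    return live_sources;
}

int main(void) {
    printf("leaky: %d leaked\n", leaked_after(button_open_leaky, 5));
    printf("fixed: %d leaked\n", leaked_after(button_open_fixed, 5));
    return 0;
}
```

In the model each event costs one small allocation, which matches the assessment above that the flaw leaks some bytes per event rather than crashing the daemon outright.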