Bug 859104 (CVE-2013-4393)

Summary: CVE-2013-4393 systemd: Possibility of denial of logging service by processing native messages from file
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fweimer, lpoetter, meissner, security-response-team, zbyszek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-03 18:58:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 859151    

Description Jan Lieskovsky 2012-09-20 14:47:35 UTC 
A possibility for denial of loggin service was found in the way journald functionality of systemd, a system and service manager, processed native messages when file was chosen as their origin. A local attacker could use this flaw to provide a specially-crafted file descriptor, leading the journald file read process to block, resultingin portion of subsequent native messages intended to be logged to be ignored.

Issue found by Florian Weimer, Red Hat Product Security Team
Comment 1 Jan Lieskovsky 2012-09-20 14:50:13 UTC 
This issue affects the version of the systemd package, as shipped with Fedora release of 17.

--

This issue did NOT affect the version of the systemd package, as shipped with Fedora release of 16.
Comment 2 Vincent Danen 2013-10-01 22:51:01 UTC 
Acknowledgements:

This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
Comment 3 Vincent Danen 2013-10-01 22:51:39 UTC 
This issue was assigned CVE-2013-4393:

http://www.openwall.com/lists/oss-security/2013/10/01/9
Comment 4 Marcus Meissner 2013-11-22 11:01:49 UTC 
do you know where this happens? and was this fixed in the meantime?
Comment 5 Marcus Meissner 2013-11-22 11:32:14 UTC 
after some digging it is probably in src/journal/journal-native.c:


http://cgit.freedesktop.org/systemd/systemd/commit/src/journal/journald-native.c?id=1dfa7e79a60de680086b1d93fcc3629b463f58bd

(+ stddef.h one
http://cgit.freedesktop.org/systemd/systemd/commit/src/journal/journald-native.c?id=4871690d9e32608bbd9b18505b5326c2079c9690
)

and perhaps some more of those fixes
Comment 6 Zbigniew Jędrzejewski-Szmek 2013-12-03 18:58:08 UTC 
This bug is fixed in F >= 18.
Comment 7 Florian Weimer 2014-04-23 15:54:15 UTC 
(In reply to Marcus Meissner from comment #5)
> after some digging it is probably in src/journal/journal-native.c:
> 
> 
> http://cgit.freedesktop.org/systemd/systemd/commit/src/journal/journald-
> native.c?id=1dfa7e79a60de680086b1d93fcc3629b463f58bd

Yes, that's right.  Sorry for the confusion.