Bug 1380286 - (CVE-2016-7795) CVE-2016-7795 systemd: Assertion failure when PID 1 receives a zero-length message over notify socket
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
: Security
Depends On: 1380175 1380287 1381573 1382284
Blocks: 1380288
Reported: 2016-09-29 04:22 EDT by Adam Mariš
Modified: 2017-01-29 15:30 EST
Doc Text:
A flaw was found in the way systemd handled empty notification messages. A local attacker could use this flaw to make systemd freeze its execution, preventing further management of system services, system shutdown, or zombie process collection via systemd.
Last Closed: 2016-11-09 16:02:54 EST


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 2678711 | None | None | None | 2016-10-03 03:18 EDT
Red Hat Product Errata | RHSA-2016:2610 | normal | SHIPPED_LIVE | Moderate: systemd security and bug fix update | 2016-11-03 11:50:26 EDT
Red Hat Product Errata | RHSA-2016:2694 | normal | SHIPPED_LIVE | Moderate: systemd security and bug fix update | 2016-11-09 16:48:16 EST

Description Adam Mariš 2016-09-29 04:22:54 EDT
It was found that systemd fails an assertion in manager_invoke_notify_message when a zero-length message is received over its notification socket. After failing the assertion, PID 1 hangs in the pause system call, making it no longer possible to start and stop daemons or cleanly reboot the system. Inetd-style services managed by systemd no longer accept connections.

Since the notification socket, /run/systemd/notify, is world-writable, this allows a local user to perform a denial-of-service attack against systemd.


NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

Upstream bug report:


CVE request:
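
Added example, not part of the original report and not systemd's code: a minimal C model of the failure described above, in which a receiver rejects only negative lengths, so a zero-length datagram reaches a handler whose contract is n > 0. The names handle_message, dispatch and run_case and the READY=1 sample payload are assumptions for illustration, and the datagrams travel over a private socketpair rather than a real notify socket.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum outcome { OUT_ERROR = -1, OUT_EMPTY_IGNORED, OUT_HANDLED, OUT_ASSERT_TRIPPED };

/* Stand-in for a handler whose contract is n > 0 (hypothetical name). Real code
 * would assert(n > 0) and abort; here the violated contract is only reported. */
static enum outcome handle_message(const char *buf, ssize_t n) {
    (void) buf;
    return n > 0 ? OUT_HANDLED : OUT_ASSERT_TRIPPED;
}

/* Receive one datagram. With guard_empty == 0 only n < 0 is rejected, so a
 * zero-length datagram reaches the handler; with guard_empty != 0 it is dropped. */
static enum outcome dispatch(int fd, int guard_empty) {
    char buf[256];
    ssize_t n = recv(fd, buf, sizeof buf, 0);
    if (n < 0)
        return OUT_ERROR;
    if (n == 0 && guard_empty)   /* on SOCK_DGRAM, 0 is a valid empty message */
        return OUT_EMPTY_IGNORED;
    return handle_message(buf, n);
}

/* Send len bytes as one datagram over a private socketpair (constructed input,
 * no real notify socket involved) and return what the dispatcher decided. */
static enum outcome run_case(const char *msg, size_t len, int guard_empty) {
    int sv[2];
    enum outcome r = OUT_ERROR;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return OUT_ERROR;
    if (send(sv[0], msg, len, 0) >= 0)
        r = dispatch(sv[1], guard_empty);
    close(sv[0]);
    close(sv[1]);
    return r;
}

int main(void) {
    printf("empty, no guard:   %d\n", run_case("", 0, 0));
    printf("empty, guarded:    %d\n", run_case("", 0, 1));
    printf("READY=1, guarded:  %d\n", run_case("READY=1", 7, 1));
    return 0;
}
```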

Comment 1 Adam Mariš 2016-09-29 04:23:33 EDT
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1380287]
Comment 3 Tomas Hoger 2016-09-29 06:55:19 EDT
This fix was applied upstream:


Upstream bug also indicates that the problem was likely introduced via this change, added in v219:

Comment 7 Tomas Hoger 2016-09-30 09:11:23 EDT
Additional upstream fixes:


The second commit reverts the original fix linked in comment 3.
Comment 9 Andrej Nemec 2016-10-03 03:26:58 EDT

Comment 12 Tomas Hoger 2016-10-05 07:49:12 EDT
CVE-2016-7796 was moved to a separate bug 1381911, as those CVEs affect different systemd versions. Only the fix for CVE-2016-7796 makes the assert causing CVE-2016-7795 reachable.
Comment 14 errata-xmlrpc 2016-11-04 04:55:43 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2610 https://rhn.redhat.com/errata/RHSA-2016-2610.html
Comment 15 errata-xmlrpc 2016-11-09 11:49:13 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2016:2694 https://rhn.redhat.com/errata/RHSA-2016-2694.html
