It was discovered that systemd is vulnerable to a state injection attack when deserializing the state of a service. Properties longer than LINE_MAX are not correctly parsed and an attacker may abuse this flaw in particularly configured services to inject, change, or corrupt the service state.
systemd is vulnerable to line splitting via long lines read by fgets() in the unit_deserialize() function during daemon-reexec (e.g. during a package upgrade), allowing for state injection. Systemd services with `NotifyAccess != none` that run a malicious executable can exploit this vulnerability, resulting in corrupted process state.
When systemd re-executes, the state is serialized and then deserialized after the re-execution. Function unit_deserialize() in file unit.c does not properly handle lines longer than LINE_MAX: the remainder of a property value longer than that is parsed as a further line of the serialized state, allowing an attacker to corrupt the state of the service (e.g. change the main-pid, control-pid, etc.).
Systemd services with `NotifyAccess != none` can send a status message to systemd, which stores it in the `status-text` property and, in turn, it may trigger the vulnerability. However, this may not be the only way to exploit this flaw. Any other way to set a serialized property to a value longer than LINE_MAX may trigger the flaw as well.
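The following is an added illustration of the parsing defect described above, not systemd's code or its patch. A small buffer stands in for LINE_MAX, the serialized state is a constructed sample, and the hardened branch (reject a truncated read and discard the rest of the physical line) is a simplified mitigation chosen for the example:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tiny stand-in for LINE_MAX so the split is visible with short input. */
#define DEMO_LINE_MAX 16

/* Constructed serialized state: one legitimate "main-pid" record followed
   by a "status-text" value longer than the read buffer. The text beyond
   the truncation point looks like a "main-pid" record of its own. */
static const char *demo_state =
    "main-pid=7\n"
    "status-text=xxxmain-pid=4242\n";

/* Parse "key=value" lines from blob and return the last main-pid seen
   (-1 if none). With drain_long_lines == 0 a line that does not fit in the
   buffer is silently split: fgets() returns its first part, and the next
   call returns the remainder as if it were a fresh line (the behaviour
   behind the unit_deserialize() flaw). With drain_long_lines != 0 a
   truncated read is rejected and the rest of that physical line skipped. */
static int parse_main_pid(const char *blob, int drain_long_lines) {
    FILE *f = fmemopen((void *)blob, strlen(blob), "r");
    char line[DEMO_LINE_MAX];
    int main_pid = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        size_t len = strlen(line);
        int complete = len > 0 && line[len - 1] == '\n';
        if (!complete && drain_long_lines) {
            int c;
            while ((c = fgetc(f)) != EOF && c != '\n')
                ; /* discard the remainder of the overlong line */
            continue;
        }
        if (complete)
            line[len - 1] = '\0';
        char *eq = strchr(line, '=');
        if (!eq)
            continue;
        *eq = '\0';
        if (strcmp(line, "main-pid") == 0)
            main_pid = atoi(eq + 1);
    }
    fclose(f);
    return main_pid;
}

int main(void) {
    printf("naive parser:    main-pid=%d\n", parse_main_pid(demo_state, 0));
    printf("hardened parser: main-pid=%d\n", parse_main_pid(demo_state, 1));
    return 0;
}
```

The naive parser ends up with main-pid 4242, taken from inside the status-text value, while the hardened parser keeps the legitimate value 7.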
Patch currently under review at:
Created systemd tracking bugs for this issue:
Affects: fedora-all [bug 1643372]
Name: Ubuntu, Jann Horn (Google Project Zero)
By when shall we expect the official release?