Bug 1639071 - (CVE-2018-15686) CVE-2018-15686 systemd: Line splitting via fgets() allows for state injection during daemon-reexec
Status: ASSIGNED
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20181026,repor...
Keywords: Security
Depends On: 1641566 1643372 1643373
Blocks: 1639072
Reported: 2018-10-14 22:12 EDT by Sam Fowler
Modified: 2018-11-02 06:00 EDT (History)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that systemd is vulnerable to a state injection attack when deserializing the state of a service. Properties longer than LINE_MAX are not correctly parsed and an attacker may abuse this flaw in particularly configured services to inject, change, or corrupt the service state.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Sam Fowler 2018-10-14 22:12:59 EDT
systemd is vulnerable to line splitting via long lines read by fgets() in the unit_deserialize() function during daemon-reexec (e.g. during a package upgrade), allowing for state injection. Systemd services with `NotifyAccess != none` and malicious executables can exploit this vulnerability, resulting in corrupted process state.
Comment 1 Riccardo Schirone 2018-10-22 04:19:35 EDT
When systemd re-executes, the state is serialized and then deserialized after the re-execution. Function unit_deserialize() in file unit.c does not properly handle lines longer than LINE_MAX, and the content of a property longer than that is parsed as part of the serialized state, allowing an attacker to corrupt the state of the service (e.g. change the main-pid, control-pid, etc.).
Comment 2 Riccardo Schirone 2018-10-22 04:22:53 EDT
Systemd services with `NotifyAccess != none` can send a status message to systemd, which stores it in the `status-text` property and, in turn, it may trigger the vulnerability. However, this may not be the only way to exploit this flaw. Any other way to set a serialized property to a value longer than LINE_MAX may trigger the flaw as well.
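As an added illustration (not code from this bug report or from systemd), the fgets() line-splitting pattern described in comments 1 and 2, in a toy key=value deserializer with a 32-byte buffer: the vulnerable branch re-parses the tail of an overlong `status-text` value as a fresh `main-pid` record, while the hardened branch treats a chunk with no trailing newline as an overlong line and drops the whole record. The names `demo_state`, `parse_state` and `DEMO_LINE_MAX` are assumptions for the example, and the drain-and-discard fix is one defensive choice, not necessarily the upstream patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tiny line limit so the fgets() split is visible; systemd used LINE_MAX. */
#define DEMO_LINE_MAX 32

/* Constructed serialized state (not real systemd output): the status-text value
 * is longer than DEMO_LINE_MAX and its tail looks like another key=value record. */
static const char *demo_state =
    "main-pid=100\n"
    "status-text=AAAAAAAAAAAAAAAAAAAmain-pid=999\n"
    "n-ref=1\n";

/* Parse serialized text and return the last main-pid seen (-1 if none).
 * hardened == 0: fgets() returns an overlong line in chunks, so the tail of
 *                status-text is parsed as a new main-pid record.
 * hardened != 0: a chunk without a trailing '\n' means the line was longer than
 *                the buffer; the rest of that line is drained and ignored. */
long parse_state(const char *text, int hardened) {
    FILE *f = tmpfile();          /* ISO C stand-in for the state file */
    if (!f) return -1;
    fputs(text, f);
    rewind(f);

    char buf[DEMO_LINE_MAX];
    long main_pid = -1;
    while (fgets(buf, sizeof buf, f)) {
        char *nl = strchr(buf, '\n');
        if (nl) {
            *nl = '\0';
        } else if (hardened) {
            int c;
            while ((c = fgetc(f)) != EOF && c != '\n') ; /* drain the overlong line */
            continue;             /* drop the record rather than re-parse its tail */
        }
        if (strncmp(buf, "main-pid=", 9) == 0)
            main_pid = strtol(buf + 9, NULL, 10);
        /* other keys (status-text, n-ref, ...) would be handled here */
    }
    fclose(f);
    return main_pid;
}

int main(void) {
    printf("vulnerable parser: main-pid=%ld\n", parse_state(demo_state, 0));
    printf("hardened parser:   main-pid=%ld\n", parse_state(demo_state, 1));
    return 0;
}
```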
Comment 5 Riccardo Schirone 2018-10-26 02:28:16 EDT
Patch currently under review at:
https://github.com/systemd/systemd/pull/10519
Comment 6 Riccardo Schirone 2018-10-26 02:31:30 EDT
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1643372]
Comment 8 Riccardo Schirone 2018-10-29 03:03:23 EDT
Acknowledgments:

Name: Ubuntu, Jann Horn (Google Project Zero)
Comment 9 Riccardo Schirone 2018-10-31 03:51:13 EDT
Upstream patch:
https://github.com/systemd/systemd/commit/9f1c81d80a435d15ca1bd536a6d043c18c81c047
