An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. Upstream Fix: https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad
Created systemd tracking bugs for this issue: Affects: fedora-30 [bug 1793980]
Statement: The version of systemd delivered in OpenShift Container Platform 4.1 and included in CoreOS images has been superseded by the version delivered in Red Hat Enterprise Linux 8. CoreOS updates for systemd will be consumed from Red Hat Enterprise Linux 8 channels.
In systemd v239 (-> means "is called from"):

logind-button.c:button_open()
  -> logind-core.c:manager_process_button_device()
    -> logind.c:manager_enumerate_buttons(): this function is called when logind is started, at the very beginning, to enumerate all the buttons available in the system;
    -> logind.c:manager_dispatch_button_udev(): this function is called every time there is an event received by udev with the tag "power-switch" and subsystem "input".
Since this is only called when hardware is physically added or when udevadm trigger is called by root, it doesn't seem to be a big issue. Lowering severity appropriately.
I have lowered the Impact of this flaw to Low and adjusted the CVSSv3.1 score to 2.4/CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. Attack Vector is Physical (AV:P) because the only way to reach the button_open() function, after logind initialization, is through the manager_dispatch_button_udev() function which is called when a user physically does something that triggers a udev event (e.g. pressing the poweroff button, opening the lid, etc.). Availability set to Low (A:L) because even when this happens, this just leaks some bytes but it would be hard to make logind crash. Moreover, an attacker that has physical access to a machine and wants to cause a Denial of Service, could just as well turn off the machine.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4007 https://access.redhat.com/errata/RHSA-2020:4007
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20386
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4553 https://access.redhat.com/errata/RHSA-2020:4553