2016-09-28 20:59:25 |
Jorge Niedbalski |
bug |
|
|
added bug |
2016-09-28 20:59:49 |
Jorge Niedbalski |
tags |
|
sts |
|
2016-09-28 21:01:13 |
Emily Ratliff |
systemd (Ubuntu): status |
New |
Confirmed |
|
2016-09-28 21:27:26 |
Steve Beattie |
bug |
|
|
added subscriber Steve Beattie |
2016-09-28 21:32:25 |
Jorge Niedbalski |
nominated for series |
|
Ubuntu Z-series |
|
2016-09-28 21:32:25 |
Jorge Niedbalski |
nominated for series |
|
Ubuntu Xenial |
|
2016-09-28 21:32:25 |
Jorge Niedbalski |
nominated for series |
|
Ubuntu Yakkety |
|
2016-09-28 21:34:21 |
Steve Beattie |
bug task added |
|
systemd (Ubuntu Xenial) |
|
2016-09-28 21:35:20 |
Steve Beattie |
bug task added |
|
systemd (Ubuntu Yakkety) |
|
2016-09-28 21:36:22 |
Steve Beattie |
systemd (Ubuntu Xenial): status |
New |
Confirmed |
|
2016-09-28 22:38:27 |
Seth Arnold |
information type |
Public |
Public Security |
|
2016-09-29 05:34:13 |
Martin Pitt |
bug watch added |
|
https://github.com/systemd/systemd/issues/4234 |
|
2016-09-29 05:34:13 |
Martin Pitt |
bug task added |
|
systemd |
|
2016-09-29 05:34:32 |
Martin Pitt |
systemd (Ubuntu Xenial): importance |
Undecided |
High |
|
2016-09-29 05:34:34 |
Martin Pitt |
systemd (Ubuntu Yakkety): importance |
Undecided |
High |
|
2016-09-29 06:45:53 |
Launchpad Janitor |
systemd (Ubuntu Xenial): status |
Confirmed |
Fix Released |
|
2016-09-29 07:19:35 |
Bug Watch Updater |
systemd: status |
Unknown |
New |
|
2016-09-29 11:59:27 |
Martin Pitt |
systemd (Ubuntu Yakkety): status |
Confirmed |
Fix Committed |
|
2016-09-29 20:40:43 |
Martin Pitt |
systemd (Ubuntu Xenial): status |
Fix Released |
In Progress |
|
2016-09-29 20:41:04 |
Martin Pitt |
systemd (Ubuntu Yakkety): status |
Fix Committed |
In Progress |
|
2016-09-29 21:30:20 |
Martin Pitt |
systemd (Ubuntu Yakkety): status |
In Progress |
Fix Committed |
|
2016-09-29 21:30:23 |
Martin Pitt |
systemd (Ubuntu Yakkety): assignee |
|
Martin Pitt (pitti) |
|
2016-09-30 06:30:14 |
Launchpad Janitor |
systemd (Ubuntu Yakkety): status |
Fix Committed |
Fix Released |
|
2016-09-30 07:59:55 |
Bug Watch Updater |
systemd: status |
New |
Fix Released |
|
2016-09-30 15:28:25 |
Marc Deslauriers |
systemd (Ubuntu Xenial): status |
In Progress |
Fix Released |
|
2016-09-30 15:29:12 |
Marc Deslauriers |
systemd (Ubuntu Xenial): status |
Fix Released |
In Progress |
|
2016-09-30 17:11:28 |
Emanuele Aina |
cve linked |
|
2016-7795 |
|
2016-10-03 20:37:17 |
Martin Pitt |
systemd (Ubuntu Xenial): assignee |
|
Martin Pitt (pitti) |
|
2016-10-04 23:40:11 |
Chris Halse Rogers |
systemd (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2016-10-04 23:40:14 |
Chris Halse Rogers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2016-10-04 23:40:20 |
Chris Halse Rogers |
bug |
|
|
added subscriber SRU Verification |
2016-10-04 23:40:25 |
Chris Halse Rogers |
tags |
sts |
sts verification-needed |
|
2016-10-06 05:31:46 |
Martin Pitt |
description |
Environment:
Xenial 16.04.1
Amd64
Description.
Systemd fails an assertion in manager_invoke_notify_message when a zero-length message is received over /run/systemd/notify. This allows a local user to perform a denial-of-service attack against PID 1.
How to trigger the bug:
$ while true; do NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""; done
The following entries are written into /var/log/syslog, at this point systemd is crashed.
Sep 28 20:57:20 ubuntu systemd[1]: Started User Manager for UID 1000.
Sep 28 20:57:28 ubuntu systemd[1]: Assertion 'n > 0' failed at ../src/core/manager.c:1501, function manager_invoke_notify_message(). Aborting.
Sep 28 20:57:29 ubuntu systemd[1]: Caught <ABRT>, dumped core as pid 1307.
Sep 28 20:57:29 ubuntu systemd[1]: Freezing execution.
Public bug: https://github.com/systemd/systemd/issues/4234 |
Environment:
Xenial 16.04.1
Amd64
Description.
Systemd fails an assertion in manager_invoke_notify_message when a zero-length message is received over /run/systemd/notify. This allows a local user to perform a denial-of-service attack against PID 1.
How to trigger the bug:
$ while true; do NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""; done
The following entries are written into /var/log/syslog, at this point systemd is crashed.
Sep 28 20:57:20 ubuntu systemd[1]: Started User Manager for UID 1000.
Sep 28 20:57:28 ubuntu systemd[1]: Assertion 'n > 0' failed at ../src/core/manager.c:1501, function manager_invoke_notify_message(). Aborting.
Sep 28 20:57:29 ubuntu systemd[1]: Caught <ABRT>, dumped core as pid 1307.
Sep 28 20:57:29 ubuntu systemd[1]: Freezing execution.
Public bug: https://github.com/systemd/systemd/issues/4234
The original USN/security fix in https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu10 introduced another local DoS due to fd exhaustion:
NOTIFY_SOCKET=/run/systemd/notify python3 -c 'from systemd import daemon; daemon.notify("", fds=[0]*100)'
Run this a few times and watch "sudo ls -l /proc/1/fd" grow. |
|
2016-10-06 05:34:32 |
Martin Pitt |
tags |
sts verification-needed |
sts verification-done |
|
2016-10-12 08:37:09 |
Launchpad Janitor |
systemd (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2016-10-12 08:37:41 |
Martin Pitt |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|