Re: systemd CVE-2016-7796
Ben Hutchings <ben@decadent.org.uk> writes:
> Oh, I didn't realise that. Let's drop those then.
> This patch also needs to change the '<= 0' to '< 0', doesn't it?
Ooops. Yes. Missed that.
Latest patch with these changes:
diff -Nru systemd-44/debian/changelog systemd-44/debian/changelog
--- systemd-44/debian/changelog 2013-10-09 21:18:41.000000000 +1100
+++ systemd-44/debian/changelog 2016-10-07 17:44:20.000000000 +1100
@@ -1,3 +1,10 @@
+systemd (44-11+deb7u5) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix CVE-2016-7796: don't return any error in manager_dispatch_notify_fd.
+
+ -- Brian May <bam@debian.org> Fri, 07 Oct 2016 17:40:21 +1100
+
systemd (44-11+deb7u4) stable-security; urgency=low
* Fix CVE-2013-4327, CVE-2013-4391 and CVE-2013-4394
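Review bot: the changelog entry only describes CVE-2016-7796.patch, but this upload also adds no_error_on_zero_len.patch, which changes the recvmsg() check from `<= 0` to `< 0` and drops the `return -EIO` for a zero-length message. Mention that second patch in the changelog (for example a second bullet, "Don't treat a zero-length notification message as an error"), since it is part of the fix and a reader of the changelog cannot otherwise see why the zero-length case was changed.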
diff -Nru systemd-44/debian/patches/CVE-2016-7796.patch systemd-44/debian/patches/CVE-2016-7796.patch
--- systemd-44/debian/patches/CVE-2016-7796.patch 1970-01-01 10:00:00.000000000 +1000
+++ systemd-44/debian/patches/CVE-2016-7796.patch 2016-10-10 08:02:20.000000000 +1100
@@ -0,0 +1,43 @@
+From f1e852245a30b60d5e6e0a487d049a04a40772fe Mon Sep 17 00:00:00 2001
+From: Franck Bui <fbui@suse.com>
+Date: Thu, 29 Sep 2016 11:59:49 +0200
+Subject: [PATCH] pid1: don't return any error in manager_dispatch_notify_fd()
+
+If manager_dispatch_notify_fd() fails and returns an error then the handling of
+service notifications will be disabled entirely leading to a compromised system.
+
+For example pid1 won't be able to receive the WATCHDOG messages anymore and
+will kill all services supposed to send such messages.
+---
+ src/core/manager.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/src/manager.c
++++ b/src/manager.c
+@@ -2030,10 +2030,14 @@
+ msghdr.msg_controllen = sizeof(control);
+
+ if ((n = recvmsg(m->notify_watch.fd, &msghdr, MSG_DONTWAIT)) < 0) {
+- if (errno == EAGAIN || errno == EINTR)
+- break;
++ if (errno != EAGAIN && errno != EINTR)
++ log_error("Failed to receive notification message: %m");
+
+- return -errno;
++ /* It's not an option to return an error here since it
++ * would disable the notification handler entirely. Services
++ * wouldn't be able to send the WATCHDOG message for
++ * example... */
++ return 0;
+ }
+
+ if (msghdr.msg_controllen < CMSG_LEN(sizeof(struct ucred)) ||
+@@ -2055,7 +2059,7 @@
+ assert((size_t) n < sizeof(buf));
+ buf[n] = 0;
+ if (!(tags = strv_split(buf, "\n\r")))
+- return -ENOMEM;
++ return 0;
+
+ log_debug("Got notification message for unit %s", u->id);
+
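Review bot: the second change (`return 0` instead of `return -ENOMEM` after strv_split()) now drops the notification silently; add a log line before returning, as the first change already does for the recvmsg() failure with `log_error("Failed to receive notification message: %m");`, so an out-of-memory drop is visible in the logs. Two smaller points: the retained upstream diffstat names `src/core/manager.c` while the hunks target `src/manager.c` of systemd 44, so the header no longer matches the patch body, and a DEP-3 `Origin:` line with the upstream commit URL would make the backport easier to trace than the bare `From` line. Behaviour-wise, replacing `break` with `return 0` for EAGAIN/EINTR is only equivalent if nothing after the read loop in manager_dispatch_notify_fd() needs to run; worth confirming against the 44 source, since that code is outside the hunk's context.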
diff -Nru systemd-44/debian/patches/no_error_on_zero_len.patch systemd-44/debian/patches/no_error_on_zero_len.patch
--- systemd-44/debian/patches/no_error_on_zero_len.patch 1970-01-01 10:00:00.000000000 +1000
+++ systemd-44/debian/patches/no_error_on_zero_len.patch 2016-10-10 08:00:54.000000000 +1100
@@ -0,0 +1,14 @@
+--- a/src/manager.c
++++ b/src/manager.c
+@@ -2029,10 +2029,7 @@
+ msghdr.msg_control = &control;
+ msghdr.msg_controllen = sizeof(control);
+
+- if ((n = recvmsg(m->notify_watch.fd, &msghdr, MSG_DONTWAIT)) <= 0) {
+- if (n >= 0)
+- return -EIO;
+-
++ if ((n = recvmsg(m->notify_watch.fd, &msghdr, MSG_DONTWAIT)) < 0) {
+ if (errno == EAGAIN || errno == EINTR)
+ break;
+
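Review bot: this patch has no DEP-3 header, so nothing records why the zero-length case is no longer an error. Add at least a `Description:` line stating that a zero-length datagram on the notify socket previously hit `return -EIO`, and (as the CVE-2016-7796.patch commit message explains) any error return from manager_dispatch_notify_fd() disables service-notification handling entirely, plus an `Author:` line. Also worth stating in that description: with `n == 0` the message now falls through to the `msg_controllen`/ucred check and later to `buf[n] = 0`, leaving an empty buffer, so the removed `-EIO` branch is replaced by ordinary processing of an empty message rather than a `break`.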
diff -Nru systemd-44/debian/patches/series systemd-44/debian/patches/series
--- systemd-44/debian/patches/series 2013-10-08 18:38:12.000000000 +1100
+++ systemd-44/debian/patches/series 2016-10-10 07:53:28.000000000 +1100
@@ -2,3 +2,5 @@
v44..upstream-fixes_44-11
debian-changes
secfixes
+no_error_on_zero_len.patch
+CVE-2016-7796.patch
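Review bot: the order of the two new entries is load-bearing: the context line `if ((n = recvmsg(m->notify_watch.fd, &msghdr, MSG_DONTWAIT)) < 0) {` in CVE-2016-7796.patch only exists after no_error_on_zero_len.patch has changed `<= 0` to `< 0`, so swapping them would make the CVE patch fail to apply. The order here is correct; record the dependency in no_error_on_zero_len.patch's DEP-3 header (or as a `#` comment in series, which quilt accepts) so a later refresh does not reorder them.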
--
Brian May <bam@debian.org>