
Bug#912169: marked as done (stretch-pu: package systemd/232-25+deb9u6)



Your message dated Sat, 10 Nov 2018 10:42:56 +0000
with message-id <1541846576.3542.38.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.6
has caused the Debian Bug report #912169,
regarding stretch-pu: package systemd/232-25+deb9u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
912169: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912169
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

A recently discovered vulnerability allows a malicious dhcp6 server
to overwrite heap memory in systemd-networkd. This can lead to a crash
(DoS) of networkd or, in the worst case, remote code execution [1].
I was contacted by the security team about this issue. As networkd is
not enabled by default, it wasn't deemed severe enough to be fixed via a
stable-security upload and a fix via a regular stable upload seemed
sufficient.
I already asked for a stable upload for 9.6 in [2]. I'm not sure what
the procedure is in such a case. Should I reupload 232-25+deb9u5 with
this fix included or make a 232-25+deb9u6 upload?
Assuming the latter is less work for the SRM team, I prepared a debdiff
for 232-25+deb9u6.
Please let me know what you prefer and how to proceed here.

I've also CCed kibi, as usual, for his ack. Since this only touches
networkd, d-i should not be affected.

The fix was also uploaded to unstable a few hours ago, so it hasn't
seen any real-world testing. But given that it's only a one-line change,
the regression potential is rather small.

Regards,
Michael

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912008
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908913

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 740787b..176bb0f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+systemd (232-25+deb9u6) stretch; urgency=medium
+
+  * dhcp6: Make sure we have enough space for the DHCP6 option header.
+    Fixes out-of-bounds heap write in systemd-networkd dhcpv6 option
+    handling.
+    (CVE-2018-15688, LP: #1795921, Closes: #912008)
+
+ -- Michael Biebl <biebl@debian.org>  Sun, 28 Oct 2018 18:02:10 +0100
+
 systemd (232-25+deb9u5) stretch; urgency=medium
 
   * networkd: Do not fail manager_connect_bus() if dbus is not active yet
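Review bot: The new entry spells the protocol three ways in three lines ("dhcp6:", "DHCP6 option header", "dhcpv6 option handling"). Keeping the "dhcp6:" prefix that matches the patch subject and using one form in the descriptive sentence would make the entry easier to search for later.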
diff --git a/debian/patches/dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-option.patch b/debian/patches/dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-option.patch
new file mode 100644
index 0000000..3a4ee04
--- /dev/null
+++ b/debian/patches/dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-option.patch
@@ -0,0 +1,29 @@
+From: Lennart Poettering <lennart@poettering.net>
+Date: Fri, 19 Oct 2018 12:12:33 +0200
+Subject: dhcp6: make sure we have enough space for the DHCP6 option header
+
+Fixes a vulnerability originally discovered by Felix Wilhelm from
+Google.
+
+CVE-2018-15688
+LP: #1795921
+https://bugzilla.redhat.com/show_bug.cgi?id=1639067
+
+(cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892)
+---
+ src/libsystemd-network/dhcp6-option.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c
+index 5462e03..c12d008 100644
+--- a/src/libsystemd-network/dhcp6-option.c
++++ b/src/libsystemd-network/dhcp6-option.c
+@@ -101,7 +101,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
+                 return -EINVAL;
+         }
+ 
+-        if (*buflen < len)
++        if (*buflen < offsetof(DHCP6Option, data) + len)
+                 return -ENOBUFS;
+ 
+         ia_hdr = *buf;
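Review bot: The corrected bound `if (*buflen < offsetof(DHCP6Option, data) + len)` has no comment saying that the option header is written in addition to the `len` bytes, so a later cleanup could drop the header term again; a one-line comment above the check would prevent that. The diffstat also shows a single file with one insertion and one deletion, so nothing tests dhcp6_option_append_ia() with a buffer that holds `len` bytes but not the header; a unit test expecting -ENOBUFS for that case would pin the fix.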
diff --git a/debian/patches/series b/debian/patches/series
index 3c1ebbe..605f8cb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -85,6 +85,7 @@ login-change-variable-type-of-enable_wall_messages-as-it-.patch
 login-do-not-wall-message-on-cancelling-shutdown-when-Man.patch
 networkd-do-not-fail-manager_connect_bus-if-dbus-is-not-a.patch
 network-resolve-remove-comments-related-to-kdbus.patch
+dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-option.patch
 debian/Use-Debian-specific-config-files.patch
 debian/don-t-try-to-start-autovt-units-when-not-running-wit.patch
 debian/Make-logind-hostnamed-localed-timedated-D-Bus-activa.patch

--- End Message ---
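
The bounds check that the patch above corrects, as an added example that is not part of the original message and is not systemd's code: a constructed TLV append routine that counts header plus payload before writing, next to the payload-only comparison that accepts a buffer two bytes too short. The names struct tlv_option, TLV_HDR, tlv_append and the helpers are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed TLV layout for this example (hypothetical, not systemd's DHCP6Option). */
struct tlv_option {
    uint16_t code;
    uint16_t len;
    uint8_t data[];
};
#define TLV_HDR offsetof(struct tlv_option, data)

/* Pre-fix style of check: compares the remaining space with the payload only. */
static int payload_only_check_ok(size_t buflen, size_t len) {
    return buflen >= len;
}

/* Bytes an append really writes: header plus payload. */
static size_t bytes_needed(size_t len) {
    return TLV_HDR + len;
}

/* Append one option at *buf and advance the cursor. Returns 0 on success,
 * -EINVAL if len does not fit the 16-bit length field, -ENOBUFS if header
 * plus payload do not fit. Nothing is written on failure. */
static int tlv_append(uint8_t **buf, size_t *buflen, uint16_t code,
                      const void *payload, size_t len) {
    struct tlv_option hdr;

    if (len > UINT16_MAX)
        return -EINVAL;
    if (*buflen < bytes_needed(len))   /* header counted, as in the fix */
        return -ENOBUFS;

    hdr.code = code;                   /* byte-order conversion omitted */
    hdr.len = (uint16_t) len;
    memcpy(*buf, &hdr, TLV_HDR);
    memcpy(*buf + TLV_HDR, payload, len);
    *buf += bytes_needed(len);
    *buflen -= bytes_needed(len);
    return 0;
}

/* Constructed case: 12 payload bytes, 14 bytes of space left. */
static int old_check_accepts_short_buffer(void) {
    return payload_only_check_ok(14, 12) && bytes_needed(12) > 14;
}

int main(void) { return old_check_accepts_short_buffer() ? 0 : 1; }
```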
--- Begin Message ---
Version: 9.6

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
