Debian Bug report logs - #918841
systemd: CVE-2018-16864

Package: src:systemd; Maintainer for src:systemd is Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 9 Jan 2019 21:39:02 UTC

Severity: grave

Tags: security, upstream

Merged with 919002

Found in versions systemd/240-2, systemd/204-1, systemd/232-25+deb9u6

Fixed in versions systemd/240-4, systemd/232-25+deb9u7

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#918841; Package src:systemd. (Wed, 09 Jan 2019 21:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>. (Wed, 09 Jan 2019 21:39:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: systemd: CVE-2018-16864
Date: Wed, 09 Jan 2019 21:08:51 +0100
Source: systemd
Version: 204-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 232-25+deb9u6
Control: found -1 240-2

Hi,

The following vulnerability was published for systemd.

CVE-2018-16864[0]:
memory corruption

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16864
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16864
[1] https://www.openwall.com/lists/oss-security/2019/01/09/3

Regards,
Salvatore



Marked as found in versions systemd/232-25+deb9u6. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 09 Jan 2019 21:39:04 GMT) (full text, mbox, link).


Marked as found in versions systemd/240-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 09 Jan 2019 21:39:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#918841; Package src:systemd. (Wed, 09 Jan 2019 21:48:06 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>. (Wed, 09 Jan 2019 21:48:06 GMT) (full text, mbox, link).


Message #14 received at 918841@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: 918841@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: systemd: CVE-2018-16864
Date: Wed, 9 Jan 2019 22:45:10 +0100
On Wed, 09 Jan 2019 21:08:51 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: systemd
> Version: 204-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: found -1 232-25+deb9u6
> Control: found -1 240-2
> 
> Hi,
> 
> The following vulnerability was published for systemd.
> 
> CVE-2018-16864[0]:
> memory corruption
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-16864
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16864
> [1] https://www.openwall.com/lists/oss-security/2019/01/09/3

Should CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866 be handled
separately, i.e. do you plan to file separate bug reports?

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Information forwarded to debian-bugs-dist@lists.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#918841; Package src:systemd. (Wed, 09 Jan 2019 21:51:12 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>. (Wed, 09 Jan 2019 21:51:12 GMT) (full text, mbox, link).


Message #19 received at 918841@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: 918841@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: systemd: CVE-2018-16864
Date: Wed, 9 Jan 2019 22:50:32 +0100
On 09.01.19 at 22:45, Michael Biebl wrote:
> Should CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866 be handled
> separately, i.e. do you plan to file separate bug reports?

Hm, for some reason I only received #918848 just now.
So that part of my question is moot.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Information forwarded to debian-bugs-dist@lists.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#918841; Package src:systemd. (Wed, 09 Jan 2019 22:09:09 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>. (Wed, 09 Jan 2019 22:09:09 GMT) (full text, mbox, link).


Message #24 received at 918841@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Michael Biebl <biebl@debian.org>, 918841@bugs.debian.org
Subject: Re: Bug#918841: systemd: CVE-2018-16864
Date: Wed, 9 Jan 2019 23:07:11 +0100
Hi,

On Wed, Jan 09, 2019 at 10:50:32PM +0100, Michael Biebl wrote:
> On 09.01.19 at 22:45, Michael Biebl wrote:
> > Should CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866 be handled
> > separately, i.e. do you plan to file separate bug reports?
> 
> Hm, for some reason I only received #918848 just now.
> So that part of my question is moot.

The BTS had some load issues apparently, so there was some delay in
delivering the bug reports.

I have filed only two bugs (given the different set of affected
versions CVE-2018-16864 and CVE-2018-16865). I have not filed a bug
for CVE-2018-16866 as this one is already fixed in unstable with the
v240.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#918841; Package src:systemd. (Thu, 10 Jan 2019 00:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>. (Thu, 10 Jan 2019 00:45:03 GMT) (full text, mbox, link).


Message #29 received at 918841@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: 918841@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: systemd: CVE-2018-16864
Date: Thu, 10 Jan 2019 01:41:17 +0100
On Wed, 09 Jan 2019 21:08:51 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: systemd
> Version: 204-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: found -1 232-25+deb9u6
> Control: found -1 240-2
> 
> Hi,
> 
> The following vulnerability was published for systemd.
> 
> CVE-2018-16864[0]:
> memory corruption


Should we mark old-stable as not affected given the remark that the
vulnerability is exploitable since v230?

https://security-tracker.debian.org/tracker/CVE-2018-16864
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Information forwarded to debian-bugs-dist@lists.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#918841; Package src:systemd. (Thu, 10 Jan 2019 05:15:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>. (Thu, 10 Jan 2019 05:15:06 GMT) (full text, mbox, link).


Message #34 received at 918841@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Michael Biebl <biebl@debian.org>
Cc: 918841@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: systemd: CVE-2018-16864
Date: Thu, 10 Jan 2019 06:14:07 +0100
Hi Michael,

On Thu, Jan 10, 2019 at 01:41:17AM +0100, Michael Biebl wrote:
> On Wed, 09 Jan 2019 21:08:51 +0100 Salvatore Bonaccorso
> <carnil@debian.org> wrote:
> > Source: systemd
> > Version: 204-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Control: found -1 232-25+deb9u6
> > Control: found -1 240-2
> > 
> > Hi,
> > 
> > The following vulnerability was published for systemd.
> > 
> > CVE-2018-16864[0]:
> > memory corruption
> 
> 
> Should we mark old-stable as not affected given the remark that the
> vulnerability is exploitable since v230?
> 
> https://security-tracker.debian.org/tracker/CVE-2018-16864

I do not think so, not-affected would mean the issue is not present.
CVE-2018-16864 though is introduced in v203 itself (see the Qualys
report).  Maybe it needs to be discussed in the context of v215 if it
needs a corresponding update or not (that is no-dsa/ignored).

Regards,
Salvatore

p.s.: Note that Red Hat backported the CVE-2018-16864 fix to v219.



Merged 918841 919002 Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Fri, 11 Jan 2019 16:48:07 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#918841. (Sat, 12 Jan 2019 21:15:10 GMT) (full text, mbox, link).


Message #39 received at 918841-submitter@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: 918841-submitter@bugs.debian.org
Subject: Bug #918841 in systemd marked as pending
Date: Sat, 12 Jan 2019 21:11:32 +0000
Control: tag -1 pending

Hello,

Bug #918841 in systemd reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/systemd-team/systemd/commit/ce0e48e43979e955df2413dca23c64088a729ed8

------------------------------------------------------------------------
Import patches from v240-stable branch (up to f02b5472c6)

- Fixes a problem in logind closing the controlling terminal when using
  startx. (Closes: #918927)
- Fixes various journald vulnerabilities via attacker controlled alloca.
  (CVE-2018-16864, CVE-2018-16865, Closes: #918841, Closes: #918848)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/918841



Added tag(s) pending. Request was from Michael Biebl <biebl@debian.org> to 918841-submitter@bugs.debian.org. (Sat, 12 Jan 2019 21:15:10 GMT) (full text, mbox, link).


Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Sat, 12 Jan 2019 23:18:09 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 12 Jan 2019 23:18:09 GMT) (full text, mbox, link).


Message #46 received at 918841-close@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: 918841-close@bugs.debian.org
Subject: Bug#918841: fixed in systemd 240-4
Date: Sat, 12 Jan 2019 23:16:47 +0000
Source: systemd
Source-Version: 240-4

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918841@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 12 Jan 2019 21:49:44 +0100
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump systemd-tests libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 240-4
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
 libnss-myhostname - nss module providing fallback resolution for the current hostname
 libnss-mymachines - nss module to resolve hostnames for local container instances
 libnss-resolve - nss module to resolve names via systemd-resolved
 libnss-systemd - nss module providing dynamic user and group name resolution
 libpam-systemd - system and service manager - PAM module
 libsystemd-dev - systemd utility library - development files
 libsystemd0 - systemd utility library
 libudev-dev - libudev development files
 libudev1   - libudev shared library
 libudev1-udeb - libudev shared library (udeb)
 systemd    - system and service manager
 systemd-container - systemd container/nspawn tools
 systemd-coredump - tools for storing and retrieving coredumps
 systemd-journal-remote - tools for sending and receiving remote journal logs
 systemd-sysv - system and service manager - SysV links
 systemd-tests - tests for systemd
 udev       - /dev/ and hotplug management daemon
 udev-udeb  - /dev/ and hotplug management daemon (udeb)
Closes: 909396 917607 918841 918848 918927
Changes:
 systemd (240-4) unstable; urgency=medium
 .
   [ Benjamin Drung ]
   * Fix shellcheck issues in initramfs-tools scripts
 .
   [ Michael Biebl ]
   * Import patches from v240-stable branch (up to f02b5472c6)
     - Fixes a problem in logind closing the controlling terminal when using
       startx. (Closes: #918927)
     - Fixes various journald vulnerabilities via attacker controlled alloca.
       (CVE-2018-16864, CVE-2018-16865, Closes: #918841, Closes: #918848)
   * sd-device-monitor: Fix ordering of setting buffer size.
     Fixes an issue with uevents not being processed properly during coldplug
     stage and some kernel modules not being loaded via "udevadm trigger".
     (Closes: #917607)
   * meson: Stop setting -fPIE globally.
     Setting -fPIE globally can lead to miscompilations on certain
     architectures. Instead use the b_pie=true build option, which was
     introduced in meson 0.49. Bump the Build-Depends accordingly.
     (Closes: #909396)




Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Sat, 12 Jan 2019 23:18:10 GMT) (full text, mbox, link).


Notification sent to shirish शिरीष <shirishag75@gmail.com>:
Bug acknowledged by developer. (Sat, 12 Jan 2019 23:18:10 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#918841; Package src:systemd. (Sun, 20 Jan 2019 07:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Nye Liu <nyet@nyet.org>:
Extra info received and forwarded to list. Copy sent to Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>. (Sun, 20 Jan 2019 07:48:03 GMT) (full text, mbox, link).


Message #55 received at 918841@bugs.debian.org (full text, mbox, reply):

From: Nye Liu <nyet@nyet.org>
To: 918841@bugs.debian.org
Subject: Really bad regression
Date: Sat, 19 Jan 2019 23:39:28 -0800
https://github.com/systemd/systemd/issues/11502

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 29 Jan 2019 13:06:07 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 29 Jan 2019 13:06:07 GMT) (full text, mbox, link).


Message #60 received at 918841-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 918841-close@bugs.debian.org
Subject: Bug#918841: fixed in systemd 232-25+deb9u7
Date: Tue, 29 Jan 2019 13:02:18 +0000
Source: systemd
Source-Version: 232-25+deb9u7

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918841@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Jan 2019 09:38:38 +0100
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 232-25+deb9u7
Distribution: stretch-security
Urgency: high
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 918841 918848
Description: 
 libnss-myhostname - nss module providing fallback resolution for the current hostname
 libnss-mymachines - nss module to resolve hostnames for local container instances
 libnss-resolve - nss module to resolve names via systemd-resolved
 libnss-systemd - nss module providing dynamic user and group name resolution
 libpam-systemd - system and service manager - PAM module
 libsystemd-dev - systemd utility library - development files
 libsystemd0 - systemd utility library
 libudev-dev - libudev development files
 libudev1   - libudev shared library
 libudev1-udeb - libudev shared library (udeb)
 systemd    - system and service manager
 systemd-container - systemd container/nspawn tools
 systemd-coredump - tools for storing and retrieving coredumps
 systemd-journal-remote - tools for sending and receiving remote journal logs
 systemd-sysv - system and service manager - SysV links
 udev       - /dev/ and hotplug management daemon
 udev-udeb  - /dev/ and hotplug management daemon (udeb)
Changes:
 systemd (232-25+deb9u7) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * journald: do not store the iovec entry for process commandline on stack
     (CVE-2018-16864) (Closes: #918841)
   * journald: set a limit on the number of fields (1k) (CVE-2018-16865)
     (Closes: #918848)
   * journal-remote: set a limit on the number of fields in a message
     (CVE-2018-16865) (Closes: #918848)
   * journal: fix syslog_parse_identifier() (CVE-2018-16866)
   * journal: do not remove multiple spaces after identifier in syslog message
     (CVE-2018-16866)
Package-Type: udeb




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 29 Jan 2019 13:06:08 GMT) (full text, mbox, link).


Notification sent to shirish शिरीष <shirishag75@gmail.com>:
Bug acknowledged by developer. (Tue, 29 Jan 2019 13:06:08 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Mar 2019 07:25:24 GMT) (full text, mbox, link).
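
The changelog entries in this log name two fix patterns: keep the process command line field off the stack (CVE-2018-16864) and cap the number of fields per message (CVE-2018-16865). The C code below is an added example of both patterns, not code from systemd or from this bug log; the function names, the `_CMDLINE=` prefix and the reading of "1k" as 1024 are assumptions.

```c
#include <alloca.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELDS_MAX 1024                    /* assumed reading of the changelog's "1k" */
static const char PREFIX[] = "_CMDLINE=";  /* illustrative field prefix */

/* BEFORE (pattern only, not systemd source): buffer size comes straight from
 * sender-supplied text. alloca() cannot report failure, and the buffer dies
 * with this frame, so only its length can be returned. */
static size_t field_on_stack(const char *cmdline) {
    size_t n = strlen(cmdline);
    char *buf = alloca(sizeof PREFIX + n);
    memcpy(buf, PREFIX, sizeof PREFIX - 1);
    memcpy(buf + sizeof PREFIX - 1, cmdline, n + 1);
    return strlen(buf);
}

/* AFTER: the same field on the heap. Failure is a NULL the caller can handle;
 * on success the caller owns and frees the buffer. */
static char *field_on_heap(const char *cmdline) {
    size_t n = strlen(cmdline);
    char *buf = malloc(sizeof PREFIX + n);
    if (!buf) return NULL;
    memcpy(buf, PREFIX, sizeof PREFIX - 1);
    memcpy(buf + sizeof PREFIX - 1, cmdline, n + 1);
    return buf;
}

/* Length of the heap-built field, or -ENOMEM. */
static long heap_field_len(const char *cmdline) {
    char *f = field_on_heap(cmdline);
    long r = f ? (long)strlen(f) : -ENOMEM;
    free(f);
    return r;
}

/* Count non-empty "KEY=VALUE\n" lines and reject the message once the count
 * would pass FIELDS_MAX, so nothing is ever sized from an unbounded count. */
static int count_fields(const char *msg, size_t len) {
    const char *p = msg, *end = msg + len;
    int n = 0;
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        const char *stop = nl ? nl : end;
        if (stop > p && n++ == FIELDS_MAX) return -E2BIG;
        p = nl ? nl + 1 : end;
    }
    return n;
}

/* Constructed input: `fields` copies of "A=1\n". */
static int count_repeated(int fields) {
    char *msg = malloc((size_t)fields * 4 + 1);
    if (!msg) return -ENOMEM;
    for (int i = 0; i < fields; i++)
        memcpy(msg + (size_t)i * 4, "A=1\n", 4);
    int r = count_fields(msg, (size_t)fields * 4);
    free(msg);
    return r;
}

int main(void) {
    printf("stack=%zu heap=%ld fields(1024)=%d fields(1025)=%d\n",
           field_on_stack("/bin/sh -c true"), heap_field_len("/bin/sh -c true"),
           count_repeated(1024), count_repeated(1025));
    return 0;
}
```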

