| Summary: | systemd stack-based buffer overflow in systemd-ask-password | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | sysadmin-bugs, tmb, wassi, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/594895/ | | |
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok | | |
| Source RPM: | systemd-208-14.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2014-04-15 20:23:16 CEST
David Walser
2014-04-15 20:23:22 CEST
Whiteboard: (none) => MGA4TOO, MGA3TOO

Thanks for that, David. I'll update to the latest v208-stable which should sort that out and look into backporting said patch to mga3 too.

CVE request: http://openwall.com/lists/oss-security/2014/04/17/3

Packages are now available in MGA3 and MGA4:

SRPMS: systemd-195-22.2.mga3, systemd-208-10.5.mga4

I've so far done general stability testing in MGA4/64 (two machines) but no longer have any MGA3 machines :(

The fix is really simple, so I think just general stability tests are sufficient (ideally booting in a range of different setups - especially on MGA4 where various other "stable release" patches are included (keeps our package similar to fedora's))

Advisory Text
=============

A stack-based buffer overflow was found in systemd-ask-password, a utility used to query a system password or passphrase from the user, using a question message specified on the command line. A local user could use this flaw to crash the binary or even execute arbitrary code with the permissions of the user running the program.

The systemd packages shipped with Mageia 3 and 4 have been updated to address this vulnerability.

Additionally, the Mageia 4 packages include various other general stability and performance fixes deemed appropriate for the stable updates.

Assignee: mageia => qa-bugs

Note that this probably won't get a CVE: http://openwall.com/lists/oss-security/2014/04/17/4

As far as the advisory, this should be included in the references: https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131370.html

Package list:
systemd-195-22.2.mga3
systemd-tools-195-22.2.mga3
systemd-units-195-22.2.mga3
python-systemd-195-22.2.mga3
systemd-devel-195-22.2.mga3
libsystemd-daemon0-195-22.2.mga3
libsystemd-login0-195-22.2.mga3
libsystemd-journal0-195-22.2.mga3
libsystemd-id128_0-195-22.2.mga3
libudev1-195-22.2.mga3
libudev-devel-195-22.2.mga3
libgudev1.0_0-195-22.2.mga3
libgudev-gir1.0-195-22.2.mga3
libgudev1.0-devel-195-22.2.mga3
systemd-208-10.5.mga4
systemd-units-208-10.5.mga4
python-systemd-208-10.5.mga4
systemd-devel-208-10.5.mga4
nss-myhostname-208-10.5.mga4
libsystemd-daemon0-208-10.5.mga4
libsystemd-login0-208-10.5.mga4
libsystemd-journal0-208-10.5.mga4
libsystemd-id128_0-208-10.5.mga4
libudev1-208-10.5.mga4
libudev-devel-208-10.5.mga4
libgudev1.0_0-208-10.5.mga4
libgudev-gir1.0-208-10.5.mga4
libgudev1.0-devel-208-10.5.mga4

from SRPMS:
systemd-195-22.2.mga3.src.rpm
systemd-208-10.5.mga4.src.rpm

Version: Cauldron => 4

No regressions noticed mga4 64

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

No regressions noticed mga3 64 or mga4 32

Needs tests mga3 32 to validate

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok

Testing on Mga4, i586. I'll report back in a few days.

CC: (none) => wassi

In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
systemd

default install of systemd

[root@localhost wilcal]# urpmi systemd
Package systemd-195-22.1.mga3.i586 is already installed

Test system works and is stable with many apps.

install package from updates_testing

[root@localhost wilcal]# urpmi systemd
Package systemd-195-22.2.mga3.i586 is already installed

Test system works and is stable with many apps.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

CC: (none) => wilcal.int

For me this update works fine

Testing complete on Mga4, i586. Everything works fine, no regressions noticed.

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0188.html

Status: NEW => RESOLVED