Bug 29270

Summary:	systemd new security issues CVE-2020-13529 and CVE-2021-33910
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	critical
Priority:	Normal	CC:	brtians1, davidwhodgins, fri, ouaurelien, sysadmin-bugs
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK MGA8-32-OK
Source RPM:	systemd-246.13-2.mga8.src.rpm	CVE:	CVE-2020-13529, CVE-2021-33910
Status comment:

Description David Walser 2021-07-20 14:58:24 CEST

Qualys has issued an advisory today (July 20):
https://www.openwall.com/lists/oss-security/2021/07/20/2

Presumably the patches are available somewhere today (possibly a systemd mailing list).

Comment 1 Thomas Backlund 2021-07-20 15:23:30 CEST

Fixed in cauldron in v249.1 and for mga8: systemd-246.14-2.mga8 is currently building

Comment 2 Thomas Backlund 2021-07-20 17:02:31 CEST

this is an update to v246.14 (from v246.13) to fix some bugs and I backpoorted the fix for the CVE.


SRPM:
systemd-246.14-2.mga8.src.rpm


i586:
libsystemd0-246.14-2.mga8.i586.rpm
libudev1-246.14-2.mga8.i586.rpm
libudev-devel-246.14-2.mga8.i586.rpm
nss-myhostname-246.14-2.mga8.i586.rpm
systemd-246.14-2.mga8.i586.rpm
systemd-devel-246.14-2.mga8.i586.rpm
systemd-homed-246.14-2.mga8.i586.rpm
systemd-tests-246.14-2.mga8.i586.rpm


x86_64:
lib64systemd0-246.14-2.mga8.x86_64.rpm
lib64udev1-246.14-2.mga8.x86_64.rpm
lib64udev-devel-246.14-2.mga8.x86_64.rpm
nss-myhostname-246.14-2.mga8.x86_64.rpm
systemd-246.14-2.mga8.x86_64.rpm
systemd-devel-246.14-2.mga8.x86_64.rpm
systemd-homed-246.14-2.mga8.x86_64.rpm
systemd-tests-246.14-2.mga8.x86_64.rpm

Assignee: tmb => qa-bugs

Comment 3 Aurelien Oudelet 2021-07-20 23:01:35 CEST Comment hidden (obsolete)

Suggested Advisory:
========================

Updated systemd packages fix security vulnerability:

basic/unit-name.c in systemd 220 through 248 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash (CVE-2021-29270).

systemd packages are updated from 246.13 to 246.14 upstream stable version with a backported fix for the CVE.

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29270
 - https://www.openwall.com/lists/oss-security/2021/07/20/2
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33910
========================

Updated packages in core/updates_testing:
========================
lib(64)systemd0-246.14-2.mga8
lib(64)udev1-246.14-2.mga8
lib(64)udev-devel-246.14-2.mga8
nss-myhostname-246.14-2.mga8
systemd-246.14-2.mga8
systemd-devel-246.14-2.mga8
systemd-homed-246.14-2.mga8
systemd-tests-246.14-2.mga8

CC: (none) => ouaurelien

Comment 4 Aurelien Oudelet 2021-07-20 23:02:03 CEST

Note also there is a 246.15 tag upstream
https://github.com/systemd/systemd-stable/releases

Comment 5 Dave Hodgins 2021-07-21 06:23:45 CEST

No problems encountered on my systems or in vb guests.
Validating the update.

CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK MGA8-32-OK

Comment 6 Thomas Backlund 2021-07-21 09:50:47 CEST

(In reply to Aurelien Oudelet from comment #4)
> Note also there is a 246.15 tag upstream
> https://github.com/systemd/systemd-stable/releases

How nice, they rolled it out after I built this one...

Normally I would have ignored that for now as this is a security update, but there is some other uaf and crash fixes and an other security fix hiding in there: CVE-2020-13529, so the rpms to validate are now:


SRPM:
systemd-246.15-1.mga8.src.rpm


i586:
libsystemd0-246.15-1.mga8.i586.rpm
libudev1-246.15-1.mga8.i586.rpm
libudev-devel-246.15-1.mga8.i586.rpm
nss-myhostname-246.15-1.mga8.i586.rpm
systemd-246.15-1.mga8.i586.rpm
systemd-devel-246.15-1.mga8.i586.rpm
systemd-homed-246.15-1.mga8.i586.rpm
systemd-tests-246.15-1.mga8.i586.rpm


x86_64:
lib64systemd0-246.15-1.mga8.x86_64.rpm
lib64udev1-246.15-1.mga8.x86_64.rpm
lib64udev-devel-246.15-1.mga8.x86_64.rpm
nss-myhostname-246.15-1.mga8.x86_64.rpm
systemd-246.15-1.mga8.x86_64.rpm
systemd-devel-246.15-1.mga8.x86_64.rpm
systemd-homed-246.15-1.mga8.x86_64.rpm
systemd-tests-246.15-1.mga8.x86_64.rpm

Keywords: validated_update => (none)
CVE: (none) => CVE-2020-13529, CVE-2021-33910
Whiteboard: MGA8-64-OK MGA8-32-OK => (none)
Summary: systemd new security issue CVE-2021-33910 => systemd new security issues CVE-2021-33910 and CVE-2020-13529

Comment 7 Thomas Backlund 2021-07-21 10:09:00 CEST

Advisory, added to svn:

type: security
subject: Updated systemd packages fix security vulnerabilities
CVE:
 - CVE-2020-13529
 - CVE-2021-33910
src:
  8:
   core:
     - systemd-246.15-1.mga8
description: |
  This systemd update provides the v246.15 maintenance release and fixes
  atleast the following security issues:

  An exploitable denial-of-service vulnerability exists in Systemd 245.
  A specially crafted DHCP FORCERENEW packet can cause a server running
  the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An
  attacker can forge a pair of FORCERENEW and DCHP ACK packets to
  reconfigure the server (CVE-2020-13529).

  basic/unit-name.c in systemd 220 through 248 has a Memory Allocation with
  an Excessive Size Value (involving strdupa and alloca for a pathname
  controlled by a local attacker) that results in an operating system crash
  (CVE-2021-29270).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=29270
 - https://github.com/systemd/systemd-stable/compare/v246.13...v246.15
 - https://www.openwall.com/lists/oss-security/2021/07/20/2

Keywords: (none) => advisory

Comment 8 Brian Rockwell 2021-07-21 15:49:35 CEST

Phys hardware - AMD X3, Nvidia 390



The following 6 packages are going to be installed:

- lib64cap-devel-2.46-1.mga8.x86_64
- lib64systemd0-246.15-1.mga8.x86_64
- libcap-utils-2.46-1.mga8.x86_64
- nss-myhostname-246.15-1.mga8.x86_64
- systemd-246.15-1.mga8.x86_64
- systemd-devel-246.15-1.mga8.x86_64

413KB of additional disk space will be used.

rebooted


# systemctl --version
systemd 246 (246)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN -PCRE2 default-hierarchy=unified


thank goodness it came back working

CC: (none) => brtians1

Comment 9 David Walser 2021-07-21 16:40:16 CEST

Ubuntu has issued an advisory for this on July 20:
https://ubuntu.com/security/notices/USN-5013-1

Summary: systemd new security issues CVE-2021-33910 and CVE-2020-13529 => systemd new security issues CVE-2020-13529 and CVE-2021-33910
Severity: normal => critical

Comment 10 Morgan Leijström 2021-07-21 19:31:47 CEST

x86_64 Tested OK, with both new kernels (details there)
with also from testing: mesa, x11

CC: (none) => fri

Comment 11 Dave Hodgins 2021-07-21 19:44:25 CEST

Ok on all of my systems and vb guests.
Validating

Whiteboard: (none) => MGA8-64-OK MGA8-32-OK
Keywords: (none) => validated_update

Comment 12 Aurelien Oudelet 2021-07-21 20:36:45 CEST

x86_64 mga8
OK on all systems, baremetals and VM.

Comment 13 Mageia Robot 2021-07-22 09:09:13 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0365.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED