Bug 31305

Summary: systemd new security issue CVE-2022-4415
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, brtians1, davidwhodgins, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-32-OK MGA8-64-OK
Source RPM: systemd-252.3-1.mga9.src.rpm CVE:
Status comment: Patch available from upstream

Description David Walser 2022-12-21 16:48:14 CET 
A security issue fixed upstream in systemd has been announced today (December 21):
https://www.openwall.com/lists/oss-security/2022/12/21/3

The commit that fixed the issue is linked in the message above.

Mageia 8 is also affected.
David Walser 2022-12-21 16:49:41 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from upstream

Comment 1 David Walser 2022-12-21 16:53:54 CET 
I'm not sure if the fix was included in yesterday's 252.4 release.
Comment 2 David Walser 2022-12-23 17:51:33 CET 
Fedora has issued an advisory for this today (December 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JZKXTILQJERZNQGT3KIVV6BFKD5IV6EY/
Comment 3 David Walser 2022-12-28 17:55:10 CET 
openSUSE has issued an advisory for this today (December 28):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EEZTDRHOCHY2CZIAQ5LHAW5DIC7DDHWL/
Comment 4 David Walser 2023-02-23 18:02:56 CET 
RedHat has issued an advisory for this on February 21:
https://access.redhat.com/errata/RHSA-2023:0837
Comment 5 David Walser 2023-03-09 17:48:35 CET 
Ubuntu has issued an advisory for this on March 7:
https://ubuntu.com/security/notices/USN-5928-1

Note that CVE-2022-45873 in that advisory was introduced in 250 and fixed in 252, so we're not affected.
Comment 6 Thomas Backlund 2023-06-27 17:44:32 CEST 
fixed in cauldron since v253-rc1~238^2

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 7 Thomas Backlund 2023-06-27 18:51:52 CEST 
SRPM:
systemd-246.16-4.mga8.src.rpm


i586:
libsystemd0-246.16-4.mga8.i586.rpm
libudev1-246.16-4.mga8.i586.rpm
libudev-devel-246.16-4.mga8.i586.rpm
nss-myhostname-246.16-4.mga8.i586.rpm
systemd-246.16-4.mga8.i586.rpm
systemd-devel-246.16-4.mga8.i586.rpm
systemd-homed-246.16-4.mga8.i586.rpm
systemd-tests-246.16-4.mga8.i586.rpm


x86_64:
lib64systemd0-246.16-4.mga8.x86_64.rpm
lib64udev1-246.16-4.mga8.x86_64.rpm
lib64udev-devel-246.16-4.mga8.x86_64.rpm
nss-myhostname-246.16-4.mga8.x86_64.rpm
systemd-246.16-4.mga8.x86_64.rpm
systemd-devel-246.16-4.mga8.x86_64.rpm
systemd-homed-246.16-4.mga8.x86_64.rpm
systemd-tests-246.16-4.mga8.x86_64.rpm

Assignee: tmb => qa-bugs

PC LX 2023-06-28 11:53:20 CEST

CC: (none) => mageia

Comment 8 PC LX 2023-06-28 21:56:00 CEST 
Installed and tested on VMs and nspawn containers without issues.

Tested on:
- systemd nspwan container running Mageia 8.
- QEMU/KVM VM running Mageia 8 x86_64.
- QEMU/KVM VM running Mageia 8 aarch64.

No issues or regressions found. After some more testing will install and test on the host workstation and a server.


# uname -a
Linux jupiter-co-mageia-8 6.1.34-desktop-2.mga8 #1 SMP PREEMPT_DYNAMIC Wed Jun 14 19:14:11 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
# rpm -qa | grep 246.16 | sort
lib64systemd0-246.16-4.mga8
lib64udev1-246.16-4.mga8
nss-myhostname-246.16-4.mga8
systemd-246.16-4.mga8


# uname -a
Linux jupiter-vm-mageia-8 6.1.34-desktop-2.mga8 #1 SMP PREEMPT_DYNAMIC Wed Jun 14 19:14:11 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
# rpm -qa | grep 246.16 | sort
lib64systemd0-246.16-4.mga8
lib64udev1-246.16-4.mga8
lib64udev-devel-246.16-4.mga8
libsystemd0-246.16-4.mga8
libudev1-246.16-4.mga8
nss-myhostname-246.16-4.mga8
systemd-246.16-4.mga8


# uname -a
Linux jupiter-vm-mageia-8-aarch64 6.1.27-desktop-2.mga8 #1 SMP PREEMPT_DYNAMIC Mon May  8 20:08:05 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux
# rpm -qa | grep 246.16 | sort
lib64systemd0-246.16-4.mga8
lib64udev-devel-246.16-4.mga8
lib64udev1-246.16-4.mga8
nss-myhostname-246.16-4.mga8
systemd-246.16-4.mga8
Comment 9 Brian Rockwell 2023-06-29 20:13:58 CEST 
MGA8-64, Plasma, AMD x3-450, Nouveau (real hardware)

The following 3 packages are going to be installed:

- lib64systemd0-246.16-4.mga8.x86_64
- systemd-246.16-4.mga8.x86_64
- systemd-devel-246.16-4.mga8.x86_64
- nss-myhostname-246.16-4.mga8.x86_64


-- reboooottttteeeeedd

System came up, processes are running and nothing notably awful is happening.

Works

CC: (none) => brtians1

Comment 10 Thomas Andrews 2023-07-01 01:58:11 CEST 
MGA8-64 Plasma, AMD Phenom II X4 910, AMD HD 8790. No installation issues.
Rebooted, tried some status commands, all seems OK.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA8-64-OK

Comment 11 Thomas Andrews 2023-07-01 02:27:11 CEST 
MGA8-32 Xfce on Foolishness, my Dell Inspiron 5100, P4, Radeon RV200.

No installation issues. rebooted, checked general status, no issues. Looks good here, too.

Validating.

CC: (none) => sysadmin-bugs
Whiteboard: MGA8-64-OK => MGA8-32-OK MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2023-07-06 22:53:47 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 12 Mageia Robot 2023-07-07 07:56:22 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0217.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED