Bug 11339 - Multiple vulnerabilities in systemd (CVE-2013-4391, CVE-2013-4392, CVE-2013-4393, CVE-2013-4394)
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Colin Guthrie
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/570330/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-01 12:33 CEST by Oden Eriksson
Modified: 2016-12-13 20:23 CET

See Also:
Source RPM: systemd
CVE:
Status comment:

Description Oden Eriksson 2013-10-01 12:33:23 CEST
http://www.openwall.com/lists/oss-security/2013/10/01/5

"Date: Tue, 01 Oct 2013 12:56:23 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [CVE request] systemd

Hi All,

I would like to request CVE ids for 4 systemd issues.

1. systemd: Integer overflow, leading to heap-based buffer overflow by
processing native messages
https://bugzilla.redhat.com/show_bug.cgi?id=859051

2. systemd: TOCTOU race condition when updating file permissions and
SELinux security contexts
https://bugzilla.redhat.com/show_bug.cgi?id=859060

3. systemd: Possibility of denial of logging service by processing
native messages from file
https://bugzilla.redhat.com/show_bug.cgi?id=859104

4. systemd: Improper sanitization of invalid XKB layouts descriptions
(privilege escalation when custom PolicyKit local authority file used)
https://bugzilla.redhat.com/show_bug.cgi?id=862324

Thanks!


-- 
Huzaifa Sidhpurwala / Red Hat Security Response Team"

David Walser 2013-10-01 15:25:15 CEST

Version: 2 => Cauldron
Assignee: bugsquad => mageia
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 Colin Guthrie 2013-10-01 15:39:21 CEST
I'm pretty sure none of these affects mga3 (certainly the patch for 1 is already included, we do not use SELinux so I suspect 2 does not apply. For 4 I suspect the fix is 0b507b17a760b21e33fc52ff377db6aa5086c680 which we have - not 100% sure about 3 yet).

As for mga2, 2 still does not apply. 4 might apply, and 1 and 2 might again also apply.

Without knowing the fixes that are applied I cannot say for sure.

Col
Comment 2 Oden Eriksson 2013-10-01 18:13:49 CEST
On 10/01/2013 01:26 AM, Huzaifa Sidhpurwala wrote:
> Hi All,
>
> I would like to request CVE ids for 4 systemd issues.
>
> 1. systemd: Integer overflow, leading to heap-based buffer overflow
> by processing native messages
> https://bugzilla.redhat.com/show_bug.cgi?id=859051

Please use CVE-2013-4391 for this issue.

> 2. systemd: TOCTOU race condition when updating file permissions
> and SELinux security contexts
> https://bugzilla.redhat.com/show_bug.cgi?id=859060

Please use CVE-2013-4392 for this issue.

> 3. systemd: Possibility of denial of logging service by processing
> native messages from file
> https://bugzilla.redhat.com/show_bug.cgi?id=859104

Please use CVE-2013-4393 for this issue.

> 4. systemd: Improper sanitization of invalid XKB layouts
> descriptions (privilege escalation when custom PolicyKit local
> authority file used)
> https://bugzilla.redhat.com/show_bug.cgi?id=862324

Please use CVE-2013-4394 for this issue.

> Thanks!
>
>


--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
David Walser 2013-10-14 18:43:28 CEST

URL: http://www.openwall.com/lists/oss-security/2013/10/01/5 => http://lwn.net/Vulnerabilities/570330/

Comment 3 Oden Eriksson 2013-10-29 08:44:15 CET
======================================================
Name: CVE-2013-4391
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4391
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: MLIST:[oss-security] 20131001 Re: [CVE request] systemd
Reference: URL:http://www.openwall.com/lists/oss-security/2013/10/01/9
Reference: CONFIRM:http://cgit.freedesktop.org/systemd/systemd/commit/?id=505b6a61c22d5565e9308045c7b9bf79f7d0517e
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=859051

Integer overflow in the valid_user_field function in
journal/journald-native.c in systemd allows remote attackers to cause
a denial of service (crash) and possibly execute arbitrary code via a
large journal data field, which triggers a heap-based buffer overflow.



======================================================
Name: CVE-2013-4392
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4392
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: MLIST:[oss-security] 20131001 Re: [CVE request] systemd
Reference: URL:http://www.openwall.com/lists/oss-security/2013/10/01/9
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=859060

systemd, when updating file permissions, allows local users to change
the permissions and SELinux security contexts for arbitrary files via
a symlink attack on unspecified files.



======================================================
Name: CVE-2013-4393
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4393
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: MLIST:[oss-security] 20131001 Re: [CVE request] systemd
Reference: URL:http://www.openwall.com/lists/oss-security/2013/10/01/9
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=859104

journald in systemd, when the origin of native messages is set to
file, allows local users to cause a denial of service (logging service
blocking) via a crafted file descriptor.



======================================================
Name: CVE-2013-4394
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4394
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: MLIST:[oss-security] 20131001 Re: [CVE request] systemd
Reference: URL:http://www.openwall.com/lists/oss-security/2013/10/01/9
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=862324

The SetX11Keyboard function in systemd, when PolicyKit Local Authority
(PKLA) is used to change the group permissions on the X Keyboard
Extension (XKB) layouts description, allows local users in the group
to modify the Xorg X11 Server configuration file and possibly gain
privileges via vectors involving "special and control characters."
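
The bug class named in the CVE-2013-4391 description above, a length taken from the message overflowing an integer bounds check, shown beside an overflow-safe check. This is an added example, not systemd's code and not part of the bug report; the field framing (name, newline, 64-bit little-endian length, data, newline) and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed framing for this example: NAME '\n' <u64 little-endian length> DATA '\n' */

static uint64_t read_le64(const unsigned char *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Flawed check: hdr + len + 1 wraps around for a huge len, so the test passes. */
int length_ok_unsafe(size_t remaining, size_t hdr, uint64_t len) {
    return hdr + len + 1 <= remaining;
}

/* Safe check: subtract from what is left instead of adding to an untrusted value. */
int length_ok_safe(size_t remaining, size_t hdr, uint64_t len) {
    if (remaining < hdr + 1)
        return 0;
    return len <= remaining - hdr - 1;
}

/* Returns a pointer to DATA inside buf and stores its length, or NULL if malformed. */
const unsigned char *parse_field(const unsigned char *buf, size_t n, size_t *out_len) {
    const unsigned char *nl = memchr(buf, '\n', n);
    if (!nl || nl == buf)
        return NULL;                          /* no name terminator, or empty name */
    size_t hdr = (size_t)(nl - buf) + 1 + 8;  /* name, '\n', eight length bytes */
    if (n < hdr)
        return NULL;                          /* length field is truncated */
    uint64_t len = read_le64(nl + 1);
    if (!length_ok_safe(n, hdr, len))
        return NULL;                          /* declared length exceeds the buffer */
    if (buf[hdr + len] != '\n')
        return NULL;                          /* missing trailing newline */
    *out_len = (size_t)len;
    return buf + hdr;
}

int main(void) {
    /* Constructed sample: field "MSG" whose declared length is 2^64 - 1. */
    unsigned char bad[18] = { 'M','S','G','\n', 255,255,255,255,255,255,255,255, 'h','e','l','l','o','\n' };
    size_t len = 0;
    printf("unsafe check accepts: %d\n", length_ok_unsafe(sizeof bad, 12, read_le64(bad + 4)));
    printf("parser accepts: %d\n", parse_field(bad, sizeof bad, &len) != NULL);
}
```
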
Oden Eriksson 2013-10-31 12:28:14 CET

Summary: Multiple vulnerabilities in systemd => Multiple vulnerabilities in systemd (CVE-2013-4391, CVE-2013-4392, CVE-2013-4393, CVE-2013-4394)

David Walser 2013-11-21 23:05:17 CET

Blocks: (none) => 11726

Comment 4 David Walser 2013-11-22 16:13:27 CET
Removing Mageia 2 from the whiteboard due to EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

CC: (none) => luigiwalser
Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO

Comment 5 David Walser 2014-01-23 20:23:43 CET
Red Hat's bugs for these CVEs say that the systemd versions in Fedora 18 and 19 (systemd 201 as of their posting) are not affected by these, so Cauldron is certainly not affected. Mageia 3 still may be.

Version: Cauldron => 3
Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)

Comment 6 Sander Lepik 2014-10-04 14:47:42 CEST
Colin, can we close this bug?

CC: (none) => mageia

Comment 7 David Walser 2014-11-27 15:54:02 CET
Closing due to Mageia 3 EOL:
http://blog.mageia.org/en/2014/11/26/lets-say-goodbye-to-mageia-3/

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 8 David Walser 2016-12-13 20:23:25 CET
LWN reference for CVE-2016-4393:
https://lwn.net/Vulnerabilities/709006/
