Fedora has issued an advisory on April 9:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131370.html

Mageia 4 would also be affected. Mageia 3 may be as well.

The RedHat bug links the upstream commit to fix the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1084286

Fedora added this patch in Fedora 20:
http://pkgs.fedoraproject.org/cgit/systemd.git/plain/0369-ask-password-when-the-user-types-a-overly-long-passw.patch?h=f20&id=4f94566dd7aff548bbce5de481e19236171ca61d
Whiteboard: (none) => MGA4TOO, MGA3TOO
Thanks for that, David. I'll update to the latest v208-stable, which should sort that out, and look into backporting said patch to mga3 too.
CVE request: http://openwall.com/lists/oss-security/2014/04/17/3
Packages are now available in MGA3 and MGA4:

SRPMS: systemd-195-22.2.mga3, systemd-208-10.5.mga4

I've so far done general stability testing in MGA4/64 (two machines) but no longer have any MGA3 machines :(

The fix is really simple, so I think just general stability tests are sufficient (ideally booting in a range of different setups - especially on MGA4 where various other "stable release" patches are included (keeps our package similar to fedora's))

Advisory Text
=============
A stack-based buffer overflow was found in systemd-ask-password, a utility used to query a system password or passphrase from the user, using a question message specified on the command line. A local user could use this flaw to crash the binary or even execute arbitrary code with the permissions of the user running the program.

The systemd packages shipped with Mageia 3 and 4 have been updated to address this vulnerability.

Additionally, the Mageia 4 packages include various other general stability and performance fixes deemed appropriate for the stable updates.
Assignee: mageia => qa-bugs
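The class of bug named in the advisory text above (a fixed-size stack buffer filled while the user types an overly long password), shown in its bounded form as an added illustration; this is not code from the bug thread, from the linked patch or from systemd. The character-at-a-time prompt loop, the helper name `read_passphrase` and the small `PASS_MAX` are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

#define PASS_MAX 16  /* assumed small size so the limit is easy to hit */

/* Hypothetical helper: consumes keystrokes from `keys` as a TTY prompt loop
 * would, one byte at a time, into out[PASS_MAX]. Returns the stored length;
 * *rejected counts keystrokes refused because the buffer was full. */
size_t read_passphrase(const char *keys, size_t n_keys,
                       char out[PASS_MAX], size_t *rejected)
{
    size_t p = 0;
    *rejected = 0;

    for (size_t i = 0; i < n_keys; i++) {
        char c = keys[i];

        if (c == '\n')                  /* Enter ends the input */
            break;
        if (c == '\b' || c == 127) {    /* backspace/DEL removes one char */
            if (p > 0)
                p--;
            continue;
        }
        /* The bound check: keep one byte for the terminator and refuse
         * anything beyond that instead of writing past the array. */
        if (p >= PASS_MAX - 1) {
            (*rejected)++;
            continue;
        }
        out[p++] = c;
    }
    out[p] = '\0';
    return p;
}

/* Constructed input: 40 keystrokes followed by Enter. */
int main(void)
{
    char keys[41], pass[PASS_MAX];
    size_t rejected;

    memset(keys, 'A', 40);
    keys[40] = '\n';
    size_t n = read_passphrase(keys, sizeof keys, pass, &rejected);
    return (n == PASS_MAX - 1 && rejected == 25) ? 0 : 1;
}
```

Without the `p >= PASS_MAX - 1` check, the 16th and later keystrokes would be written past the end of the stack array, which is the failure mode the advisory describes.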
Note that this probably won't get a CVE:
http://openwall.com/lists/oss-security/2014/04/17/4

As far as the advisory, this should be included in the references:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131370.html

Package list:
systemd-195-22.2.mga3
systemd-tools-195-22.2.mga3
systemd-units-195-22.2.mga3
python-systemd-195-22.2.mga3
systemd-devel-195-22.2.mga3
libsystemd-daemon0-195-22.2.mga3
libsystemd-login0-195-22.2.mga3
libsystemd-journal0-195-22.2.mga3
libsystemd-id128_0-195-22.2.mga3
libudev1-195-22.2.mga3
libudev-devel-195-22.2.mga3
libgudev1.0_0-195-22.2.mga3
libgudev-gir1.0-195-22.2.mga3
libgudev1.0-devel-195-22.2.mga3
systemd-208-10.5.mga4
systemd-units-208-10.5.mga4
python-systemd-208-10.5.mga4
systemd-devel-208-10.5.mga4
nss-myhostname-208-10.5.mga4
libsystemd-daemon0-208-10.5.mga4
libsystemd-login0-208-10.5.mga4
libsystemd-journal0-208-10.5.mga4
libsystemd-id128_0-208-10.5.mga4
libudev1-208-10.5.mga4
libudev-devel-208-10.5.mga4
libgudev1.0_0-208-10.5.mga4
libgudev-gir1.0-208-10.5.mga4
libgudev1.0-devel-208-10.5.mga4

from SRPMS:
systemd-195-22.2.mga3.src.rpm
systemd-208-10.5.mga4.src.rpm
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
No regressions noticed mga4 64
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
No regressions noticed mga3 64 or mga4 32.
Needs tests mga3 32 to validate.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok
Testing on Mga4, i586. I'll report back in a few days.
CC: (none) => wassi
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
systemd

default install of systemd

[root@localhost wilcal]# urpmi systemd
Package systemd-195-22.1.mga3.i586 is already installed

Test system works and is stable with many apps.

install package from updates_testing

[root@localhost wilcal]# urpmi systemd
Package systemd-195-22.2.mga3.i586 is already installed

Test system works and is stable with many apps.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
CC: (none) => wilcal.int
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
For me this update works fine
Testing complete on Mga4, i586. Everything works fine, no regressions noticed.
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates?

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0188.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED