Bug#825059: CVE-2015-8842
Michael Biebl
biebl at debian.org
Fri Jul 1 16:28:11 BST 2016
Hi Moritz
On Mon, 23 May 2016 09:49:38 +0200 Moritz Muehlenhoff <jmm at debian.org>
wrote:
> Package: systemd
> Version: 215-17+deb8u4
> Severity: important
> Tags: security patch
>
> As discussed on IRC it would be great if CVE-2015-8842 could be fixed
> in a jessie point release. Please see here for further links:
> https://security-tracker.debian.org/tracker/CVE-2015-8842
I looked into this today.
The faulty commit was introduced in v213 by the commit referenced in the
security tracker.
There was a followup commit in v214:

  commit 176f2acf8dee45fee832fd2ab07243f63783a238
  Author: Lennart Poettering <lennart at poettering.net>
  Date: Wed Jun 11 10:23:16 2014 +0200

      tmpfiles: don't allow read access to journal files to users not in systemd-journal

      Also, don't apply access mode recursively to /var/log/journal/*/, since
      that might be quite large, and should be correct anyway.

This means users who installed jessie from scratch and never had 214-1
installed won't be affected.
Only if an (unstable) user had /var/log/journal enabled and 214-1
installed in the past, he might end up with a systemd.journal which has
the wrong permissions.
The commit [1] basically fixes up borked permissions of existing
system.journal files. And if he's an (up-to-date) unstable user, he has
already received the update in 230-1.
So, considering this, I don't think this will be an issue in practice
and I think we can safely close this issue.
Waiting for your confirmation though, before doing so.
Regards,
Michael
[1]
https://github.com/systemd/systemd/commit/afae249efa4774c6676738ac5de6aeb4daf4889f
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
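
Added example, not part of the original message and not systemd code: a shell check for the condition discussed above, journal files under /var/log/journal that are readable by users outside systemd-journal. It assumes GNU find and stat, treats a set "other" read bit as the wrong permission, and does not inspect ACLs; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report journal files that any local user can read.
# Assumption: "wrong permissions" means the "other" read bit is set on a
# *.journal file. ACL entries are not examined here.

# find_world_readable_journals [DIR]
# Prints one line per offending file: "<octal mode> <owner>:<group> <path>".
find_world_readable_journals() {
    dir=${1:-/var/log/journal}
    # No directory means persistent journalling is not enabled: nothing to check.
    [ -d "$dir" ] || return 0
    find "$dir" -type f -name '*.journal' -perm -004 \
        -exec stat -c '%a %U:%G %n' {} +
}

# journal_perms_ok [DIR]
# Returns 0 when no journal file is world-readable, 1 otherwise
# (the offending files are listed on stderr).
journal_perms_ok() {
    bad=$(find_world_readable_journals "$1")
    if [ -n "$bad" ]; then
        printf 'journal files readable by all users:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage on a host (run as root so every machine-id directory is visible):
#   journal_perms_ok /var/log/journal && echo "no world-readable journal files"
```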