Bug#912169: stretch-pu: package systemd/232-25+deb9u6

Michael Biebl biebl at debian.org
Sun Oct 28 19:09:17 GMT 2018


Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org at packages.debian.org
Usertags: pu

Dear release team,

a recently discovered vulnerability allows a malicious dhcp6 server
to overwrite heap memory in systemd-networkd. This can lead to a crash
(DoS) of networkd or, in the worst case, remote code execution [1].
I was contacted by the security team about this issue. As networkd is
not enabled by default, it wasn't deemed severe enough to be fixed via a
stable-security upload and a fix via a regular stable upload seemed
sufficient.
I already asked for a stable upload for 9.6 in [2]. I'm not sure what
the procedure is in such a case. Should I reupload 232-25+deb9u5 with
this fix included or make a 232-25+deb9u6 upload?
Assuming the latter is less work for the SRM team, I prepared a debdiff
for 232-25+deb9u6.
Please let me know what you prefer and how to proceed here.

I've also CCed kibi, as usual, for his ack. Since this only touches
networkd, d-i should not be affected.

The fix was also uploaded to unstable a few hours ago, so it hasn't
seen any real-world testing. But given that it's only a one-line change,
the regression potential is rather small.

Regards,
Michael

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912008
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908913

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 740787b..176bb0f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+systemd (232-25+deb9u6) stretch; urgency=medium
+
+  * dhcp6: Make sure we have enough space for the DHCP6 option header.
+    Fixes out-of-bounds heap write in systemd-networkd dhcpv6 option
+    handling.
+    (CVE-2018-15688, LP: #1795921, Closes: #912008)
+
+ -- Michael Biebl <biebl at debian.org>  Sun, 28 Oct 2018 18:02:10 +0100
+
 systemd (232-25+deb9u5) stretch; urgency=medium
 
   * networkd: Do not fail manager_connect_bus() if dbus is not active yet
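Review bot: the new changelog entry spells the protocol two ways, "DHCP6" in its first line and "dhcpv6" in its second; pick one spelling. Since the fix is a cherry-pick, naming the patch file or the upstream commit in the entry would also let a stable reviewer match it to debian/patches without opening the series file.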
diff --git a/debian/patches/dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-option.patch b/debian/patches/dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-option.patch
new file mode 100644
index 0000000..3a4ee04
--- /dev/null
+++ b/debian/patches/dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-option.patch
@@ -0,0 +1,29 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Fri, 19 Oct 2018 12:12:33 +0200
+Subject: dhcp6: make sure we have enough space for the DHCP6 option header
+
+Fixes a vulnerability originally discovered by Felix Wilhelm from
+Google.
+
+CVE-2018-15688
+LP: #1795921
+https://bugzilla.redhat.com/show_bug.cgi?id=1639067
+
+(cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892)
+---
+ src/libsystemd-network/dhcp6-option.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c
+index 5462e03..c12d008 100644
+--- a/src/libsystemd-network/dhcp6-option.c
++++ b/src/libsystemd-network/dhcp6-option.c
+@@ -101,7 +101,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
+                 return -EINVAL;
+         }
+ 
+-        if (*buflen < len)
++        if (*buflen < offsetof(DHCP6Option, data) + len)
+                 return -ENOBUFS;
+ 
+         ia_hdr = *buf;
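Review bot: in the dhcp6_option_append_ia() hunk the corrected test `*buflen < offsetof(DHCP6Option, data) + len` is the only change and the diffstat lists a single file, so nothing in this patch exercises the boundary. A unit test that calls the function with *buflen just below offsetof(DHCP6Option, data) + len and expects -ENOBUFS would guard the backport. The patch description also says only that a vulnerability is fixed; one sentence stating that the option header size was missing from the space check would make the header self-explanatory.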
diff --git a/debian/patches/series b/debian/patches/series
index 3c1ebbe..605f8cb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -85,6 +85,7 @@ login-change-variable-type-of-enable_wall_messages-as-it-.patch
 login-do-not-wall-message-on-cancelling-shutdown-when-Man.patch
 networkd-do-not-fail-manager_connect_bus-if-dbus-is-not-a.patch
 network-resolve-remove-comments-related-to-kdbus.patch
+dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-option.patch
 debian/Use-Debian-specific-config-files.patch
 debian/don-t-try-to-start-autovt-units-when-not-running-wit.patch
 debian/Make-logind-hostnamed-localed-timedated-D-Bus-activa.patch
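The effect of the one-line change in the attached patch, as an added example that is not part of the original mail or of systemd's source: a simplified model (hypothetical `Option` type with a 4-byte header, constructed 12-byte payload) showing that a payload-only space check accepts buffers up to 4 bytes too small for header plus payload, while the corrected check rejects them.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical option layout: 2-byte code, 2-byte length, then the payload.
 * A stand-in for illustration, not systemd's DHCP6Option. */
typedef struct { uint16_t code; uint16_t len; uint8_t data[]; } Option;
#define HDR offsetof(Option, data) /* 4 bytes of header precede the payload */

/* Check before the fix: only the payload length is compared with the space. */
static int check_payload_only(size_t buflen, size_t len) { return buflen < len ? -ENOBUFS : 0; }
/* Check after the fix: header plus payload must fit. */
static int check_header_and_payload(size_t buflen, size_t len) { return buflen < HDR + len ? -ENOBUFS : 0; }
/* Bytes that would land past the end of the buffer if the write went ahead. */
static size_t overrun(size_t buflen, size_t len) { return HDR + len > buflen ? HDR + len - buflen : 0; }

/* Append one option using the corrected check; advances *buf, shrinks *buflen. */
static int option_append(uint8_t **buf, size_t *buflen, uint16_t code,
                         const void *payload, uint16_t len) {
    if (check_header_and_payload(*buflen, len) < 0)
        return -ENOBUFS;
    (*buf)[0] = code >> 8; (*buf)[1] = code & 0xff; /* big-endian header */
    (*buf)[2] = len >> 8;  (*buf)[3] = len & 0xff;
    memcpy(*buf + HDR, payload, len);
    *buf += HDR + len;
    *buflen -= HDR + len;
    return 0;
}

/* Constructed input: a 12-byte payload appended into `cap` bytes of space
 * (cap <= 64). Returns the space left afterwards, or a negative errno. */
static long append_into(size_t cap) {
    uint8_t storage[64] = {0}, payload[12] = {0}, *p = storage;
    size_t left = cap;
    int r = option_append(&p, &left, 3, payload, sizeof(payload));
    return r < 0 ? r : (long) left;
}

int main(void) {
    for (size_t cap = 11; cap <= 16; cap++) /* old check passes from 12, new from 16 */
        printf("cap=%zu old=%d new=%d overrun=%zu\n", cap, check_payload_only(cap, 12),
               check_header_and_payload(cap, 12), overrun(cap, 12));
    return append_into(16) == 0 ? 0 : 1;
}
```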

