Bug#928102: systemd: CVE-2019-3843 CVE-2019-3844

[Salvatore Bonaccorso]

Source: systemd
Version: 241-3
Severity: important
Tags: security upstream
Control: found -1 232-25+deb9u11
Control: found -1 232-1

Hi,

The following vulnerabilities were published for systemd.

CVE-2019-3843[0]:
| It was discovered that a systemd service that uses DynamicUser
| property can create a SUID/SGID binary that would be allowed to run as
| the transient service UID/GID even after the service is terminated. A
| local attacker may use this flaw to access resources that will be
| owned by a potentially different service in the future, when the
| UID/GID will be recycled.


CVE-2019-3844[1]:
| It was discovered that a systemd service that uses DynamicUser
| property can get new privileges through the execution of SUID
| binaries, which would allow to create binaries owned by the service
| transient group with the setgid bit set. A local attacker may use this
| flaw to access resources that will be owned by a potentially different
| service in the future, when the GID will be recycled.

More details are in [2] and [3].

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3843
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3843
[1] https://security-tracker.debian.org/tracker/CVE-2019-3844
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3844
[2] https://bugs.chromium.org/p/project-zero/issues/detail?id=1771
[3] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596

Please adjust the affected versions in the BTS as needed. I think
affected versions are back to the one in  stretch were support for
DynamicUsers were added. Overall though the issue seems to be low
impacted, thus I have marked it as no-dsa for stretch, but let us know
if this is wrong assessment for severity.

Regards,
Salvatore