Bug#924255: stretch-pu: package systemd/232-25+deb9u10
Michael Biebl
biebl at debian.org
Sun Mar 10 15:55:24 GMT 2019
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org at packages.debian.org
Usertags: pu
Hi,
I'd like to make a stable upload for systemd, fixing 5 separate issues.
Two of them have a CVE.
The changelog is
systemd (232-25+deb9u10) stretch; urgency=medium
* journald: fix assertion failure on journal_file_link_data (Closes: #916880)
https://salsa.debian.org/systemd-team/systemd/commit/67a3135d9c9b66b64544dd96a6741a86058ba7a8
* tmpfiles: fix "e" to support shell style globs (Closes: #918400)
https://salsa.debian.org/systemd-team/systemd/commit/a1f9aa01624edc01bbbf50203fd35dd261d7480f
* mount-util: accept that name_to_handle_at() might fail with EPERM.
Container managers frequently block name_to_handle_at(), returning
EACCES or EPERM when this is issued. Accept that, and simply fall back
to fdinfo-based checks. (Closes: #917122)
https://salsa.debian.org/systemd-team/systemd/commit/169eb2b486b832ef88746e9d25c4b181cabac5c2
* automount: ack automount requests even when already mounted.
Fixes a race condition in systemd which could result in automount requests
not being serviced and processes using them to hang, causing denial of
service. (CVE-2018-1049)
https://salsa.debian.org/systemd-team/systemd/commit/2cae426a3e753f74ec8e829217dc9090abcfcf4d
* core: when deserializing state always use read_line(…, LONG_LINE_MAX, …)
Fixes improper serialization on upgrade which can influence systemd
execution environment and lead to root privilege escalation.
(CVE-2018-15686, Closes: #912005)
https://salsa.debian.org/systemd-team/systemd/commit/82a114295a4ef123925d02081255fe88bec4867c
The fix for CVE-2018-15686/#912005 is the most invasive one. I based it
partially on what was uploaded to old-stable by the debian-lts team.
With this patch applied, the demo exploit from [1] no longer causes
systemctl stop to hang.
That said, I would appreciate a second pair of eyes to look over the
patch.
As usual, KiBi is in CC as we build a udeb. Though the code changes
above should not affect udev.
Regards,
Michael
[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1687
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
More information about the Pkg-systemd-maintainers
mailing list