Bug#1059278: systemd: CVE-2023-7008

Jan Erik Petersen jpetersen at rootlair.com
Sun Dec 24 01:45:00 GMT 2023


Hi,

I'm the reporter of the bug at 
https://github.com/systemd/systemd/issues/25676. I'm sorry that I have 
to add to the bug at this time.

The commit[0] that was determined to have introduced this vulnerability 
is incorrect. Looking at the relevant diff[1] the commit merely 
introduced the use of the `FLAGS_SET` macro, but did not change the flag 
being read from the incorrect variable `t`. In the fix[2] this was 
changed to `dt`.

Note that the vulnerability has been previously reported[3] in March 
2020 on systemd v243+v244. Hence systemd v248 is definitely not the 
first version introducing the vulnerable code.

In fact, I have reproduced the issue right now on both Debian buster 
(10.13) with systemd 241-7~deb10u10 and Debian bullseye (11.8) with 
systemd 247.3-7+deb11u4.

I assume the vulnerability was introduced with the initial version[4] of 
the `dns_transaction_requires_rrsig` function, which already read the 
flag from `t`. This would have been in systemd v229, but I did not test 
any version older than v241.

I would add this information to the GitHub issue, but it has been 
locked. Perhaps a systemd contributor could relay this update, so that 
the misleading information does not spread.

Regards,
Jan Erik Petersen

[0] https://github.com/systemd/systemd/commit/6f055e43b817b66e6d4f6e4022f0a115dc35651b
[1] https://github.com/systemd/systemd/commit/6f055e43b817b66e6d4f6e4022f0a115dc35651b#diff-d63d6fd38d6a715e4ca052fc0fb65eda859f3822dbddffa4a87a3ee872e25eafL2621
[2] https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1
[3] https://github.com/systemd/systemd/issues/15158
[4] https://github.com/systemd/systemd/commit/105e151299dc1208855380be2b22d0db2d66ebc6