systemd update for bullseye to fix CVE-2025-4598
Carlos Henrique Lima Melara
charles at debian.org
Thu Jun 26 03:41:41 BST 2025
Hi systemd maintainers and LTS folks,
I have prepared a fix for CVE-2025-4598 by mainly backporting the fixes
for systemd's stable version 252 and a required macro. Since systemd is
a very high profile package, I'd love a second (and a third :-) pair of
eyes looking at the changes. They are available in my salsa namespace
[1] and attached as debdiff. To test the fix, one can create a VM using
QEMU/debvm/incus --vm and run a reverse-engineered PoC sent to
oss-security [2]. Just make sure you run it as regular user with a
restricted pid_max (sysctl kernel.pid_max=1000) and use getfacl to see
if the regular user has read permission on the dump.
On a separate but important aspect, I've stumbled upon a buffer overflow
when running "systemd-run -t --property CoredumpFilter=all ls /tmp"
because it was in the coredump unit test. This does not have a CVE
assigned but it is a bug that might be worth fixing since it was
backported to systemd stable releases 253, 252 and 251 [3] (the feature
was introduced in systemd 246). I'm seeking advice if this bug should be
fixed in this bullseye update. The bug:
root at teste:~# systemd-run -t --property CoredumpFilter=all ls /tmp
Running as unit: run-u9.service
Press ^] three times within 1s to disconnect TTY.
*** buffer overflow detected ***: terminated
On a last note to systemd maintainers, currently we host the packaging
for LTS/ELTS in a fork under lts-team namespace [4], but it would be
nice to have it in the official repo. If you are okay with the idea,
please let me know and we can make the arrangements to use the official
one.
Cheers,
Charles
[1] https://salsa.debian.org/charles/systemd/-/tree/debian/bullseye
[2] https://www.openwall.com/lists/oss-security/2025/06/05/1
[3] https://github.com/systemd/systemd/pull/27421
[4] https://salsa.debian.org/lts-team/packages/systemd
-------------- next part --------------
A non-text attachment was scrubbed...
Name: systemd_247.3-7+deb11u7.diff
Type: text/x-diff
Size: 30029 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20250625/b3213662/attachment-0001.diff>
More information about the Pkg-systemd-maintainers
mailing list