Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Various systemd vulnerabilities

Here you can discuss every aspect of Debian. Note: not for support requests!
Post Reply
Message
Author
User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Various systemd vulnerabilities

#1 Post by Head_on_a_Stick »

The bloated code base of systemd hides many potential vulnerabilities, some new ones have just been uncovered:

https://security-tracker.debian.org/tra ... 2018-16864

https://security-tracker.debian.org/tra ... 2018-16865

https://security-tracker.debian.org/tra ... 2018-16866

Hopefully they'll be fixed soon.
deadbang

User avatar
llivv
Posts: 5340
Joined: 2007-02-14 18:10
Location: cold storage

Re: Various systemd vulnerabilities

#2 Post by llivv »

doesn't ipleak.net say it all? ( icon for groooan here)
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.

User avatar
golinux
Posts: 1579
Joined: 2010-12-09 00:56
Location: not a 'buntard!
Been thanked: 1 time

Re: Various systemd vulnerabilities

#3 Post by golinux »

Just the tip of the iceberg . . . way to go Debian . . . great choice to follow the CorporateCamelCaseComedians . . .
May the FORK be with you!

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Various systemd vulnerabilities

#4 Post by bw123 »

Well thanks for the heads-up, my first reaction was check the backport ver, but it's 239 and the problems have been fixed in ver 240 FWICT?

Even if we get these fixed, I'm thinking yeah maybe tip of the iceberg. Hard to find the bugs, hard to implement the fixes. Some of these go way back.

I didn;t spend any time at all trying to understand what the bugs are or how serious or anything... why bother? nothing to do about it anyway.
resigned by AI ChatGPT

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Various systemd vulnerabilities

#5 Post by Head_on_a_Stick »

Before we all get carried away, please note that the vulnerabilities are local in nature unless systemd-journal-remote is enabled, which is unlikely.
deadbang

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: Various systemd vulnerabilities

#6 Post by Wheelerof4te »

Chill your horses, the vulns are fixed:
https://lists.debian.org/debian-securit ... 00005.html

And we are all alive.

User avatar
sunrat
Administrator
Administrator
Posts: 6412
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 116 times
Been thanked: 462 times

Re: Various systemd vulnerabilities

#7 Post by sunrat »

Wheelerof4te wrote:Chill your horses, the vulns are fixed:
https://lists.debian.org/debian-securit ... 00005.html

And we are all alive.
Thank $(deity)! I dread the day systemd causes the end of the human race as seemingly predicted by some correspondents. We all thought it would be climate change, pollution, or global nuclear war. :mrgreen:
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Various systemd vulnerabilities

#8 Post by bw123 »

That's great. Thanks for keeping people aware of the work being done.
https://bugs.debian.org/cgi-bin/pkgrepo ... t=unstable
https://github.com/systemd/systemd/issues
resigned by AI ChatGPT

pendrachken
Posts: 1394
Joined: 2007-03-04 21:10
Location: U.S.A. - WI.

Re: Various systemd vulnerabilities

#9 Post by pendrachken »

Head_on_a_Stick wrote:Before we all get carried away, please note that the vulnerabilities are local in nature unless systemd-journal-remote is enabled, which is unlikely.

Thank the gods and goddesses, I mean it's not like most of these machines are connected to the internet and every single exploit to shell as a user has been patched on these multiuser machines! Wait, you mean there are other bugs that allow a remote attacker to get a local shell?

Oh wait. Any vulnerability in some random piece of software that lets a remote attacker get a limited shell on a system is *drum roll* all of a sudden a local presence. And now able to gain root with these exploits. Way to understand what's going on here.

Here's hoping the bugfixes don't insert new bugs, but I won't hold my breath.
fortune -o
Your love life will be... interesting.
:twisted: How did it know?

The U.S. uses the metric system too, we have tenths, hundredths and thousandths of inches :-P

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Various systemd vulnerabilities

#10 Post by Head_on_a_Stick »

pendrachken wrote:Way to understand what's going on here
Just for the record: I don't understand the vulnerabilities at all, nor have I claimed to. I was just letting people know about them.

Btw you have some spittle on your chin, perhaps wipe it off? :mrgreen:
deadbang

User avatar
llivv
Posts: 5340
Joined: 2007-02-14 18:10
Location: cold storage

Re: Various systemd vulnerabilities

#11 Post by llivv »

sunrat wrote:
Wheelerof4te wrote:Chill your horses, the vulns are fixed:
https://lists.debian.org/debian-securit ... 00005.html

And we are all alive.
Thank $(deity)! I dread the day systemd causes the end of the human race as seemingly predicted by some correspondents. We all thought it would be climate change, pollution, or global nuclear war. :mrgreen:
every little bit helps :wink: of course the (gernerally accepted) global business model don't leave much room for anything that doesn't add $$ to the cook books
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.

pendrachken
Posts: 1394
Joined: 2007-03-04 21:10
Location: U.S.A. - WI.

Re: Various systemd vulnerabilities

#12 Post by pendrachken »

Head_on_a_Stick wrote:
pendrachken wrote:Way to understand what's going on here
Just for the record: I don't understand the vulnerabilities at all, nor have I claimed to. I was just letting people know about them.

Btw you have some spittle on your chin, perhaps wipe it off? :mrgreen:

Well then you are contributing to the problem. If you "don't understand" whats going on don't say "everything's fine, nothing to worry about". Especially when there actually ARE issues that should worry anyone who looks at the actual vulnerabilities for more than half a second.
fortune -o
Your love life will be... interesting.
:twisted: How did it know?

The U.S. uses the metric system too, we have tenths, hundredths and thousandths of inches :-P

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Various systemd vulnerabilities

#13 Post by Head_on_a_Stick »

pendrachken wrote:don't say "everything's fine, nothing to worry about"
And where did I say that?

I linked to the actual bug reports in the OP, the post which attracted your ire was an attempt to stop the tin-foil hat wearing conspiracy theorist nutcases from hi-jacking the thread.

Also, what problem, exactly? Have you run out of tin-foil? :mrgreen:
deadbang

pendrachken
Posts: 1394
Joined: 2007-03-04 21:10
Location: U.S.A. - WI.

Re: Various systemd vulnerabilities

#14 Post by pendrachken »

Are you intentionally being obtuse?
Let's see, you said:
[quote]
Before we all get carried away, please note that the vulnerabilities are LOCAL in nature unless systemd-journal-remote is enabled, which is unlikely.
[/code]

Emphasis added. You completely ignore that it is a local SHELL that can be elevated.

Yeah, I'm almost out of tin foil because I know that there are still tons of vulnerabilities in systems that can lead to a local shell escape. Silly me for thinking logically that an attacker on my systems would not stop at a single exploit :roll:
fortune -o
Your love life will be... interesting.
:twisted: How did it know?

The U.S. uses the metric system too, we have tenths, hundredths and thousandths of inches :-P

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Various systemd vulnerabilities

#15 Post by Head_on_a_Stick »

pendrachken wrote:You completely ignore that it is a local SHELL that can be elevated
Did I question your assertion?

My statement was taken from the Debian bug reports, perhaps go whine at them instead?

Please refrain from further off-topic posting else the thread will be locked.
deadbang

User avatar
golinux
Posts: 1579
Joined: 2010-12-09 00:56
Location: not a 'buntard!
Been thanked: 1 time

Re: Various systemd vulnerabilities

#16 Post by golinux »

(golinux is soooo missing dasein's wit and wisdom . . . sheds a tear and sighs)
May the FORK be with you!

pendrachken
Posts: 1394
Joined: 2007-03-04 21:10
Location: U.S.A. - WI.

Re: Various systemd vulnerabilities

#17 Post by pendrachken »

Go ahead and lock it, see if I care.

Correcting misinformation is not offtopic. It is extremely ON topic. I'll call out B.S. when I see it, golinux might miss dasein, but I will always channel my inner RickH.
fortune -o
Your love life will be... interesting.
:twisted: How did it know?

The U.S. uses the metric system too, we have tenths, hundredths and thousandths of inches :-P

xepan
Posts: 89
Joined: 2018-11-28 06:38

Re: Various systemd vulnerabilities

#18 Post by xepan »

pendrachken wrote:Go ahead and lock it, see if I care.

Correcting misinformation is not offtopic. It is extremely ON topic. I'll call out B.S. when I see it, golinux might miss dasein, but I will always channel my inner RickH.
It nearly seems bald-faced to mention someone like dasein in the same sentence as rickh.
But sure, good point.

Post Reply