Headline
CVE-2012-1101: #662029 - systemd: local denial of login or local users can create arbitrary services (CVE-2012-1101)
systemd 37-1 does not properly handle non-existent services, which causes a denial of service (failure of login procedure).
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#662029; Package systemd. (Sat, 03 Mar 2012 18:12:05 GMT) (full text, mbox, link).
Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tollef Fog Heen <tfheen@debian.org>. (Sat, 03 Mar 2012 18:12:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: systemd
Version: 37-1
Severity: important
Tags: security
Forwarded: https://bugzilla.redhat.com/show_bug.cgi?id=680122
By invoking systemctl status somename.service any user can create an entry in systemd’s service list. If this list gets too large the login procedure can fail. It is not tracked which user created the entries.
Thanks to Michael Biebl for helping me understand the issue. Lennart Poettering later explained that the issue is already known and fixed in git commit 9a46fc3b9014de1bf0ed1f3004a536b08a19ebb3.
Helmut
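An audit helper for the behaviour reported above, added here as an example (it is not code from this bug log or from systemd): it parses `systemctl list-units --all --no-legend --plain` output, whose column layout (UNIT LOAD ACTIVE SUB DESCRIPTION) and `--plain` flag are assumed, and reports how many entries are loaded as `not-found`, the state a unit gets when it exists only because its name was queried. The sample output and the threshold are constructed for the example.

```python
"""Audit helper for the unit-list bloat behind CVE-2012-1101 (added example,
not systemd's or the bug reporter's code). It parses `systemctl list-units
--all --no-legend --plain` output, assumed to be columns UNIT LOAD ACTIVE SUB
DESCRIPTION, and counts entries whose LOAD state is `not-found`: names that
exist only because something queried them."""
import re
import subprocess
from collections import Counter

# Constructed sample output (not captured from a real host).
SAMPLE_OUTPUT = """\
cron.service      loaded    active   running Regular background program processing daemon
ssh.service       loaded    active   running OpenBSD Secure Shell server
zzz-0001.service  not-found inactive dead    zzz-0001.service
zzz-0002.service  not-found inactive dead    zzz-0002.service
zzz-0003.service  not-found inactive dead    zzz-0003.service
typo.service      not-found inactive dead    typo.service
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_units(text):
    """Yield (unit, load, active, sub) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.lstrip("●* "))  # drop any status bullet column
        if m:
            yield m.groups()

def not_found_units(text):
    """Names of units whose LOAD state is not-found."""
    return [unit for unit, load, _active, _sub in parse_units(text) if load == "not-found"]

def bloat_report(text, threshold=100):
    """Count not-found entries and flag the most common name prefix; a burst
    of similar names is the pattern an unprivileged status-query loop leaves."""
    names = not_found_units(text)
    prefixes = Counter(re.sub(r"-?\d*\.service$", "", n) for n in names)
    top = prefixes.most_common(1)[0] if prefixes else ("", 0)
    return {"not_found": len(names), "over_threshold": len(names) >= threshold,
            "top_prefix": top[0], "top_prefix_count": top[1]}

def live_report(threshold=100):
    """Query this host's systemd (assumes a modern systemctl with --plain)."""
    out = subprocess.run(["systemctl", "list-units", "--all", "--no-legend", "--plain"],
                         capture_output=True, text=True, check=True).stdout
    return bloat_report(out, threshold)

if __name__ == "__main__":
    print(bloat_report(SAMPLE_OUTPUT, threshold=3))
```

On a fixed systemd (the upstream commit cited above garbage-collects such entries) the not-found count should stay small and stable; a steadily growing count, or many entries sharing one prefix, is the signal to investigate.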
Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#662029; Package systemd. (Sun, 04 Mar 2012 08:12:03 GMT) (full text, mbox, link).
Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>. (Sun, 04 Mar 2012 08:12:03 GMT) (full text, mbox, link).
Message #10 received at 662029@bugs.debian.org (full text, mbox, reply):
On Sat, Mar 03, 2012 at 06:39:57PM +0100, Helmut Grohne wrote:
> Package: systemd
> Version: 37-1
> Severity: important
> Tags: security
> Forwarded: https://bugzilla.redhat.com/show_bug.cgi?id=680122
>
> By invoking systemctl status somename.service any user can create an entry in systemd’s service list. If this list gets too large the login procedure can fail. It is not tracked which user created the entries.
>
> Thanks to Michael Biebl for helping me understand the issue. Lennart Poettering later explained that the issue is already known and fixed in git commit 9a46fc3b9014de1bf0ed1f3004a536b08a19ebb3.
>
> Helmut
Does this security issue have a CVE identifier assigned? I can request one if needed.
- Henri Salo
Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#662029; Package systemd. (Sun, 04 Mar 2012 09:00:04 GMT) (full text, mbox, link).
Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>. (Sun, 04 Mar 2012 09:00:27 GMT) (full text, mbox, link).
Message #15 received at 662029@bugs.debian.org (full text, mbox, reply):
On Sun, Mar 04, 2012 at 10:08:47AM +0200, Henri Salo wrote:
> On Sat, Mar 03, 2012 at 06:39:57PM +0100, Helmut Grohne wrote:
> > Forwarded: https://bugzilla.redhat.com/show_bug.cgi?id=680122
>
> Does this security issue have a CVE identifier assigned? I can request one if needed.
I don’t think so. As you can see in Redhat’s bugzilla, the issue started out as a simple bug. The security impact was realized later on.
Helmut
Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#662029; Package systemd. (Sun, 04 Mar 2012 09:33:04 GMT) (full text, mbox, link).
Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>. (Sun, 04 Mar 2012 09:33:15 GMT) (full text, mbox, link).
Message #20 received at 662029@bugs.debian.org (full text, mbox, reply):
On Sun, Mar 04, 2012 at 09:49:45AM +0100, Helmut Grohne wrote:
> On Sun, Mar 04, 2012 at 10:08:47AM +0200, Henri Salo wrote:
> > On Sat, Mar 03, 2012 at 06:39:57PM +0100, Helmut Grohne wrote:
> > > Forwarded: https://bugzilla.redhat.com/show_bug.cgi?id=680122
> >
> > Does this security issue have a CVE identifier assigned? I can request one if needed.
>
> I don’t think so. As you can see in Redhat’s bugzilla, the issue started out as a simple bug. The security impact was realized later on.
>
> Helmut
Requested in here: http://seclists.org/oss-sec/2012/q1/537
- Henri Salo
Changed Bug title to 'systemd: local denial of login or local users can create arbitrary services (CVE-2012-1101)' from 'systemd: local denial of login or local users can create arbitrary services'. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Wed, 07 Mar 2012 06:06:03 GMT) (full text, mbox, link).
Added tag(s) pending. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Wed, 07 Mar 2012 19:09:04 GMT) (full text, mbox, link).
Reply sent to Tollef Fog Heen <tfheen@debian.org>:
You have taken responsibility. (Thu, 08 Mar 2012 21:54:35 GMT) (full text, mbox, link).
Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer. (Thu, 08 Mar 2012 21:54:36 GMT) (full text, mbox, link).
Message #29 received at 662029-close@bugs.debian.org (full text, mbox, reply):
Source: systemd
Source-Version: 43-1
We believe that the bug you reported is fixed in the latest version of systemd, which is due to be installed in the Debian FTP archive:
libpam-systemd_43-1_amd64.deb to main/s/systemd/libpam-systemd_43-1_amd64.deb
libsystemd-daemon-dev_43-1_amd64.deb to main/s/systemd/libsystemd-daemon-dev_43-1_amd64.deb
libsystemd-daemon0_43-1_amd64.deb to main/s/systemd/libsystemd-daemon0_43-1_amd64.deb
libsystemd-id128-0_43-1_amd64.deb to main/s/systemd/libsystemd-id128-0_43-1_amd64.deb
libsystemd-id128-dev_43-1_amd64.deb to main/s/systemd/libsystemd-id128-dev_43-1_amd64.deb
libsystemd-journal-dev_43-1_amd64.deb to main/s/systemd/libsystemd-journal-dev_43-1_amd64.deb
libsystemd-journal0_43-1_amd64.deb to main/s/systemd/libsystemd-journal0_43-1_amd64.deb
libsystemd-login-dev_43-1_amd64.deb to main/s/systemd/libsystemd-login-dev_43-1_amd64.deb
libsystemd-login0_43-1_amd64.deb to main/s/systemd/libsystemd-login0_43-1_amd64.deb
systemd-gui_43-1_amd64.deb to main/s/systemd/systemd-gui_43-1_amd64.deb
systemd-sysv_43-1_amd64.deb to main/s/systemd/systemd-sysv_43-1_amd64.deb
systemd_43-1.debian.tar.gz to main/s/systemd/systemd_43-1.debian.tar.gz
systemd_43-1.dsc to main/s/systemd/systemd_43-1.dsc
systemd_43-1_amd64.deb to main/s/systemd/systemd_43-1_amd64.deb
systemd_43.orig.tar.xz to main/s/systemd/systemd_43.orig.tar.xz
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 662029@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tollef Fog Heen <tfheen@debian.org> (supplier of updated systemd package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Tue, 07 Feb 2012 21:36:34 +0100
Source: systemd
Binary: systemd systemd-sysv libpam-systemd systemd-gui libsystemd-login0 libsystemd-login-dev libsystemd-daemon0 libsystemd-daemon-dev libsystemd-journal0 libsystemd-journal-dev libsystemd-id128-0 libsystemd-id128-dev
Architecture: source amd64
Version: 43-1
Distribution: experimental
Urgency: low
Maintainer: Tollef Fog Heen <tfheen@debian.org>
Changed-By: Tollef Fog Heen <tfheen@debian.org>
Description:
 libpam-systemd - system and service manager - PAM module
 libsystemd-daemon-dev - systemd utility library - development files
 libsystemd-daemon0 - systemd utility library
 libsystemd-id128-0 - systemd 128 bit ID utility library
 libsystemd-id128-dev - systemd 128 bit ID utility library - development files
 libsystemd-journal-dev - systemd journal utility library - development files
 libsystemd-journal0 - systemd journal utility library
 libsystemd-login-dev - systemd login utility library - development files
 libsystemd-login0 - systemd login utility library
 systemd    - system and service manager
 systemd-gui - system and service manager - GUI
 systemd-sysv - system and service manager - SysV links
Closes: 642503 642749 643699 647495 650739 657284 657979 662029
Changes:
 systemd (43-1) experimental; urgency=low
 .
   [ Tollef Fog Heen ]
   * Target upload at experimental due to libkmod dependency
   * New upstream release
     - Update bash-completion for new verbs and arguments. Closes: #650739
     - Fixes local DoS (CVE-2012-1101). Closes: #662029
     - No longer complains if the kernel lacks audit support. Closes: #642503
   * Fix up git-to-source package conversion script which makes gitpkg happier.
   * Add libkmod-dev to build-depends
   * Add symlink from /bin/systemd to /lib/systemd/systemd.
   * Add --with-distro=debian to configure flags, due to no /etc/os-release yet.
   * Add new symbols for libsystemd-login0 to symbols file.
   * Install a tmpfiles.d file for the /dev/initctl → /run/initctl migration. Closes: #657979
   * Disable coredump handling, it’s not ready yet.
   * If /run is a symlink, don’t try to do the /var/run → /run migration. Ditto for /var/lock → /run/lock. Closes: #647495
 .
   [ Michael Biebl ]
   * Add Build-Depends on liblzma-dev for journal log compression.
   * Add Build-Depends on libgee-dev, required to build systemadm.
   * Bump Standards-Version to 3.9.2. No further changes.
   * Add versioned Build-Depends on automake and autoconf to ensure we have recent enough versions. Closes: #657284
   * Add packages for libsystemd-journal and libsystemd-id128.
   * Update symbols file for libsystemd-login.
   * Update configure flags, use rootprefix instead of rootdir.
   * Copy intltool files instead of symlinking them.
   * Re-indent init-functions script.
   * Remove workarounds for services using X-Interactive. The LSB X-Interactive support turned out to be broken and has been removed upstream so we no longer need any special handling for those type of services.
   * Install new systemd-journalctl, systemd-cat and systemd-cgtop binaries.
   * Install /var/lib/systemd directory.
   * Install /var/log/journal directory where the journal files are stored persistently.
   * Setup systemd-journald to not read from /proc/kmsg (ImportKernel=no).
   * Avoid error messages from systemctl in postinst if systemd is not running by checking for /sys/fs/cgroup/systemd before executing systemctl. Closes: #642749
   * Stop installing lib-init-rw (auto)mount units and try to cleanup /lib/init/rw in postinst. Bump dependency on initscripts accordingly. Closes: #643699
   * Disable pam_systemd for non-interactive sessions to work around an issue with sudo.
   * Use new dh_installdeb maintscript facility to handle obsolete conffiles. Bump Build-Depends on debhelper accordingly.
   * Rename bash completion file systemctl-bash-completion.sh → systemd-bash-completion.sh.
   * Update /sbin/init symlink. The systemd binary was moved to $pkglibdir.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Jun 2012 07:38:15 GMT) (full text, mbox, link).
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 28 19:30:29 2022; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.