On Thu, Jul 08, 2021 at 07:38:05PM -0700, Georgy Yakovlev wrote: > Signed-off-by: Sam James <s...@gentoo.org> > Signed-off-by: Georgy Yakovlev <gyakov...@gentoo.org> > --- > .../2021-07-07-systemd-tmpfiles.en.txt | 48 +++++++++++++++++++ > 1 file changed, 48 insertions(+) > create mode 100644 > 2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt > > diff --git a/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt > b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt > new file mode 100644 > index 0000000..0960663 > --- /dev/null > +++ b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt > @@ -0,0 +1,48 @@ > +Title: systemd-tmpfiles replaces opentmpfiles due to security issues > +Author: Georgy Yakovlev <gyakov...@gentoo.org> > +Author: Sam James <s...@gentoo.org> > +Posted: 2021-07-07 > +Revision: 1 > +News-Item-Format: 2.0 > +Display-If-Installed: virtual/tmpfiles
This should be: Display-If-Installed: sys-apps/opentmpfiles > + > +On 2021-07-06, the sys-apps/opentmpfiles package was masked due to a > +root privilege escalation vulnerability (CVE-2017-18925 [0], > +bug #751415 [1], issue 4 [2] upstream). > + > +The use of opentmpfiles is discouraged by its maintainer due to the > +unpatched vulnerability and other long-standing bugs [3]. > + > +Users will start seeing their package manager trying to replace > +sys-apps/opentmpfiles with sys-apps/systemd-tmpfiles because it is > +another provider of virtual/tmpfiles. > + > +Despite the name, 'systemd-tmpfiles' does not depend on systemd, does > +not use dbus, and is just a drop-in replacement for opentmpfiles. It is > +a small binary built from systemd source code, but works separately, > +similarly to eudev or elogind. It is known to work on both glibc and > +musl systems. > + > +Note that systemd-tmpfiles is specifically for non-systemd systems. It > +is intended to be used on an OpenRC system. > + > +If you wish to selectively test systemd-tmpfiles, follow those steps: > + > + 1. # emerge --oneshot sys-apps/systemd-tmpfiles > + 2. # reboot > + > +No other steps required. > + > +If, after reviewing the linked bug reference for opentmpfiles, you feel > +your system is not vulnerable/applicable to the attack described, you > +can unmask[4] opentmpfiles at your own risk: > + > +1. In /etc/portage/package.unmask, add: > +-sys-apps/opentmpfiles > +2. # emerge --oneshot sys-apps/opentmpfiles Something might need to be added cautioning folks that if they unmask this, it may disappear on them in the future if we decide to remove it. William > + > +[0] https://nvd.nist.gov/vuln/detail/CVE-2017-18925 > +[1] https://bugs.gentoo.org/751415 > +[2] https://github.com/OpenRC/opentmpfiles/issues/4 > +[3] https://bugs.gentoo.org/741216 > +[4] https://wiki.gentoo.org/wiki/Knowledge_Base:Unmasking_a_package > -- > 2.32.0 > >
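Review bot: In the unmask instructions near the end of the hunk, the entry written as `-sys-apps/opentmpfiles` carries the leading `-` that Portage uses to negate an entry in package.mask; for /etc/portage/package.unmask the plain atom `sys-apps/opentmpfiles` is what the linked unmasking guide [4] documents, so drop the `-` or confirm it is deliberate, since a reader following the item literally may not get the package unmasked. Two smaller points in the same text: the two numbered lists are indented inconsistently (` 1. # emerge --oneshot sys-apps/systemd-tmpfiles` vs `1. In /etc/portage/package.unmask, add:`), and `follow those steps` reads better as `follow these steps`. Because the item is what users see before the provider switch happens, it would also be worth stating plainly that unmasking only silences the mask and leaves the unpatched CVE-2017-18925 root escalation in place.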