This bug was fixed in the package systemd - 229-4ubuntu11

---------------
systemd (229-4ubuntu11) xenial; urgency=medium

  * 73-usb-net-by-mac.rules: Split kernel command line import line.
    Reportedly this makes the rule actually work on some platforms. Thanks
    Alp Toker! (LP: #1593379)
  * fsckd: Do not exit on idle timeout if there are still clients connected
    (Closes: #788050, LP: #1547844)
  * libnss-*.prerm: Remove possible [key=value] options from NSS modules as
    well. (LP: #1625584)
  * Backport networkd 231. Compared to 229 this has a lot of fixes, some of
    which we need for good netplan support. Backporting them individually
    would be a lot more work and a lot less robust, and we did not
    use/support networkd in 16.04 so far. Drop the other network related
    patches as they are included in this backport now. (LP: #1627641)
  * debian/tests/networkd: Re-enable the DHCPv6 tests. The DHCPv6 behaviour
    is fixed with the above backport now.
  * pid1: process zero-length notification messages again. Just remove the
    assertion, the "n" value was not used anyway. This fixes a local DoS due
    to unprocessed/unclosed fds which got introduced by the previous fix.
    (LP: #1628687)
  * pid1: Robustify manager_dispatch_notify_fd(). If
    manager_dispatch_notify_fd() fails and returns an error then the
    handling of service notifications will be disabled entirely leading to
    a compromised system. (side issue of LP: #1628687)

 -- Martin Pitt <martin.p...@ubuntu.com>  Tue, 04 Oct 2016 21:43:04 +0200

** Changed in: systemd (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1628687

Title:
  Assertion failure when PID 1 receives a zero-length message over
  notify socket

Status in systemd:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Xenial:
  Fix Released
Status in systemd source package in Yakkety:
  Fix Released

Bug description:
  Environment: Xenial 16.04.1 Amd64

  Description.
  Systemd fails an assertion in manager_invoke_notify_message when a
  zero-length message is received over /run/systemd/notify. This allows
  a local user to perform a denial-of-service attack against PID 1.

  How to trigger the bug:

  $ while true; do NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""; done

  The following entries are written into /var/log/syslog; at this point
  systemd has crashed.

  Sep 28 20:57:20 ubuntu systemd[1]: Started User Manager for UID 1000.
  Sep 28 20:57:28 ubuntu systemd[1]: Assertion 'n > 0' failed at ../src/core/manager.c:1501, function manager_invoke_notify_message(). Aborting.
  Sep 28 20:57:29 ubuntu systemd[1]: Caught <ABRT>, dumped core as pid 1307.
  Sep 28 20:57:29 ubuntu systemd[1]: Freezing execution.

  Public bug: https://github.com/systemd/systemd/issues/4234

  The original USN/security fix in
  https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu10 introduced
  another local DoS due to fd exhaustion:

  NOTIFY_SOCKET=/run/systemd/notify python3 -c 'from systemd import daemon; daemon.notify("", fds=[0]*100)'

  Run this a few times and watch "sudo ls -l /proc/1/fd" grow.
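The receive pattern the changelog describes (accept zero-length notification messages and never leave passed fds open), as an added example that is not part of the original mail and is not systemd's code. recv_notify, demo_empty_message and MAX_FDS are hypothetical names, and the demo sends a constructed empty datagram over a local socketpair rather than the real notify socket.

```c
/* Added example, not systemd's code; names and MAX_FDS are assumptions. */
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>
#define MAX_FDS 16

/* Receive one datagram. Returns the payload length (0 is valid) or -1 on error;
 * *closed is set to the number of SCM_RIGHTS fds that were received and closed. */
ssize_t recv_notify(int sock, char *buf, size_t len, int *closed) {
    union { struct cmsghdr h; char b[CMSG_SPACE(sizeof(int) * MAX_FDS)]; } ctl;
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1,
                         .msg_control = &ctl, .msg_controllen = sizeof(ctl) };
    *closed = 0;
    ssize_t n = recvmsg(sock, &mh, MSG_DONTWAIT | MSG_CMSG_CLOEXEC);
    if (n < 0) return -1; /* report it; the caller keeps the socket enabled */
    /* Walk the control data before looking at n: fds attached to an empty
     * datagram are already installed in our fd table. */
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&mh); c; c = CMSG_NXTHDR(&mh, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        size_t cnt = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        for (size_t i = 0; i < cnt; i++) {
            int fd;
            memcpy(&fd, CMSG_DATA(c) + i * sizeof(int), sizeof fd);
            close(fd); /* a real manager may keep some, but must never leak them */
            (*closed)++;
        }
    }
    return n; /* n == 0 means "nothing to parse", not an assertion failure */
}

/* Constructed input: an empty datagram carrying three fds over a local
 * socketpair. Returns how many fds the receiver closed, or -1 on failure. */
int demo_empty_message(void) {
    int sv[2], fds[3], closed = -1; char buf[64];
    union { struct cmsghdr h; char b[CMSG_SPACE(sizeof fds)]; } ctl;
    struct msghdr mh = { .msg_control = &ctl, .msg_controllen = sizeof(ctl) };
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    fds[0] = fds[1] = fds[2] = sv[0];
    memset(&ctl, 0, sizeof(ctl));
    struct cmsghdr *c = CMSG_FIRSTHDR(&mh);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof fds);
    memcpy(CMSG_DATA(c), fds, sizeof fds);
    int ok = sendmsg(sv[0], &mh, 0) == 0 && recv_notify(sv[1], buf, sizeof buf, &closed) == 0;
    close(sv[0]); close(sv[1]);
    return ok ? closed : -1;
}
```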