ASA-2019-00010 – systemd: Stack overflow when receiving many journald entries

An unbounded memory allocation that could result in the stack clashing with another memory region was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges.

ASA-2019-00009 – systemd: Stack overflow when calling syslog from a command with long cmdline

An unbounded memory allocation that could result in the stack clashing with another memory region was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate their privileges.

ASA-2018-00092 – systemd: Privilege escalation by following non-terminal symlinks

Before version v240, the systemd-tmpfiles program will follow symlinks present in a non-terminal path component while adjusting permissions and ownership. Often -- and particularly with "Z" type entries -- an attacker can introduce such a symlink and take control of arbitrary files on the system to gain root. The "fs.protected_symlinks" sysctl does not prevent this attack. Version v239 contained a partial fix, but only for the easy-to-exploit recursive "Z" type entries.

ASA-2018-00006 – systemd: Usage of fgets() in systemd allows for state injection during data deserialization

systemd has the ability to serialize and deserialize data. In some functions of this feature, lines longer than LINE_MAX aren't properly handled: the part of a property value beyond that length is read as if it were the next line and interpreted as serialized state. This allows an attacker to corrupt or inject values in the state of the service when systemd needs to deserialize data.
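The truncation pattern behind this advisory, as an added example that is not the advisory's or systemd's own code: a fixed-size fgets()-style read splits an over-long line into two chunks, so the tail of one value is parsed as a record of its own. The key=value input, the small LINE_LIMIT standing in for LINE_MAX, and the `reject_overlong` check that discards an over-long line instead of parsing its remainder are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_LIMIT 16  /* stands in for LINE_MAX; tiny so the effect is visible */

/* Constructed input: a valid record followed by one over-long "desc" value whose
 * tail looks like a record of its own once the first LINE_LIMIT-1 bytes are cut off. */
static const char INJECTION_SAMPLE[] = "name=journal\n" "desc=xxxxxxxxxx" "injected=1\n";

/* fgets()-style read from a string: copy at most n-1 bytes, or up to and including
 * '\n'. Returns 0 when the input is exhausted. */
static int bounded_gets(const char **cursor, char *buf, size_t n) {
    size_t i = 0;
    if (**cursor == '\0') return 0;
    while (i < n - 1 && **cursor != '\0') {
        buf[i++] = *(*cursor)++;
        if (buf[i - 1] == '\n') break;
    }
    buf[i] = '\0';
    return 1;
}

/* Count records whose key is `key`. With reject_overlong == 0 every chunk is trusted
 * as a complete line (the flawed pattern). With reject_overlong == 1 a chunk that ends
 * neither in '\n' nor at end of input is an over-long line: the rest of it is skipped
 * and nothing from it is parsed. */
static int count_key(const char *input, const char *key, int reject_overlong) {
    char buf[LINE_LIMIT];
    const char *cur = input;
    size_t klen = strlen(key);
    int hits = 0;
    while (bounded_gets(&cur, buf, sizeof buf)) {
        size_t len = strlen(buf);
        int complete = len > 0 && buf[len - 1] == '\n';
        if (!complete && *cur != '\0' && reject_overlong) {
            while (*cur != '\0' && *cur++ != '\n')
                ;  /* discard the remainder of the over-long line */
            continue;
        }
        if (strncmp(buf, key, klen) == 0 && buf[klen] == '=') hits++;
    }
    return hits;
}

int main(void) {
    printf("flawed parser sees 'injected' %d time(s)\n", count_key(INJECTION_SAMPLE, "injected", 0));
    printf("hardened parser sees 'injected' %d time(s)\n", count_key(INJECTION_SAMPLE, "injected", 1));
    return 0;
}
```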

ASA-2018-00005 – systemd: The function chown_one() in systemd can dereference symlinks and is prone to race condition

A race condition in chown_one() in systemd allows an attacker to arbitrarily change the permissions of files. In some situations, systemd needs to recursively change the ownership of files. When a file is not a symlink, systemd re-sets its file mode, because the ownership change can cause the operating system to alter it. Due to the racy behaviour of the function, an attacker can bypass the symlink check and change the mode of any file on the system.