[Bug 1222180] New: openssh: rewrite systemd notification without linking systemd
https://bugzilla.suse.com/show_bug.cgi?id=1222180 Bug ID: 1222180 Summary: openssh: rewrite systemd notification without linking systemd Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: dmueller@suse.com QA Contact: qa-bugs@suse.de Target Milestone: --- Found By: --- Blocker: --- openssh carries this patch: https://build.opensuse.org/projects/openSUSE:Factory/packages/openssh/files/... which is linking libsystemd, just for notifying systemd. given the large dependency tree of systemd, this increases the attack surface of openssh, as can be seen via https://www.suse.com/security/cve/CVE-2024-3094.html we should split out sd_notify() into a separate standalone library (or maybe it exists already?) and link that one instead -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1222180
Dirk Mueller
https://bugzilla.suse.com/show_bug.cgi?id=1222180
Johannes Segitz
https://bugzilla.suse.com/show_bug.cgi?id=1222180
Gerald Pfeifer
https://bugzilla.suse.com/show_bug.cgi?id=1222180
Frank Krüger
https://bugzilla.suse.com/show_bug.cgi?id=1222180
https://bugzilla.suse.com/show_bug.cgi?id=1222180#c1
--- Comment #1 from Antonio Feijoo
https://bugzilla.suse.com/show_bug.cgi?id=1222180
https://bugzilla.suse.com/show_bug.cgi?id=1222180#c2
Thorsten Kukuk
https://bugzilla.suse.com/show_bug.cgi?id=1222180
https://bugzilla.suse.com/show_bug.cgi?id=1222180#c3
--- Comment #3 from Dirk Mueller
https://bugzilla.suse.com/show_bug.cgi?id=1222180
Dirk Mueller
https://bugzilla.suse.com/show_bug.cgi?id=1222180
https://bugzilla.suse.com/show_bug.cgi?id=1222180#c4
--- Comment #4 from Thorsten Kukuk
haproxy has implemented the sd-notify protocol without systemd:
https://git.haproxy.org/?p=haproxy.git;a=commitdiff; h=aa3632962f2032063e76c0fe99085e83a947fedb
As written, this will not help, we still have other patches which requires sshd to be linked against libsystemd, and libsystemd will be loaded via dlopen() anyways. Which opens the question: does the backdoor work, if liblzma is loaded as dependency via dlopen()? -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1222180
https://bugzilla.suse.com/show_bug.cgi?id=1222180#c6
--- Comment #6 from Dirk Mueller
As written, this will not help, we still have other patches which requires sshd to be linked against libsystemd
it helps but is not sufficient. the login patch could be using plain dbus-1 for example.
and libsystemd will be loaded via dlopen() anyways. Which opens the question: does the backdoor work, if liblzma is loaded as dependency via dlopen()?
I believe it doesn't because it depends on the IFUNCs being executed before libcrypto is initialized. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1222180
https://bugzilla.suse.com/show_bug.cgi?id=1222180#c7
--- Comment #7 from Thorsten Kukuk
(In reply to Thorsten Kukuk from comment #4)
As written, this will not help, we still have other patches which requires sshd to be linked against libsystemd
it helps but is not sufficient. the login patch could be using plain dbus-1 for example.
libdbus-1.so is using libsystemd -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com