[Bug 1222180] New: openssh: rewrite systemd notification without linking systemd
https://bugzilla.suse.com/show_bug.cgi?id=1222180

            Bug ID: 1222180
           Summary: openssh: rewrite systemd notification without linking systemd
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: dmueller@suse.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

openssh carries this patch:
https://build.opensuse.org/projects/openSUSE:Factory/packages/openssh/files/...
which is linking libsystemd, just for notifying systemd. Given the large dependency tree of systemd, this increases the attack surface of openssh, as can be seen via https://www.suse.com/security/cve/CVE-2024-3094.html

We should split out sd_notify() into a separate standalone library (or maybe it exists already?) and link that one instead.

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1222180

Dirk Mueller <dmueller@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hpj@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1222180

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jsegitz@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1222180

Gerald Pfeifer <gp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gp@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1222180

Frank Krüger <fkrueger@mailbox.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fkrueger@mailbox.org
https://bugzilla.suse.com/show_bug.cgi?id=1222180
https://bugzilla.suse.com/show_bug.cgi?id=1222180#c1

--- Comment #1 from Antonio Feijoo <antonio.feijoo@suse.com> ---
Related upstream discussion: https://github.com/systemd/systemd/issues/32028
https://bugzilla.suse.com/show_bug.cgi?id=1222180
https://bugzilla.suse.com/show_bug.cgi?id=1222180#c2

Thorsten Kukuk <kukuk@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kukuk@suse.com

--- Comment #2 from Thorsten Kukuk <kukuk@suse.com> ---
There is also logind_set_tty.patch. For this you need a dbus library, so either libglib or libsystemd (see https://github.com/openssh/openssh-portable/pull/433#issuecomment-2028880211).
https://bugzilla.suse.com/show_bug.cgi?id=1222180
https://bugzilla.suse.com/show_bug.cgi?id=1222180#c3

--- Comment #3 from Dirk Mueller <dmueller@suse.com> ---
haproxy has implemented the sd-notify protocol without systemd:
https://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=aa3632962f2032063e76c0...
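As an added illustration of the approach comment #3 points to, the following is the sd-notify protocol spoken directly over the NOTIFY_SOCKET datagram socket, with no libsystemd in the link. It is example code written for this page, not haproxy's commit and not the openSUSE openssh patch; it follows the protocol as documented for sd_notify(3). The function names sd_notify_nolib and notify_roundtrip, and the /tmp socket path used by the stand-in receiver, are the example's own assumptions. The receiver exists only so the exchange can be run offline without a real systemd.

```c
/*
 * Added example: sd_notify(3) wire protocol without linking libsystemd.
 * A supervised service finds NOTIFY_SOCKET in its environment, naming an
 * AF_UNIX datagram socket (absolute path, or "@name" for the Linux abstract
 * namespace), and sends newline-separated "KEY=VALUE" lines as one datagram.
 * Names below (sd_notify_nolib, notify_roundtrip) are this example's own.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#ifndef SOCK_CLOEXEC
#define SOCK_CLOEXEC 0   /* portability fallback for non-Linux libc */
#endif
#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0
#endif

/* Send one notification. Returns 1 if sent, 0 if NOTIFY_SOCKET is unset
 * (not supervised, so a silent no-op as with sd_notify), -1 on error with
 * errno set. With unset_environment != 0, NOTIFY_SOCKET is removed so that
 * children (e.g. a user's session) cannot talk to the supervisor. */
int sd_notify_nolib(int unset_environment, const char *state)
{
    const char *sock_path = getenv("NOTIFY_SOCKET");
    struct sockaddr_un addr;
    socklen_t addrlen;
    size_t len;
    int fd, saved_errno, ret = -1;

    if (sock_path == NULL)
        return 0;

    len = strlen(sock_path);
    /* Accept only an absolute path or an abstract name that fits sun_path. */
    if (len < 2 || (sock_path[0] != '/' && sock_path[0] != '@')
        || len >= sizeof(addr.sun_path) || state == NULL || *state == '\0') {
        errno = EINVAL;
        goto out;
    }

    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, sock_path, len);          /* zeroed, so NUL-terminated */
    addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len);
    if (sock_path[0] == '@')
        addr.sun_path[0] = '\0';  /* abstract: leading NUL, length excludes terminator */
    else
        addrlen += 1;             /* filesystem path: length includes the NUL */

    fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        goto out;
    /* A datagram goes out whole or not at all; no short-write handling needed. */
    if (sendto(fd, state, strlen(state), MSG_NOSIGNAL,
               (struct sockaddr *)&addr, addrlen) == (ssize_t)strlen(state))
        ret = 1;
    saved_errno = errno;
    close(fd);
    errno = saved_errno;
out:
    if (unset_environment) {
        saved_errno = errno;
        unsetenv("NOTIFY_SOCKET");
        errno = saved_errno;
    }
    return ret;
}

/* Stand-in for systemd (test only): bind a throwaway datagram socket under
 * /tmp, point NOTIFY_SOCKET at it, notify, and read back what arrived.
 * Returns the number of bytes received (buf is NUL-terminated) or -1. */
ssize_t notify_roundtrip(const char *state, char *buf, size_t buflen)
{
    struct sockaddr_un addr;
    char path[64];
    int srv;
    ssize_t n = -1;

    snprintf(path, sizeof path, "/tmp/sdnotify-demo-%ld.sock", (long)getpid());
    unlink(path);
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);

    srv = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (srv < 0)
        return -1;
    if (bind(srv, (struct sockaddr *)&addr, sizeof addr) == 0
        && setenv("NOTIFY_SOCKET", path, 1) == 0
        && sd_notify_nolib(1, state) == 1) {
        n = recv(srv, buf, buflen - 1, MSG_DONTWAIT);
        if (n >= 0)
            buf[n] = '\0';
    }
    close(srv);
    unlink(path);
    return n;
}

int main(void)
{
    char buf[128];
    ssize_t n = notify_roundtrip("READY=1\nSTATUS=Listening on port 22", buf, sizeof buf);
    printf("supervisor received %zd bytes:\n%s\n", n, n < 0 ? "(nothing)" : buf);
    return n > 0 ? 0 : 1;
}
```

A daemon would call sd_notify_nolib(0, "READY=1") once its listening sockets are up, and would pass unset_environment=1 before forking anything that should not inherit NOTIFY_SOCKET. As comment #4 notes for sshd, this only removes the libsystemd link for the notification itself; a patch that needs D-Bus still needs some D-Bus library.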
https://bugzilla.suse.com/show_bug.cgi?id=1222180

Dirk Mueller <dmueller@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|security-team@suse.de       |hpj@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1222180
https://bugzilla.suse.com/show_bug.cgi?id=1222180#c4

--- Comment #4 from Thorsten Kukuk <kukuk@suse.com> ---
(In reply to Dirk Mueller from comment #3)
> haproxy has implemented the sd-notify protocol without systemd:
> https://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=aa3632962f2032063e76c0fe99085e83a947fedb

As written, this will not help; we still have other patches which require sshd to be linked against libsystemd, and libsystemd will be loaded via dlopen() anyway. Which opens the question: does the backdoor work if liblzma is loaded as a dependency via dlopen()?
https://bugzilla.suse.com/show_bug.cgi?id=1222180
https://bugzilla.suse.com/show_bug.cgi?id=1222180#c6

--- Comment #6 from Dirk Mueller <dmueller@suse.com> ---
(In reply to Thorsten Kukuk from comment #4)
> As written, this will not help; we still have other patches which require
> sshd to be linked against libsystemd

It helps but is not sufficient. The login patch could be using plain dbus-1, for example.

> and libsystemd will be loaded via dlopen() anyway. Which opens the question:
> does the backdoor work if liblzma is loaded as a dependency via dlopen()?

I believe it doesn't, because it depends on the IFUNCs being executed before libcrypto is initialized.
https://bugzilla.suse.com/show_bug.cgi?id=1222180
https://bugzilla.suse.com/show_bug.cgi?id=1222180#c7

--- Comment #7 from Thorsten Kukuk <kukuk@suse.com> ---
(In reply to Dirk Mueller from comment #6)
> (In reply to Thorsten Kukuk from comment #4)
> > As written, this will not help; we still have other patches which require
> > sshd to be linked against libsystemd
>
> It helps but is not sufficient. The login patch could be using plain dbus-1, for example.

libdbus-1.so is using libsystemd.