http://bugzilla.suse.com/show_bug.cgi?id=1001765

Bug ID: 1001765
Summary: systemd v209+: local denial-of-service attack
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.1
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Reference: http://seclists.org/oss-sec/2016/q3/641

====================
systemd[1] fails an assertion in manager_invoke_notify_message[2] when a zero-length message is received over its notification socket. After failing the assertion, PID 1 hangs in the pause system call. It is no longer possible to start and stop daemons or cleanly reboot the system. Inetd-style services managed by systemd no longer accept connections.

Since the notification socket, /run/systemd/notify, is world-writable, this allows a local user to perform a denial-of-service attack against systemd.

Proof-of-concept:

    NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

This vulnerability is present in all versions of systemd since at least v209[3]. This has been reported to systemd.[4]

[1] https://github.com/systemd/systemd/
[2] https://github.com/systemd/systemd/blob/b8fafaf4a1cffd02389d61ed92ca7acb1b8c...
[3] https://github.com/systemd/systemd/commit/5ba6985b6c8ef85a8bcfeb1b65239c8634...
[4] https://github.com/systemd/systemd/issues/4234
====================

While systemd-upstream supports the release version (232) and two versions down (231, 230), this report can be useful for Evergreen openSUSE versions with systemd v210 and the future 42.2 release with systemd v228. Check this out, please.

Also, please, pay attention to:
https://github.com/systemd/systemd/issues/4234#issuecomment-250289253
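The root cause described in the report is a receive path that treats an empty datagram as impossible and asserts on it, even though a zero-length datagram is a perfectly legal result of recvmsg() on a SOCK_DGRAM socket that any local user can write to. The following C snippet is an added illustration of the defensive alternative, not systemd's own code: a parser for sd_notify-style "KEY=VALUE\n" messages that returns an error code for an empty or malformed datagram instead of aborting. The function names parse_notify_message and notify_says_ready, the notify_pair structure and the sample messages in main() are all constructed for this example; only the message format (newline-separated KEY=VALUE pairs such as READY=1) is the real sd_notify convention.

```c
/* Added example (not from systemd): defensive parsing of notification
 * datagrams. A zero-length datagram must be handled as ordinary bad input,
 * never as an assertion failure, because the sender is untrusted. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOTIFY_MAX_PAIRS 8

/* One KEY=VALUE pair; pointers reference the caller's buffer (not NUL-terminated). */
struct notify_pair {
    const char *key;
    size_t key_len;
    const char *value;
    size_t value_len;
};

/* Parse a datagram of "KEY=VALUE\n" lines into out[0..max).
 * Returns the number of pairs parsed (>= 0), -EINVAL for an empty or
 * malformed datagram, or -ENOBUFS when max is exceeded. Empty lines are
 * tolerated; a line without '=' or with an empty key is rejected. */
int parse_notify_message(const char *buf, size_t len,
                         struct notify_pair *out, size_t max)
{
    /* This is the zero-length case that tripped the assertion in the report:
     * recvmsg() on a datagram socket legitimately returns 0 bytes here. */
    if (buf == NULL || len == 0)
        return -EINVAL;

    size_t n = 0;
    const char *p = buf, *end = buf + len;

    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        const char *line_end = nl ? nl : end;
        size_t line_len = (size_t)(line_end - p);

        if (line_len > 0) {
            const char *eq = memchr(p, '=', line_len);
            if (eq == NULL || eq == p)
                return -EINVAL;          /* no '=' or empty key */
            if (n >= max)
                return -ENOBUFS;         /* caller's table is full */
            out[n].key = p;
            out[n].key_len = (size_t)(eq - p);
            out[n].value = eq + 1;
            out[n].value_len = (size_t)(line_end - eq - 1);
            n++;
        }
        p = line_end + 1;                /* skip past the newline (or past end) */
    }
    return (int)n;
}

/* Convenience query: 1 if the message carries READY=1, 0 if not,
 * negative errno if the message could not be parsed at all. */
int notify_says_ready(const char *buf, size_t len)
{
    struct notify_pair pairs[NOTIFY_MAX_PAIRS];
    int n = parse_notify_message(buf, len, pairs, NOTIFY_MAX_PAIRS);
    if (n < 0)
        return n;
    for (int i = 0; i < n; i++) {
        if (pairs[i].key_len == 5 && memcmp(pairs[i].key, "READY", 5) == 0 &&
            pairs[i].value_len == 1 && pairs[i].value[0] == '1')
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample datagrams, including the empty one. */
    const char *good = "READY=1\nSTATUS=up\n";
    const char *empty = "";

    printf("good  -> ready=%d\n", notify_says_ready(good, strlen(good)));
    printf("empty -> rc=%d (expected -EINVAL=%d, not an abort)\n",
           notify_says_ready(empty, 0), -EINVAL);
    return 0;
}
```

The property worth keeping from this example is that every outcome of recvmsg() on a world-writable socket, including a zero-length read, maps to a return code that the caller can log and drop; an assert() belongs to invariants the process itself controls, not to the shape of input another user can send.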