Bug 1113666 - (CVE-2018-15687) VUL-0: CVE-2018-15687: systemd: Dereference of symlinks in chown_recursive.c:chown_one() allows for modification of file privileges
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/218051/
Reported: 2018-10-29 08:01 UTC by Karol Babioch
Modified: 2019-11-15 07:55 UTC
Found By: Security Response Team
Description Karol Babioch 2018-10-29 08:01:07 UTC
A race condition in chown_one() of systemd allows an attacker to cause systemd
to set arbitrary permissions on arbitrary files. Affected releases are systemd
versions up to and including 239.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1639076
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15687
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15687.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15687
https://github.com/systemd/systemd/pull/10517/commits
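
The bug class named in the title, shown from the defensive side as an added example that is not part of the original report and is not systemd's code: a Linux chown helper that pins the directory entry with an O_PATH descriptor and never follows a symlink. The helper name `chown_entry_nofollow`, the skip-symlinks policy and the temp-dir fixture are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH                 /* fallbacks: Linux values on x86 and ARM */
#define O_PATH 010000000
#endif
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif

/* Hypothetical helper, not systemd's chown_one(). The entry is pinned with an
 * O_PATH descriptor, then inspected and changed through that descriptor, so a
 * name swapped for a symlink in between cannot redirect the chown. */
int chown_entry_nofollow(int dirfd, const char *name, uid_t uid, gid_t gid) {
    struct stat st;
    int r = 0, fd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    if (fstat(fd, &st) < 0)
        r = -errno;
    else if (S_ISLNK(st.st_mode))
        r = -ELOOP;                 /* policy chosen here: skip symlinks */
    else if (fchownat(fd, "", uid, gid, AT_EMPTY_PATH) < 0)
        r = -errno;                 /* acts on fd, no second path lookup */
    close(fd);
    return r;
}

/* Constructed fixture: a regular file plus a symlink to it in a temp dir.
 * Returns 0 when the file is accepted and the symlink is refused. */
int demo(void) {
    char dir[] = "/tmp/chown-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    int d = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int f = openat(d, "file", O_CREAT | O_WRONLY | O_CLOEXEC, 0600);
    if (d < 0 || f < 0 || symlinkat("file", d, "link") < 0) return -1;
    close(f);
    int on_file = chown_entry_nofollow(d, "file", geteuid(), getegid());
    int on_link = chown_entry_nofollow(d, "link", geteuid(), getegid());
    unlinkat(d, "link", 0); unlinkat(d, "file", 0); close(d); rmdir(dir);
    return (on_file == 0 && on_link == -ELOOP) ? 0 : 1;
}

int main(void) { return demo(); }
```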
Comment 1 Karol Babioch 2018-10-29 08:38:58 UTC
According to my analysis the vulnerable code first appeared in a1164ae380, which was introduced with version v235. This would mean that our code is not affected by this.

Could a systemd maintainer please verify this?
Comment 2 Franck Bui 2018-10-30 14:25:43 UTC
Until StateDirectory= and friends are not chowned recursively when a service is started, this is only needed by Factory (v239) indeed.
Comment 3 Franck Bui 2018-10-30 14:34:33 UTC
The fix has been backported to Factory so re-assigning this bug to the secteam.
Comment 4 Marcus Meissner 2019-11-15 07:55:12 UTC
fixed