Bug 1222180 - openssh: rewrite systemd notification without linking systemd
Status: NEW
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: Hans Petter Jansson
QA Contact: E-mail List
 
Reported: 2024-03-30 09:15 UTC by Dirk Mueller
Modified: 2024-05-03 12:43 UTC
CC List: 6 users

Description Dirk Mueller 2024-03-30 09:15:12 UTC
openssh carries this patch: 

https://build.opensuse.org/projects/openSUSE:Factory/packages/openssh/files/openssh-7.7p1-systemd-notify.patch?expand=1

which is linking libsystemd, just for notifying systemd. Given the large dependency tree of systemd, this increases the attack surface of openssh, as can be seen via https://www.suse.com/security/cve/CVE-2024-3094.html

We should split out sd_notify() into a separate standalone library (or maybe it exists already?) and link that one instead.
Comment 1 Antonio Feijoo 2024-04-01 09:01:28 UTC
Related upstream discussion: https://github.com/systemd/systemd/issues/32028
Comment 2 Thorsten Kukuk 2024-04-02 07:22:38 UTC
There is also logind_set_tty.patch
For this you need a dbus library, so either libglib or libsystemd (see https://github.com/openssh/openssh-portable/pull/433#issuecomment-2028880211)
Comment 3 Dirk Mueller 2024-04-03 18:44:16 UTC
haproxy has implemented the sd-notify protocol without systemd: 

https://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=aa3632962f2032063e76c0fe99085e83a947fedb
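The sd_notify protocol that the haproxy commit reimplements is small enough to carry in a few dozen lines of C. The block below is an added example written for this page, not code from openssh, haproxy or systemd: it sends the state string as a single datagram to the AF_UNIX socket named by $NOTIFY_SOCKET, handles the "@" abstract-namespace form of that path, and unsets the variable afterwards so child processes cannot talk to the manager on the daemon's behalf. The function names (notify_send_to, sd_notify_standalone, notify_roundtrip) are assumptions; notify_roundtrip is only a self-check that binds a throwaway receiver under /tmp.

```c
/* Added example: dependency-free implementation of the sd_notify(3)
 * wire protocol. Not code from openssh, haproxy or systemd.
 * Protocol: one datagram containing the state string is written to the
 * AF_UNIX socket named by $NOTIFY_SOCKET; a leading '@' means the
 * Linux abstract namespace (leading NUL byte instead of '@'). */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Send one notification datagram to the socket at 'path'.
 * Returns 1 if sent, 0 if there is nothing to notify (no path),
 * -1 on error with errno set. Hypothetical helper name. */
int notify_send_to(const char *path, const char *state)
{
    struct sockaddr_un addr;
    size_t len, slen;
    socklen_t addrlen;
    ssize_t n;
    int fd, saved;

    if (path == NULL || path[0] == '\0' || state == NULL)
        return 0;
    /* systemd only hands out absolute paths or abstract ('@') names. */
    if (path[0] != '/' && path[0] != '@') {
        errno = EAFNOSUPPORT;
        return -1;
    }
    len = strlen(path);
    if (len >= sizeof(addr.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, len);
    if (path[0] == '@') {
        addr.sun_path[0] = '\0';   /* abstract: NUL prefix, no trailing NUL */
        addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len);
    } else {
        addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len + 1);
    }

    fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    /* The whole state goes in a single datagram; it must never be split. */
    slen = strlen(state);
    n = sendto(fd, state, slen, MSG_NOSIGNAL, (struct sockaddr *)&addr, addrlen);
    saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)slen ? 1 : -1;
}

/* sd_notify(3) work-alike: look up NOTIFY_SOCKET, send, and (optionally)
 * unset the variable so forked children cannot spoof readiness. */
int sd_notify_standalone(int unset_environment, const char *state)
{
    int ret = notify_send_to(getenv("NOTIFY_SOCKET"), state);
    int saved = errno;
    if (unset_environment)
        unsetenv("NOTIFY_SOCKET");
    errno = saved;
    return ret;
}

/* Self-check: bind a receiver at a fresh temporary path, notify it, and
 * copy what arrived into buf. Returns bytes received or -1. */
int notify_roundtrip(const char *state, char *buf, size_t buflen)
{
    char dir[] = "/tmp/sdnotify.XXXXXX";
    char path[sizeof(struct sockaddr_un)];
    struct sockaddr_un addr;
    ssize_t n = -1;
    int rfd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/notify.sock", dir);
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    rfd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (rfd >= 0 && bind(rfd, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
        notify_send_to(path, state) == 1) {
        n = recv(rfd, buf, buflen - 1, 0);
        if (n >= 0)
            buf[n] = '\0';
    }
    if (rfd >= 0)
        close(rfd);
    unlink(path);
    rmdir(dir);
    return (int)n;
}

int main(void)
{
    /* Under a Type=notify unit this reports readiness to the manager;
     * elsewhere NOTIFY_SOCKET is unset and the call is a no-op (returns 0). */
    int r = sd_notify_standalone(1, "READY=1");
    printf("sd_notify_standalone returned %d\n", r);
    return r < 0 ? 1 : 0;
}
```

The only dependency is the C library, which is the point of the bug: a daemon that needs to say READY=1 does not need to pull libsystemd and its transitive dependencies into its address space to do so.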
Comment 4 Thorsten Kukuk 2024-04-04 06:54:58 UTC
(In reply to Dirk Mueller from comment #3)
> haproxy has implemented the sd-notify protocol without systemd: 
> 
> https://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=aa3632962f2032063e76c0fe99085e83a947fedb

As written, this will not help, we still have other patches which require sshd to be linked against libsystemd, and libsystemd will be loaded via dlopen() anyways. Which opens the question: does the backdoor work, if liblzma is loaded as dependency via dlopen()?
Comment 5 Antonio Larrosa 2024-04-16 06:48:18 UTC
https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c was already submitted to openssh (will be available in 9.8) to support systemd notifications without linking to systemd. For completion, the discussion on it can be read at https://bugzilla.mindrot.org/show_bug.cgi?id=2641#c13 . I'll try to backport it to 9.6
Comment 6 Dirk Mueller 2024-05-02 09:06:58 UTC
(In reply to Thorsten Kukuk from comment #4)

> As written, this will not help, we still have other patches which require
> sshd to be linked against libsystemd

It helps but is not sufficient. The login patch could be using plain dbus-1 for example.

> and libsystemd will be loaded via
> dlopen() anyways. Which opens the question: does the backdoor work, if
> liblzma is loaded as dependency via dlopen()?

I believe it doesn't because it depends on the IFUNCs being executed before libcrypto is initialized.
Comment 7 Thorsten Kukuk 2024-05-03 12:43:15 UTC
(In reply to Dirk Mueller from comment #6)
> (In reply to Thorsten Kukuk from comment #4)
> 
> > As written, this will not help, we still have other patches which require
> > sshd to be linked against libsystemd
> 
> It helps but is not sufficient. The login patch could be using plain dbus-1
> for example.

libdbus-1.so is using libsystemd