Bug 1162108 - (CVE-2020-1712) VUL-0: CVE-2020-1712: systemd: heap use-after-free when asynchronous Polkit queries are performed while handling Dbus messages
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P2 - High
Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/252068/
CVSSv3.1:SUSE:CVE-2020-1712:7.8:(AV:...
Reported: 2020-01-29 12:02 UTC by Alexandros Toptsoglou
Modified: 2020-05-28 14:35 UTC (History)

Comment 16 Alexandros Toptsoglou 2020-02-05 10:07:15 UTC
Now public through oss.

Hello,

A heap use-after-free vulnerability was found in systemd, when asynchronous
Polkit queries are performed while handling Dbus messages. A local unprivileged
attacker can abuse this flaw to crash systemd services or potentially execute
code and elevate their privileges, by sending specially crafted Dbus messages.

CVE-2020-1712 has been assigned to this issue.

This flaw happens due to the way bus_verify_polkit_async() works. Some DBus
interfaces use a cache to store objects for a short period and they clear it as
soon as the bus is again in the idle state. However, if a DBus method uses
bus_verify_polkit_async(), the method may have to wait a while until the polkit
action is resolved and when that happens the method handler is called again,
with the userdata previously allocated. If the polkit request takes too long,
the clearing of the cache would free the stored objects before the method is
called the second time, causing the use-after-free vulnerability.

The issue was reported by Tavis Ormandy, Google Project Zero.

Upstream fix is included in v245-rc1:
https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2
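To make the failure mode above concrete, here is a constructed C model of the pattern and of the safe design, not systemd's own code: the cache, the idle-time flush and the PendingAuth key are all assumed names. A pending request stores only a lookup key and re-resolves the object when the authorization reply arrives, so a flush in between yields "not found" instead of a dangling pointer.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the bug class above (not systemd code): a cache of heap
 * objects flushed whenever the bus goes idle, and an async authorization that
 * can outlive that flush. The safe design keeps only the object's key across
 * the wait and re-resolves it when the polkit reply arrives. */
#define CACHE_SIZE 4
typedef struct { char name[16]; int refs; } CachedObj;
static CachedObj *cache[CACHE_SIZE];

CachedObj *cache_lookup(const char *name) {
    for (int i = 0; i < CACHE_SIZE; i++)
        if (cache[i] && strcmp(cache[i]->name, name) == 0)
            return cache[i];
    return NULL;
}

CachedObj *cache_insert(const char *name) {
    int i = 0;
    while (i < CACHE_SIZE && cache[i]) i++;
    if (i == CACHE_SIZE || !(cache[i] = calloc(1, sizeof *cache[i])))
        return NULL;
    strncpy(cache[i]->name, name, sizeof cache[i]->name - 1);
    return cache[i];
}

/* Runs when the bus is idle: every cached object is freed, so any raw
 * CachedObj pointer still held by a pending request would now dangle. */
void cache_flush_on_idle(void) {
    for (int i = 0; i < CACHE_SIZE; i++) { free(cache[i]); cache[i] = NULL; }
}

/* The vulnerable variant would store `CachedObj *obj` here and dereference it
 * on completion; this version stores only the lookup key. */
typedef struct { char key[16]; } PendingAuth;

PendingAuth pending_auth_start(const char *name) {
    PendingAuth p = {{0}};
    strncpy(p.key, name, sizeof p.key - 1);
    return p;
}

/* Second invocation of the method handler once polkit has answered. Returns 1
 * if the object was re-resolved and updated, 0 if it vanished while waiting. */
int pending_auth_complete(const PendingAuth *p, int authorized) {
    CachedObj *o = authorized ? cache_lookup(p->key) : NULL;
    if (!o) return 0;          /* flushed or denied: never touch freed memory */
    o->refs++;
    return 1;
}
```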
Comment 17 Swamp Workflow Management 2020-02-06 02:13:01 UTC
SUSE-SU-2020:0331-1: An update that solves one vulnerability and has 9 fixes is now available.

Category: security (important)
Bug References: 1106383,1133495,1139459,1151377,1151506,1154043,1155574,1156482,1159814,1162108
CVE References: CVE-2020-1712
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    systemd-228-150.82.1
SUSE OpenStack Cloud 8 (src):    systemd-228-150.82.1
SUSE OpenStack Cloud 7 (src):    systemd-228-150.82.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    systemd-228-150.82.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    systemd-228-150.82.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    systemd-228-150.82.1
SUSE Linux Enterprise Server 12-SP4 (src):    systemd-228-150.82.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    systemd-228-150.82.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    systemd-228-150.82.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    systemd-228-150.82.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    systemd-228-150.82.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    systemd-228-150.82.1
SUSE Enterprise Storage 5 (src):    systemd-228-150.82.1
SUSE CaaS Platform 3.0 (src):    systemd-228-150.82.1
HPE Helion Openstack 8 (src):    systemd-228-150.82.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-02-06 14:13:31 UTC
SUSE-SU-2020:0335-1: An update that solves two vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108
CVE References: CVE-2019-20386,CVE-2020-1712
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    systemd-234-24.39.1
SUSE Linux Enterprise Server 15-LTSS (src):    systemd-234-24.39.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    systemd-234-24.39.1, systemd-mini-234-24.39.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    systemd-234-24.39.1, systemd-mini-234-24.39.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    systemd-234-24.39.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    systemd-234-24.39.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    systemd-234-24.39.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    systemd-234-24.39.1
Comment 19 Swamp Workflow Management 2020-02-06 20:15:59 UTC
SUSE-SU-2020:0353-1: An update that solves one vulnerability and has 13 fixes is now available.

Category: security (important)
Bug References: 1106383,1127557,1133495,1139459,1140631,1150595,1151377,1151506,1154043,1154948,1155574,1156482,1159814,1162108
CVE References: CVE-2020-1712
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    systemd-228-157.9.1
SUSE Linux Enterprise Server 12-SP5 (src):    systemd-228-157.9.1
Comment 21 Franck Bui 2020-02-10 09:36:16 UTC
As SLE12-SP2+, SLE15+ distros have been fixed, I think I'm done so re-assigning this to the security team.
Comment 22 Swamp Workflow Management 2020-02-11 23:16:48 UTC
openSUSE-SU-2020:0208-1: An update that solves two vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108
CVE References: CVE-2019-20386,CVE-2020-1712
Sources used:
openSUSE Leap 15.1 (src):    systemd-234-lp151.26.7.1, systemd-mini-234-lp151.26.7.1
Comment 24 Swamp Workflow Management 2020-03-25 17:27:15 UTC
SUSE-RU-2020:0793-1: An update that solves one vulnerability and has four fixes is now available.

Category: recommended (moderate)
Bug References: 1139459,1161262,1162108,1164717,1165579
CVE References: CVE-2020-1712
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    systemd-234-24.46.1, systemd-mini-234-24.46.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    systemd-234-24.46.1
Comment 25 Swamp Workflow Management 2020-03-30 22:14:32 UTC
openSUSE-RU-2020:0415-1: An update that solves one vulnerability and has four fixes is now available.

Category: recommended (moderate)
Bug References: 1139459,1161262,1162108,1164717,1165579
CVE References: CVE-2020-1712
Sources used:
openSUSE Leap 15.1 (src):    systemd-234-lp151.26.13.1, systemd-mini-234-lp151.26.13.1
Comment 26 Alexandros Toptsoglou 2020-05-12 12:35:11 UTC
Done
Comment 27 OBSbugzilla Bot 2020-05-28 09:40:24 UTC
This is an autogenerated message for OBS integration:
This bug (1162108) was mentioned in
https://build.opensuse.org/request/show/809872 15.2 / systemd