Hi,

TL;DR: partial fixes for systemd issues pending upload, test packages at usual location.

I've been working for the last two days on backporting the four pending CVEs for systemd. Those are:

  CVE-2018-1049   In systemd prior to 234 a race condition exists between .mount and ...
  CVE-2018-15688  buffer overflow vulnerability in the dhcp6 client of systemd allows ...
  CVE-2018-15686  A vulnerability in unit_deserialize of systemd allows an attacker to ...
  CVE-2018-6954   systemd-tmpfiles in systemd through 237 mishandles symlinks present in ...

The first three were fairly easy to backport. CVE-2018-15686 required a bit more work, but that was nothing compared to CVE-2018-6954. The tmpfiles "fixes" are ... challenging, to put it mildly. The implementation between jessie and sid varies quite a bit (no ACL/subvolumes support, major API differences), so backporting the changes is definitely non-trivial. I've been battling quilt and upstream patchsets for hours now, and I can't see the end. Every time I go through the "backport, compile, fix" cycle, I uncover a new thread of code I need to backport from upstream for the code to make sense.

So I'm giving up on this fix for now. It's just too huge. In comparison, the fix for the previous tmpfiles security issue (CVE-2017-18078, currently unfixed) was a breeze - I backported it in a few minutes, thinking it would help resolve the fuzz for the next patches. Far from it.

As a safety precaution, I had uploaded a test package to the usual location before working on the tmpfiles work, here:

https://people.debian.org/~anarcat/debian/jessie-lts/

So I intend to upload *those* packages some time next week unless otherwise noted.

An alternative to backporting the numerous tmpfiles patches from upstream would be to backport *all* of tmpfiles.c itself from buster or sid. Unfortunately, like many parts of systemd, it's not exactly standalone and would imply significant behavior changes, although we could remove the extra functionality introduced in the later releases and focus on the pieces already present in jessie.

I believe that it would be the simplest and safest way to approach this, because backporting the patches themselves is a complete nightmare: upstream is constantly going back and forth in critical API changes (like passing a fd or path), which makes it near impossible to settle on a target across releases. I must also admit that it doesn't help that I'm doing this only with quilt, as opposed to cherry-picking upstream patches through git. Unfortunately, even that is a significant challenge: the complete tmpfiles fix is in #8822, which is a whopping 26 commits, rewriting most of tmpfiles.c functions and doing a significant refactoring of everything.

Now if you'll excuse me, I'll go out and enjoy this beautiful snow and nurse that damaged brain of mine for sunnier days. ;)

A.

-- 
They say that time changes things, but you actually have to change them yourself.
                        - Andy Warhol