#4394: systemd-240
---------------------+-----------------------
Reporter: renodr | Owner: renodr
Type: task | Status: assigned
Priority: highest | Milestone: 8.4
Component: Book | Version: SVN
Severity: normal | Resolution:
Keywords: |
---------------------+-----------------------
Changes (by renodr):
* priority: normal => highest
Comment:
Arbitrary Code Execution Fix (CVE-2018-15688):
{{{
An out-of-bounds write has been found in the dhcpv6 option handing code of
systemd-networkd up to and including v239.
It was discovered that systemd-network does not correctly keep track of a
buffer size in the dhcp6_option_append_ia() function, when constructing
DHCPv6 packets. This flaw may lead to an integer underflow that can be
used to produce an heap-based buffer overflow. A malicious host on the
same network segment as the victim's one may advertise itself as a DHCPv6
server and exploit this flaw to cause a Denial of Service or potentially
gain code execution on the victim's machine. The overflow can be triggered
relatively easy by advertising a DHCPv6 server with a server-id >= 493
characters long.
}}}
Privilege Escalation issue (CVE-2018-15687):
{{{
A security issue has been found in systemd up to and including 239, where
a race condition in the chown_one() function can be used to escalate
privileges via a crafted symlink.
}}}
Privilege Escalation Issue (CVE-2018-15686):
{{{
A security issue has been found in systemd up to and including 239, where
the use of fgets() allows an attacker to escalate privilege via a crafted
service with NotifyAccess.
}}}
That's in addition to the vulnerability in the description above.
--
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/4394#comment:2>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
--
http://lists.linuxfromscratch.org/listinfo/lfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
