Source: systemd
Version: 241-3
Severity: important
Tags: security upstream
Control: found -1 232-25+deb9u11
Control: found -1 232-1

Hi,

The following vulnerabilities were published for systemd.

CVE-2019-3843[0]:
| It was discovered that a systemd service that uses DynamicUser
| property can create a SUID/SGID binary that would be allowed to run as
| the transient service UID/GID even after the service is terminated. A
| local attacker may use this flaw to access resources that will be
| owned by a potentially different service in the future, when the
| UID/GID will be recycled.

CVE-2019-3844[1]:
| It was discovered that a systemd service that uses DynamicUser
| property can get new privileges through the execution of SUID
| binaries, which would allow to create binaries owned by the service
| transient group with the setgid bit set. A local attacker may use this
| flaw to access resources that will be owned by a potentially different
| service in the future, when the GID will be recycled.

More details are in [2] and [3].

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3843
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3843
[1] https://security-tracker.debian.org/tracker/CVE-2019-3844
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3844
[2] https://bugs.chromium.org/p/project-zero/issues/detail?id=1771
[3] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596

Please adjust the affected versions in the BTS as needed. I think the
affected versions go back to the one in stretch where support for
DynamicUser was added. Overall though the issue seems to be low impact,
thus I have marked it as no-dsa for stretch, but let us know if this is
a wrong assessment of the severity.

Regards,
Salvatore
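As an added defender-side check (not part of this bug report, nor systemd's own code), the script below audits a filesystem for SUID/SGID files owned by an id in the DynamicUser= allocation range, which it assumes to be 61184-65519 as documented in systemd.exec(5), and flags those whose owner no longer resolves through NSS (nss-systemd only answers for ids that are currently allocated): those are the leftover binaries a later service would inherit once the id is recycled.

```python
import os, pwd, grp, stat
from typing import Callable, Iterable, List, Tuple

# systemd.exec(5) documents 61184-65519 as the DynamicUser= allocation
# range (assumption taken from the manual, not from the bug report).
DYNAMIC_ID_MIN, DYNAMIC_ID_MAX = 61184, 65519

def in_dynamic_range(ident: int) -> bool:
    return DYNAMIC_ID_MIN <= ident <= DYNAMIC_ID_MAX

def audit_entries(entries: Iterable[Tuple[str, int, int, int]],
                  uid_live: Callable[[int], bool],
                  gid_live: Callable[[int], bool]) -> List[Tuple[str, str]]:
    """entries: (path, st_mode, st_uid, st_gid).  Returns (path, reason) for
    each regular file that is SUID/SGID and owned by a dynamic UID/GID.  An
    owner id that no longer resolves is the CVE-2019-3843/3844 case: the
    next service allocated that id inherits the binary ('live' otherwise)."""
    findings = []
    for path, mode, uid, gid in entries:
        if not stat.S_ISREG(mode):
            continue  # set-id bits grant privilege only on regular files
        if mode & stat.S_ISUID and in_dynamic_range(uid):
            findings.append((path, f"{'live' if uid_live(uid) else 'orphaned'}-setuid:{uid}"))
        if mode & stat.S_ISGID and in_dynamic_range(gid):
            findings.append((path, f"{'live' if gid_live(gid) else 'orphaned'}-setgid:{gid}"))
    return findings

def _resolves(lookup: Callable[[int], object], ident: int) -> bool:
    # Dynamic ids resolve through nss-systemd only while allocated, so a
    # KeyError from pwd/grp means no service currently owns the id.
    try:
        lookup(ident)
        return True
    except KeyError:
        return False

def scan(root: str = "/") -> List[Tuple[str, str]]:
    # Walk root without following symlinks and audit every file found.
    def walk():
        for dirpath, _dirs, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue  # unreadable paths are skipped, not fatal
                yield full, st.st_mode, st.st_uid, st.st_gid
    return audit_entries(walk(), lambda u: _resolves(pwd.getpwuid, u),
                         lambda g: _resolves(grp.getgrgid, g))
```

Run `scan()` as root so every path can be stat'ed; any "orphaned-*" finding is a file to remove or strip of its set-id bits before the id is handed to another service.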

