
Figure out a patched backport of systemd 241 for stretch
Closed, Resolved, Public

Description

On the toolforge bastions, we use a stretch backport of systemd 241 in order to make our cgroups system work (part of the trusty deprecation project). The systemd crash bug requires a patch, which is available in buster, but we don't have a package available for the toolforge bastions to use at this time.

Stretch backports does not include this patch yet. https://packages.debian.org/stretch-backports/systemd

Event Timeline

Bstorm added a subscriber: aborrero.

@aborrero do you think we can expect a patched backport from the official repo eventually?

How far are we from moving the bastions to buster? Maybe it makes sense to do the last push?

@aborrero do you think we can expect a patched backport from the official repo eventually?

@MoritzMuehlenhoff on IRC:

I'll backport the fix on top of 241-5~bpo9+1 tomorrow, stretch-backports isn't updated in Debian any longer, but I can push an updated deb to apt.wikimedia.org

How far are we from moving the bastions to buster? Maybe it makes sense to do the last push?

I believe all the heavy lifting work for stretch is basically done (grid support, see T277653 and subtasks). The last push is mostly community migration and such.

I've built a backported systemd package on top of the last version in stretch-backports. It can be fetched from deneb.eqiad.wmnet:/var/cache/pbuilder/result/stretch-amd64/*241-5~bpo9+wmf1*
This needs to be imported to some component which is limited to Toolforge and not stretch-wikimedia/main (since the other stretch hosts use the default systemd version in Debian). Can someone take it from here?

Debdiff below:

diff -Nru systemd-241/debian/changelog systemd-241/debian/changelog
--- systemd-241/debian/changelog	2019-06-07 20:51:26.000000000 +0000
+++ systemd-241/debian/changelog	2021-07-21 11:46:16.000000000 +0000
@@ -1,3 +1,9 @@
+systemd (241-5~bpo9+wmf1) stretch-wikimedia; urgency=medium
+
+  * Fix CVE-2021-33910 in systemd 241 (as used by Toolforge)  T287036
+
+ -- Moritz Mühlenhoff <mmuhlenhoff@wikimedia.org>  Wed, 21 Jul 2021 13:46:16 +0200
+
 systemd (241-5~bpo9+1) stretch-backports; urgency=medium
 
   * Rebuild for stretch-backports.
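Review bot: the new entry keeps urgency=medium although its only change is a CVE fix; Debian convention for security-only uploads is urgency=high, so consider bumping it. The version 241-5~bpo9+wmf1 is fine from an ordering point of view: dpkg sorts it above the base 241-5~bpo9+1 (a letter after "+" sorts higher than the end of the string in "+1"), and it stays below any later upstream revision such as a 241-6, so nothing here blocks a future move to the distribution package. It would also help to name the upstream commit (441e0115646d54f080e5c3bb0ba477c892861ab9, which the patch header already cites) in the changelog text, since the changelog is what `apt changelog` shows and the patch header is not.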
diff -Nru systemd-241/debian/patches/CVE-2021-33910.patch systemd-241/debian/patches/CVE-2021-33910.patch
--- systemd-241/debian/patches/CVE-2021-33910.patch	1970-01-01 00:00:00.000000000 +0000
+++ systemd-241/debian/patches/CVE-2021-33910.patch	2021-07-21 11:46:08.000000000 +0000
@@ -0,0 +1,61 @@
+Backport to 241 as found in stretch-backports.
+
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -369,12 +369,13 @@ int unit_name_unescape(const char *f, ch
+ }
+ 
+ int unit_name_path_escape(const char *f, char **ret) {
+-        char *p, *s;
++        _cleanup_free_ char *p = NULL;
++        char *s;
+ 
+         assert(f);
+         assert(ret);
+ 
+-        p = strdupa(f);
++        p = strdup(f);
+         if (!p)
+                 return -ENOMEM;
+ 
+@@ -386,13 +387,9 @@ int unit_name_path_escape(const char *f,
+                 if (!path_is_normalized(p))
+                         return -EINVAL;
+ 
+-                /* Truncate trailing slashes */
++                /* Truncate trailing slashes and skip leading slashes */
+                 delete_trailing_chars(p, "/");
+-
+-                /* Truncate leading slashes */
+-                p = skip_leading_chars(p, "/");
+-
+-                s = unit_name_escape(p);
++                s = unit_name_escape(skip_leading_chars(p, "/"));
+         }
+         if (!s)
+                 return -ENOMEM;
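Review bot: the subject line reads "[PATCH 1/2]" but the debdiff carries only this part of the upstream series; either confirm in the header that the second part is not needed on 241 or note why it was dropped, so the next person rebasing does not have to re-derive that. Two points in the body are worth a comment in the patch itself: the `if (!p) return -ENOMEM;` check was dead with strdupa() (which cannot fail) and is only now live with strdup(); and rewriting `p = skip_leading_chars(p, "/")` into `s = unit_name_escape(skip_leading_chars(p, "/"))` is required, not cosmetic, because with `_cleanup_free_` on `p` a reassignment to an interior pointer would hand free() an address malloc() never returned. Note also that only the copy moves to the heap here; the commit message says the result is bounded by UNIT_NAME_MAX, but nothing in this function enforces that, so the bound has to come from the caller.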
diff -Nru systemd-241/debian/patches/series systemd-241/debian/patches/series
--- systemd-241/debian/patches/series	2019-06-07 20:51:26.000000000 +0000
+++ systemd-241/debian/patches/series	2021-07-21 11:46:16.000000000 +0000
@@ -36,3 +36,4 @@
 debian/Add-env-variable-for-machine-ID-path.patch
 debian/Drop-seccomp-system-call-filter-for-udev.patch
 debian/Revert-build-sys-require-libmount-2.30-6795.patch
+CVE-2021-33910.patch
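Review bot: the new entry is appended after the debian/ packaging patches with no DEP-3 header in the patch file beyond the one-line "Backport to 241" note; adding `Origin: backport, https://github.com/systemd/systemd/commit/441e0115646d54f080e5c3bb0ba477c892861ab9` and a `Bug:` line with the Red Hat bugzilla link already quoted in the body would make the provenance visible to `quilt header` and to tooling that tracks CVE patches. Appending last is safe only as long as no earlier patch in the series touches src/basic/unit-name.c; the successful build on deneb suggests it applies cleanly, but that is worth stating in the header too.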
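The mechanism the backported commit message describes, an alloca()-sized copy of an attacker-controlled mountpoint path, as an added example that is not systemd's code and not part of this task. `path_escape_alloca()` has the pre-fix shape and `path_escape_heap()` the post-fix shape; the escaper is a simplified stand-in for `unit_name_escape()`, the `UNIT_NAME_MAX` check after escaping is added only to show where a bound can live once the copy is on the heap, and `make_long_path()` constructs the oversized input that a FUSE mount would otherwise provide. All function names are this example's own.

```c
#define _GNU_SOURCE
#include <alloca.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bound quoted in the fix's commit message. The length check below is an
 * illustration added here; systemd's unit_name_path_escape() itself does
 * not enforce it. */
#define UNIT_NAME_MAX 256

/* Simplified stand-in for systemd's unit_name_escape(): '/' -> '-', any byte
 * outside [A-Za-z0-9_:.@] -> \xNN. An assumption of this example. */
static size_t escaped_len(unsigned char c) {
    return (c == '/' || isalnum(c) || strchr("_:.@", c)) ? 1 : 4;
}

static char *escape_simple(const char *s) {
    size_t need = 1;                               /* NUL terminator */
    for (const unsigned char *r = (const unsigned char *)s; *r; r++)
        need += escaped_len(*r);
    char *out = malloc(need), *w = out;
    if (!out)
        return NULL;
    for (const unsigned char *r = (const unsigned char *)s; *r; r++) {
        if (*r == '/')
            *w++ = '-';
        else if (escaped_len(*r) == 1)
            *w++ = (char)*r;
        else
            w += sprintf(w, "\\x%02x", *r);
    }
    *w = '\0';
    return out;
}

/* Shared tail of both variants: delete trailing slashes in place, skip
 * leading ones, escape. A path that is nothing but slashes maps to "-". */
static char *escape_trimmed(char *p) {
    size_t n = strlen(p);
    while (n > 0 && p[n - 1] == '/')
        p[--n] = '\0';
    const char *q = p;
    while (*q == '/')
        q++;
    return *q ? escape_simple(q) : strdup("-");
}

/* Pre-fix shape. strdupa(f) expands to alloca(strlen(f)+1) plus memcpy, so
 * the writable copy is carved from the stack with a size nobody bounded.
 * A mountinfo path of a few MiB exhausts the default 8 MiB stack and kills
 * the process; in PID 1 that is the crash the CVE describes. */
char *path_escape_alloca(const char *f) {
    size_t len = strlen(f) + 1;
    char *p = alloca(len);
    memcpy(p, f, len);
    return escape_trimmed(p);
}

/* Post-fix shape. The copy is heap allocated, so an oversized path costs
 * memory rather than stack, and the -ENOMEM check (dead with strdupa(),
 * which cannot fail) is now meaningful. Returns 0 and sets *ret on success. */
int path_escape_heap(const char *f, char **ret) {
    char *p = strdup(f);
    if (!p)
        return -ENOMEM;
    char *s = escape_trimmed(p);
    free(p);
    if (!s)
        return -ENOMEM;
    if (strlen(s) > UNIT_NAME_MAX) {   /* illustration only, see above */
        free(s);
        return -ENAMETOOLONG;
    }
    *ret = s;
    return 0;
}

/* Constructed input: "/a/a/a..." of exactly len bytes, standing in for a
 * mountpoint path an unprivileged user could create under a FUSE mount. */
char *make_long_path(size_t len) {
    char *p = malloc(len + 1);
    if (!p)
        return NULL;
    for (size_t i = 0; i < len; i++)
        p[i] = (i % 2 == 0) ? '/' : 'a';
    p[len] = '\0';
    return p;
}

int main(int argc, char **argv) {
    char *s = NULL;
    int r = path_escape_heap("/var/lib/foo/", &s);
    printf("rc=%d escaped=%s\n", r, s);
    free(s);

    char *lp = make_long_path(16u << 20);          /* 16 MiB, above the default stack size */
    r = path_escape_heap(lp, &s);
    printf("16 MiB path via heap copy: rc=%d (%s)\n", r, strerror(-r));

    /* Only on request: the same input through the pre-fix path overruns the
     * stack instead of returning an error. */
    if (argc > 1 && strcmp(argv[1], "--crash") == 0)
        free(path_escape_alloca(lp));
    free(lp);
    return 0;
}
```

Run it without arguments to see the heap variant reject the 16 MiB path with an error code; run it with `--crash` to watch the alloca variant die on the same input, which is the whole difference the one-line strdupa() to strdup() change makes.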

This needs to be imported to some component which is limited to Toolforge and not stretch-wikimedia/main (since the other stretch hosts use the default systemd version in Debian).

I imagine we'll want it in stretch-wikimedia/component/systemd241.

In T287036#7227136, @Majavah wrote:

This needs to be imported to some component which is limited to Toolforge and not stretch-wikimedia/main (since the other stretch hosts use the default systemd version in Debian).

I imagine we'll want it in stretch-wikimedia/component/systemd241.

Ah, indeed. I'll import it there.

Change 705891 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add component/systemd241 to Udebcomponents

https://gerrit.wikimedia.org/r/705891

Change 705891 merged by Muehlenhoff:

[operations/puppet@production] Add component/systemd241 to Udebcomponents

https://gerrit.wikimedia.org/r/705891

Mentioned in SAL (#wikimedia-operations) [2021-07-21T14:01:37Z] <moritzm> imported systemd 241-5~bpo9+wmf1 to component/systemd241 T287036

Mentioned in SAL (#wikimedia-cloud) [2021-07-21T14:35:17Z] <majavah> updating systemd on toolforge stretch bastions T287036

taavi assigned this task to MoritzMuehlenhoff.

Updated version rolled out. Thanks!