ROSA LAB Advisory ROSA-SA-2021-1982
Published: 2021-07-02 18:13:58
Source: ROSA LAB, abf.rosalinux.ru

CVSS3: 9.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 8.3 High (Confidence: Low)

CVSS2: 10 High
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.528 Medium (Percentile: 97.6%)

Software: system 219
OS: Cobalt 7.9

CVE-ID: CVE-2013-4392
CVE-Crit: HIGH
CVE-DESC: systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts of arbitrary files via a symbolic link attack on unspecified files.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-7795
CVE-Crit: MEDIUM
CVE-DESC: The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received via the notify socket.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-1000082
CVE-Crit: CRITICAL
CVE-DESC: systemd v233 and earlier fails to safely parse usernames that start with a numeric digit (e.g., "0day"), with the result that the service in question is run with root privileges rather than as the intended user.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-18078
CVE-Crit: HIGH
CVE-DESC: systemd-tmpfiles in systemd through 237 attempts to support ownership/permission changes on hardlinked files even when the sysctl fs.protected_hardlinks is disabled, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user does not have write access, as demonstrated by changing the owner of /etc/passwd.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-9217
CVE-Crit: HIGH
CVE-DESC: systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty question section.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-9445
CVE-Crit: HIGH
CVE-DESC: In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that is too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that is too small and subsequently writing arbitrary data beyond the end of it.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-1049
CVE-Crit: MEDIUM
CVE-DESC: In systemd before 234, a race condition exists between .mount and .automount units, so that automount requests from the kernel may not be serviced by systemd, causing the kernel to hold the mount point and any process that tries to use that mount to hang. This race condition can result in a denial of service until the mount points are disabled.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-16888
CVE-Crit: MEDIUM
CVE-DESC: It was discovered that systemd incorrectly validates the contents of PIDFile files before using them to kill processes. When a service is run as an unprivileged user (for example, via the User field in a service file), a local attacker who can write to the PID file of that service could exploit this flaw to trick systemd into killing other services and/or privileged processes. Versions prior to v237 are vulnerable.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-15687
CVE-Crit: MEDIUM
CVE-DESC: A race condition in chown_one() in systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files. Affected releases are systemd versions up to and including 239.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-16864
CVE-Crit: HIGH
CVE-DESC: An unbounded memory allocation, which could cause the stack to clash with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker could exploit this flaw to crash systemd-journald or escalate their privileges. Versions prior to v240 are vulnerable.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-16865
CVE-Crit: HIGH
CVE-DESC: An unbounded memory allocation, which could cause the stack to clash with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote attacker if systemd-journal-remote is used, could exploit this flaw to crash systemd-journald or execute code with journald privileges. Versions prior to v240 are vulnerable.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-6954
CVE-Crit: HIGH
CVE-DESC: systemd-tmpfiles in systemd through 237 mishandles symbolic links present in non-terminal path components, which allows local users to gain ownership of arbitrary files via vectors involving creating a directory and a file under that directory and then replacing that directory with a symbolic link. This occurs even if the sysctl fs.protected_symlinks is enabled.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-3842
CVE-Crit: HIGH
CVE-DESC: In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. In some specific configurations, an attacker could set an XDG_SEAT environment variable that causes commands to be checked against polkit policies using the "allow_active" element rather than "allow_any".
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-20386
CVE-Crit: LOW
CVE-DESC: An issue was discovered in button_open in login/logind-button.c in systemd before 243. The udevadm trigger command may leak memory.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-3843
CVE-Crit: HIGH
CVE-DESC: It was discovered that a systemd service using the DynamicUser property could create a SUID/SGID binary that would be allowed to run as the service's transient UID/GID even after the service has terminated. A local attacker could exploit this flaw to access resources that will in the future belong to a potentially different service once the UID/GID is recycled.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-3844
CVE-Crit: HIGH
CVE-DESC: It was discovered that a systemd service using the DynamicUser property could gain new privileges by executing SUID binaries, which would allow binaries owned by the service's transient group to be created with the setgid bit set. A local attacker could exploit this flaw to access resources that will in the future belong to a potentially different service once the GID is recycled.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-13776
CVE-Crit: MEDIUM
CVE-DESC: In systemd through v245, numeric usernames, such as ones composed of decimal digits or 0x followed by hexadecimal digits, are mishandled, as demonstrated by the use of root privileges when the privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-1712
CVE-Crit: HIGH
CVE-DESC: A heap use-after-free vulnerability was found in systemd before v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker could exploit this flaw to crash systemd services or potentially execute code and elevate their privileges by sending specially crafted dbus messages.
CVE-STATUS: default
CVE-REV: default

OS      Version  Architecture  Package  Version  Filename
Cobalt  any      noarch        system   < 219    UNKNOWN
