Arch Linux Security Advisory ASA-201901-4
=========================================

Severity: Medium
Date    : 2019-01-08
CVE-ID  : CVE-2018-6954 CVE-2018-16866
Package : systemd
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-615

Summary
=======

The package systemd before version 240.0-3 is vulnerable to multiple
issues including arbitrary file overwrite and information disclosure.

Resolution
==========

Upgrade to 240.0-3.

# pacman -Syu "systemd>=240.0-3"

The problems have been fixed upstream in version 240.0.

Workaround
==========

None.

Description
===========

- CVE-2018-6954 (arbitrary file overwrite)

systemd-tmpfiles in systemd through 237 mishandles symlinks present in
non-terminal path components, which allows local users to obtain
ownership of arbitrary files via vectors involving creation of a
directory and a file under that directory, and later replacing that
directory with a symlink. This occurs even if the fs.protected_symlinks
sysctl is turned on.

- CVE-2018-16866 (information disclosure)

An out-of-bounds read has been found in the journald component of
systemd >= v221 and < v240, in the syslog_parse_identifier() function
in journald-syslog.c. A crafted syslog message whose last character is
':' can trigger this vulnerability to leak information about the
content of the memory.

Impact
======

A local attacker is able to obtain ownership of arbitrary files or
disclose information using a specially crafted syslog message.

References
==========

https://github.com/systemd/systemd/issues/7986
https://github.com/systemd/systemd/pull/8822
https://www.qualys.com/2019/01/09/system-down/system-down.txt
https://www.openwall.com/lists/oss-security/2019/01/09/3
https://github.com/systemd/systemd/commit/a6aadf4ae0bae185dc4c414d492a4a781c80ffe5
https://github.com/systemd/systemd/commit/8595102d3ddde6d25c282f965573a6de34ab4421
https://security.archlinux.org/CVE-2018-6954
https://security.archlinux.org/CVE-2018-16866