CVE-2022-4415 – systemd: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting
https://notcve.org/view.php?id=CVE-2022-4415
A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting. • https://github.com/systemd/systemd/commit/b7641425659243c09473cd8fb3aef2c0d4a3eb9c https://www.openwall.com/lists/oss-security/2022/12/21/3 https://access.redhat.com/security/cve/CVE-2022-4415 https://bugzilla.redhat.com/show_bug.cgi?id=2155515 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-45873 – systemd: deadlock in systemd-coredump via a crash with a long backtrace
https://notcve.org/view.php?id=CVE-2022-45873
systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file. systemd 250 y 251 permiten a los usuarios locales lograr un punto muerto en systemd-coredump al desencadenar un bloqueo que tiene un largo backtrace. Esto ocurre en parse_elf_object enshared/elf-util.c. • https://github.com/systemd/systemd/commit/076b807be472630692c5348c60d0c2b7b28ad437 https://github.com/systemd/systemd/pull/24853#issuecomment-1326561497 https://github.com/systemd/systemd/pull/25055#issuecomment-1313733553 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MS5N5SLYAHKENLAJWYBDKU55ICU3SVZF https://access.redhat.com/security/cve/CVE-2022-45873 https://bugzilla.redhat.com/show_bug.cgi?id=2149063 • CWE-400: Uncontrolled Resource Consumption CWE-833: Deadlock •
CVE-2022-3821 – systemd: buffer overrun in format_timespan() function
https://notcve.org/view.php?id=CVE-2022-3821
An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service. Se descubrió un problema de error de uno en uno en Systemd en la función format_timespan() de time-util.c. Un atacante podría proporcionar valores específicos de tiempo y precisión que provoquen una saturación del búfer en format_timespan(), lo que provocará una Denegación de Servicio (DoS). An off-by-one error flaw was found in systemd in the format_timespan() function of time-util.c. • https://bugzilla.redhat.com/show_bug.cgi?id=2139327 https://github.com/systemd/systemd/commit/9102c625a673a3246d7e73d8737f3494446bad4e https://github.com/systemd/systemd/issues/23928 https://github.com/systemd/systemd/pull/23933 https://lists.debian.org/debian-lts-announce/2023/06/msg00036.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RVBQC2VLSDVQAPJTEMTREXDL4HYLXG2P https://security.gentoo.org/glsa/202305-15 https://access.redhat.com/security/cve/CVE-2022- • CWE-193: Off-by-one Error •
CVE-2022-2526 – systemd-resolved: use-after-free when dealing with DnsStream in resolved-dns-stream.c
https://notcve.org/view.php?id=CVE-2022-2526
A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later. Se ha encontrado una vulnerabilidad de uso de memoria previamente liberada en systemd. Este problema ocurre debido a que las funciones on_stream_io() y dns_stream_complete() en "resolved-dns-stream.c" no incrementan el conteo de referencias para el objeto DnsStream. • https://github.com/systemd/systemd/commit/d973d94dec349fb676fdd844f6fe2ada3538f27c https://security.netapp.com/advisory/ntap-20221111-0005 https://access.redhat.com/security/cve/CVE-2022-2526 https://bugzilla.redhat.com/show_bug.cgi?id=2109926 • CWE-416: Use After Free •
CVE-2021-3997
https://notcve.org/view.php?id=CVE-2021-3997
A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp. Se ha encontrado un fallo en systemd. Una recursión no controlada en systemd-tmpfiles puede conllevar a una denegación de servicio en el momento del arranque cuando son creados demasiados directorios anidados en /tmp. • https://access.redhat.com/security/cve/CVE-2021-3997 https://bugzilla.redhat.com/show_bug.cgi?id=2024639 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1 https://security.gentoo.org/glsa/202305-15 https://www.openwall.com/lists/oss-security/2022/01/10/2 • CWE-674: Uncontrolled Recursion •