Date: Wed, 5 Feb 2020 10:59:55 +0100 From: Riccardo Schirone <rschiron@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2020-1712 systemd: use-after-free when asynchronous polkit queries are performed Hello, A heap use-after-free vulnerability was found in systemd, when asynchronous Polkit queries are performed while handling Dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. CVE-2020-1712 has been assigned to this issue. This flaw happens due to the way bus_verify_polkit_async() works. Some DBus interfaces use a cache to store objects for a short period and they clear it as soon as the bus is again in the idle state. However, if a DBus method uses bus_verify_polkit_async(), the method may have to wait a while until the polkit action is resolved and when that happens the method handler is called again, with the userdata previously allocated. If the polkit request takes too long, the clearing of the cache would free the stored objects before the method is called the second time, causing the use-after-free vulnerability. The issue was reported by Tavis Ormandy, Google Project Zero. Upstream fix is included in v245-rc1: https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2 Thanks, -- Riccardo Schirone Red Hat -- Product Security Email: rschiron@...hat.com PGP-Key ID: CF96E110 Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.