[Bug 1152187] Re: [MIR] systemd

Seth Arnold 1152187 at bugs.launchpad.net
Wed Mar 20 00:53:40 UTC 2013


I was asked to expand the audit I performed earlier (summarized in
comment #5 above). I reviewed version 198-0ubuntu0ppa2 from pitti's PPA.

Again, this is not intended to be a complete audit. Not everything I found
is a security issue; I'm just reporting things that looked surprising to me.


timedated

- Forces /etc/localtime to symlink
- Race condition between valid_timezone() and write_data_timezone()
  low risk because ../usr/share/zoneinfo/ is prepended, untrusted accounts
  shouldn't have write access here
- hwclock_set_timezone() and hwclock_reset_timezone() look misused or abused:
  both are used to 'seal' the Linux kernel's magic settimeofday(2) handling to
  adjust for CMOS-based clock being set to local time (Windows) or UTC (Unix).
  The 'tz' variable should otherwise be unused. So calling these functions
  multiple times in one boot is probably useless.
- write_data_local_rtc() appears to leave 'w' without terminating NUL
- SetTime timespec_store() doesn't appear to account for wraparound
- Many strings in timedatectl.c aren't localized

hostnamed

- read_full_file() realloc grows buf by one byte each loop iteration
  this will be bad performance for files between 4K and 4M.
- hostname_is_valid() will allow invalid names such as '.' or '..' or '_hi'
- Many strings in hostnamectl.c aren't localized

ACK for including both timedated and hostnamed in main, provided that
upstream is consulted for the settimeofday(2) issues, timespec_store()
wraparound issue, and hostname_is_valid() issue.

-- 
https://bugs.launchpad.net/bugs/1152187

Title:
  [MIR] systemd

Status in “systemd” package in Ubuntu:
  Fix Released

Bug description:
  * The package is in universe and built on all archs:
  https://launchpad.net/ubuntu/+source/systemd/44-10ubuntu1

  * Rationale:

  - in a first step we want systemd-services promoted to replace
  ubuntu-system-services

  -  We will also want to move from consolekit to logind soon
  (https://blueprints.launchpad.net/ubuntu/+spec/foundations-1303-consolekit-logind-migration)

  - udev has been merged in the systemd source upstream so we will want
  to build it from there at some point as well

  we don't plan to use the systemd init system at this point

  * Security:

  there have been some security issues in the past
  http://secunia.com/advisories/search/?search=systemd
  http://secunia.com/advisories/48220/
  http://secunia.com/advisories/48208/
  http://secunia.com/advisories/48331/

  Those are mostly logind issues and have been fixed upstream.

  Our current package is outdated but we do plan to update it before
  starting to use logind. There should be no issue with the services.

  * Quality:
  - there is no RC bug in Debian: http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=systemd
  - there is no bug open in Launchpad: https://launchpad.net/ubuntu/+source/systemd/+bugs
  - upstream is active and responsive to issues

  The desktop bugs team is subscribed to the package in launchpad,
  foundations/desktop will maintain the package and look to the bug
  reports regularly.
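
The hostname_is_valid() finding in the audit above, illustrated as an added example (not systemd's code and not part of the original message): a stricter check that rejects '.', '..' and '_hi'. The name `strict_hostname_ok` is hypothetical, and the RFC 1123 rules it applies (labels of 1 to 63 ASCII letters, digits and interior hyphens, 253 bytes in total) are this example's assumption about what "valid" should mean.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not systemd's hostname_is_valid(). Assumes "valid"
 * means RFC 1123 syntax: dot-separated labels of 1..63 bytes made of ASCII
 * letters, digits and '-', with no '-' at either end of a label, and at
 * most 253 bytes overall. */
static bool is_alnum_ascii(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

bool strict_hostname_ok(const char *s) {
    size_t total, label_len = 0;

    if (!s || (total = strlen(s)) == 0 || total > 253)
        return false;
    for (size_t i = 0; i < total; i++) {
        char c = s[i];
        if (c == '.') {
            /* Empty label: catches ".", "..", "a..b" and a leading dot.
             * A '-' just before the dot would end the label. */
            if (label_len == 0 || s[i - 1] == '-')
                return false;
            label_len = 0;
            continue;
        }
        if (c == '-') {
            if (label_len == 0)        /* label may not start with '-' */
                return false;
        } else if (!is_alnum_ascii(c)) /* rejects '_', '/', space, UTF-8 */
            return false;
        if (++label_len > 63)
            return false;
    }
    /* A trailing dot or trailing '-' leaves an empty or malformed label. */
    return label_len > 0 && s[total - 1] != '-';
}

int main(void) {
    /* Constructed sample inputs, including the three named in the audit. */
    const char *samples[] = { ".", "..", "_hi", "web-01", "a.example", "-x", "x-." };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-10s %s\n", samples[i],
               strict_hostname_ok(samples[i]) ? "ok" : "rejected");
    return 0;
}
```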
