Ubuntu Security Notice 5928-1 - It was discovered that systemd did not properly validate the time and accuracy values provided to the format_timespan function. An attacker could possibly use this issue to cause a buffer overrun, leading to a denial of service attack. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that systemd did not properly manage the fs.suid_dumpable kernel configurations. A local attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10.
509bb5498c466727e8b77069e58b5b38ba7506e8a8d8e979018a2f971776f7e6
=========================================================================
Ubuntu Security Notice USN-5928-1
March 07, 2023
systemd vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in systemd.
Software Description:
- systemd: system and service manager
Details:
It was discovered that systemd did not properly validate the time and
accuracy values provided to the format_timespan() function. An attacker
could possibly use this issue to cause a buffer overrun, leading to a
denial of service attack. This issue only affected Ubuntu 14.04 ESM, Ubuntu
16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2022-3821)
It was discovered that systemd did not properly manage the fs.suid_dumpable
kernel configurations. A local attacker could possibly use this issue to
expose sensitive information. This issue only affected Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2022-4415)
It was discovered that systemd did not properly manage a crash with long
backtrace data. A local attacker could possibly use this issue to cause a
deadlock, leading to a denial of service attack. This issue only affected
Ubuntu 22.10. (CVE-2022-45873)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.10:
systemd 251.4-1ubuntu7.1
Ubuntu 22.04 LTS:
systemd 249.11-0ubuntu3.7
Ubuntu 20.04 LTS:
systemd 245.4-4ubuntu3.20
Ubuntu 18.04 LTS:
systemd 237-3ubuntu10.57
Ubuntu 16.04 ESM:
systemd 229-4ubuntu21.31+esm3
Ubuntu 14.04 ESM:
systemd 204-5ubuntu20.31+esm2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5928-1
CVE-2022-3821, CVE-2022-4415, CVE-2022-45873
Package Information:
https://launchpad.net/ubuntu/+source/systemd/251.4-1ubuntu7.1
https://launchpad.net/ubuntu/+source/systemd/249.11-0ubuntu3.7
https://launchpad.net/ubuntu/+source/systemd/245.4-4ubuntu3.20
https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.57