CVE-2018-6954

Publication date 13 February 2018

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
systemd	18.10 cosmic	Fixed 239-7ubuntu10.4
	18.04 LTS bionic	Fixed 237-3ubuntu10.9
	17.10 artful	Ignored end of life
	16.04 LTS xenial	Fixed 229-4ubuntu21.15
	14.04 LTS trusty	Not affected

Notes

mdeslaur

original fix was incomplete, see second pull

chrisccoulson

Fix reverted in xenial because it breaks containers running on pre-2.6.39 kernels

mdeslaur

fix was re-introduced in xenial in 229-4ubuntu21.15

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
systemd	Upstream: https://github.com/systemd/systemd/pull/8358 Upstream: https://github.com/systemd/systemd/pull/8822 Upstream: 936f6bd

Severity score breakdown

Parameter	Value
Base score	7.8 · High
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-3816-1
systemd vulnerabilities
12 November 2018

USN-3816-2
systemd vulnerability
19 November 2018

Other references

https://www.cve.org/CVERecord?id=CVE-2018-6954