Debian 10203 Published by

A systemd security update has been released for Debian GNU/Linux 9 Extended LTS to address two security issues.





Packagesystemd
Version232-25+deb9u16 (stretch)
Related CVEs CVE-2022-3821  CVE-2023-26604

Systemd is a system and service manager. The following security vulnerabilities have been fixed.

CVE-2023-26604

systemd does not adequately block local privilege escalation for
some Sudo configurations, e.g., plausible sudoers files in which the
"systemctl status" command may be executed. Specifically, systemd does not
set LESSSECURE to 1, and thus other programs may be launched from the less
program. This presents a substantial security risk when running systemctl
from Sudo, because less executes as root when the terminal size is too
small to show the complete systemctl output.

This update introduces a new systemd environment variable called
$SYSTEMD_PAGERSECURE. By default it is set to true which means LESSSECURE
is set to 1. However only the less pager implements such a security
feature and thus will be used whenever $SYSTEMD_PAGERSECURE is true. You
can disable this feature by setting $SYSTEMD_PAGERSECURE to false.

As a general precaution we recommend to carefully review an existing
sudoers file and reassess if certain privileges are still required for
normal users.

CVE-2022-3821

An off-by-one error issue was discovered in Systemd in format_timespan()
function of time-util.c. An attacker could supply specific values for time
and accuracy that leads to buffer overrun in format_timespan(), leading to
a Denial of Service.


For Debian 9 stretch, these problems have been fixed in version 232-25+deb9u16.

We recommend that you upgrade your systemd packages.

Further information about Extended LTS security advisories can be found in the  dedicated section of our website.