public inbox for gentoo-dev@lists.gentoo.org
From: Georgy Yakovlev <gyakovlev@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Cc: Georgy Yakovlev <gyakovlev@gentoo.org>, Sam James <sam@gentoo.org>
Subject: [gentoo-dev] [PATCH] 2021-07-07-systemd-tmpfiles: add news item
Date: Thu,  8 Jul 2021 19:38:05 -0700
Message-ID: <20210709023805.1357699-1-gyakovlev@gentoo.org>

Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
---
 .../2021-07-07-systemd-tmpfiles.en.txt        | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt

diff --git a/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
new file mode 100644
index 0000000..0960663
--- /dev/null
+++ b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
@@ -0,0 +1,48 @@
+Title: systemd-tmpfiles replaces opentmpfiles due to security issues
+Author: Georgy Yakovlev <gyakovlev@gentoo.org>
+Author: Sam James <sam@gentoo.org>
+Posted: 2021-07-07
+Revision: 1
+News-Item-Format: 2.0
+Display-If-Installed: virtual/tmpfiles
+
+On 2021-07-06, the sys-apps/opentmpfiles package was masked due to a
+root privilege escalation vulnerability (CVE-2017-18925 [0],
+bug #751415 [1], issue 4 [2] upstream).
+
+The use of opentmpfiles is discouraged by its maintainer due to the
+unpatched vulnerability and other long-standing bugs [3].
+
+Users will start seeing their package manager trying to replace
+sys-apps/opentmpfiles with sys-apps/systemd-tmpfiles because it is
+another provider of virtual/tmpfiles.
+
+Despite the name, 'systemd-tmpfiles' does not depend on systemd, does
+not use dbus, and is just a drop-in replacement for opentmpfiles. It is
+a small binary built from systemd source code, but works separately,
+similarly to eudev or elogind. It is known to work on both glibc and
+musl systems.
+
+Note that systemd-tmpfiles is specifically for non-systemd systems. It
+is intended to be used on an OpenRC system.
+
+If you wish to selectively test systemd-tmpfiles, follow those steps:
+
+ 1. # emerge --oneshot sys-apps/systemd-tmpfiles
+ 2. # reboot
+
+No other steps required.
+
+If, after reviewing the linked bug reference for opentmpfiles, you feel
+your system is not vulnerable/applicable to the attack described, you
+can unmask[4] opentmpfiles at your own risk:
+
+1. In /etc/portage/package.unmask, add:
+-sys-apps/opentmpfiles
+2. # emerge --oneshot sys-apps/opentmpfiles
+
+[0] https://nvd.nist.gov/vuln/detail/CVE-2017-18925
+[1] https://bugs.gentoo.org/751415
+[2] https://github.com/OpenRC/opentmpfiles/issues/4
+[3] https://bugs.gentoo.org/741216
+[4] https://wiki.gentoo.org/wiki/Knowledge_Base:Unmasking_a_package
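Review bot: step 1 of the unmask instructions near the end of the hunk adds "-sys-apps/opentmpfiles" to /etc/portage/package.unmask, but the leading minus is never explained and differs from the bare atom "sys-apps/opentmpfiles" used in step 2 and elsewhere in the item; either drop the minus or add a sentence stating why it is needed, since a user who follows the step literally and gets a different result from what the text promises has no way to tell which form was intended. The "Posted: 2021-07-07" header and the 2021-07-07 date in the file path also predate this submission (Date: Thu, 8 Jul 2021); the directory name and Posted date must agree with each other and should reflect the actual publication date, so both will need bumping when the item is committed. Minor wording: "follow those steps" should read "follow these steps", "No other steps required." should read "No other steps are required.", and the two numbered lists use different indentation (" 1. # emerge" vs "1. In /etc/portage/package.unmask"), which is worth aligning before the item ships.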
-- 
2.32.0