Bug 14056

Summary: CVE-2021-33910 [SYSTEMD] Memory Allocation with an Excessive Size Value that results in an operating system crash.
Product: buildroot
Reporter: Francis Hu <francisjy.hu>
Component: Other
Assignee: unassigned
Status: RESOLVED MOVED
Severity: critical
CC: buildroot, yann.morin.1998
Priority: P5
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Host:
Target:
Build:

Description Francis Hu 2021-07-31 02:35:50 UTC
Hi:
There is a systemd issue reported by NVD in https://nvd.nist.gov/vuln/detail/CVE-2021-33910.
The hyperlink is shown below.
https://github.com/systemd/systemd-stable/commit/4a1c5f34bd3e1daed4490e9d97918e504d19733b

The issue description:
basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.
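
The allocation pattern named in the description above, next to a bounded heap-based form, as an added example that is not part of the original report and is not systemd's code. The function names, the sample path and the `MAX_PATH_LEN` cap are assumptions made for illustration.

```c
#include <alloca.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATH_LEN 4096 /* assumed cap for this example */

/* Counts "/"-separated components; modifies its argument, hence the copy. */
static size_t count_in_place(char *copy) {
    size_t n = 0;
    for (char *p = strtok(copy, "/"); p; p = strtok(NULL, "/"))
        n++;
    return n;
}

/* Risky pattern: the copy's size comes straight from the caller and lands
 * on the stack. strdupa() is this same alloca()+copy in one macro. alloca()
 * cannot report failure, so an over-long path overruns the stack and the
 * process crashes. */
size_t count_components_stack(const char *path) {
    size_t len = strlen(path) + 1;
    char *copy = alloca(len); /* unbounded stack allocation */
    memcpy(copy, path, len);
    return count_in_place(copy);
}

/* Hardened form: bound the length, then copy to the heap, where allocation
 * failure is an error return instead of a crash. */
int count_components_heap(const char *path, size_t *out) {
    size_t len = strlen(path) + 1;
    if (len > MAX_PATH_LEN)
        return -ENAMETOOLONG;
    char *copy = malloc(len);
    if (!copy)
        return -ENOMEM;
    memcpy(copy, path, len);
    *out = count_in_place(copy);
    free(copy);
    return 0;
}

int main(void) {
    const char *sample = "/usr/lib/systemd"; /* constructed input */
    size_t n = 0;
    int r = count_components_heap(sample, &n);
    printf("stack: %zu, heap: r=%d n=%zu\n", count_components_stack(sample), r, n);
    return 0;
}
```
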
Comment 1 Fabrice Fontaine 2021-08-06 17:11:31 UTC
systemd has been bumped to version 249.1 since July 20 and https://git.buildroot.net/buildroot/commit/?id=fbd9566220f2812baeff5dbd727bfc30fe4e93ea so master is not affected by this CVE. 

However, LTS branches are still using version 247.3; they should be bumped to 247.9.
Comment 2 Yann E. MORIN 2024-06-15 14:59:26 UTC
Thank you for your report.

The issue tracker for the Buildroot project has been moved to
the Gitlab.com issue tracker:
    https://gitlab.com/buildroot.org/buildroot/-/issues

We are taking this opportunity to close old issues in this old
tracker. If you believe your issue is still relevant, please
open one in the new issue tracker.

Thank you!