On 27/12/2021 12:25, Ulrich Windl wrote:
Wols Lists <antlists@xxxxxxxxxxxxxxx> schrieb am 27.12.2021 um 13:18 in
Nachricht <8802ee4d-230d-8013-553d-8615515ce4ae@xxxxxxxxxxxxxxx>:
On 27/12/2021 12:09, Ulrich Windl wrote:
Well, but why write "Failed to kill unit \x7b__SERVICE__\x7d.service" when
"unit {__SERVICE__} has an invalid name" (the message I'd suggest)?
I mean: I see no problem_outputting_ the original service name, especially
when it's considered to be an invalid name.
I guess it's seen as a possible attack vector.
Well, usually I wouldn't consider braces to be "evil" characters (unless used in LOG4J, maybe).
It's not paranoia if they really are out to get you.
Did you actually read up on the vulnerability? As I read it, EVERYTHING
made perfect sense *in* *isolation*.
It's only when somebody realised the COMBINATION was a very stupid idea
that the shit hit the fan.
The road to hell is paved with good intentions.
Your typical vulnerability now is getting several seemingly unconnected
poor decisions to play against each other. You only need somebody to
parse the output of journald and bingo - there's a repeat of the log4j
disaster only now it's systemd that's the vulnerability.
Call it paranoid, but if some idiot decides to un-escape that sequence,
it won't be down to systemd.
Cheers,
Wol
