[Stable Update] 2019-01-19 - Security update to Systemd v239 series

philm · 19 January 2019 18:26

Hi community,

Welcome to our third stable update of 2019. So what do we have with this one?

We addressed the following security issues within systemd v239 series:

CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess.
CVE-2018-15687: A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files.
CVE-2018-6954_2: systemd-tmpfiles in systemd through 239 mishandles symlinks present in non-terminal path components.
CVE-2018-16864: An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog.
CVE-2018-16865: An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket.
CVE-2018-16866: An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'.

This is also addressed with v239.6-4 in our testing branch and with v240.275-1 in our unstable branch.

We hope with all these changes Manjaro to be more efficient for you all.

FOSDEM19

Some of our core developers will join PINE64 Inc. at FOSDEM19 in Brussels. We will establish an even more closer relationship with this ARM based company. Also we are looking forward to see your reactions on the big announcement PINE64 Inc. will do at FOSDEM19. Stay tuned for any upcoming news.

Partnership with FCS Linux Aarhus

We are happy to announce a new partnership with FCS Linux Aarhus owned by @linux-aarhus. This enables us to offer you Laptops with Manjaro pre-installed and Manjaro Stickers you can use on your own hardware or gift them to a friend. For each sale FCS will donate a percentage to the Manjaro project.

Manjaro v18.0.2 released!

To end the year with a high note we updated our flagship ISOs of Manjaro Illyria with the latest packages. It comes with refreshed packages and updated tools. You may want to download our XFCE Edition with the latest 4.13 packages, aswell as our most recent styling efforts. Our KDE fans may try our KDE Edition with the latest KDE v5.14 instead. And our GNOME fans may try our Gnome Edition with the latest GNOME v3.30.

Current supported Kernels

linux316 3.16.62
linux318 3.18.131 [EOL]
linux44 4.4.167
linux49 4.9.149
linux414 4.14.92
linux417 4.17.19 [EOL]
linux418 4.18.20 [EOL]
linux419 4.19.14
linux420 4.20.1
linux414-rt 4.14.87_rt49
linux416-rt 4.16.18_rt11
linux418-rt 4.18.16_rt9

Package Updates (Sat Jan 12 10:12:43 CET 2019)

stable core x86_64: 4 new and 4 removed package(s)
stable multilib x86_64: 1 new and 1 removed package(s)

No issue, everything went smoothly
Yes there was an issue. I was able to resolve it myself.(Please post your solution)
Yes i am currently experiencing an issue due to the update. (Please post about it)

0 voters

Check if your mirror has already synced:

Mirror-Check Service

philm · 20 January 2019 01:31

Known issues and solutions

This is a wiki post; please edit as necessary.
Please, consider subscribing to the Stable Updates Announcements RSS feed

I do not see any updates for systemd, what's going on?

First, verify if your mirror is actually up to date. You may check the state of each mirror here. If it isn't up to date, you may either wait or refresh your mirrors list to get up to date mirrors immediately.

If your mirror is up to date, the problem might be that your using version 239.3XX-X of systemd packages. Current version of systemd packages in repos is 239.6-2.2. Since your local version is higher than the one in the repositories, by default, the package manager will simply keep the higher version of those packages and give you a warning.

systemd provided by version 239.3XX-X packages is vulnerable to at least several flaws presented in the following announcement. In order to be fully protected against the vulnerabilities detailed in this announcement, you need to downgrade systemd packages to 239.6-2.2.

In order to do that, use one of the way presented below (or equivalent):

Run sudo pacman -Syyuu in a terminal.
Run pamac update --enable-downgrade in a terminal.
Open Pamac GUI, go in Preferences, check "Enable downgrade" and close the Preferences window. Once this is done, force Pamac to refresh package databases. Once the package databases will be refreshed, Pamac will allow you to downgrade packages; click on Commit to confirm the downgrade. Once it is done, you may disable "Enable downgrade" if you do not want to keep this option turned on.

Notifications looking weird in XFCE

Since the package dunst includes now dunstfy in the main package notifications may not displayed properly in XFCE. Please uninstall that package to solve that issue. Normally not needed in that edition.

Potential issues with dunstify-1.3.2-1 package

Upstream decided to include dunstify now in the dunst package. However, they didn't add any replace, conflicts tags to that package, as Arch never packaged dunstify before. Therefore we try to remove dunstify automatically via manjaro-system package. On rare cases however, a manual user invention might be needed to remove the package. If that is the case, please issue the following command manually on your system: sudo pacman -Rdd dunstify && sudo pacman -Syu

Items from previous update sets

`Warning: PACKAGE: directory permissions differ on FILENAME`

A file or directory on your system has a set of permissions which is different to those in the new package. You can either ignore it (because you changed it yourself) or you can change them so they match.

For example, for this message:

Warning: blueman: directory permissions differ on /usr/share/polkit-1/rules.d/filesystem: 750  package: 755

you can change the local file to match the package with:

sudo chmod 755 /usr/share/polkit-1/rules.d/filesystem

How do I do updates via TTY-terminal?

Press CTRL+ALT+F2 (or F3, F4, F5, F6) to go into a pure command line interface.
Log in with your credentials.
Once logged in, you'll have access to a CLI shell, like if you were using a terminal. Use pamac upgrade or sudo pacman -Syyu (or other equivalent command) to update your system.

To go back to your regular desktop, press CTRL+ALT+F7. On some systems, it can be CTRL+ALT+F1 instead.

i3 changed its default config path

It seems that (from version >= 4.16) i3 is looking for its configuration in ~/.config/i3/config instead of ~/.i3/config.
Copy your config to the new path and all should work as before. (reported from an i3-gaps user).

I can't open Nemo with elevated privileges (as root)

Workaround found: Use the dbus-x11 package instead of the regular dbus package. This package is available in the official repositories and provides dbus compiled without the --without-x option.

To replace dbus with dbus-x11 package, simply install dbus-x11 with your favorite package manager: dbus will be replaced by dbus-x11.

AMD-Ucode introduction

Unless you've already done this previously, All users of AMD-APUs/CPUs should install this update like this:

sudo pacman -Syyu
sudo pacman -S amd-ucode
sudo pacman -R intel-ucode
sudo update-grub

Step 3 is optional.

Rebuilding fontconfig cache: failed to write cache

Please ignore this message. Upstream already works on a solution. More about the issue here.

LibreOffice has no window decoration in KDE

New line export SAL_USE_VCLPLUGIN=gtk3_kde5, once merged into existing /etc/profile.d/libreoffice-fresh.sh , fixes a moderately longterm issue. If it doesn't work for you, you may use gtk instead of gtk3_kde5 as UI framework.

Installing glibc (2.28-4) breaks the dependency “glibc=2.27” required by lib32-glibc

Install the update either:

from terminal: sudo pacman -Syu or;
with Octopi instead of Pamac.

Something using Perl/Python/glibc broke

Rebuilds needed!

If it's an AUR package, try to reinstall it from AUR. It most likely needs to be rebuilt.
If it's a repo package, please report and check back regularly for updates.

I've lost a Thunderbird addon/feature

Thunderbird 60 disables incompatible addons by default. There's an about:config switch should you want to force-enable the addon, but many addons simply will not work with the newer Quantum-based Thunderbird.

Read more about Thunderbird 60 here: Thunderbird 60

Firefox - WebGL not working anymore

You may try the following solution:

Open about:config and set security.sandbox.content.read_path_whitelist to /sys/.

klaude_kraap · 19 January 2019 18:31

tty ?
should i install this update using tty?

guys, this is also a good time to make a backup of you important data.

philm · 19 January 2019 18:29

This should work also in a regular graphical session.

Frog · 19 January 2019 18:41

systemd shipped with systemd 239.3XX packages is vulnerable to at least some of those flaws (like system down). Since no epoch is used, people who are on higher version will never get the fixes unless they enable downgrades.

philm · 19 January 2019 18:45

I know the situation, however 239.3XX was not working for everyone and we currently don't support these packages in our stable branch. So yes, a pacman -Syyuu is in order to address these cases.

Frog · 19 January 2019 19:10

Yup. I'll write some guidance in the Wiki post just in case some people are still running those versions and wondering why the package manager detects "nothing".

LA-MJ · 19 January 2019 18:51

Another (un)happy 239.3xx user reporting

emmanuel · 19 January 2019 19:07

Everything went well

Termy · 19 January 2019 19:07

So from a security standpoint it would be better to downgrade? Are there any problems possbile / to be expected when doing so?

philm · 19 January 2019 19:14

We had systemd v239.303 with some security fixes in this December update. Since then a lot of people reported issues, we went back to v239.6-2, which don't have any security patches. With v239.6-2.2 this is now addressed. So a downgrade to the "new" package in the stable repositories should be not a problem.

linuxkumpel · 19 January 2019 20:09

After today’s security update for systemd I simply ignore the following message:

Warnung: lib32-systemd: Lokale Version (240.275-1) ist neuer als multilib (239.6-4)
Warnung: libsystemd: Lokale Version (240.275-1) ist neuer als core (239.6-4)
Warnung: systemd: Lokale Version (240.275-1) ist neuer als core (239.6-4)
Warnung: systemd-sysvcompat: Lokale Version (240.275-1) ist neuer als core (239.6-4)

Reason, everything works. Use testing branch Xfce 4.13.2.

annoying_daniel · 19 January 2019 21:13

Is the time on this generated report UTC+1?

philm · 19 January 2019 21:17

?!? the latest was generated on 2019-01-19 22:04 UTC+1. Simply refresh your browser cache and reload the page.

leedaz · 20 January 2019 09:18

Getting...

warning: directory permissions differ on /usr/share/polkit-1/rules.d/ filesystem: 755 package: 750

Do I need to address this, and if so how ? Thanks.

philm · 20 January 2019 09:31

You can fix it via sudo chmod 750 /usr/share/polkit-1/rules.d/filesystem which is already posted in the troubleshoot wiki post. Simply click on Items from previous update sets.

Kadee · 20 January 2019 09:29

I feel sorry for @philm; he supplies the documentation, but people won't read it...

leedaz · 20 January 2019 09:33

Thanks philm, I did look there, but couldn't find anything, will take another look, but thanks.

philm · 20 January 2019 09:36

In the past it was 750, then they changed it to 755 and now back. Please watch is if you want to know more about file permissions in Linux:

https://www.youtube.com/watch?v=k1yzI7c6Fzk

Kadee · 20 January 2019 09:39

Aw, no fun... he's sober in this one.