as I explain in my blog, the real problem is libraries which are large amalgamations of unrelated routines, such as libsystemd in the case of CVE-2024-3094.

a good solution is to split up these giant libraries into smaller ones, thus allowing for the dependency graphs of programs to remain leaner.

there is nothing about sd_notify() which requires LZMA compression. nothing. it is a function which writes a supplied string to a UNIX socket, the path of which is provided on an environmental variable.
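To make the point concrete, here is an added example (not systemd's code and not from this thread) that reimplements the notification step in Python using only what the sd_notify(3) man page states: one datagram, payload is the state string, destination is the AF_UNIX socket named in $NOTIFY_SOCKET. The function names, the in-process "supervisor" used for the round-trip check, and the sample state string are constructed for this example.

```python
"""Minimal, dependency-free reimplementation of the sd_notify() protocol.

Added example (not systemd's code): it follows only what the sd_notify(3)
man page states, i.e. one datagram whose payload is the state string, sent
to the AF_UNIX socket named by $NOTIFY_SOCKET. Function and variable names
here are this example's own choices.
"""
import os
import socket
import tempfile


def notify(state: str, environ=None) -> bool:
    """Send `state` (e.g. "READY=1") to the notification socket.

    Returns True if a datagram was sent, False if $NOTIFY_SOCKET is unset,
    which mirrors the "not running under a supervisor, nothing to do" case.
    Raises OSError if the socket is named but cannot be reached.
    """
    env = os.environ if environ is None else environ
    path = env.get("NOTIFY_SOCKET", "")
    if not path:
        return False
    # A leading '@' names an abstract-namespace socket on Linux; the kernel
    # address for it starts with a NUL byte instead of '@'.
    if path.startswith("@"):
        path = "\0" + path[1:]
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.sendto(state.encode(), path)
    return True


def roundtrip(state: str = "READY=1") -> bytes:
    """Self-contained check: play the supervisor side in-process.

    Binds a throwaway datagram socket (constructed for this example), points
    NOTIFY_SOCKET at it, calls notify(), and returns the payload received,
    so the caller can confirm the datagram arrived unchanged.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "notify.sock")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as supervisor:
            supervisor.bind(sock_path)
            supervisor.settimeout(2.0)
            if not notify(state, {"NOTIFY_SOCKET": sock_path}):
                raise RuntimeError("NOTIFY_SOCKET was set but nothing was sent")
            payload, _ = supervisor.recvfrom(4096)
            return payload


if __name__ == "__main__":
    print(roundtrip())
```

The whole client side is a dozen lines and pulls in nothing beyond the socket API, which is the dependency-graph argument above in code form: a service that only needs readiness notification has no reason to link a library that also carries compression, crypto or anything else.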

@ariadne systemd never documented the sd notify unix socket, forcing people to initially exec() a binary and later link to their own library.

@firstyear riveting tale, if only it were actually true:

https://www.freedesktop.org/software/systemd/man/latest/sd_notify.html

> These functions send a single datagram with the state string as payload to the socket referenced in the $NOTIFY_SOCKET environment variable.


@firstyear this string is present since the beginning of sd_notify()'s manpage in 2010: https://github.com/systemd/systemd/commit/f9378423b9758861850748aeb49ae0d3300e56e6
@ariadne Yep you're right and I missed that. I've read that documentation many times and never saw that line, and many others have missed it also. To improve its visibility maybe it needs its own section rather than being a single line in the middle of the NOTES section? It shouldn't be an afterthought.