Bug 49659 - dbus: Multiple issues (4.4)
dbus: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
: P3 normal (vote)
: UCS 4.4-0-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-06-16 14:23 CEST by Quality Assurance
Modified: 2019-06-19 15:52 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.1 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) NVD


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2019-06-16 14:23:43 CEST
New Debian dbus 1.10.28-0+deb9u1 fixes:
This update addresses the following issue:
* dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as  used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less  common, uses of dbus-daemon), allows cookie spoofing because of symlink  mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the  libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication  mechanism.) A malicious client with write access to its own home directory  could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a  different uid to read and write in unintended locations. In the worst case,  this could result in the DBusServer reusing a cookie that is known to the  malicious client, and treating that cookie as evidence that a subsequent  client connection came from an attacker-chosen uid, allowing authentication  bypass. (CVE-2019-12749)
Comment 1 Quality Assurance univentionstaff 2019-06-16 15:30:17 CEST
--- mirror/ftp/4.3/unmaintained/4.3-1/source/dbus_1.10.26-0+deb9u1.dsc
+++ apt/ucs_4.4-0-errata4.4-0/source/dbus_1.10.28-0+deb9u1.dsc
@@ -1,3 +1,36 @@
+1.10.28-0+deb9u1 [Sun, 09 Jun 2019 22:42:06 +0100] Simon McVittie <smcv@debian.org>:
+
+  * New upstream stable release
+    - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
+      authentication for identities that differ from the user running the
+      DBusServer. Previously, a local attacker could manipulate symbolic
+      links in their own home directory to bypass authentication and
+      connect to a DBusServer with elevated privileges. The standard
+      system and session dbus-daemons in their default configuration were
+      immune to this attack because they did not allow DBUS_COOKIE_SHA1,
+      but third-party users of DBusServer such as Upstart could be
+      vulnerable.
+    - Prevent reading up to 3 bytes beyond the end of a truncated message.
+      This could in principle be an information leak or denial of service
+      on the system bus, but is not believed to be exploitable to crash
+      the system bus or leak interesting information in practice.
+    - Stop the dbus-daemon leaking memory (an error message) if delivering
+      the message that triggered auto-activation is forbidden. This is
+      technically a denial of service because the dbus-daemon will
+      run out of memory eventually, but it's a very slow and noisy one,
+      because all the rejected messages are also very likely to have
+      been logged to the system log, and its scope is typically limited by
+      the finite number of activatable services available.
+    - Remove __attribute__((__malloc__)) attribute on dbus_realloc(),
+      which does not meet the criteria for that attribute in gcc 4.7+,
+      potentially leading to miscompilation.
+    - Fix build with gcc 8 -Werror=cast-function-type
+    - Fix warning from gcc 8 about suspicious use of strncpy() when
+      populating struct sockaddr_un
+    - Fix installation of Ducktype documentation with newer yelp-build
+      versions
+  * d/control: Update Vcs-Git, Vcs-Browser
+
 1.10.26-0+deb9u1 [Fri, 02 Mar 2018 08:59:25 +0000] Simon McVittie <smcv@debian.org>:
 
   * New upstream stable release

<http://10.200.17.11/4.4-0/#4818245372491386413>
Comment 2 Philipp Hahn univentionstaff 2019-06-17 13:01:13 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-0] 712006e940 Bug #49659: dbus 1.10.28-0+deb9u1
 doc/errata/staging/dbus.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

[4.4-0] 7c8fecc967 Bug #49659: dbus 1.10.28-0+deb9u1
 doc/errata/staging/dbus.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
Comment 3 Arvid Requate univentionstaff 2019-06-19 15:52:46 CEST
<http://errata.software-univention.de/ucs/4.4/148.html>