Bug 49659 - dbus: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware/OS: All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-0-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Reported: 2019-06-16 14:23 CEST by Quality Assurance
Modified: 2019-06-19 15:52 CEST
What kind of report is it?: Security Issue
Max CVSS v3 score: 7.1 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) NVD
Description Quality Assurance univentionstaff 2019-06-16 14:23:43 CEST
New Debian dbus 1.10.28-0+deb9u1 fixes:
This update addresses the following issue:
* dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)
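Added illustration, not part of this bug report, of Debian's advisory or of libdbus itself: a toy Python model of the DBUS_COOKIE_SHA1 exchange showing the two server-side checks that the CVE text above is about. The cookie-file line format (`<id> <creation-time> <hex-cookie>` under `~/.dbus-keyrings/<context>`) and the response `SHA1("server_challenge:client_challenge:cookie")` follow the D-Bus specification; the on-wire hex encoding of AUTH/DATA lines is omitted. The two hardening points are (1) refusing DBUS_COOKIE_SHA1 for any claimed identity other than the server's own uid, which is how the fix is described in the changelog, and (2) never following a symlinked keyring directory. The home directories, cookie values and the `org_freedesktop_general` context file are constructed fixtures created in a temporary directory.

```python
"""Toy DBUS_COOKIE_SHA1 server/client exchange (constructed example, not libdbus)."""
import hashlib
import os
import secrets
import stat
import tempfile

KEYRING_DIR = ".dbus-keyrings"
CONTEXT = "org_freedesktop_general"


def compute_response(server_challenge, client_challenge, cookie):
    # D-Bus spec: hex SHA1 over "server_challenge:client_challenge:cookie".
    data = f"{server_challenge}:{client_challenge}:{cookie}".encode()
    return hashlib.sha1(data).hexdigest()


def load_cookies(home, context, expected_uid):
    """Return {cookie_id: cookie} from <home>/.dbus-keyrings/<context>,
    refusing anything the owner of <home> could redirect via a symlink."""
    keyring_dir = os.path.join(home, KEYRING_DIR)
    st = os.lstat(keyring_dir)  # lstat: inspect the path itself, do not follow it
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{keyring_dir} is a symlink; refusing")
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{keyring_dir} is not a directory")
    if st.st_uid != expected_uid:
        raise PermissionError("keyring directory not owned by the expected uid")
    if st.st_mode & 0o077:
        raise PermissionError("keyring directory is group/world accessible")
    fd = os.open(os.path.join(keyring_dir, context), os.O_RDONLY | os.O_NOFOLLOW)
    cookies = {}
    with os.fdopen(fd) as f:
        for line in f:
            cookie_id, _creation_time, cookie = line.split()
            cookies[cookie_id] = cookie
    return cookies


def server_begin(server_uid, claimed_uid, home, context):
    """Server side of 'AUTH DBUS_COOKIE_SHA1 <claimed_uid>'.  The fix described in
    the changelog: only run cookie auth for the identity the server itself runs as."""
    if claimed_uid != server_uid:
        raise PermissionError("DBUS_COOKIE_SHA1 only for the server's own identity")
    cookies = load_cookies(home, context, server_uid)
    cookie_id = next(iter(cookies))
    return cookie_id, secrets.token_hex(16), cookies


def client_answer(home, context, cookie_id, server_challenge, client_uid):
    cookies = load_cookies(home, context, client_uid)
    client_challenge = secrets.token_hex(16)
    return client_challenge, compute_response(server_challenge, client_challenge, cookies[cookie_id])


def server_verify(cookies, cookie_id, server_challenge, client_challenge, response):
    expected = compute_response(server_challenge, client_challenge, cookies[cookie_id])
    return secrets.compare_digest(expected, response)


def write_keyring(directory, cookie):
    with open(os.path.join(directory, CONTEXT), "w") as f:
        f.write(f"1 1560000000 {cookie}\n")  # constructed "<id> <time> <cookie>" line


def demo():
    """Run the four scenarios and report outcomes (constructed fixtures)."""
    results, uid = {}, os.getuid()
    with tempfile.TemporaryDirectory() as root:
        good_home = os.path.join(root, "server")
        os.makedirs(os.path.join(good_home, KEYRING_DIR), 0o700)
        write_keyring(os.path.join(good_home, KEYRING_DIR), secrets.token_hex(32))
        # Attacker: a directory with a cookie they know, and a home whose
        # ~/.dbus-keyrings is a symlink pointing at it.
        evil_dir = os.path.join(root, "evil")
        os.mkdir(evil_dir, 0o700)
        write_keyring(evil_dir, "aa" * 32)
        evil_home = os.path.join(root, "attacker")
        os.mkdir(evil_home)
        os.symlink(evil_dir, os.path.join(evil_home, KEYRING_DIR))

        cid, sch, cookies = server_begin(uid, uid, good_home, CONTEXT)
        cch, resp = client_answer(good_home, CONTEXT, cid, sch, uid)
        results["honest"] = server_verify(cookies, cid, sch, cch, resp)
        results["wrong_cookie"] = server_verify(cookies, cid, sch, cch, compute_response(sch, cch, "bb" * 32))
        try:
            server_begin(uid, uid + 1, evil_home, CONTEXT)  # claimed identity != server uid
            results["other_uid"] = "accepted"
        except PermissionError:
            results["other_uid"] = "refused"
        try:
            load_cookies(evil_home, CONTEXT, uid)  # symlinked keyring dir
            results["symlink"] = "accepted"
        except PermissionError:
            results["symlink"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The honest exchange verifies, a forged response fails, and both the foreign-uid request and the symlinked keyring directory are refused before any cookie is read. The directory check covers only `~/.dbus-keyrings` itself; a production implementation also has to consider symlinks in the path leading to the home directory.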
Comment 1 Quality Assurance univentionstaff 2019-06-16 15:30:17 CEST
--- mirror/ftp/4.3/unmaintained/4.3-1/source/dbus_1.10.26-0+deb9u1.dsc
+++ apt/ucs_4.4-0-errata4.4-0/source/dbus_1.10.28-0+deb9u1.dsc
@@ -1,3 +1,36 @@
+1.10.28-0+deb9u1 [Sun, 09 Jun 2019 22:42:06 +0100] Simon McVittie <smcv@debian.org>:
+
+  * New upstream stable release
+    - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
+      authentication for identities that differ from the user running the
+      DBusServer. Previously, a local attacker could manipulate symbolic
+      links in their own home directory to bypass authentication and
+      connect to a DBusServer with elevated privileges. The standard
+      system and session dbus-daemons in their default configuration were
+      immune to this attack because they did not allow DBUS_COOKIE_SHA1,
+      but third-party users of DBusServer such as Upstart could be
+      vulnerable.
+    - Prevent reading up to 3 bytes beyond the end of a truncated message.
+      This could in principle be an information leak or denial of service
+      on the system bus, but is not believed to be exploitable to crash
+      the system bus or leak interesting information in practice.
+    - Stop the dbus-daemon leaking memory (an error message) if delivering
+      the message that triggered auto-activation is forbidden. This is
+      technically a denial of service because the dbus-daemon will
+      run out of memory eventually, but it's a very slow and noisy one,
+      because all the rejected messages are also very likely to have
+      been logged to the system log, and its scope is typically limited by
+      the finite number of activatable services available.
+    - Remove __attribute__((__malloc__)) attribute on dbus_realloc(),
+      which does not meet the criteria for that attribute in gcc 4.7+,
+      potentially leading to miscompilation.
+    - Fix build with gcc 8 -Werror=cast-function-type
+    - Fix warning from gcc 8 about suspicious use of strncpy() when
+      populating struct sockaddr_un
+    - Fix installation of Ducktype documentation with newer yelp-build
+      versions
+  * d/control: Update Vcs-Git, Vcs-Browser
+
 1.10.26-0+deb9u1 [Fri, 02 Mar 2018 08:59:25 +0000] Simon McVittie <smcv@debian.org>:
 
   * New upstream stable release
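Review bot: this hunk is the debian/changelog delta between 1.10.26-0+deb9u1 and 1.10.28-0+deb9u1 only, so the CVE-2019-12749 source change itself is not visible here and the errata text has to rely on the changelog's description (DBUS_COOKIE_SHA1 no longer attempted for identities other than the user running the DBusServer). Two points worth carrying into doc/errata/staging/dbus.yaml from the lines above: the changelog states that the standard system and session dbus-daemons in their default configuration were not exposed because they did not allow DBUS_COOKIE_SHA1, which is relevant for UCS customers assessing impact; and the remaining fixes (the up-to-3-byte over-read on truncated messages and the memory leak on forbidden auto-activation) have no CVE identifier in the changelog and should not be attributed one in the announcement.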

<http://10.200.17.11/4.4-0/#4818245372491386413>
Comment 2 Philipp Hahn univentionstaff 2019-06-17 13:01:13 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-0] 712006e940 Bug #49659: dbus 1.10.28-0+deb9u1
 doc/errata/staging/dbus.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

[4.4-0] 7c8fecc967 Bug #49659: dbus 1.10.28-0+deb9u1
 doc/errata/staging/dbus.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
Comment 3 Arvid Requate univentionstaff 2019-06-19 15:52:46 CEST
<http://errata.software-univention.de/ucs/4.4/148.html>