[Pkg-utopia-maintainers] Bug#629938: libdbus-1-3: local DoS via messages with non-native byte order

Simon McVittie smcv at debian.org
Sun Jun 12 12:26:03 UTC 2011


On Thu, 09 Jun 2011 at 19:20:27 +0100, Simon McVittie wrote:
> Tags: security
> Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=38120
> 
> libdbus-1-3, used by dbus-daemon, swaps the byte-order of incoming messages
> into native endianness but does not swap the byte-order mark in messages
> when swapping their byte order. As a result, if a message in non-native byte
> order is sent through dbus-daemon to a system service like Avahi or
> NetworkManager, that system service is likely to interpret the message as
> invalid and disconnect from the system bus, leading to a local DoS.

I've fixed this upstream and in sid and experimental. Still waiting for a
CVE ID - or should I ask for one elsewhere?

Here is a proposed stable update (either for security or stable updates),
and a test-case (marshal.c). The proposed stable update is also available
on the debian-squeeze branch in git.

The test case requires libdbus-1-dev, libdbus-glib-1-dev and libglib2.0-dev,
and can be run with:

    gcc -otest-marshal marshal.c \
        `pkg-config --cflags --libs dbus-1 dbus-glib-1 glib-2.0`
    ./test-marshal

For it to work, it must be run by a user whose home directory (according
to /etc/passwd, not $HOME) can be written.

Successful output looks like this:

    /demarshal/le: OK
    /demarshal/be: OK
    /demarshal/needed/le: OK
    /demarshal/needed/be: OK

Unsuccessful output on a little-endian architecture looks like this:

    /demarshal/le: OK
    /demarshal/be: **
    ERROR:marshal.c:193:test_endian: assertion failed (get_uint32 (output, OFFSET_BODY_LENGTH, output[0]) == 8): (134217728 == 8)
    Aborted

Big-endian architectures should fail /demarshal/le in a similar way.

(You can also unpack /usr/lib/dbus-1.0/test/test-marshal from dbus-1-dbg of
an appropriate architecture in unstable - it's the same test-case, and
should hopefully work with an older libdbus.)

Regards,
    S
-------------- next part --------------
A non-text attachment was scrubbed...
Name: marshal.c
Type: text/x-csrc
Size: 8748 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-utopia-maintainers/attachments/20110612/4cc09191/attachment-0001.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dbus_1.2.24-4+squeeze1.diff
Type: text/x-diff
Size: 4225 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-utopia-maintainers/attachments/20110612/4cc09191/attachment-0001.diff>
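
Added example, not part of the original message and not the attached marshal.c or the upstream fix: a small C model of the mismatch the report describes, showing why the failing assertion reads 134217728 instead of 8. The header layout (byte-order mark 'l' or 'B' in byte 0, uint32 body length at offset 4) follows the D-Bus wire format; `to_native`, `body_length_seen` and `fix_mark` are hypothetical names, and `get_uint32` is reimplemented here rather than taken from the test case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* D-Bus fixed header: byte 0 is the byte-order mark ('l' or 'B'); the
 * uint32 body length sits at offset 4, encoded in that byte order. */
#define OFFSET_BODY_LENGTH 4

/* Read a uint32 the way a receiver does: trusting the mark it is given. */
static uint32_t get_uint32(const unsigned char *m, size_t off, unsigned char order)
{
    const unsigned char *p = m + off;
    if (order == 'l')
        return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return p[3] | (uint32_t)p[2] << 8 | (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

static void put_uint32(unsigned char *m, size_t off, unsigned char order, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        m[off + (order == 'l' ? i : 3 - i)] = (unsigned char)(v >> (8 * i));
}

/* Hypothetical model of the relay step: re-encode the field in `native`
 * order. fix_mark == 0 leaves byte 0 untouched (the reported behaviour);
 * fix_mark == 1 keeps the mark consistent with the re-encoded data. */
static void to_native(unsigned char *m, unsigned char native, int fix_mark)
{
    uint32_t len = get_uint32(m, OFFSET_BODY_LENGTH, m[0]);
    put_uint32(m, OFFSET_BODY_LENGTH, native, len);
    if (fix_mark)
        m[0] = native;
}

/* Body length a receiving service would parse after the relay step. */
static uint32_t body_length_seen(unsigned char sender, unsigned char native, int fix_mark)
{
    unsigned char hdr[16] = {0};   /* constructed sample header, body length 8 */
    hdr[0] = sender;
    put_uint32(hdr, OFFSET_BODY_LENGTH, sender, 8);
    to_native(hdr, native, fix_mark);
    return get_uint32(hdr, OFFSET_BODY_LENGTH, hdr[0]);
}

int main(void)
{
    printf("mark stale:   %u\n", (unsigned)body_length_seen('B', 'l', 0));
    printf("mark updated: %u\n", (unsigned)body_length_seen('B', 'l', 1));
    return 0;
}
```

A receiver that validates the declared body length against the bytes it actually received will reject the stale-mark header as malformed, which matches the disconnect behaviour described in the report.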