[Pkg-utopia-maintainers] Bug#689070: Please take upstream D-Bus patches for CVE-2012-3524
Geoffrey Thomas
gthomas at mokafive.com
Fri Sep 28 21:30:37 UTC 2012
Package: dbus
Severity: serious
Justification: local privilege escalation
Tags: security
Hi,
CVE-2012-3524 is about setuid binaries linking libdbus being easily
trickable to do bad things via a malicious PATH (for finding dbus-launch),
or through a DBUS_* address variable using the unixexec address type.
Initially the D-Bus developers thought that this should be fixed on the
application side (hence the comment in the security-tracker), but decided
that it would be better to have a defense-in-depth approach, and change
_dbus_getenv to not succeed if the current program is setuid or similar,
since that's faster than patching every relevant program.
There's a patch in the D-Bus 1.6.6 release that implements this. Many
other distros, including RHEL/Fedora, SUSE, and Ubuntu have taken this
patch already. There are some other hardening things in the 1.6.6 release
that broke gnome-keyring, prompting a 1.6.8 release a few hours later to
revert those; you should either take 1.6.8, or just backport the four
patches that weren't reverted in 1.6.8:
http://cgit.freedesktop.org/dbus/dbus/commit/?id=23fe78ceefb6cefcd58a49c77d1154b68478c8d2
http://cgit.freedesktop.org/dbus/dbus/commit/?id=4b351918b9f70eaedbdb3ab39208bc1f131efae0
http://cgit.freedesktop.org/dbus/dbus/commit/?id=57ae3670508bbf4ec57049de47c9cae727a64802
http://cgit.freedesktop.org/dbus/dbus/commit/?id=f68dbdc3e6f895012ce33939fb524accf31bcca5
I think these are all easily backportable, but I'm happy to supply a
debdiff if that'd make it easier for you.
More discussion of the issue can be found at
https://bugs.freedesktop.org/show_bug.cgi?id=52202
https://bugzilla.novell.com/show_bug.cgi?id=697105
https://bugzilla.redhat.com/show_bug.cgi?id=847402
http://seclists.org/oss-sec/2012/q3/29
--
Geoffrey Thomas
gthomas at mokafive.com
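The mitigation the report describes is simple to illustrate: a getenv() wrapper that pretends every variable is unset whenever the process is running with elevated privileges, so that PATH (used to find dbus-launch) and the DBUS_* address variables (including a unixexec: address) cannot be supplied by an unprivileged caller. The following is an added example written for this page, not the libdbus source; the names privileged_context(), process_is_setuid(), hardened_getenv() and select_bus_address() and the default address string are constructed here and do not match the real dbus function names. It checks the AT_SECURE auxiliary vector flag on Linux and falls back to comparing real and effective uid/gid.

```c
/* Added illustration (not libdbus code): refuse environment lookups in a
 * privileged (setuid/setgid) process, in the spirit of the CVE-2012-3524
 * defense-in-depth change to _dbus_getenv described in the report above. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE) */
#endif

/* Pure policy decision, kept separate so it can be exercised without
 * actually running a setuid binary: returns 1 when the environment must
 * be treated as untrusted. AT_SECURE is set by the kernel for setuid,
 * setgid and file-capability executables; the uid/gid comparison is the
 * portable fallback (BSDs also offer issetugid(), not used here). */
int privileged_context(int at_secure, uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    if (at_secure)
        return 1;
    return (uid != euid) || (gid != egid);
}

/* Query the running process (assumed helper name). */
int process_is_setuid(void)
{
    int at_secure = 0;
#ifdef __linux__
    at_secure = getauxval(AT_SECURE) != 0;
#endif
    return privileged_context(at_secure, getuid(), geteuid(), getgid(), getegid());
}

/* Like getenv(3), but behaves as if every variable were unset in a
 * privileged context, so PATH, DBUS_SESSION_BUS_ADDRESS and similar can
 * no longer be used to steer a setuid program (assumed helper name). */
const char *hardened_getenv(const char *name)
{
    if (process_is_setuid())
        return NULL;
    return getenv(name);
}

/* The concrete case from the report: once the environment is refused, a
 * bus address must come from a trusted compiled-in default rather than a
 * caller-supplied unixexec: address. The default below is a constructed
 * placeholder, not a value taken from any dbus build. */
const char *select_bus_address(const char *env_value, int privileged)
{
    if (privileged || env_value == NULL)
        return "unix:path=/var/run/dbus/system_bus_socket";
    return env_value;
}

int main(void)
{
    int priv = process_is_setuid();
    printf("privileged context: %s\n", priv ? "yes" : "no");
    printf("PATH seen by hardened_getenv: %s\n",
           hardened_getenv("PATH") ? "(value from environment)" : "(refused/unset)");
    printf("bus address: %s\n",
           select_bus_address(hardened_getenv("DBUS_SESSION_BUS_ADDRESS"), priv));
    return 0;
}
```

Run as an ordinary user the program reports a non-privileged context and passes the real environment through; the same binary installed setuid would report "refused/unset" for every variable and fall back to the compiled-in address, which is the whole point of making the check inside the library rather than in each application.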