Hi all,

A security issue has been reported to oss-security [1] regarding D-Bus < 1.8.4, allowing denial of service or, under certain conditions, side-channel communication between processes that should not be able to communicate. Please see the original post to oss-security below for additional information. This vulnerability has been assigned CVE-2014-3477.
The D-Bus package in Arch Linux is currently in version 1.8.2 and therefore seems to be vulnerable. It has already been flagged as out-of-date but does not appear to have been updated yet.

[1] http://marc.info/?l=oss-security&m=140242136131355&w=2

Regards,
Remi

> D-Bus <http://www.freedesktop.org/wiki/Software/dbus/> is an
> asynchronous inter-process communication system, commonly used
> for system services or within a desktop session on Linux and other
> operating systems.
>
> Alban Crequy at Collabora Ltd. discovered and fixed a denial-of-service
> flaw in dbus-daemon, part of the reference implementation of D-Bus.
> Additionally, in highly unusual environments the same flaw could lead to
> a side channel between processes that should not be able to communicate.
>
> On the stable branch, this is fixed in version 1.8.4:
> http://dbus.freedesktop.org/releases/dbus/dbus-1.8.4.tar.gz
> http://dbus.freedesktop.org/releases/dbus/dbus-1.8.4.tar.gz.asc
>
> On the previous stable branch, this is fixed in version 1.6.20:
> http://dbus.freedesktop.org/releases/dbus/dbus-1.6.20.tar.gz
> http://dbus.freedesktop.org/releases/dbus/dbus-1.6.20.tar.gz.asc
>
> Distributions supporting other versions should base their changes on
> this commit:
> http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=24c590703ca47eb71ddef453de43126b90954567
>
> Summary:
>
> If a client C1 is prohibited from sending a message to a service S1, and
> S1 is not currently running, then C1 can attempt to send a message to
> S1's well-known bus name, causing dbus-daemon to start S1 [1]. When S1
> has started and obtained its well-known bus name, the dbus-daemon
> evaluates its security policy, decides that it will not deliver the
> message to S1, and constructs an AccessDenied error. However, instead of
> sending that AccessDenied error reply to C1 as a reply to the denied
> message, dbus-daemon incorrectly sends it to S1 as a reply to the
> request to obtain its well-known bus name.
>
> Impact A: denial of service. S1 will fail to initialize, and exit,
> denying service to legitimate clients of S1.
>
> Impact B: side channel. In environments where C1 and S1 are untrusted
> and are administratively prohibited from communicating, S1 could also
> use these incorrectly-directed error messages as a side channel to
> receive information from C1.
>
> Mitigations:
>
> Impact A: if a legitimate client was actively using S1, S1 would already
> have been started, so C1 can only deny service to a legitimate client
> that only recently became active.
>
> Impact B: in practice processes sharing a system bus can typically
> communicate in other ways (non-D-Bus IPC mechanisms, files in /tmp,
> etc.), so impact B is not relevant on normal systems. It might be
> relevant on systems when an LSM such as SELinux is used in a highly
> restrictive configuration.
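As an added illustration (not part of this message, the oss-security post, or the dbus code base), a toy Python model of the routing described in the Summary above: a queued message from C1 triggers activation of S1, the policy denies it, and the model shows where the AccessDenied error lands in the buggy (< 1.8.4) versus fixed routing. The unique names ":1.5" (C1) and ":1.7" (S1), the bus name "org.example.S1" and all serial numbers are constructed for the example.

```python
"""Toy model of the CVE-2014-3477 reply misrouting; not dbus-daemon code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

ACCESS_DENIED = "org.freedesktop.DBus.Error.AccessDenied"
BUS = "org.freedesktop.DBus"


@dataclass
class Message:
    serial: int                         # sender's serial; replies echo it in reply_serial
    sender: str                         # unique name such as ":1.5"
    destination: str                    # unique name or well-known bus name
    reply_serial: Optional[int] = None  # set on method replies and error replies
    error: Optional[str] = None         # error name, or None for non-error messages


class Bus:
    def __init__(self, denied_pairs, fixed):
        self.denied = set(denied_pairs)   # (sender, well-known name) pairs policy forbids
        self.fixed = fixed                # False models dbus-daemon < 1.8.4, True the fix
        self.owners = {}                  # well-known name -> unique name of its owner
        self.pending = defaultdict(list)  # well-known name -> messages awaiting activation
        self.inboxes = defaultdict(list)  # unique name -> messages delivered to it

    def send(self, msg):
        if msg.destination not in self.owners:   # service not running: queue, activate it
            self.pending[msg.destination].append(msg)
            return
        self.inboxes[self.owners[msg.destination]].append(msg)

    def request_name(self, request, name):
        """Service `request.sender` obtains `name`; queued messages are then routed."""
        self.owners[name] = request.sender
        self.inboxes[request.sender].append(Message(0, BUS, request.sender, request.serial))
        for queued in self.pending.pop(name, []):
            if (queued.sender, name) not in self.denied:
                self.inboxes[request.sender].append(queued)   # policy allows: deliver
            elif self.fixed:
                # Fixed: the error replies to C1's own denied message.
                err = Message(0, BUS, queued.sender, queued.serial, ACCESS_DENIED)
                self.inboxes[err.destination].append(err)
            else:
                # Bug: the error is sent to S1 as a reply to its RequestName call, so
                # S1 sees name acquisition fail (Impact A) and C1's sends become
                # observable by S1 (Impact B).
                err = Message(0, BUS, request.sender, request.serial, ACCESS_DENIED)
                self.inboxes[err.destination].append(err)


def scenario(fixed):
    bus = Bus(denied_pairs={(":1.5", "org.example.S1")}, fixed=fixed)
    bus.send(Message(5, ":1.5", "org.example.S1"))                   # C1 -> S1 (not running)
    bus.request_name(Message(1, ":1.7", BUS), "org.example.S1")      # S1 starts, takes name
    return dict(bus.inboxes)
```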