found 700638 0.88-2.1
thanks
On 15/02/13 17:44, Simon McVittie wrote:
> pam_fprintd is not present in stable or oldstable, but I'll check whether
> this bug was present in those versions of dbus-glib, in case there are other
> exploitation vectors.
I can confirm that this bug is present in the version of dbus-glib in
squeeze, and that cherry-picking upstream commit 166978a09cf fixes it.
In the packaging used in squeeze, this should be as simple as the
attached debdiff (built but (so far) untested; I'll test it on a squeeze
machine this evening).

Security team: what do you want me to do about this? Should I upload
0.88-2.1+squeeze1 to security-master, or go through the SPU process, or
do you want to handle it?
Thanks,
S
diffstat for dbus-glib_0.88-2.1 dbus-glib_0.88-2.1+squeeze1
dbus-glib-0.88/debian/changelog | 8 +
debian/patches/0001-CVE-2013-0292-dbus-gproxy-Verify-sender-of-NameOwner.patch | 52 ++++++++++
2 files changed, 60 insertions(+)
diff -u dbus-glib-0.88/debian/changelog dbus-glib-0.88/debian/changelog
--- dbus-glib-0.88/debian/changelog
+++ dbus-glib-0.88/debian/changelog
@@ -1,3 +1,11 @@
+dbus-glib (0.88-2.1+squeeze1) stable; urgency=low
+
+ * Apply patch from upstream 0.100.1 to fix insufficient checking
+ leading to authentication bypass in pam_fprintd (CVE-2013-0292)
+ (Closes: #700638)
+
+ -- Simon McVittie <[email protected]> Fri, 15 Feb 2013 17:58:34 +0000
+
dbus-glib (0.88-2.1) unstable; urgency=high
* Non-maintainer upload.
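Review bot: the new changelog entry targets `stable` with `urgency=low`, which fits the stable-proposed-updates route but not an upload to security-master, where the distribution field needs to be `stable-security` (and a security fix would normally carry `urgency=high`); since the mail above leaves the choice between security-master and SPU to the security team, adjust the distribution line to match their answer before uploading. The entry itself reads fine and closes #700638 with the CVE id.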
only in patch2:
unchanged:
--- dbus-glib-0.88.orig/debian/patches/0001-CVE-2013-0292-dbus-gproxy-Verify-sender-of-NameOwner.patch
+++ dbus-glib-0.88/debian/patches/0001-CVE-2013-0292-dbus-gproxy-Verify-sender-of-NameOwner.patch
@@ -0,0 +1,52 @@
+From 166978a09cf5edff4028e670b6074215a4c75eca Mon Sep 17 00:00:00 2001
+From: Colin Walters <[email protected]>
+Date: Thu, 14 Feb 2013 10:19:34 -0500
+Subject: [PATCH] CVE-2013-0292: dbus-gproxy: Verify sender of
+ NameOwnerChanged signals to be o.f.DBus
+
+Anyone can hop on the bus and emit a signal whose interface is
+o.f.DBus; it's expected at the moments that clients (and notably DBus
+libraries) check the sender.
+
+This could previously be used to trick a system service using dbus-glib
+into thinking a malicious signal came from a privileged source, by
+claiming that ownership of the privileged source's well-known name had
+changed from the privileged source's real unique name to the attacker's
+unique name.
+
+[altered to be NULL-safe so it won't crash on peer connections -smcv]
+Signed-off-by: Simon McVittie <[email protected]>
+Reviewed-by: Simon McVittie <[email protected]>
+---
+ dbus/dbus-gproxy.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/dbus/dbus-gproxy.c b/dbus/dbus-gproxy.c
+index 2fc52f9..c3ae9ec 100644
+--- a/dbus/dbus-gproxy.c
++++ b/dbus/dbus-gproxy.c
+@@ -1250,8 +1250,11 @@ dbus_g_proxy_manager_filter (DBusConnection *connection,
+ GSList *tmp;
+ const char *sender;
+
++ sender = dbus_message_get_sender (message);
++
+ /* First we handle NameOwnerChanged internally */
+- if (dbus_message_is_signal (message,
++ if (g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0 &&
++ dbus_message_is_signal (message,
+ DBUS_INTERFACE_DBUS,
+ "NameOwnerChanged"))
+ {
+@@ -1280,8 +1283,6 @@ dbus_g_proxy_manager_filter (DBusConnection *connection,
+ }
+ }
+
+- sender = dbus_message_get_sender (message);
+-
+ /* dbus spec requires these, libdbus validates */
+ g_assert (dbus_message_get_path (message) != NULL);
+ g_assert (dbus_message_get_interface (message) != NULL);
+--
+1.7.10.4
+
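Review bot: the debdiff adds the patch file but no change to `debian/patches/series` appears in the diffstat above, so if this packaging applies patches from a series file (quilt or source format 3.0 (quilt)) the new patch will be silently skipped at build time; add the series line, or confirm from the build log that the patch system applies every file under `debian/patches` on its own, which the "built but untested" status in the mail does not yet establish. On the code itself, the existing comment `/* First we handle NameOwnerChanged internally */` says nothing about why the `g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0` guard now precedes the signal check; a one-line comment stating that only the bus daemon may legitimately emit NameOwnerChanged, and that a NULL sender on a peer connection must fall through, would stop a later cleanup from removing the check. Moving `sender = dbus_message_get_sender (message);` to the top of the function and dropping the later assignment in the second hunk is consistent, since nothing in the visible context reassigns `sender`, and `g_strcmp0` tolerates NULL as the bracketed note says.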