Package: dbus
Severity: serious
Justification: local privilege escalation
Tags: security

Hi,

CVE-2012-3524 is about setuid binaries linking libdbus being easily trickable to do bad things via a malicious PATH (for finding dbus-launch), or through a DBUS_* address variable using the unixexec address type. Initially the D-Bus developers thought that this should be fixed on the application side (hence the comment in the security-tracker), but decided that it would be better to have a defense-in-depth approach, and change _dbus_getenv to not succeed if the current program is setuid or similar, since that's faster than patching every relevant program.

There's a patch in the D-Bus 1.6.6 release that implements this. Many other distros, including RHEL/Fedora, SUSE, and Ubuntu have taken this patch already. There are some other hardening things in the 1.6.6 release that broke gnome-keyring, prompting a 1.6.8 release a few hours later to revert those; you should either take 1.6.8, or just backport the four patches that weren't reverted in 1.6.8:

http://cgit.freedesktop.org/dbus/dbus/commit/?id=23fe78ceefb6cefcd58a49c77d1154b68478c8d2
http://cgit.freedesktop.org/dbus/dbus/commit/?id=4b351918b9f70eaedbdb3ab39208bc1f131efae0
http://cgit.freedesktop.org/dbus/dbus/commit/?id=57ae3670508bbf4ec57049de47c9cae727a64802
http://cgit.freedesktop.org/dbus/dbus/commit/?id=f68dbdc3e6f895012ce33939fb524accf31bcca5

I think these are all easily backportable, but I'm happy to supply a debdiff if that'd make it easier for you.

More discussion of the issue can be found at

https://bugs.freedesktop.org/show_bug.cgi?id=52202
https://bugzilla.novell.com/show_bug.cgi?id=697105
https://bugzilla.redhat.com/show_bug.cgi?id=847402
http://seclists.org/oss-sec/2012/q3/29

--
Geoffrey Thomas
gtho...@mokafive.com
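As an added illustration of the two checks discussed in this report (it is example code written for this page, not the dbus project's _dbus_getenv patch and not code from the reporter): the C program below refuses to read any environment variable once the process is setuid/setgid or flagged AT_SECURE by the kernel, and additionally rejects a D-Bus address whose transport would run a program (the unixexec type named above, and autolaunch, which spawns dbus-launch found via PATH). The function names process_is_setuid, guarded_getenv, hardened_getenv and address_uses_exec_transport are assumed for this example; getauxval(AT_SECURE) is glibc-specific and is guarded accordingly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE), glibc >= 2.16 */
#endif

/* Nonzero when the environment must not be trusted: real and effective
 * ids differ, or the kernel marked the process "secure" (AT_SECURE is also
 * set for file capabilities, which a plain uid comparison would miss).
 * Assumed helper; it mirrors the idea of the report, not dbus's own code. */
int process_is_setuid(void)
{
#ifdef __linux__
    if (getauxval(AT_SECURE))
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* The rule itself, with the setuid decision passed in so the behaviour can
 * be exercised from a test without actually being setuid. */
const char *guarded_getenv(int setuid, const char *name)
{
    if (setuid)
        return NULL;            /* pretend the variable is unset */
    return getenv(name);
}

/* What a defense-in-depth getenv wrapper in a library would expose. */
const char *hardened_getenv(const char *name)
{
    return guarded_getenv(process_is_setuid(), name);
}

/* Application-side check. A D-Bus address is a ';'-separated list of
 * "transport:key=value,..." entries. Returns 1 if any entry uses a
 * transport that executes a program (unixexec, or autolaunch which runs
 * dbus-launch from PATH), or if an entry is malformed (fail closed). */
int address_uses_exec_transport(const char *address)
{
    const char *p = address;
    while (*p) {
        const char *semi = strchr(p, ';');
        const char *end = semi ? semi : p + strlen(p);
        const char *colon = memchr(p, ':', (size_t)(end - p));
        if (!colon)
            return 1;           /* no "transport:" prefix: reject */
        size_t n = (size_t)(colon - p);
        if ((n == 8 && strncmp(p, "unixexec", 8) == 0) ||
            (n == 10 && strncmp(p, "autolaunch", 10) == 0))
            return 1;
        if (!semi)
            break;
        p = semi + 1;
    }
    return 0;
}

int main(void)
{
    const char *addr = hardened_getenv("DBUS_SESSION_BUS_ADDRESS");
    if (!addr) {
        printf("no environment-supplied address used (setuid=%d)\n",
               process_is_setuid());
        return 0;
    }
    if (address_uses_exec_transport(addr)) {
        printf("refusing address that would execute a program: %s\n", addr);
        return 1;
    }
    printf("using address: %s\n", addr);
    return 0;
}
```

Running it as an ordinary user with DBUS_SESSION_BUS_ADDRESS=unixexec:path=/tmp/evil shows the second check firing; running the same binary setuid shows the first check firing before the address is ever read, which is the order of defence the report argues for.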

