*** This bug is a security vulnerability ***

Public security bug reported:

There's a minor regression in CVE-2012-3524-dbus.patch, since
dbus-daemon-launch-helper is a setuid binary that links libdbus, and does
its own environment sanitization. Specifically, it attempts to pass through
DBUS_STARTER_ADDRESS, but that now fails, meaning a d-d-l-h-activated
program won't be able to find the system bus by asking for its starter
bus. (I believe there's no commonly-used software that depends on this,
but it's still documented as possible and d-d-l-h clearly attempts to
make it work, and my company has internal software that depended on
being able to ask for the starter bus.)

Colin Walters and I put together a patch that works around this:
http://cgit.freedesktop.org/dbus/dbus/commit/?id=f68dbdc3e6f895012ce33939fb524accf31bcca5
It depends on a predecessor commit that just removes the DBUS_VERBOSE logic in 
the activation helper, since it's not useful.

This is in the D-Bus 1.6.8 release. Those two commits should be
trivially backportable to older releases, though.

If you think this is serious enough to warrant an update, let me know if
you want debdiffs for the current Ubuntu releases. We're working around
this locally for now.

** Affects: dbus (Ubuntu)
     Importance: Undecided
         Status: New

** This bug has been flagged as a security vulnerability

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1058343

Title:
  Regression in CVE-2012-3524 security update

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
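Added example (editor's note, not part of the bug report and not the dbus project's code): the report turns on two different ways of reading the environment in a setuid process. After the CVE-2012-3524 fix, a lookup done inside the library refuses every variable once the process is privileged; a setuid launch helper instead reads its own environment and copies an explicit allowlist into the environment of the service it activates. The C below models both paths: env_is_untrusted() is the privilege check (AT_SECURE on Linux, falling back to uid/euid and gid/egid), library_getenv() is the refuse-when-privileged lookup, and sanitize_env() is the helper-side allowlist pass-through. The allowlist contents, the function names and the sample environment are constructed for this illustration; DBUS_STARTER_ADDRESS and DBUS_STARTER_BUS_TYPE are the real variable names from the D-Bus specification, but the helper's actual list is in the dbus source, not here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif

/* Is this process running with privileges it did not inherit from its
 * parent (setuid/setgid, or any exec the kernel flags via AT_SECURE)?
 * A library loaded into such a process must not trust the environment;
 * this is the kind of check the CVE-2012-3524 fix added to libdbus. */
int env_is_untrusted(void)
{
#ifdef __linux__
    if (getauxval(AT_SECURE) != 0)
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* Library-style lookup: refuse every variable when the process is
 * privileged. 'untrusted' is a parameter (rather than a call to
 * env_is_untrusted()) so both branches can be exercised from an
 * unprivileged process. Returns a pointer to the value, or NULL. */
const char *library_getenv(char *const envp[], const char *name, int untrusted)
{
    size_t len = strlen(name);
    if (untrusted)
        return NULL;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], name, len) == 0 && envp[i][len] == '=')
            return envp[i] + len + 1;
    }
    return NULL;
}

/* Names a setuid launch helper is willing to hand to the service it
 * activates. Constructed for this example (hypothetical list). */
static const char *const allowed_names[] = {
    "DBUS_STARTER_ADDRESS",
    "DBUS_STARTER_BUS_TYPE",
    "PATH",
    "LANG",
    NULL
};

/* Only [A-Za-z0-9_] in a variable name, so an entry with an odd name
 * (spaces, control characters) never matches and is dropped. */
static int name_is_clean(const char *s, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
              (c >= '0' && c <= '9') || c == '_'))
            return 0;
    }
    return 1;
}

/* Helper-style sanitisation: copy only allowlisted NAME=value entries
 * from envp into out (capacity cap, NULL-terminated). Entries without
 * '=', with malformed names, or not on the list are dropped. Returns the
 * number of entries kept. This parses envp directly, which is why a
 * helper that relies on the library-side lookup above stops seeing
 * DBUS_STARTER_ADDRESS once the library refuses it. */
size_t sanitize_env(char *const envp[], const char *out[], size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL && kept + 1 < cap; i++) {
        const char *eq = strchr(envp[i], '=');
        if (eq == NULL)
            continue;
        size_t len = (size_t)(eq - envp[i]);
        if (!name_is_clean(envp[i], len))
            continue;
        for (size_t j = 0; allowed_names[j] != NULL; j++) {
            if (strlen(allowed_names[j]) == len &&
                memcmp(allowed_names[j], envp[i], len) == 0) {
                out[kept++] = envp[i];
                break;
            }
        }
    }
    out[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed environment: what the bus might hand the helper, plus
     * two entries that must not survive (an LD_PRELOAD and a bare word). */
    char *const env[] = {
        "DBUS_STARTER_ADDRESS=unix:path=/var/run/dbus/system_bus_socket",
        "DBUS_STARTER_BUS_TYPE=system",
        "LD_PRELOAD=/tmp/evil.so",
        "PATH=/usr/bin:/bin",
        "NOEQUALS",
        NULL
    };
    const char *clean[8];
    size_t n = sanitize_env(env, clean, 8);

    printf("this process is %s\n", env_is_untrusted() ? "privileged" : "unprivileged");
    printf("library lookup when privileged: %s\n",
           library_getenv(env, "DBUS_STARTER_ADDRESS", 1) ? "found" : "refused");
    printf("helper kept %zu entries:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", clean[i]);
    return 0;
}
```

The split matters for a reviewer of a setuid helper: the library check is the right default for every process that merely links the library, and the helper, which has already decided what it trusts, has to read the variables it wants without routing through that check. Run as a normal user the program reports "unprivileged"; install the binary setuid (chmod u+s) and env_is_untrusted() flips to 1 via AT_SECURE, without any other change.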