Bug#: 156681
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description:   Opened: 2006-11-29 21:14 0000
RH reports: (name edited)

Kimmo H reported a DoS flaw in D-Bus to the freedesktop.org
bugzilla.  To quote his bug:

        I found a nasty bug in match_rule_equal() that can cause matches
        to be removed from other connections (thanks go to other guys
        for finding a reproducible use case for the bug).

This flaw can cause a local user to disable the ability of another
process to receive certain messages.  This flaw does not contain any
potential for arbitrary code execution.  Here is a more detailed description
from Kimmo:

        We don't have the software public yet, but the use case was the
        following.  There are three processes A, B, and C. All of them add
        the same match (same value). A is started first, then B, and lastly
        C. Now, B and C are closed: if B is closed before C, A's match is
        removed; but if C is closed before B, A's match is not removed (no
        buggy behaviour). (B and C call dbus_bus_remove_match on exit.)

I've assigned CVE-2006-6107 to this flaw.  The current embargo date is
2006-12-12 at 14:00 UTC.  The bug was public for a short period of time, so
it's possible a third party is aware of this, but I suspect given the low
severity of the flaw there won't be much attention before a public
announcement.

Here is the proposed patch:

diff -pur 0.61-osso23/bus/signals.c 0.61-osso23.new/bus/signals.c
--- 0.61-osso23/bus/signals.c   2006-11-23 16:46:52.589602192 +0200
+++ 0.61-osso23.new/bus/signals.c   2006-11-23 16:49:28.873843376 +0200
@@ -1067,6 +1067,9 @@ match_rule_equal (BusMatchRule *a,
   if (a->flags != b->flags)
     return FALSE;

+  if (a->matches_go_to != b->matches_go_to)
+    return FALSE;
+
   if ((a->flags & BUS_MATCH_MESSAGE_TYPE) &&
       a->message_type != b->message_type)
     return FALSE;
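
Review bot: the added matches_go_to comparison lands with no comment explaining why two rules with identical match text but different owning connections must compare unequal, and the hunk gives no indication that the callers of match_rule_equal() which remove rules by value always hand in a probe whose matches_go_to is the requesting connection; add a one-line comment above `if (a->matches_go_to != b->matches_go_to)` stating that rules are owned per connection, and consider moving the check ahead of the flags comparison, since the owner is the cheapest and most discriminating field. A more defensive fix would have the remove-by-value path search only the calling connection's own rules rather than rely on equality alone, so that match_rule_equal() can stay a pure value comparison. Note also that the file header points at a 0.61-osso23 vendor tree, so the context lines should be re-checked when applying this to 0.62 or 1.0.x.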

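The three-process scenario in the report is easier to follow as a small model. The following is an added example, not dbus's own code: it models the bus as one global list of match rules that RemoveMatch scans newest-first for an equal rule, plus the teardown that drops a connection's remaining rules when it disconnects (both are assumptions about the 0.6x matchmaker that reproduce the ordering dependence Kimmo describes). The `compare_owner` flag switches between the pre-patch equality, which ignores the owning connection, and the patched one. Connection identifiers, the rule text and all function names are constructed for the example.

```c
/* Added model of the D-Bus 0.6x matchmaker illustrating CVE-2006-6107.
 * Not dbus code: list layout, scan order and teardown are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULES 8

enum { CONN_A = 1, CONN_B = 2, CONN_C = 3 };   /* constructed connection ids */

typedef struct {
    int  owner;       /* stands in for BusMatchRule.matches_go_to */
    char text[48];    /* stands in for the rule's value fields */
    bool live;
} Rule;

typedef struct {
    Rule rules[MAX_RULES];   /* insertion order; stands in for all_rules */
    int  count;
    bool compare_owner;      /* false = pre-patch match_rule_equal() */
} Matchmaker;

static bool rule_equal(const Matchmaker *mm, const Rule *a, const Rule *b)
{
    if (mm->compare_owner && a->owner != b->owner)
        return false;                       /* the check the patch adds */
    return strcmp(a->text, b->text) == 0;
}

static void add_match(Matchmaker *mm, int owner, const char *text)
{
    Rule *r = &mm->rules[mm->count++];
    r->owner = owner;
    strncpy(r->text, text, sizeof r->text - 1);
    r->text[sizeof r->text - 1] = '\0';
    r->live = true;
}

/* RemoveMatch: find the newest rule equal to the caller's value and drop it.
 * With owner-blind equality this can hit a rule another connection owns. */
static bool remove_match(Matchmaker *mm, int caller, const char *text)
{
    Rule probe = { .owner = caller, .live = true };
    strncpy(probe.text, text, sizeof probe.text - 1);
    for (int i = mm->count - 1; i >= 0; i--) {
        Rule *r = &mm->rules[i];
        if (r->live && rule_equal(mm, r, &probe)) {
            r->live = false;
            return true;
        }
    }
    return false;
}

/* Connection teardown: the bus drops whatever rules the connection still owns. */
static void disconnect(Matchmaker *mm, int conn)
{
    for (int i = 0; i < mm->count; i++)
        if (mm->rules[i].live && mm->rules[i].owner == conn)
            mm->rules[i].live = false;
}

static bool has_live_rule(const Matchmaker *mm, int owner)
{
    for (int i = 0; i < mm->count; i++)
        if (mm->rules[i].live && mm->rules[i].owner == owner)
            return true;
    return false;
}

/* The report's scenario: A, B and C add the same rule; then `first` and
 * `second` each call RemoveMatch on exit and disconnect, in that order.
 * Returns whether A still has its rule afterwards. */
bool a_keeps_rule(bool compare_owner, int first, int second)
{
    Matchmaker mm = { .count = 0, .compare_owner = compare_owner };
    const char *rule = "type='signal',interface='org.example.Foo'";  /* constructed */
    add_match(&mm, CONN_A, rule);
    add_match(&mm, CONN_B, rule);
    add_match(&mm, CONN_C, rule);
    remove_match(&mm, first, rule);  disconnect(&mm, first);
    remove_match(&mm, second, rule); disconnect(&mm, second);
    return has_live_rule(&mm, CONN_A);
}

int main(void)
{
    printf("pre-patch, B then C: A keeps rule = %d\n", a_keeps_rule(false, CONN_B, CONN_C));
    printf("pre-patch, C then B: A keeps rule = %d\n", a_keeps_rule(false, CONN_C, CONN_B));
    printf("patched,   B then C: A keeps rule = %d\n", a_keeps_rule(true,  CONN_B, CONN_C));
    printf("patched,   C then B: A keeps rule = %d\n", a_keeps_rule(true,  CONN_C, CONN_B));
    return 0;
}
```

In the owner-blind model, B's RemoveMatch on exit takes C's rule (the newest equal one), B's disconnect drops B's own, and C's RemoveMatch then finds only A's rule left to match, which is exactly the "B closed before C" loss the report describes; reversing the order lets each connection take its own rule, so A is untouched. With the owner comparison in place, A's rule survives in both orders.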
------- Comment #1 From Matthias Geerdsen 2006-12-12 12:07:30 0000 -------
Are there any news about this one? The embargo was supposed to end earlier
today.

Is 0.62 affected by this, as it is the stable ebuild for all supported arches
but alpha?

CC'ing cardoe as the maintainer

------- Comment #2 From Doug Goldstein 2006-12-12 15:49:46 0000 -------
Yes I know. Yes the release happened today. Yes I just got home from work so I
can address it now. Yes all versions of D-Bus are affected. It's a local denial
of service attack that would have to target specific applications that use
D-Bus.

------- Comment #3 From Doug Goldstein 2006-12-12 16:24:38 0000 -------
committed 1.0.2 which is fixed. Removed previous 1.0.x series. Kept current
stable versions in the tree, however they are vulnerable. 

------- Comment #4 From Doug Goldstein 2006-12-12 17:35:09 0000 -------
Added 0.62-r2 with the security fix backported to it. Just get the arches to
start stabilizing that version.

------- Comment #5 From Sune Kloppenborg Jeppesen 2006-12-12 23:10:01 0000 -------
Thx Doug

Arches please test and mark stable. Target keywords are:

dbus-0.62-r2.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh
sparc x86"

------- Comment #6 From Christian Faulhammer 2006-12-13 03:22:15 0000 -------
Test fails, but x86 is stable

------- Comment #7 From Tobias Scherbaum 2006-12-13 04:34:05 0000 -------
ppc stable

------- Comment #8 From Gustavo Zacarias (RETIRED) 2006-12-13 05:32:48 0000 -------
sparc stable.

------- Comment #9 From Michael Cummings (RETIRED) 2006-12-13 06:49:43 0000 -------
amd64 all set

------- Comment #10 From Jeroen Roovers 2006-12-13 08:44:14 0000 -------
Stable for HPPA.

------- Comment #11 From Brent Baude 2006-12-13 08:56:30 0000 -------
ppc64 done

------- Comment #12 From Matt Drew 2006-12-14 05:11:02 0000 -------
*** Bug 158123 has been marked as a duplicate of this bug. ***

------- Comment #13 From Doug Goldstein 2006-12-14 05:43:37 0000 -------
Looking at the ebuild itself, some more arches have marked it stable. Removing
those arches. Now waiting on alpha and mips... who I've been waiting on for a
while to even stabilize 0.62-r1 (maybe 3-4 weeks)

------- Comment #14 From Doug Goldstein 2006-12-17 12:53:15 0000 -------
kloeri took care of alpha.

------- Comment #15 From Raphael Marichez 2006-12-17 15:13:08 0000 -------
(In reply to comment #14)
> kloeri took care of alpha.
> 

OK


TTV

I vote no because of the very specific conditions to comply with before
exploiting that low-severity bug.

------- Comment #16 From Wolf Giesen (RETIRED) 2006-12-17 21:35:32 0000 -------
I concur with the low severity, although it does not seem too difficult to
exploit.

------- Comment #17 From Sune Kloppenborg Jeppesen 2006-12-17 22:21:48 0000 -------
Voting NO and closing. Feel free to reopen if you disagree.

Removing Alpha as they have already marked stable.
