Bug 516080 (CVE-2014-3532)

Summary: <sys-apps/dbus-1.8.6: two local DoS vulnerabilities in dbus-daemon (CVE-2014-{3532,3533})
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: freedesktop-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://seclists.org/oss-sec/2014/q3/4
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-07-02 16:13:53 UTC
From ${URL}:
Impact: denial of service (force system services to exit)
Access required: local
Versions affected by CVE-2014-3532: dbus >= 1.3.0 on Linux >= 2.6.37-rc4
Versions affected by CVE-2014-3533: dbus >= 1.3.0 on all Unix platforms

Alban Crequy at Collabora Ltd. discovered a bug in dbus-daemon's support
for file descriptor passing. A malicious process could force system
services or user applications to be disconnected from the D-Bus system
bus by sending them a message containing a file descriptor, then causing
that file descriptor to exceed the kernel's maximum recursion depth
(itself introduced to fix a DoS) before dbus-daemon forwards the message
to the victim process. Most services and applications exit when
disconnected from the system bus, leading to a denial of service. This
is tracked as fd.o#80163 and CVE-2014-3532.

Additionally, Alban discovered that bug fd.o#79694, a bug previously
reported by Alejandro Martínez Suárez which was not believed to be a
security flaw, could be used for a similar denial of service, by causing
dbus-daemon to attempt to forward invalid file descriptors to a victim
process when file descriptors become associated with the wrong message.
Its security implications are tracked as fd.o#80469 and CVE-2014-3533.

For the 1.8.x stable branch, these vulnerabilities are fixed in version
1.8.6. For the 1.6.x old-stable branch, these vulnerabilities are fixed
in version 1.6.22.

All earlier versions of dbus with the file descriptor passing feature
(1.3.0 and up) are believed to be vulnerable. Distributions that
backport security fixes should backport git commits
07f4c12efe3b9bd45d109bc5fbaf6d9dbf69d78e and
9ca90648fc870c24d852ce6d7ce9387a9fc9a94a, attached.

References:

[fd.o#79694] https://bugs.freedesktop.org/show_bug.cgi?id=79694
[fd.o#80469] https://bugs.freedesktop.org/show_bug.cgi?id=80469
[fd.o#80163] https://bugs.freedesktop.org/show_bug.cgi?id=80163

Regards,
    S
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2014-07-03 16:43:01 UTC
Please, test and stabilize:

=sys-apps/dbus-1.8.6
Comment 2 Agostino Sarubbo gentoo-dev 2014-07-04 19:32:42 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-07-05 02:05:08 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2014-07-05 10:51:53 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-07-05 11:26:33 UTC
alpha stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-07-05 11:27:15 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-07-05 11:27:42 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-07-05 11:28:06 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-07-05 11:28:57 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-07-05 11:29:21 UTC
sparc stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2014-07-06 15:02:37 UTC
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-07-26 03:41:48 UTC
CVE-2014-3533 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3533):
  dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause
  a denial of service (disconnect) via a certain sequence of crafted messages
  that cause the dbus-daemon to forward a message containing an invalid file
  descriptor.

CVE-2014-3532 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3532):
  dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux
  2.6.37-rc4 or later, allows local users to cause a denial of service
  (system-bus disconnect of other services or applications) by sending a
  message containing a file descriptor, then exceeding the maximum recursion
  depth before the initial message is forwarded.
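The two NVD entries above, together with the advisory in the description, give enough to decide whether a given host is in scope: the dbus range (1.3.0 and up, fixed in 1.6.22 for the 1.6.x branch and 1.8.6 for 1.8.x) and, for CVE-2014-3532 only, the kernel condition (Linux 2.6.37-rc4 or later). The script below is an added example for triage, not part of this bug or of dbus; it encodes exactly those ranges, and the handling of `-rc` suffixes (a release candidate sorts below the final release of the same number) and of distribution suffixes such as `-gentoo` are my own assumptions about how version strings will look on a host.

```python
"""Decide which of CVE-2014-3532 / CVE-2014-3533 apply to a host, using the
version ranges quoted in the Gentoo bug (added example, not project code)."""
import re

# Accepts "1.8.6", "2.6.37-rc4" and kernel-style "3.14.1-gentoo" (suffix ignored).
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-rc(\d+))?(?:[-+_].*)?")


def parse_version(s):
    """Turn a version string into a tuple that compares the way releases order.

    The numeric part is padded to at least three components so 1.8 == 1.8.0.
    A release candidate gets (-1, n) appended, a final release (0, 0), so
    2.6.37-rc4 < 2.6.37 holds under plain tuple comparison.
    """
    m = _VERSION_RE.fullmatch(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    rc = m.group(2)
    return nums + ((-1, int(rc)) if rc else (0, 0))


# Boundaries taken from the advisory text in this bug.
FIRST_AFFECTED = parse_version("1.3.0")      # fd passing first shipped
FIXED_OLD_STABLE = parse_version("1.6.22")   # 1.6.x branch fix
NEXT_AFTER_OLD_STABLE = parse_version("1.7.0")
FIXED_STABLE = parse_version("1.8.6")        # 1.8.x branch fix
KERNEL_THRESHOLD = parse_version("2.6.37-rc4")  # CVE-2014-3532 only


def dbus_is_affected(dbus_version):
    """True if this dbus release carries the fd-passing bugs.

    Follows the advisory: everything from 1.3.0 up is affected unless it is
    1.8.6 or later, or a 1.6.x release at or above 1.6.22 (the backported fix).
    """
    v = parse_version(dbus_version)
    if v < FIRST_AFFECTED or v >= FIXED_STABLE:
        return False
    if FIXED_OLD_STABLE <= v < NEXT_AFTER_OLD_STABLE:
        return False
    return True


def applicable_cves(dbus_version, os_name="Linux", kernel_version=None):
    """Return the CVE ids that apply to this host, most severe first.

    CVE-2014-3533 applies on every Unix platform; CVE-2014-3532 additionally
    needs Linux 2.6.37-rc4 or later (the kernel's fd recursion limit).
    """
    if not dbus_is_affected(dbus_version):
        return []
    cves = ["CVE-2014-3533"]
    if (os_name == "Linux" and kernel_version is not None
            and parse_version(kernel_version) >= KERNEL_THRESHOLD):
        cves.insert(0, "CVE-2014-3532")
    return cves


if __name__ == "__main__":
    # Constructed sample hosts; on a real box feed in the output of
    # `dbus-daemon --version` and `uname -r` instead.
    for dbus_v, os_n, kern in [("1.8.4", "Linux", "3.14.1-gentoo"),
                               ("1.6.18", "FreeBSD", None),
                               ("1.8.6", "Linux", "3.14.1-gentoo")]:
        print(dbus_v, os_n, kern, "->", applicable_cves(dbus_v, os_n, kern))
```

Note that the NVD wording ("1.3.0 before 1.6.22 and 1.8.x before 1.8.6") leaves the 1.7.x development series unmentioned; the function treats it as affected, which is what the advisory's "all earlier versions ... 1.3.0 and up" says.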
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-08-01 03:32:38 UTC
Maintainer(s), thank you for the cleanup!
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 15:14:36 UTC
This issue was resolved and addressed in
 GLSA 201412-12 at http://security.gentoo.org/glsa/glsa-201412-12.xml
by GLSA coordinator Mikle Kolyada (Zlogene).