Bug 436028 (CVE-2012-3524) - <sys-apps/dbus-1.6.8,<dev-libs/glib-2.32.4-r1: Local privilege escalation and arbitrary code execution via DBUS_SYSTEM_BUS_ADDRESS (CVE-2012-3524)
Status: RESOLVED FIXED
Alias: CVE-2012-3524
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: http://cgit.freedesktop.org/dbus/dbus...
Whiteboard: A1 [glsa]
Keywords:
Depends on: 416725 427544
Blocks:
Reported: 2012-09-23 20:23 UTC by GLSAMaker/CVETool Bot
Modified: 2014-06-01 14:29 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2012-09-23 20:23:13 UTC
CVE-2012-3524 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3524):
  libdbus 1.5.x and earlier, when used in setuid or other privileged programs
  in X.org and possibly other products, allows local users to gain privileges
  and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment
  variable.  NOTE: libdbus maintainers state that this is a vulnerability in
  the applications that do not cleanse environment variables, not in libdbus
  itself: "we do not support use of libdbus in setuid binaries that do not
  sanitize their environment before their first call into libdbus."
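
The maintainers' requirement quoted above, that a setuid program sanitize its environment before its first call into libdbus, can be met with a check like the following. This is an added example, not code from this bug report, dbus, or glib; the helper names `running_privileged` and `scrub_bus_env` are hypothetical, and dropping the two variables other than DBUS_SYSTEM_BUS_ADDRESS is an assumption about what a cautious caller would also remove.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/auxv.h>

/* Variables that steer where a D-Bus client connects. Only
 * DBUS_SYSTEM_BUS_ADDRESS is named in the CVE text; the other two are
 * included here as an assumption. */
static const char *const bus_env[] = {
    "DBUS_SYSTEM_BUS_ADDRESS",
    "DBUS_SESSION_BUS_ADDRESS",
    "DBUS_STARTER_ADDRESS",
};

/* Nonzero when the process runs with more privilege than its invoker:
 * setuid/setgid, or AT_SECURE set by the kernel (covers file capabilities). */
int running_privileged(void)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return 1;
    return getauxval(AT_SECURE) != 0;
}

/* Remove the bus-address variables when privileged. Returns the number of
 * variables that were present and removed, or -1 if unsetenv() failed. */
int scrub_bus_env(int privileged)
{
    int removed = 0;
    if (!privileged)
        return 0;
    for (size_t i = 0; i < sizeof bus_env / sizeof bus_env[0]; i++) {
        if (getenv(bus_env[i]) == NULL)
            continue;
        if (unsetenv(bus_env[i]) != 0)
            return -1;
        removed++;
    }
    return removed;
}

int main(void)
{
    /* Must run before the first call into libdbus. */
    int n = scrub_bus_env(running_privileged());
    if (n < 0)
        return EXIT_FAILURE;   /* fail closed rather than connect */
    printf("privileged=%d removed=%d\n", running_privileged(), n);
    return EXIT_SUCCESS;
}
```
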
Comment 1 Agostino Sarubbo gentoo-dev 2012-09-23 22:56:00 UTC
Who sets the whiteboard as [ebuild]? What is for you the fixed version?

Upstream has not yet fixed this issue.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 06:46:48 UTC
dbus-1.6.4 has the patch for this CVE and is for stabilization (as in, -r0 is for stabilization)

dbus-1.6.4-r1 has the patch for this CVE but is for ~arch because of its systemd dependency (repoman issues)

furthermore if you dig up the Fedora bug for this issue, they disagree it's even a dbus bug and a problem with apps like 'spice'

anyway, nothing for freedesktop-bugs@ to do here, happy hunting security@ for those buggy setuid apps down (like spice)
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 06:47:45 UTC
I'm dropping the patch from next dbus version since it will never land upstream, so you have until then to deal with the buggy apps (like spice :-)
Comment 4 Agostino Sarubbo gentoo-dev 2012-09-24 10:53:27 UTC
I would just point out that upstream has rejected that patch.
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 11:06:16 UTC
(In reply to comment #4)
> I would just point out that upstream has rejected that patch.

that's why I said in Comment #3 this is only temporary until the setuid reverse dependencies have been fixed...
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2012-09-29 16:32:52 UTC
1.6.8 in Portage with...

http://cgit.freedesktop.org/dbus/dbus/commit/?id=23fe78ceefb6cefcd58a49c77d1154b68478c8d2

The other part of the fix is in dev-libs/glib-2.34.0 here:

http://git.gnome.org/browse/glib/commit/?id=d6cbb29f598d677d5fc1c974cba6d9f646cff491

CCing gnome@ for above ^^ to get it backported into 2.32 series and for stabilization.
Comment 7 Pacho Ramos gentoo-dev 2012-09-29 16:54:51 UTC
This is the patch for glib-2.32... but I don't have time to apply and commit it, Samuli, if you have time now for that feel free to commit:
http://git.gnome.org/browse/glib/commit/?h=glib-2-32&id=4c2928a54482913cf236bff0e66650a8f47e17ea
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2012-09-29 17:19:35 UTC
Patch imported to =dev-libs/glib-2.32.4-r1.

Please test and stabilize:

=sys-apps/dbus-1.6.8
=dev-libs/glib-2.32.4-r1
=dev-util/gdbus-codegen-2.32.4 (from bug
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2012-09-29 17:21:59 UTC
(In reply to comment #8)
> Patch imported to =dev-libs/glib-2.32.4-r1.
> 
> Please test and stabilize:
> 
> =sys-apps/dbus-1.6.8
> =dev-libs/glib-2.32.4-r1
=dev-util/gdbus-codegen-2.32.4 (from bug 427544)
and new dbus-glib and dbus-python from bug 416725
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2012-10-02 15:41:08 UTC
Stable for HPPA.
Comment 11 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-10-04 08:27:50 UTC
x86 stable (systemd code rolled to -r1)
Comment 12 Agostino Sarubbo gentoo-dev 2012-10-04 19:30:05 UTC
amd64 stable
Comment 13 John J. Aylward 2012-10-06 06:46:36 UTC
Is there a reason that the 1.6.8 ebuild has systemd support missing while 1.6.2 and 1.6.8-r1 have the use flag set up for it?

I'd rather not have to unmask the -r1 just for systemd support on amd64 since 1.6.2 was already stable with it.
Comment 14 Markus Meier gentoo-dev 2012-10-06 10:49:57 UTC
arm stable
Comment 15 Anthony Basile gentoo-dev 2012-10-14 05:12:42 UTC
stable ppc ppc64
Comment 16 Matt Turner gentoo-dev 2012-10-14 05:37:17 UTC
alpha stable
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2012-10-14 14:56:49 UTC
ia64/m68k/s390/sh/sparc stable
Comment 18 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-14 18:04:15 UTC
Thanks, everyone.

Filing a new GLSA request.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2014-06-01 14:29:50 UTC
This issue was resolved and addressed in
 GLSA 201406-01 at http://security.gentoo.org/glsa/glsa-201406-01.xml
by GLSA coordinator Chris Reffett (creffett).