Bug 512940 (CVE-2014-3477)

Summary: <sys-apps/dbus-1.8.4: local DoS in dbus-daemon (CVE-2014-3477)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: freedesktop-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2014/06/10/2
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-06-11 08:03:03 UTC
From ${URL} :

D-Bus <http://www.freedesktop.org/wiki/Software/dbus/> is an
asynchronous inter-process communication system, commonly used
for system services or within a desktop session on Linux and other
operating systems.

Alban Crequy at Collabora Ltd. discovered and fixed a denial-of-service
flaw in dbus-daemon, part of the reference implementation of D-Bus.
Additionally, in highly unusual environments the same flaw could lead to
a side channel between processes that should not be able to communicate.

On the stable branch, this is fixed in version 1.8.4:
http://dbus.freedesktop.org/releases/dbus/dbus-1.8.4.tar.gz
http://dbus.freedesktop.org/releases/dbus/dbus-1.8.4.tar.gz.asc

On the previous stable branch, this is fixed in version 1.6.20:
http://dbus.freedesktop.org/releases/dbus/dbus-1.6.20.tar.gz
http://dbus.freedesktop.org/releases/dbus/dbus-1.6.20.tar.gz.asc

Distributions supporting other versions should base their changes on
this commit:
http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=24c590703ca47eb71ddef453de43126b90954567

Summary:

If a client C1 is prohibited from sending a message to a service S1, and
S1 is not currently running, then C1 can attempt to send a message to
S1's well-known bus name, causing dbus-daemon to start S1 [1]. When S1
has started and obtained its well-known bus name, the dbus-daemon
evaluates its security policy, decides that it will not deliver the
message to S1, and constructs an AccessDenied error. However, instead of
sending that AccessDenied error reply to C1 as a reply to the denied
message, dbus-daemon incorrectly sends it to S1 as a reply to the
request to obtain its well-known bus name.

Impact A: denial of service. S1 will fail to initialize, and exit,
denying service to legitimate clients of S1.

Impact B: side channel. In environments where C1 and S1 are untrusted
and are administratively prohibited from communicating, S1 could also
use these incorrectly-directed error messages as a side channel to
receive information from C1.

Mitigations:

Impact A: if a legitimate client was actively using S1, S1 would already
have been started, so C1 can only deny service to a legitimate client
that only recently became active.

Impact B: in practice processes sharing a system bus can typically
communicate in other ways (non-D-Bus IPC mechanisms, files in /tmp,
etc.), so impact B is not relevant on normal systems. It might be
relevant on systems when an LSM such as SELinux is used in a highly
restrictive configuration.

Footnotes:

[1] This is perhaps unexpected, but the dbus-daemon is behaving as
designed: it cannot necessarily evaluate which security policies it
should apply to S1 until S1 has actually connected back to dbus-daemon,
because S1 might change its uid, SELinux context, etc. during startup.
The conceptual model is that activatable services are always running,
and that the dbus-daemon delaying their startup until they are actually
needed is a form of lazy evaluation. As such, the D-Bus maintainers do
not consider this to be a bug or vulnerability.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
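The routing mistake described in the advisory above (the AccessDenied error being built as a reply to S1's RequestName call instead of to C1's original message), modelled as an added example for this bug page. This is not code from dbus-daemon: the Bus, Connection and Message classes, the ":1.x" unique names, the org.example.S1 service and the policy model (a set of denied (client, well-known name) pairs standing in for the daemon's <deny> rules) are all simplifications invented here. Running it with fixed=False reproduces the pre-1.8.4 behaviour, fixed=True the behaviour after the referenced commit.

```python
"""Model of the reply-routing flaw behind CVE-2014-3477 (added illustration
for this bug report, not code from dbus-daemon). Bus, Connection, Message,
the ":1.x" names and the denied-pairs policy are simplifications invented here."""
from dataclasses import dataclass, field
from typing import Optional

ACCESS_DENIED = "org.freedesktop.DBus.Error.AccessDenied"
DAEMON = "org.freedesktop.DBus"


@dataclass
class Message:
    serial: int                         # serial chosen by the sender
    sender: str                         # unique connection name, e.g. ":1.5"
    destination: str                    # unique or well-known name
    member: str
    reply_serial: Optional[int] = None  # set on method returns and errors
    error_name: Optional[str] = None    # set on error messages only


@dataclass
class Connection:
    unique_name: str
    inbox: list = field(default_factory=list)


class Bus:
    """Minimal dbus-daemon: name ownership, activation queue, policy check."""

    def __init__(self, denied, fixed):
        self.denied = denied        # {(client unique name, well-known name)}
        self.fixed = fixed          # False reproduces dbus-daemon < 1.8.4
        self.conns = {}             # unique name -> Connection
        self.owners = {}            # well-known name -> unique name
        self.activatable = set()    # names the daemon may start on demand
        self.pending = {}           # well-known name -> calls awaiting start

    def connect(self, conn):
        self.conns[conn.unique_name] = conn

    def _access_denied(self, destination, reply_serial):
        self.conns[destination].inbox.append(Message(
            0, DAEMON, destination, "Error", reply_serial, ACCESS_DENIED))

    def send(self, msg):
        dest = msg.destination
        if dest in self.owners:                   # service running: normal path
            if (msg.sender, dest) in self.denied:
                self._access_denied(msg.sender, msg.serial)
            else:
                self.conns[self.owners[dest]].inbox.append(msg)
        elif dest in self.activatable:
            # Footnote [1]: policy cannot be evaluated until the service has
            # connected, so the daemon starts it and parks the call.
            self.pending.setdefault(dest, []).append(msg)

    def request_name(self, conn, well_known, serial):
        """The started service claims its name; parked calls are flushed."""
        self.owners[well_known] = conn.unique_name
        conn.inbox.append(Message(0, DAEMON, conn.unique_name,
                                  "RequestName reply", serial))
        for queued in self.pending.pop(well_known, []):
            if (queued.sender, well_known) not in self.denied:
                conn.inbox.append(queued)
            elif self.fixed:
                # Correct: the error answers the client's original call.
                self._access_denied(queued.sender, queued.serial)
            else:
                # Bug: the error is built as a reply to the service's own
                # RequestName call, so it lands in S1's inbox, not C1's.
                self._access_denied(conn.unique_name, serial)


def service_started_ok(conn, request_serial):
    """Impact A: a service library that sees an error reply to its RequestName
    call treats name acquisition as failed and exits."""
    return not any(m.reply_serial == request_serial and m.error_name
                   for m in conn.inbox)


def run_scenario(fixed):
    """C1 (denied access to S1) calls S1 while S1 is not running.
    Returns (c1, s1, serial of C1's call, serial of S1's RequestName)."""
    bus = Bus(denied={(":1.5", "org.example.S1")}, fixed=fixed)
    c1, s1 = Connection(":1.5"), Connection(":1.6")
    bus.connect(c1)
    bus.activatable.add("org.example.S1")
    call = Message(7, ":1.5", "org.example.S1", "Ping")
    bus.send(call)                                # parks the call, starts S1
    bus.connect(s1)                               # S1 connects back ...
    req = Message(1, ":1.6", DAEMON, "RequestName")
    bus.request_name(s1, "org.example.S1", req.serial)   # ... and gets its name
    return c1, s1, call.serial, req.serial


if __name__ == "__main__":
    for fixed in (False, True):
        c1, s1, _, req = run_scenario(fixed)
        print("fixed" if fixed else "buggy", [m.error_name for m in c1.inbox],
              [m.error_name for m in s1.inbox], service_started_ok(s1, req))
```

In the buggy run C1 receives nothing and S1 receives an AccessDenied whose reply_serial matches its own RequestName call, which is exactly what makes a service library give up (impact A) and what lets S1 observe that some denied client tried to reach it (impact B). In the fixed run the error reaches C1 with C1's serial and S1 sees only its RequestName reply.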
Comment 1 Agostino Sarubbo gentoo-dev 2014-06-18 16:24:28 UTC
*** Bug 513698 has been marked as a duplicate of this bug. ***
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-18 18:37:21 UTC
Arches, please stabilize: 

=sys-apps/dbus-1.8.4
Targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-18 18:48:16 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-06-19 20:46:55 UTC
Who is Kristian Fiskerstrand?
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2014-06-19 20:57:07 UTC
(In reply to Jeroen Roovers from comment #4)
> Who is Kristian Fiskerstrand?

https://bugs.gentoo.org/show_bug.cgi?id=K_F
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-06-20 00:56:41 UTC
(In reply to Jeroen Roovers from comment #4)
> Who is Kristian Fiskerstrand?

He is also going through the padawan process on the security team now.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-06-20 13:16:44 UTC
(In reply to Yury German from comment #6)
> (In reply to Jeroen Roovers from comment #4)
> > Who is Kristian Fiskerstrand?
> 
> He is also going through the padawan process on the security team now.

You should update the Project:Security wiki page then.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2014-06-20 13:17:09 UTC
Stable for HPPA.
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2014-06-23 15:38:34 UTC
x86 stable
Comment 10 Markus Meier gentoo-dev 2014-06-24 19:15:20 UTC
arm stable
Comment 11 Samuli Suominen (RETIRED) gentoo-dev 2014-07-03 16:43:35 UTC
The stabilization will continue in bug 516080 for 1.8.6
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-07-04 02:46:15 UTC
CVE-2014-3477 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3477):
  The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x
  before 1.8.4, sends an AccessDenied error to the service instead of a client
  when the client is prohibited from accessing the service, which allows local
  users to cause a denial of service (initialization failure and exit) or
  possibly conduct a side-channel attack via a D-Bus message to an inactive
  service.
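A small check that maps an installed dbus version onto the affected ranges quoted in the NVD text above. This is an added helper for this bug page, not part of dbus or of Gentoo's tooling. The first-line format of `dbus-daemon --version` ("D-Bus Message Bus Daemon 1.8.4") and the treatment of branches the CVE text does not enumerate (1.0/1.1, and the development branches 1.5.x and 1.7.x, reported as unknown; anything at or above 1.8.4 reported as fixed) are assumptions of this example.

```python
"""Classify a dbus version against the CVE-2014-3477 ranges in the NVD entry.
Added helper for this bug report; not dbus or Gentoo code. The
`dbus-daemon --version` output format assumed below is an assumption."""
import re
import subprocess
from typing import Optional

# branch -> first fixed version, or None when the whole branch is affected.
AFFECTED = {
    (1, 2): None, (1, 3): None, (1, 4): None,   # "1.2.x through 1.4.x"
    (1, 6): (1, 6, 20),                         # "1.6.x before 1.6.20"
    (1, 8): (1, 8, 4),                          # "1.8.x before 1.8.4"
}


def parse_version(text: str) -> tuple:
    """Pull the first x.y.z triple out of e.g. 'D-Bus Message Bus Daemon 1.8.6'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> Optional[bool]:
    """True/False per the NVD ranges; None for versions the text does not
    enumerate (below 1.2, and the 1.5.x / 1.7.x development branches)."""
    v = parse_version(version)
    branch = v[:2]
    if branch in AFFECTED:
        first_fixed = AFFECTED[branch]
        return first_fixed is None or v < first_fixed
    if v >= (1, 8, 4):
        return False        # assumption: later branches carry the 1.8.4 fix
    return None


def installed_dbus_version() -> Optional[str]:
    """First line of `dbus-daemon --version`, or None if it cannot be run."""
    try:
        out = subprocess.run(["dbus-daemon", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except OSError:
        return None
    return out.splitlines()[0] if out.strip() else None


if __name__ == "__main__":
    line = installed_dbus_version()
    if line is None:
        print("dbus-daemon not found")
    else:
        verdict = {True: "VULNERABLE", False: "fixed", None: "not covered by CVE text"}
        print(line, "->", verdict[is_vulnerable(line)])
```

On a Gentoo box the same triple can be taken from the installed package version instead of the binary; either way, a result of "fixed" only covers this CVE and says nothing about the later 1.8.6 bump tracked in bug 516080.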
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-07-06 15:09:07 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2014-08-01 03:46:54 UTC
Maintainer(s), Thank you for cleanup!
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 15:14:29 UTC
This issue was resolved and addressed in
 GLSA 201412-12 at http://security.gentoo.org/glsa/glsa-201412-12.xml
by GLSA coordinator Mikle Kolyada (Zlogene).