
Bug 522982 (CVE-2014-3635)

Summary: <sys-apps/dbus-1.8.8: Multiple vulnerabilities (CVE-2014-{3635,3636,3637,3638,3639})
Product: Gentoo Security
Reporter: Samuli Suominen <ssuominen>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://cgit.freedesktop.org/dbus/dbus/tree/NEWS?h=dbus-1.8
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Samuli Suominen gentoo-dev 2014-09-17 06:07:22 UTC
+The "smashy smashy egg man" release.
+
+Security fixes:
+
+• Do not accept an extra fd in the padding of a cmsg message, which
+ could lead to a 4-byte heap buffer overrun.
+ (CVE-2014-3635, fd.o #83622; Simon McVittie)
+
+• Reduce default for maximum Unix file descriptors passed per message
+ from 1024 to 16, preventing a uid with the default maximum number of
+ connections from exhausting the system bus' file descriptors under
+ Linux's default rlimit. Distributors or system administrators with a
+ more restrictive fd limit may wish to reduce these limits further.
+
+ Additionally, on Linux this prevents a second denial of service
+ in which the dbus-daemon can be made to exceed the maximum number
+ of fds per sendmsg() and disconnect the process that would have
+ received them.
+ (CVE-2014-3636, fd.o #82820; Alban Crequy)
+
+• Disconnect connections that still have a fd pending unmarshalling after
+ a new configurable limit, pending_fd_timeout (defaulting to 150 seconds),
+ removing the possibility of creating an abusive connection that cannot be
+ disconnected by setting up a circular reference to a connection's
+ file descriptor.
+ (CVE-2014-3637, fd.o #80559; Alban Crequy)
+
+• Reduce default for maximum pending replies per connection from 8192 to 128,
+ mitigating an algorithmic complexity denial-of-service attack
+ (CVE-2014-3638, fd.o #81053; Alban Crequy)
+
+• Reduce default for authentication timeout on the system bus from
+ 30 seconds to 5 seconds, avoiding denial of service by using up
+ all unauthenticated connection slots; and when all unauthenticated
+ connection slots are used up, make new connection attempts block
+ instead of disconnecting them.
+ (CVE-2014-3639, fd.o #80919; Alban Crequy)
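The first item above (the extra fd hidden in cmsg padding, CVE-2014-3635) is easiest to understand with a live socket. The following C program is an added example written for this page; it is not code from this bug, from the dbus source, or from the NEWS excerpt, and the function names (`send_fds`, `recv_fds_checked`, `roundtrip`, `fd_limit_leaves_padding`) are my own. It sends SCM_RIGHTS messages over a socketpair to a receiver whose control buffer is sized for `max_fds` descriptors, and shows both the arithmetic that lets a 64-bit Linux receiver with an odd limit accept one descriptor more than it allocated for, and the receiver-side comparison that rejects such a message (closing every delivered fd so nothing leaks). The odd limit of 3 is a constructed stand-in for the odd `max_message_unix_fds` value the NVD text refers to.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Number of fds an SCM_RIGHTS cmsg of the given cmsg_len carries. The kernel
 * reports the real length, not the length the receiver hoped for, so this is
 * the value a receiver has to compare against its own allocation. */
static int fds_in_cmsg(size_t cmsg_len)
{
    if (cmsg_len < CMSG_LEN(0))
        return 0;
    return (int)((cmsg_len - CMSG_LEN(0)) / sizeof(int));
}

/* Does a control buffer sized for max_fds fds leave room for one more?
 * CMSG_SPACE rounds the data area up to the platform alignment (8 bytes on
 * 64-bit Linux), so an odd max_fds leaves a spare 4-byte slot. */
static int fd_limit_leaves_padding(int max_fds)
{
    size_t have = CMSG_SPACE(max_fds * sizeof(int));
    size_t need = CMSG_LEN(max_fds * sizeof(int));
    return (have - need) >= sizeof(int);
}

/* Sender: one payload byte plus n fds in a single SCM_RIGHTS cmsg. */
static int send_fds(int sock, const int *fds, int n)
{
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    size_t space = CMSG_SPACE(n * sizeof(int));
    char *cbuf = calloc(1, space);
    if (!cbuf)
        return -1;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = space;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(n * sizeof(int));
    memcpy(CMSG_DATA(cm), fds, n * sizeof(int));
    ssize_t r = sendmsg(sock, &msg, 0);
    free(cbuf);
    return r < 0 ? -1 : 0;
}

/* Hardened receiver: out[] holds max_fds entries. Returns the number of fds
 * stored, or -1 if the peer delivered more than max_fds (or the control data
 * was truncated). Without the "n > max_fds" comparison, the memcpy below
 * would write 4 bytes past a max_fds-sized heap buffer whenever the padding
 * slot carried an extra fd; that is the overrun the NEWS item describes. */
static int recv_fds_checked(int sock, int max_fds, int *out)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    size_t space = CMSG_SPACE(max_fds * sizeof(int));
    char *cbuf = calloc(1, space);
    if (!cbuf)
        return -1;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = space;
    int flags = 0;
#ifdef MSG_CMSG_CLOEXEC
    flags = MSG_CMSG_CLOEXEC;
#endif
    if (recvmsg(sock, &msg, flags) < 0) {
        free(cbuf);
        return -1;
    }
    int stored = 0;
    int rejected = (msg.msg_flags & MSG_CTRUNC) != 0;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
            continue;
        int n = fds_in_cmsg(cm->cmsg_len);
        if (rejected || stored + n > max_fds) {
            rejected = 1;               /* the check missing before 1.8.8 */
            for (int i = 0; i < n; i++) {
                int fd;
                memcpy(&fd, (char *)CMSG_DATA(cm) + i * sizeof(int), sizeof fd);
                close(fd);              /* do not leak what the kernel installed */
            }
            continue;
        }
        memcpy(out + stored, CMSG_DATA(cm), n * sizeof(int));
        stored += n;
    }
    if (rejected)
        for (int i = 0; i < stored; i++)
            close(out[i]);
    free(cbuf);
    return rejected ? -1 : stored;
}

/* Constructed scenario: push n_send copies of one fd at a receiver sized for
 * max_fds, and report what recv_fds_checked decided. -2 means setup failure. */
static int roundtrip(int max_fds, int n_send)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -2;
    int *fds = calloc(n_send, sizeof(int));
    int *out = calloc(max_fds, sizeof(int));
    for (int i = 0; i < n_send; i++)
        fds[i] = dup(sv[0]);            /* any fd will do; the socket itself is handy */
    int rc = send_fds(sv[0], fds, n_send) < 0 ? -2
                                               : recv_fds_checked(sv[1], max_fds, out);
    for (int i = 0; i < n_send; i++)
        close(fds[i]);                  /* sender's copies */
    for (int i = 0; i < rc; i++)
        close(out[i]);                  /* receiver's copies, if accepted */
    free(fds);
    free(out);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    printf("odd limit 3 leaves a padding slot: %s\n",
           fd_limit_leaves_padding(3) ? "yes" : "no");
    printf("limit 3, 3 fds sent  -> %d\n", roundtrip(3, 3));
    printf("limit 3, 4 fds sent  -> %d\n", roundtrip(3, 4));
    printf("limit 4, 4 fds sent  -> %d\n", roundtrip(4, 4));
    printf("limit 4, 5 fds sent  -> %d\n", roundtrip(4, 5));
    return 0;
}
```

On a 64-bit Linux host the "limit 3, 4 fds" case is the interesting one: the control buffer `CMSG_SPACE(12)` is 32 bytes, exactly `CMSG_LEN(16)`, so the kernel delivers all four descriptors with no truncation flag, and only the explicit count comparison stands between the receiver and a 4-byte heap overrun. With an even limit the padding slot does not exist and an oversized message shows up as `MSG_CTRUNC` instead, which the receiver should treat the same way.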
Comment 1 Samuli Suominen gentoo-dev 2014-09-17 06:10:38 UTC
Please test and stabilize:

=sys-apps/dbus-1.8.8 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Jeroen Roovers gentoo-dev 2014-09-17 09:50:17 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2014-09-17 12:08:35 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-09-17 12:08:49 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-09-19 10:35:08 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-09-19 10:36:51 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-09-20 11:05:51 UTC
alpha stable
Comment 8 Markus Meier gentoo-dev 2014-09-21 20:18:18 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-09-27 10:39:10 UTC
ia64 stable
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-10-05 13:13:37 UTC
CVE-2014-3639 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3639):
  The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not
  properly close old connections, which allows local users to cause a denial
  of service (incomplete connection consumption and prevention of new
  connections) via a large number of incomplete connections.

CVE-2014-3638 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3638):
  The bus_connections_check_reply function in config-parser.c in D-Bus before
  1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of
  service (CPU consumption) via a large number of method calls.

CVE-2014-3637 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3637):
  D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not
  properly close connections for processes that have terminated, which allows
  local users to cause a denial of service via a D-bus message containing a
  D-Bus connection file descriptor.

CVE-2014-3635 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3635):
  Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before
  1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is
  set to an odd number, allows remote attackers to cause a denial of service
  (dbus-daemon crash) or possibly execute arbitrary code by sending one more
  file descriptor than the limit, which triggers a heap-based buffer overflow
  or an assertion failure.
Comment 11 Agostino Sarubbo gentoo-dev 2014-10-05 15:07:17 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-12-13 14:21:23 UTC
Added to existing glsa draft.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 15:14:43 UTC
This issue was resolved and addressed in
 GLSA 201412-12 at http://security.gentoo.org/glsa/glsa-201412-12.xml
by GLSA coordinator Mikle Kolyada (Zlogene).