Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 528900 (CVE-2014-7824)

Summary: <sys-apps/dbus-1.8.10: denial of service via incomplete fix for CVE-2014-3636 (CVE-2014-7824)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: freedesktop-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-11-11 09:14:35 UTC
From ${URL} :

CVE: CVE-2014-7824
Tracked as:
Impact: local denial of service
Access required: local
Versions believed to be vulnerable: dbus >= 1.3.0
Fixed in: dbus 1.6.x >= 1.6.26, 1.8.x >= 1.8.10, all versions >= 1.9.2
Credit: discovered by Simon McVittie at Collabora Ltd.

D-Bus <> is an
asynchronous inter-process communication system, commonly used
for system services or within a desktop session on Linux and other
operating systems.

The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on
incorrect reasoning, and does not fully prevent the attack described as
"CVE-2014-3636 part A", which is repeated below. Preventing that attack
requires raising the system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a
higher value. CVE-2014-7824 has been allocated for this vulnerability.

To avoid propagating that higher limit to activatable system services,
it is desirable to start the system dbus-daemon as root so it can store
its previous limit, raise its limit, drop root privileges (which its
default configuration will do automatically), and restore the previous
limit before launching activatable services. Some operating system
distributions, such as anything using the upstream-supplied systemd
units, start the system dbus-daemon as root already; others, such as
Debian 7, currently start the system dbus-daemon under its less
privileged uid and will need minor modifications to their init scripts.

This is fixed in dbus 1.6.26, 1.8.10 and 1.9.2, released today. The
patch used in 1.8.x and 1.9.x is attached; it applies to 1.6.x with
trivial adjustments. Older versions are no longer security-supported by
the D-Bus maintainers, but any distributions needing those versions are
invited to share backported security fixes in the appropriate upstream
branches (dbus-1.4, etc.).

Attack details (repeating CVE-2014-3636 part A):

By queuing up the maximum allowed number of fds, a malicious sender
could reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n, typically
1024 on Linux). This would act as a denial of service in two ways:

* new clients would be unable to connect to the dbus-daemon
* when receiving a subsequent message from a non-malicious client that
  contained a fd, dbus-daemon would receive the MSG_CTRUNC flag,
  indicating that the list of fds was truncated; kernel fd-passing APIs
  do not provide any way to recover from that, so dbus-daemon responds
  to MSG_CTRUNC by disconnecting the sender, causing denial of service
  to that sender

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2014-11-11 23:38:47 UTC
1.8.10 in tree with as only change over 1.8.8, looks like the commit we want for this bug

please test and stabilize:

Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-11-12 09:12:36 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2014-11-13 09:51:47 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-11-13 09:52:30 UTC
x86 stable
Comment 5 Markus Meier gentoo-dev 2014-11-14 21:29:41 UTC
arm stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2014-11-20 14:28:33 UTC
Stable on alpha.
Comment 7 Agostino Sarubbo gentoo-dev 2014-11-20 15:48:25 UTC
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-11-29 13:29:36 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-12-01 09:18:09 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-12-03 09:58:23 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-12-13 14:20:11 UTC
Added to existing glsa draft.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 15:14:51 UTC
This issue was resolved and addressed in
 GLSA 201412-12 at
by GLSA coordinator Mikle Kolyada (Zlogene).
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2015-01-11 00:45:37 UTC
CVE-2014-7824 (
  D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x
  before 1.9.2 allows local users to cause a denial of service (prevention of
  new connections and connection drop) by queuing the maximum number of file
  descriptors.  NOTE: this vulnerability exists because of an incomplete fix
  for CVE-2014-3636.1.