
Bug 596772

Summary: <sys-apps/dbus-1.10.12: format string vulnerability
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: freedesktop-bugs
Priority: Normal
Flags: kensington: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2016/10/10/9
Whiteboard: A2 [glsa]
Package list:
=sys-apps/dbus-1.10.12
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-10-10 13:20:36 UTC
From ${URL} :

Bug tracked as: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Versions affected: dbus >= 1.4.0
Mitigated in: dbus >= 1.9.10, 1.8.x >= 1.8.16, 1.6.x >= 1.6.30
Fixed in: dbus >= 1.11.6, 1.10.x >= 1.10.12, 1.8.x >= 1.8.22
Exploitable by: local users
Impact: unknown, possibly arbitrary code execution
Reporter: Simon McVittie, Collabora Ltd.

D-Bus <http://www.freedesktop.org/wiki/Software/dbus/> is an
asynchronous inter-process communication system, commonly used
for system services or within a desktop session on Linux and other
operating systems.

A format string vulnerability in the reference bus implementation,
dbus-daemon, could potentially allow local users to cause arbitrary
code execution or denial of service.

In versions of dbus-daemon that are also vulnerable to CVE-2015-0245,
this format string vulnerability is available to all local users.
These versions should be patched or updated immediately.

In versions of dbus-daemon where CVE-2015-0245 was already fixed, this
is not believed to be exploitable in practice, because the relevant
message is ignored unless it comes from the owner of the bus name
org.freedesktop.systemd1. On the system bus, this bus name is only
allowed to be owned by uid 0; it is intended to be owned by systemd,
and no mechanism is currently known by which an attacker who does not
already have root privileges could induce systemd to send messages
that would trigger the format string vulnerability.

Patching or updating dbus-daemon is strongly recommended. A minimal
patch is attached to this advisory.

Please reference fd.o #98157 or
<https://bugs.freedesktop.org/show_bug.cgi?id=98157> in any notices
that refer to this vulnerability.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
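
The version ranges in the advisory above can be turned into a triage check for installed dbus versions. This is an added example, not part of the bug report or the dbus project; the function names and the labels "exposed", "mitigated" and "fixed" are assumptions made for illustration.

```python
import re

FIRST_AFFECTED = (1, 4, 0)
# (branch, minimum): branch None means "any release at or above minimum";
# otherwise the rule applies only inside that major.minor series.
FIXED = [(None, (1, 11, 6)), ((1, 10), (1, 10, 12)), ((1, 8), (1, 8, 22))]
MITIGATED = [(None, (1, 9, 10)), ((1, 8), (1, 8, 16)), ((1, 6), (1, 6, 30))]


def parse_version(text):
    """Parse '1.10.12' or a Gentoo-style '1.10.12-r1' into (1, 10, 12)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised dbus version: {text!r}")
    # Compare as integers: as strings, "1.10.12" would sort before "1.9.10".
    return tuple(int(part) for part in m.groups())


def _matches(version, rules):
    for branch, minimum in rules:
        in_scope = branch is None or version[:2] == branch
        if in_scope and version >= minimum:
            return True
    return False


def classify(text):
    """Return 'not-affected', 'fixed', 'mitigated' or 'exposed'."""
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return "not-affected"
    if _matches(version, FIXED):
        return "fixed"
    if _matches(version, MITIGATED):
        # CVE-2015-0245 fix present: the message is ignored unless it comes
        # from the owner of org.freedesktop.systemd1.
        return "mitigated"
    # Format string reachable by all local users, per the advisory.
    return "exposed"


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real inventory.
    for sample in ["1.2.24", "1.6.28", "1.8.14", "1.8.20", "1.9.8",
                   "1.10.10", "1.10.12-r1", "1.11.4", "1.11.6"]:
        print(f"{sample:12} {classify(sample)}")
```

Hosts reported as "exposed" match the advisory's "patched or updated immediately" case; "mitigated" hosts still need the update the advisory recommends.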
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-10-11 05:09:23 UTC
commit f88bce681f1945fed09ba3bee25f0dd7e7596e63
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Oct 11 07:00:57 2016

    sys-apps/dbus: Security bump to versions 1.8.22 and 1.10.12 (bug #596772).

    Package-Manager: portage-2.3.1
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-10-14 08:36:12 UTC
Arches please test and mark stable =sys-apps/dbus-1.10.12 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x86-solaris
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-10-15 04:54:16 UTC
Stable for HPPA PPC64.
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2016-10-16 11:17:34 UTC
Stable on alpha.
Comment 5 Agostino Sarubbo gentoo-dev 2016-10-19 10:27:16 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-10-19 10:28:38 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2016-10-24 18:09:34 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-19 14:37:55 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-19 15:14:47 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-20 09:47:43 UTC
ppc stable.

Maintainer(s), please cleanup.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-08 23:46:29 UTC
New GLSA request filed.

Cleanup PR: https://github.com/gentoo/gentoo/pull/3396
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:09:51 UTC
This issue was resolved and addressed in
 GLSA 201701-20 at https://security.gentoo.org/glsa/201701-20
by GLSA coordinator Aaron Bauman (b-man).
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-01-11 12:17:57 UTC
reopening for cleanup