
Bug 687900 (CVE-2019-12749)

Summary: <sys-apps/dbus-1.12.16: authentication bypass through manipulated symlinks (CVE-2019-12749)
Product: Gentoo Security
Reporter: Lars Wendler (Polynomial-C) (RETIRED) <polynomial-c>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: freedesktop-bugs
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A1 [glsa+ cve]
Package list: sys-apps/dbus-1.12.16
Runtime testing required: ---

Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-06-12 07:28:33 UTC
dbus 1.12.16 (2019-06-11)
=========================

The “tree cat” release.

Security fixes:

• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
  authentication for identities that differ from the user running the
  DBusServer. Previously, a local attacker could manipulate symbolic
  links in their own home directory to bypass authentication and connect
  to a DBusServer with elevated privileges. The standard system and
  session dbus-daemons in their default configuration were immune to this
  attack because they did not allow DBUS_COOKIE_SHA1, but third-party
  users of DBusServer such as Upstart could be vulnerable.
  Thanks to Joe Vennix of Apple Information Security.
  (dbus#269, Simon McVittie)
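An added illustration, not code from this bug or from dbus itself, of the server-side rule the 1.12.16 notes describe: a DBusServer refuses DBUS_COOKIE_SHA1 for any identity other than its own uid before it consults a keyring, and treats the keyring directory as untrusted. The lstat/owner/mode checks on the directory are an assumed hardening rather than text quoted from the advisory; the "server:client:cookie" SHA-1 proof follows the D-Bus authentication protocol, and all uids, cookies and challenges are constructed values.

```python
import hashlib
import os
import secrets
import stat
import tempfile


def cookie_sha1_allowed(claimed_uid: int, server_uid: int) -> bool:
    """The 1.12.16 rule: attempt DBUS_COOKIE_SHA1 only for the user running
    the DBusServer. The keyring is looked up under the *claimed* identity's
    home, so honouring another uid lets that user steer the lookup."""
    return claimed_uid == server_uid


def keyring_dir_is_safe(path: str, owner_uid: int) -> bool:
    """Assumed hardening: lstat (a symlink is reported as a symlink, not as
    the directory it points to), require a real directory owned by owner_uid
    with no group/other permission bits."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return (stat.S_ISDIR(st.st_mode) and st.st_uid == owner_uid
            and (st.st_mode & 0o077) == 0)


def expected_response(server_challenge: str, client_challenge: str, cookie: str) -> str:
    # Client proof: hex SHA-1 over "server_challenge:client_challenge:cookie".
    data = f"{server_challenge}:{client_challenge}:{cookie}".encode()
    return hashlib.sha1(data).hexdigest()


def verify_cookie_sha1(claimed_uid: int, server_uid: int, cookie: str,
                       server_challenge: str, client_response: str) -> bool:
    """Server-side check of the client's "client_challenge digest" reply."""
    if not cookie_sha1_allowed(claimed_uid, server_uid):
        return False  # refuse before touching any keyring on disk
    client_challenge, _, digest = client_response.partition(" ")
    want = expected_response(server_challenge, client_challenge, cookie)
    return secrets.compare_digest(digest, want)


def demo_keyring_check() -> tuple:
    """Constructed scenario: a proper 0700 keyring dir vs. a symlink to it."""
    with tempfile.TemporaryDirectory() as base:
        real = os.path.join(base, "real-keyrings")
        os.mkdir(real)
        os.chmod(real, 0o700)  # independent of the process umask
        link = os.path.join(base, ".dbus-keyrings")
        os.symlink(real, link)
        me = os.getuid()
        return keyring_dir_is_safe(real, me), keyring_dir_is_safe(link, me)
```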
Comment 1 Larry the Git Cow gentoo-dev 2019-06-12 07:30:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f9ebc0d9df37658801b5f733f6865d7d49cebab

commit 3f9ebc0d9df37658801b5f733f6865d7d49cebab
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-06-12 07:29:39 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-06-12 07:30:13 +0000

    sys-apps/dbus: Security bump to version 1.12.16
    
    Bug: https://bugs.gentoo.org/687900
    Package-Manager: Portage-2.3.67, Repoman-2.3.14
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/dbus/Manifest            |   1 +
 sys-apps/dbus/dbus-1.12.16.ebuild | 286 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 287 insertions(+)
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-06-21 08:58:08 UTC
Arches, please stabilize...
Comment 3 Rolf Eike Beer archtester 2019-06-23 10:31:20 UTC
sparc stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-06-23 12:11:45 UTC
amd64 stable
Comment 5 Rolf Eike Beer archtester 2019-06-23 20:01:37 UTC
hppa stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-06-26 06:50:54 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-06-26 10:28:40 UTC
s390 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-06-27 07:37:29 UTC
ia64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-06-27 07:39:10 UTC
ppc stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-06-27 07:40:44 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-06-27 09:20:42 UTC
alpha stable
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2019-07-22 02:19:07 UTC
arm64 stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-07-28 10:48:02 UTC
sh stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-07-28 10:51:59 UTC
arm stable
Comment 15 Larry the Git Cow gentoo-dev 2019-07-28 11:24:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=833afb297c0c28a7c8110ceb1c8d380e46700661

commit 833afb297c0c28a7c8110ceb1c8d380e46700661
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-07-28 11:22:37 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-07-28 11:23:32 +0000

    sys-apps/dbus: Security cleanup
    
    Bug: https://bugs.gentoo.org/687900
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sys-apps/dbus/Manifest               |   2 -
 sys-apps/dbus/dbus-1.12.12-r1.ebuild | 281 ----------------------------------
 sys-apps/dbus/dbus-1.12.12-r2.ebuild | 287 -----------------------------------
 sys-apps/dbus/dbus-1.12.14.ebuild    | 286 ----------------------------------
 4 files changed, 856 deletions(-)
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2019-09-08 17:47:31 UTC
This issue was resolved and addressed in
 GLSA 201909-08 at https://security.gentoo.org/glsa/201909-08
by GLSA coordinator Thomas Deutschmann (whissi).