Bug 436028 (CVE-2012-3524) - <sys-apps/dbus-1.6.8,<dev-libs/glib-2.32.4-r1: Local privilege escalation and arbitrary code execution via DBUS_SYSTEM_BUS_ADDRESS (CVE-2012-3524)
Alias: CVE-2012-3524
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
Whiteboard: A1 [glsa]
Depends on: 416725 427544
Reported: 2012-09-23 20:23 UTC by GLSAMaker/CVETool Bot
Modified: 2014-06-01 14:29 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2012-09-23 20:23:13 UTC
CVE-2012-3524:
  libdbus 1.5.x and earlier, when used in setuid or other privileged programs
  in and possibly other products, allows local users to gain privileges
  and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment
  variable.  NOTE: libdbus maintainers state that this is a vulnerability in
  the applications that do not cleanse environment variables, not in libdbus
  itself: "we do not support use of libdbus in setuid binaries that do not
  sanitize their environment before their first call into libdbus."
Comment 1 Agostino Sarubbo gentoo-dev 2012-09-23 22:56:00 UTC
Who sets the whiteboard as [ebuild]? What is for you the fixed version?

Upstream has not yet fixed this issue.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 06:46:48 UTC
dbus-1.6.4 has the patch for this CVE and is for stabilization (as in, -r0 is for stabilization)

dbus-1.6.4-r1 has the patch for this CVE but is for ~arch because of its systemd dependency (repoman issues)

furthermore if you dig up the Fedora bug for this issue, they disagree it's even a dbus bug and a problem with apps like 'spice'

anyway, nothing for freedesktop-bugs@ to do here, happy hunting security@ for those buggy setuid apps down (like spice)
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 06:47:45 UTC
I'm dropping the patch from next dbus version since it will never land upstream, so you have until then to deal with the buggy apps (like spice :-)
Comment 4 Agostino Sarubbo gentoo-dev 2012-09-24 10:53:27 UTC
I would just point out that upstream has rejected that patch.
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 11:06:16 UTC
(In reply to comment #4)
> I would just point out that upstream has rejected that patch.

that's why I said in Comment #3 this is only temporary until the setuid reverse dependencies have been fixed...
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2012-09-29 16:32:52 UTC
1.6.8 in Portage with...

The other part of the fix is in dev-libs/glib-2.34.0 here:

CCing gnome@ for above ^^ to get it backported into 2.32 series and for stabilization.
Comment 7 Pacho Ramos gentoo-dev 2012-09-29 16:54:51 UTC
This is the patch for glib-2.32... but I don't have time to apply and commit it, Samuli, if you have time now for that feel free to commit:
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2012-09-29 17:19:35 UTC
Patch imported to =dev-libs/glib-2.32.4-r1.

Please test and stabilize:

=dev-util/gdbus-codegen-2.32.4 (from bug
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2012-09-29 17:21:59 UTC
(In reply to comment #8)
> Patch imported to =dev-libs/glib-2.32.4-r1.
> Please test and stabilize:
> =sys-apps/dbus-1.6.8
> =dev-libs/glib-2.32.4-r1
=dev-util/gdbus-codegen-2.32.4 (from bug 427544)
and new dbus-glib and dbus-python from bug 416725
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2012-10-02 15:41:08 UTC
Stable for HPPA.
Comment 11 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-10-04 08:27:50 UTC
x86 stable (systemd code rolled to -r1)
Comment 12 Agostino Sarubbo gentoo-dev 2012-10-04 19:30:05 UTC
amd64 stable
Comment 13 John J. Aylward 2012-10-06 06:46:36 UTC
Is there a reason that the 1.6.8 ebuild has systemd support missing while 1.6.2 and 1.6.8-r1 have the use flag set up for it?

I'd rather not have to unmask the -r1 just for systemd support on amd64 since 1.6.2 was already stable with it.
Comment 14 Markus Meier gentoo-dev 2012-10-06 10:49:57 UTC
arm stable
Comment 15 Anthony Basile gentoo-dev 2012-10-14 05:12:42 UTC
stable ppc ppc64
Comment 16 Matt Turner gentoo-dev 2012-10-14 05:37:17 UTC
alpha stable
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2012-10-14 14:56:49 UTC
ia64/m68k/s390/sh/sparc stable
Comment 18 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-14 18:04:15 UTC
Thanks, everyone.

Filing a new GLSA request.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2014-06-01 14:29:50 UTC
This issue was resolved and addressed in
 GLSA 201406-01 at
by GLSA coordinator Chris Reffett (creffett).