CVE-2013-0292: authentication bypass due to insufficient checks in dbus-glib < 0.100.1

Debian Bug report logs - #700638
CVE-2013-0292: authentication bypass due to insufficient checks in dbus-glib < 0.100.1

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2013-0292: authentication bypass due to insufficient checks in dbus-glib < 0.100.1

Date: Fri, 15 Feb 2013 17:44:49 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: libdbus-glib-1-2
Version: 0.100-1
Severity: critical
Tags: upstream patch security
Justification: root security hole
Control: fixed -1 0.100.1-1

Sebastian Krahmer discovered and published an authentication bypass
vulnerability in pam_fprintd, caused by a bug in dbus-glib. It is
possible that other users of dbus-glib can be exploited in the same
way. CVE-2013-0292 has been allocated for this vulnerability.

I've just released 0.100.1 upstream and uploaded it to unstable: fixing
this was the only change.

pam_fprintd is not present in stable or oldstable, but I'll check whether
this bug was present in those versions of dbus-glib, in case there are other
exploitation vectors.

    S

- -- System Information:
Debian Release: 7.0
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libdbus-glib-1-2 depends on:
ii  libc6              2.13-38
ii  libdbus-1-3        1.6.8-1
ii  libglib2.0-0       2.33.12+really2.32.4-5
ii  multiarch-support  2.13-38

libdbus-glib-1-2 recommends no packages.

libdbus-glib-1-2 suggests no packages.

- -- no debconf information
-----BEGIN PGP SIGNATURE-----

iQIVAwUBUR50CE3o/ypjx8yQAQid6BAAiiRVd0KBlMPSqXVoGukxVsBfotAtU4jt
Bfl/3Uvz93lxCniRDY64G3yc1PzEAVjLDPEOZMEENBbcP4lahFIuGJ3n0DwP1Kem
cdx5DyW2fgZn81sw3bZCS8fsyqZFRH5xzg2xTgEOENtfklSQRNCiFeown7mJiFpN
BMqlaLfMJj0Scu6lOsR/b4ApeYAZglbGYFfwTzEuXeXyn/wWP4k9mUq1zJwqUyYw
v0WH8tMrG/HxsS3cz9c/TBCPqoyiKkaW3dkidOQSWletzpD2T+tWo+/Zkek+xqwS
6//UCIyj3vrCHUaRbmq2yr/COkHY2gGTibqcz2kRk6HlZUamqey9FCbVHuHpCDAp
uFukgxVxAmvAHpVoqb0WDxVMpu0pGbn5x8n4C70ZNBpe923QP0bTDYuDMysTECQY
TmLa3TGpwdJbpDOLtlO2EcnTHyeuuJNfQ+6BxqNBz5v+hDOVswp48Ogs/ybjTGXQ
sABQW1/obIVRnOhtQxW3Pe8I6zJc/1rN7f/4VUVobxSrjWAq6V3huvFvdRH+Kydf
uRIa9TC34qACaN4kWVzfGcLuFrbabOziqFmjTx1thudSB00A5aaA5XH0ZV9m3+dm
3iluTSf7cmOSJRV7SGYyhzff9ro/Omv6l5HjH6zjhi8azNY0V4oJ8z5Cl6V92JNu
G3pb4/1IVW4=
=UmVJ
-----END PGP SIGNATURE-----

Message #12 received at 700638@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>

To: security@debian.org, 700638@bugs.debian.org

Subject: Re: Bug#700638: CVE-2013-0292: authentication bypass due to insufficient checks in dbus-glib < 0.100.1

Date: Fri, 15 Feb 2013 18:25:39 +0000

[Message part 1 (text/plain, inline)]

found 700638 0.88-2.1
thanks

On 15/02/13 17:44, Simon McVittie wrote:
> pam_fprintd is not present in stable or oldstable, but I'll check whether
> this bug was present in those versions of dbus-glib, in case there are other
> exploitation vectors.

I can confirm that this bug is present in the version of dbus-glib in
squeeze, and that cherry-picking upstream commit 166978a09cf fixes it.

In the packaging used in squeeze, this should be as simple as the
attached debdiff (built but (so far) untested, I'll test it on a squeeze
machine this evening).

Security team: what do you want me to do about this? Should I upload
0.88-2.1+squeeze1 to security-master, or go through the SPU process, or
do you want to handle it?

Thanks,
    S

[dbus-glib_0.88-2.1+squeeze1.diff (text/x-patch, attachment)]

Message #21 received at 700638@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>

To: 700638@bugs.debian.org

Cc: security@debian.org

Subject: Re: Bug#700638: CVE-2013-0292: authentication bypass due to insufficient checks in dbus-glib < 0.100.1

Date: Mon, 18 Feb 2013 09:53:53 +0000

On 15/02/13 17:44, I wrote:
> Severity: critical
> Justification: root security hole
>
> Sebastian Krahmer discovered and published an authentication bypass
> vulnerability in pam_fprintd, caused by a bug in dbus-glib. It is
> possible that other users of dbus-glib can be exploited in the same
> way. CVE-2013-0292 has been allocated for this vulnerability.

On 15/02/13 18:25, Simon McVittie wrote:
> I can confirm that this bug is present in the version of dbus-glib in
> squeeze, and that cherry-picking upstream commit 166978a09cf fixes it.

The debdiff I previously attached works fine on a squeeze machine. If
the distribution 'stable' in debian/changelog is OK, I can upload it at
any time; if not (e.g. if you need 'stable-security' there), there will
be a short delay while I rebuild and re-test.

> Security team: what do you want me to do about this? Should I upload
> 0.88-2.1+squeeze1 to security-master, or go through the SPU process, or
> do you want to handle it?

This question still stands.

Thanks,
    S

Message #26 received at 700638@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Simon McVittie <smcv@debian.org>

Cc: 700638@bugs.debian.org, security@debian.org

Subject: Re: Bug#700638: CVE-2013-0292: authentication bypass due to insufficient checks in dbus-glib < 0.100.1

Date: Mon, 18 Feb 2013 16:20:24 +0100

On Mon, Feb 18, 2013 at 09:53:53AM +0000, Simon McVittie wrote:
> On 15/02/13 17:44, I wrote:
> > Severity: critical
> > Justification: root security hole
> >
> > Sebastian Krahmer discovered and published an authentication bypass
> > vulnerability in pam_fprintd, caused by a bug in dbus-glib. It is
> > possible that other users of dbus-glib can be exploited in the same
> > way. CVE-2013-0292 has been allocated for this vulnerability.
> 
> On 15/02/13 18:25, Simon McVittie wrote:
> > I can confirm that this bug is present in the version of dbus-glib in
> > squeeze, and that cherry-picking upstream commit 166978a09cf fixes it.
> 
> The debdiff I previously attached works fine on a squeeze machine. If
> the distribution 'stable' in debian/changelog is OK, I can upload it at
> any time; if not (e.g. if you need 'stable-security' there), there will
> be a short delay while I rebuild and re-test.

Please upload this to stable, since the 6.0.7 point release is scheduled
for next week.

Cheers,
        Moritz

Message #31 received at 700638-close@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>

To: 700638-close@bugs.debian.org

Subject: Bug#700638: fixed in dbus-glib 0.88-2.1+squeeze1

Date: Mon, 18 Feb 2013 17:47:05 +0000

Source: dbus-glib
Source-Version: 0.88-2.1+squeeze1

We believe that the bug you reported is fixed in the latest version of
dbus-glib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700638@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated dbus-glib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 15 Feb 2013 17:58:34 +0000
Source: dbus-glib
Binary: libdbus-glib-1-dev libdbus-glib-1-2 libdbus-glib-1-doc libdbus-glib-1-2-dbg
Architecture: source all amd64
Version: 0.88-2.1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 libdbus-glib-1-2 - simple interprocess messaging system (GLib-based shared library)
 libdbus-glib-1-2-dbg - simple interprocess messaging system (GLib library debug symbols)
 libdbus-glib-1-dev - simple interprocess messaging system (GLib interface)
 libdbus-glib-1-doc - simple interprocess messaging system (GLib library documentation)
Closes: 700638
Changes: 
 dbus-glib (0.88-2.1+squeeze1) stable; urgency=low
 .
   * Apply patch from upstream 0.100.1 to fix insufficient checking
     leading to authentication bypass in pam_fprintd (CVE-2013-0292)
     (Closes: #700638)
Checksums-Sha1: 
 4066be1400dc0d9eed0ca853206850fad495f3e1 2171 dbus-glib_0.88-2.1+squeeze1.dsc
 d13366afbdb130a8e515ed1af515d86a4be6dca2 19577 dbus-glib_0.88-2.1+squeeze1.diff.gz
 c3b9543727e6c278f134aae67890fe2051a4fa5f 149698 libdbus-glib-1-doc_0.88-2.1+squeeze1_all.deb
 99d5c1b9f04b79e3561a8c5dac309f6415a9b7ab 225884 libdbus-glib-1-dev_0.88-2.1+squeeze1_amd64.deb
 b80b4e94d00a45c8eb6cf35b023ec4c5ca84f951 172742 libdbus-glib-1-2_0.88-2.1+squeeze1_amd64.deb
 d3be6f5d48aec206db93cf7400191d2a61200424 277114 libdbus-glib-1-2-dbg_0.88-2.1+squeeze1_amd64.deb
Checksums-Sha256: 
 06b96c903563ad13183779a21d247939a1f2957c22d87f18c381ed9bfc18c84b 2171 dbus-glib_0.88-2.1+squeeze1.dsc
 7a678a82c2021ecec5e5c6b336a369cff41484b49ef26b0bb8c5df3414345119 19577 dbus-glib_0.88-2.1+squeeze1.diff.gz
 e4ff3a05deead6bfd2045e4c60491208d635e268f8d4fde1d99faabd8a53353c 149698 libdbus-glib-1-doc_0.88-2.1+squeeze1_all.deb
 548e8974126ed894cdc5ef1e7a4b719e7e45fda5511301f5b851e9359567c8ec 225884 libdbus-glib-1-dev_0.88-2.1+squeeze1_amd64.deb
 07d7ab68a257b382b426b82f35da312de858f09154499eacc3f2a6022ebe850e 172742 libdbus-glib-1-2_0.88-2.1+squeeze1_amd64.deb
 c40c9d3019b933160f9ac973b6467ed9635acf9f270b0de494567e3a83f1121c 277114 libdbus-glib-1-2-dbg_0.88-2.1+squeeze1_amd64.deb
Files: 
 bd836fb9d50c92425cf201975c9a1f25 2171 devel optional dbus-glib_0.88-2.1+squeeze1.dsc
 0df12e84015e72bbe74cbcf26b123bfe 19577 devel optional dbus-glib_0.88-2.1+squeeze1.diff.gz
 441e1803e5a48b0ff833a9aee534c17a 149698 doc optional libdbus-glib-1-doc_0.88-2.1+squeeze1_all.deb
 f8c456b66ffc252af7f3b8534baa5911 225884 libdevel optional libdbus-glib-1-dev_0.88-2.1+squeeze1_amd64.deb
 ec810b7bcbcf7e9000b32aac87073c12 172742 libs optional libdbus-glib-1-2_0.88-2.1+squeeze1_amd64.deb
 42ed6b4f02e9581eda93b9459f061e59 277114 debug extra libdbus-glib-1-2-dbg_0.88-2.1+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIVAwUBUSJQZU3o/ypjx8yQAQh7KA/+LoSGXaqKPE/gFj/ipKb3Py6YgTCw5FWx
C+jBiGrxdhbRAyO+34VNttbwTzYYlm59ldDDZt3DoXValKttXu6r8snEfodltLxw
C22utI27ZvnHkEPfZ3BNTlHafiahmQif56mYBSVqThd8SzEHfiZQzDLh82Vzx+3i
sGq9Y7t5I9xCQ1u6RsSHYatDCDLs86IKlDQj5rt8doGbdBo3qSNW7ZpIvNy6VJBX
ZjyHyWZvYxwRIz5TItoPv+JIEmPY1e1BXI2LKoT42qJLqGWTl0QVovUwWuh4i0VK
9BT4DLwuaw9yoJRmvpd1yFJ14JhPDP/dLPfbUrQTX6p9p0LcY7w+QjMz0h9mjdAX
8QZ3tvY3mFe27v35fQKouiolZZvE2DN1bNu/0VRlwyywqCz0y092wNQjFUsfKEmq
7CJF9qA4zEKGJEqLg4UKH/GRCxmkZ6OOxw/QrVt8U+r7Zwd0gNYCcQwkTggXYdIz
RNnTflnKEYPN4AjRyCLNgFpN+FYEX9ly6RT6Y/r2eMq9FOylhckzmHG/Lntgau7/
o1QeG+jraPNvH2Ne6TZumbGHyYkSZ5by8LVYH6/tXudWOIqN/H5o7khu2w8gqeRU
3frZpMDypbonl5Lg00sVkakHMJi4evXLUDVpTVCv4WnGxHiuNPE8mJe+0Ocl+LWR
C20hKMAza58=
=Wcu0
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.