dbus: CVE-2023-34969: denial of service when a monitor is active and a message from the driver cannot be delivered

Related Vulnerabilities: CVE-2023-34969  

Debian Bug report logs - #1037151


Reported by: Simon McVittie <smcv@debian.org>

Date: Tue, 6 Jun 2023 13:39:02 UTC

Severity: important

Tags: security

Found in versions dbus/1.12.20-0+deb10u1, dbus/1.12.24-0+deb11u1, dbus/1.15.4-1, dbus/1.14.6-1

Fixed in version dbus/1.15.6-1

Done: Simon McVittie <smcv@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#1037151; Package dbus. (Tue, 06 Jun 2023 13:39:04 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 06 Jun 2023 13:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dbus: denial of service when a monitor is active and a message from the driver cannot be delivered
Date: Tue, 6 Jun 2023 14:36:01 +0100
Package: dbus
Version: 1.15.4-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Control: found -1 1.14.6-1
Control: found -1 1.12.24-0+deb11u1

If a privileged user with control over the dbus-daemon is using the
org.freedesktop.DBus.Monitoring interface to monitor message bus
traffic, then an unprivileged user with the ability to connect to the
same dbus-daemon can cause a dbus-daemon crash under some circumstances.

When done on the well-known system bus, this is a denial-of-service
vulnerability. Unfortunately, the upstream bug reporter already made
this public information. I'm in the process of releasing dbus 1.15.6,
1.14.8 and 1.12.28 to resolve this; I've also asked MITRE for a CVE ID,
but I have not received one yet.

Mitigation: This can only be done if a monitoring process such
as dbus-monitor or busctl monitor is active on the same dbus-daemon
instance, which is a privileged operation that can only be done by root
or the Unix uid of the message bus. If no monitoring process is active,
then the vulnerable code is not reached.

My guess is that the security team will not want to release DSAs for this
local denial of service, and it's more appropriate to fix in bookworm
and bullseye via their next point releases. Is that assumption correct?

Thanks,
    smcv
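A defender-side triage helper for the two preconditions the report names (a monitor attached to the bus, and a dbus build that predates the upstream releases carrying the fix). This is an added example, not code from the bug report or the dbus project; it takes the fixed upstream versions 1.12.28, 1.14.8 and 1.15.6 from the report, treats any other branch as unknown, and assumes `dpkg-query`, `ps` and GNU `sort -V` are available (the file name check.sh is hypothetical).

```shell
#!/bin/sh
# Added triage helper for CVE-2023-34969 (not from the report or dbus): checks
# the two preconditions the report names, an attached monitor and a dbus
# version predating the upstream releases that carry the fix.

# First upstream release with the fix on each branch, per the report.
fixed_for_branch() {
    case "$1" in
        1.12) echo 1.12.28 ;;
        1.14) echo 1.14.8 ;;
        1.15) echo 1.15.6 ;;
        *)    echo "" ;;     # branch not covered by the report
    esac
}

# Upstream part of a Debian version: "1:1.12.24-0+deb11u1" -> "1.12.24".
upstream_version() {
    v="${1#*:}"               # drop epoch
    printf '%s\n' "${v%%-*}"  # drop Debian revision
}

# 0 if the version predates the fix on its branch, 1 if not, 2 if the branch
# is unknown. Caveat: a distro may backport the fix without bumping the
# upstream version, so 0 means "check the changelog". Needs GNU sort -V.
version_predates_fix() {
    up="$(upstream_version "$1")"
    branch="$(printf '%s' "$up" | cut -d. -f1,2)"
    fixed="$(fixed_for_branch "$branch")"
    [ -n "$fixed" ] || return 2
    lowest="$(printf '%s\n%s\n' "$up" "$fixed" | sort -V | head -n 1)"
    if [ "$lowest" = "$up" ] && [ "$up" != "$fixed" ]; then return 0; fi
    return 1
}

# 0 if a process listing (one command line per line) shows one of the
# monitoring tools named in the changelog entry for this bug.
monitor_in_listing() {
    printf '%s\n' "$1" |
        grep -Eq '(^|[ /])(dbus-monitor|busctl +monitor|gdbus +monitor)( |$)'
}
# Live check on a Debian host: sh check.sh --run
report() {
    ver="$(dpkg-query -W -f='${Version}' dbus 2>/dev/null || echo unknown)"
    monitor_in_listing "$(ps -eo args= 2>/dev/null || true)" \
        && echo "bus monitor active: vulnerable path reachable" || echo "no bus monitor active"
    version_predates_fix "$ver" \
        && echo "dbus $ver predates the fix on its branch" || echo "dbus $ver: fixed or branch unknown"
}
case "${1:-}" in --run) report ;; esac
```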



Marked as found in versions dbus/1.14.6-1. Request was from Simon McVittie <smcv@debian.org> to submit@bugs.debian.org. (Tue, 06 Jun 2023 13:39:04 GMT)


Marked as found in versions dbus/1.12.24-0+deb11u1. Request was from Simon McVittie <smcv@debian.org> to submit@bugs.debian.org. (Tue, 06 Jun 2023 13:39:05 GMT)


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 06 Jun 2023 17:39:05 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Tue, 06 Jun 2023 17:39:05 GMT)


Message #14 received at 1037151-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1037151-close@bugs.debian.org
Subject: Bug#1037151: fixed in dbus 1.15.6-1
Date: Tue, 06 Jun 2023 17:34:05 +0000
Source: dbus
Source-Version: 1.15.6-1
Done: Simon McVittie <smcv@debian.org>

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1037151@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 06 Jun 2023 15:06:09 +0100
Source: dbus
Architecture: source
Version: 1.15.6-1
Distribution: experimental
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 1033056 1037151
Changes:
 dbus (1.15.6-1) experimental; urgency=medium
 .
   [ Simon McVittie ]
   * New upstream development release
     - Fixes a denial of service issue if the root or messagebus user is
       monitoring messages on the system bus with the Monitoring interface
       (dbus-monitor, busctl monitor, gdbus monitor or similar)
       (Closes: #1037151)
   * d/rules: Tell dh_shlibdeps where to find dbus-tests' private libraries
     dbus-tests contains an instrumented/debug build of libdbus in a private
     directory, which has more ABI than the production build, and a second
     set of tests which depend on that debug build.
   * d/rules: Extend arbitrary timeout for tests.
     Some mipsel buildds are very slow and have seen the hash test time out
     after 30 seconds (it normally takes about 10 on slower machines).
 .
   [ Helmut Grohne ]
   * Mark dbus-daemon and dbus-bin Multi-Arch: foreign (Closes: #1033056)




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#1037151; Package dbus. (Wed, 07 Jun 2023 11:15:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 07 Jun 2023 11:15:03 GMT)


Message #19 received at 1037151@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Simon McVittie <smcv@debian.org>, 1037151@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1037151: dbus: denial of service when a monitor is active and a message from the driver cannot be delivered
Date: Wed, 7 Jun 2023 13:10:57 +0200
Hi Simon,

On Tue, Jun 06, 2023 at 02:36:01PM +0100, Simon McVittie wrote:
> Package: dbus
> Version: 1.15.4-1
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> Control: found -1 1.14.6-1
> Control: found -1 1.12.24-0+deb11u1
> 
> If a privileged user with control over the dbus-daemon is using the
> org.freedesktop.DBus.Monitoring interface to monitor message bus
> traffic, then an unprivileged user with the ability to connect to the
> same dbus-daemon can cause a dbus-daemon crash under some circumstances.
> 
> When done on the well-known system bus, this is a denial-of-service
> vulnerability. Unfortunately, the upstream bug reporter already made
> this public information. I'm in the process of releasing dbus 1.15.6,
> 1.14.8 and 1.12.28 to resolve this; I've also asked MITRE for a CVE ID,
> but I have not received one yet.
> 
> Mitigation: This can only be done if a monitoring process such
> as dbus-monitor or busctl monitor is active on the same dbus-daemon
> instance, which is a privileged operation that can only be done by root
> or the Unix uid of the message bus. If no monitoring process is active,
> then the vulnerable code is not reached.
> 
> My guess is that the security team will not want to release DSAs for this
> local denial of service, and it's more appropriate to fix in bookworm
> and bullseye via their next point releases. Is that assumption correct?

Yes, that sounds fine to do in a point release.

Regards,
Salvatore



Changed Bug title to 'dbus: CVE-2023-34969: denial of service when a monitor is active and a message from the driver cannot be delivered' from 'dbus: denial of service when a monitor is active and a message from the driver cannot be delivered'. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Thu, 08 Jun 2023 09:57:02 GMT)


Marked as found in versions dbus/1.12.20-0+deb10u1. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Thu, 08 Jun 2023 10:39:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jun 8 18:31:58 2023; Machine Name: buxtehude
