CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 authentication bypass


Debian Bug report logs - #930375
CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 authentication bypass


Reported by: Simon McVittie <smcv@debian.org>

Date: Tue, 11 Jun 2019 16:39:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security

Found in version dbus/1.0.0-1

Fixed in versions 1.12.16-1, 1.13.12-1, 1.10.28-0+deb9u1

Done: Simon McVittie <smcv@debian.org>

Forwarded to https://gitlab.freedesktop.org/dbus/dbus/issues/269



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, debian-lts@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#930375; Package libdbus-1-3. (Tue, 11 Jun 2019 16:39:05 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, debian-lts@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 11 Jun 2019 16:39:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 authentication bypass
Date: Tue, 11 Jun 2019 17:34:40 +0100
Package: libdbus-1-3
Version: 1.0.0-1
Severity: grave
Tags: security fixed-upstream patch
Forwarded: https://gitlab.freedesktop.org/dbus/dbus/issues/269

Joe Vennix of Apple Information Security discovered an implementation flaw
in the DBUS_COOKIE_SHA1 authentication mechanism. A malicious client with
write access to its own home directory could manipulate a ~/.dbus-keyrings
symlink to cause a DBusServer with a different uid to read and write
in unintended locations. In the worst case, this could result in the
DBusServer reusing a cookie that is known to the malicious client, and
treating that cookie as evidence that a subsequent client connection
came from an attacker-chosen uid, allowing authentication bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the standard
session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon instances,
standard dbus-daemon instances with non-standard configuration, and the
session bus in older/unsupported dbus branches (such as dbus 1.6.x in
Ubuntu 14.04 LTS).

For buster this has been fixed in libdbus-1-3 1.12.16-1. I'll close this
bug when I have a bug number.

For stretch this has been fixed in upstream release 1.10.28 and I am
discussing with the security team whether it is DSA-worthy, and if so,
whether to upload 1.10.28-0+deb9u1 or a minimal backport.

For experimental this will be fixed by upstream release 1.13.12 when
I've tested it.

If the Debian LTS team want to address this vulnerability
in jessie (which has an EOL dbus branch that we no
longer support upstream), they should backport upstream commit
<https://gitlab.freedesktop.org/dbus/dbus/commit/525c2314c56504fb232f9ec7f25cf7dda4d4a1c4>
and optionally also the build-time test coverage found in
<https://gitlab.freedesktop.org/dbus/dbus/commit/c251e7ea9525c1fc81360bbaf48f86ef6a0ad598>.

Regards,
    smcv
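The report says exposure depends on whether a DBusServer admits DBUS_COOKIE_SHA1 at all, and that the attack works by turning ~/.dbus-keyrings into a symlink so a server running as another uid reads and writes cookies elsewhere. The following is an added audit helper, not dbus's own code: it reads the `<auth>` elements of a dbus-daemon configuration (per dbus-daemon(1), no `<auth>` element means every mechanism is allowed) and flags a keyring directory that is a symlink, owned by the wrong uid, or accessible to group/other. Paths, uids and the constructed configs are assumptions for illustration.

```python
"""Exposure checks for CVE-2019-12749 (added example, not part of dbus)."""
import os
import stat
import xml.etree.ElementTree as ET

# Mechanisms libdbus implements; with no <auth> element, all are allowed.
ALL_MECHANISMS = ("EXTERNAL", "DBUS_COOKIE_SHA1", "ANONYMOUS")


def allowed_mechanisms(config_xml):
    """Return the set of auth mechanisms a dbus-daemon config permits."""
    root = ET.fromstring(config_xml)
    auths = {e.text.strip() for e in root.iter("auth") if e.text and e.text.strip()}
    return auths if auths else set(ALL_MECHANISMS)


def cookie_sha1_exposed(config_xml):
    """True when a bus using this config would accept DBUS_COOKIE_SHA1."""
    return "DBUS_COOKIE_SHA1" in allowed_mechanisms(config_xml)


def keyring_dir_problems(mode, uid, expected_uid):
    """Evaluate lstat() results of a keyring directory against the conditions
    the advisory describes. Returns a list of human-readable problems."""
    problems = []
    if stat.S_ISLNK(mode):
        problems.append("symlink")          # could redirect reads/writes elsewhere
    elif not stat.S_ISDIR(mode):
        problems.append("not a directory")
    if uid != expected_uid:
        problems.append("owned by uid %d, expected %d" % (uid, expected_uid))
    if mode & 0o077:
        problems.append("mode %o grants group/other access" % stat.S_IMODE(mode))
    return problems


def check_keyring_dir(path, expected_uid):
    """lstat() (never follow the link) the directory and report problems."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    return keyring_dir_problems(st.st_mode, st.st_uid, expected_uid)


# Constructed sample configs: the stock system bus pins EXTERNAL, a custom one
# with no <auth> element silently permits DBUS_COOKIE_SHA1 as well.
SYSTEM_CONF = "<busconfig><type>system</type><auth>EXTERNAL</auth></busconfig>"
CUSTOM_CONF = "<busconfig><type>session</type></busconfig>"
```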



Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#930375; Package libdbus-1-3. (Tue, 11 Jun 2019 16:48:05 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 11 Jun 2019 16:48:05 GMT)


Message #10 received at 930375@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 930375@bugs.debian.org
Subject: Re: Bug#930375: CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 authentication bypass
Date: Tue, 11 Jun 2019 17:44:18 +0100
Version: 1.12.16-1

On Tue, 11 Jun 2019 at 17:34:40 +0100, Simon McVittie wrote:
> For buster this has been fixed in libdbus-1-3 1.12.16-1. I'll close this
> bug when I have a bug number.



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 11 Jun 2019 18:30:06 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Tue, 11 Jun 2019 18:30:06 GMT)


Message #15 received at 930375-done@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 930375-done@bugs.debian.org
Subject: Re: Bug#930375: CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 authentication bypass
Date: Tue, 11 Jun 2019 19:27:05 +0100
Version: 1.12.16-1

On Tue, 11 Jun 2019 at 17:44:18 +0100, Simon McVittie wrote:
> On Tue, 11 Jun 2019 at 17:34:40 +0100, Simon McVittie wrote:
> > For buster this has been fixed in libdbus-1-3 1.12.16-1. I'll close this
> > bug when I have a bug number.

Now with correct -done address...



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 11 Jun 2019 18:30:09 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Tue, 11 Jun 2019 18:30:09 GMT)


Message #20 received at 930375-done@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 930375-done@bugs.debian.org
Subject: Re: Bug#930375: CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 authentication bypass
Date: Tue, 11 Jun 2019 19:28:00 +0100
Version: 1.13.12-1

On Tue, 11 Jun 2019 at 17:34:40 +0100, Simon McVittie wrote:
> For experimental this will be fixed by upstream release 1.13.12 when
> I've tested it.

Now uploaded.



Marked as fixed in versions 1.10.28-0+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 13 Jun 2019 19:33:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:56:26 2019; Machine Name: beach
