Regression in CVE-2012-3524 security update

Bug #1058343 reported by Geoffrey Thomas on 2012-09-28
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
dbus (Ubuntu)
Low
Marc Deslauriers
Hardy
Low
Marc Deslauriers
Lucid
Low
Marc Deslauriers
Natty
Low
Marc Deslauriers
Oneiric
Low
Marc Deslauriers
Precise
Low
Marc Deslauriers
Quantal
Low
Marc Deslauriers

Bug Description

There's a minor regression in CVE-2012-3524-dbus.patch, since dbus-daemon-launch-helper is a setuid binary that links libdbus, and does its own environment sanitization. Specifically, it attempts to pass through DBUS_STARTER_ADDRESS, but that now fails, meaning a d-d-l-h-activated program won't be able to find the system bus by asking for its starter bus. (I believe there's no commonly-used software that depends on this, but it's still documented as possible and d-d-l-h clearly attempts to make it work, and my company has internal software that depended on being able to ask for the starter bus.)

Colin Walters and I put together a patch that works around this:
http://cgit.freedesktop.org/dbus/dbus/commit/?id=f68dbdc3e6f895012ce33939fb524accf31bcca5
It depends on a predecessor commit that just removes the DBUS_VERBOSE logic in the activation helper, since it's not useful.

This is in the D-Bus 1.6.8 release. Those two commits should be trivially backportable to older releases, though.

If you think this is serious enough to warrant an update, let me know if you want debdiffs for the current Ubuntu releases. We're working around this locally for now.

Geoffrey Thomas (geofft) on 2012-09-28
security vulnerability: no → yes
Changed in dbus (Ubuntu Hardy):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Low
Changed in dbus (Ubuntu Lucid):
status: New → Confirmed
Changed in dbus (Ubuntu Natty):
status: New → Confirmed
Changed in dbus (Ubuntu Oneiric):
status: New → Confirmed
Changed in dbus (Ubuntu Quantal):
status: New → Confirmed
Changed in dbus (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in dbus (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in dbus (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in dbus (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in dbus (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in dbus (Ubuntu Precise):
status: New → Confirmed
Changed in dbus (Ubuntu Quantal):
importance: Undecided → Low
Changed in dbus (Ubuntu Precise):
importance: Undecided → Low
Changed in dbus (Ubuntu Oneiric):
importance: Undecided → Low
Changed in dbus (Ubuntu Natty):
importance: Undecided → Low
Changed in dbus (Ubuntu Lucid):
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.6.4-1ubuntu3

---------------
dbus (1.6.4-1ubuntu3) quantal-proposed; urgency=low

  * REGRESSION FIX: some applications launched with the activation helper
    may need DBUS_STARTER_ADDRESS. (LP: #1058343)
    - debian/patches/CVE-2012-3524-regression-fix.patch: hardcode the
      starter address to the default system bus address.
  * Fix unclean shutdown after dbus upgrade (LP: #740390)
    - debian/libdbus-1-3.postinst: trigger an upstart re-exec before
      shutdown or reboot so that it can safely unmount the root
      filesystem.
 -- Marc Deslauriers <email address hidden> Wed, 03 Oct 2012 07:14:40 -0400

Changed in dbus (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.4.18-1ubuntu1.3

---------------
dbus (1.4.18-1ubuntu1.3) precise-security; urgency=low

  * REGRESSION FIX: some applications launched with the activation helper
    may need DBUS_STARTER_ADDRESS. (LP: #1058343)
    - debian/patches/CVE-2012-3524-regression-fix.patch: hardcode the
      starter address to the default system bus address.
  * REGRESSION FIX: unclean shutdown after dbus upgrade (LP: #740390)
    - debian/libdbus-1-3.postinst: trigger an upstart re-exec before
      shutdown or reboot so that it can safely unmount the root
      filesystem.
 -- Marc Deslauriers <email address hidden> Wed, 03 Oct 2012 06:12:39 -0400

Changed in dbus (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.1.20-1ubuntu3.9

---------------
dbus (1.1.20-1ubuntu3.9) hardy-security; urgency=low

  * REGRESSION FIX: some applications launched with the activation helper
    may need DBUS_STARTER_ADDRESS. (LP: #1058343)
    - debian/patches/87-CVE-2012-3524-regression-fix.patch: hardcode the
      starter address to the default system bus address.
 -- Marc Deslauriers <email address hidden> Wed, 03 Oct 2012 12:59:30 -0400

Changed in dbus (Ubuntu Hardy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.2.16-2ubuntu4.7

---------------
dbus (1.2.16-2ubuntu4.7) lucid-security; urgency=low

  * REGRESSION FIX: some applications launched with the activation helper
    may need DBUS_STARTER_ADDRESS. (LP: #1058343)
    - debian/patches/CVE-2012-3524-regression-fix.patch: hardcode the
      starter address to the default system bus address.
  * REGRESSION FIX: unclean shutdown after dbus upgrade (LP: #740390)
    - debian/libdbus-1-3.postinst: trigger an upstart re-exec before
      shutdown or reboot so that it can safely unmount the root
      filesystem.
 -- Marc Deslauriers <email address hidden> Wed, 03 Oct 2012 07:05:52 -0400

Changed in dbus (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.4.6-1ubuntu6.4

---------------
dbus (1.4.6-1ubuntu6.4) natty-security; urgency=low

  * REGRESSION FIX: some applications launched with the activation helper
    may need DBUS_STARTER_ADDRESS. (LP: #1058343)
    - debian/patches/CVE-2012-3524-regression-fix.patch: hardcode the
      starter address to the default system bus address.
  * REGRESSION FIX: unclean shutdown after dbus upgrade (LP: #740390)
    - debian/libdbus-1-3.postinst: trigger an upstart re-exec before
      shutdown or reboot so that it can safely unmount the root
      filesystem.
 -- Marc Deslauriers <email address hidden> Wed, 03 Oct 2012 07:03:55 -0400

Changed in dbus (Ubuntu Natty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.4.14-1ubuntu1.3

---------------
dbus (1.4.14-1ubuntu1.3) oneiric-security; urgency=low

  * REGRESSION FIX: some applications launched with the activation helper
    may need DBUS_STARTER_ADDRESS. (LP: #1058343)
    - debian/patches/CVE-2012-3524-regression-fix.patch: hardcode the
      starter address to the default system bus address.
  * REGRESSION FIX: unclean shutdown after dbus upgrade (LP: #740390)
    - debian/libdbus-1-3.postinst: trigger an upstart re-exec before
      shutdown or reboot so that it can safely unmount the root
      filesystem.
 -- Marc Deslauriers <email address hidden> Wed, 03 Oct 2012 07:02:41 -0400

Changed in dbus (Ubuntu Oneiric):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers