Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
aports
aports
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 650
    • Issues 650
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 212
    • Merge Requests 212
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Incidents
    • Environments
  • Analytics
    • Analytics
    • CI / CD
    • Repository
    • Value Stream
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
  • alpine
  • aportsaports
  • Issues
  • #10569

Closed
Open
Opened Jun 13, 2019 by Alicha CH@alichaReporter

[3.9] dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)

dbus is the reference implementation of D-Bus, an asynchronous
inter-process communication system commonly used for system services
or within a desktop session on Linux and other operating systems.

Joe Vennix of Apple Information Security discovered an implementation flaw
in the DBUS_COOKIE_SHA1 authentication mechanism. A malicious client with
write access to its own home directory could manipulate a ~/.dbus-keyrings
symlink to cause a DBusServer with a different uid to read and write
in unintended locations. In the worst case, this could result in the
DBusServer reusing a cookie that is known to the malicious client, and
treating that cookie as evidence that a subsequent client connection
came from an attacker-chosen uid, allowing authentication bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the standard
session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon instances,
standard dbus-daemon instances with non-standard configuration, and the
session bus in older/unsupported dbus branches (such as dbus 1.6.x in
Ubuntu 14.04 LTS).

Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x < 1.13.12
Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >= 1.10.28

References:

https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2

Patch:

https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016

(from redmine: issue id 10569, created on 2019-06-13, closed on 2019-06-20)

  • Relations:
    • parent #10567 (closed)
  • Changesets:
    • Revision 4197c781 by Natanael Copa on 2019-06-17T09:53:00Z:
main/dbus: upgrade to 1.10.28 (CVE-2019-12749)

fixes #10569
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information
Assignee
Assign to
3.9.5
Milestone
3.9.5
Assign milestone
Time tracking
None
Due date
None
Reference: alpine/aports#10569