dbus is the reference implementation of D-Bus, an asynchronous
inter-process communication system commonly used for system services
or within a desktop session on Linux and other operating systems.

Joe Vennix of Apple Information Security discovered an implementation flaw
in the DBUS_COOKIE_SHA1 authentication mechanism. A malicious client with
write access to its own home directory could manipulate a ~/.dbus-keyrings
symlink to cause a DBusServer with a different uid to read and write
in unintended locations. In the worst case, this could result in the
DBusServer reusing a cookie that is known to the malicious client, and
treating that cookie as evidence that a subsequent client connection
came from an attacker-chosen uid, allowing authentication bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the standard
session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon instances,
standard dbus-daemon instances with non-standard configuration, and the
session bus in older/unsupported dbus branches (such as dbus 1.6.x in
Ubuntu 14.04 LTS).

Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x < 1.13.12
Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >= 1.10.28

References:

https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2

Patch:

https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016

(from redmine: issue id 10569, created on 2019-06-13, closed on 2019-06-20)

• Relations:
  • parent #10567 (closed)
• Changesets:
  • Revision 4197c781 by Natanael Copa on 2019-06-17T09:53:00Z:

main/dbus: upgrade to 1.10.28 (CVE-2019-12749)

fixes #10569