Bugzilla – Bug 628607
VUL-0: CVE-2010-1172: dbus-1: dbus-glib flaw
Last modified: 2019-05-22 00:53:46 UTC
Hi. There is a security bug in package 'dbus-1'. This information is from 'vendor-sec'. This bug is NOT PUBLIC. The coordinated release date (CRD) is: 2010-08-09 More information can be found here: https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec CVE number: CVE-2010-1172 CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1172 Original posting: ---------- Weitergeleitete Nachricht ---------- Betreff: [vendor-sec] dbus-glib flaw (CVE-2010-1172) Datum: Mittwoch, 4. August 2010, 16:42:05 Von: Vincent Danen <vdanen@redhat.com> An: vendor-sec@lst.de We are aware of a moderate impact flaw in dbus-glib that we would like to disclose on Monday, August 9th. This is not public; if anyone would like the details, please email me with your Red Hat bugzilla email address and I will cc you on the bug. Thanks. -- Vincent Danen / Red Hat Security Response Team _______________________________________________ Vendor Security mailing list Vendor Security@lst.de https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec ------------------------------------------------------------- -- Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
The SWAMPID for this issue is 34983. This issue was rated as moderate. Please submit fixed packages until 2010-08-19. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Is there a fix attached to the CVE? Any more details? For what products do we need to release an update?
0001-Respect-property-access-flags-for-writing-allow-disa.patch == 001-Respect-property-ac ? If so, it does not apply to SLE11-SP1.
(In reply to comment #9) > 0001-Respect-property-access-flags-for-writing-allow-disa.patch == > 001-Respect-property-ac ? Correct, the name was truncated.
For what version of dbus-glib is that patch? Are there patches available for older versions (e.g. the one ship with SLE11-SP2)?
You have to backport the patch.
Still open: For what version of dbus-glib is that patch? Red Hat also maintains products with older versions of dbus-glib, right? I really do not want to duplicate work.
re comment #7: > And, again, what is the list of products we need to release an update for? - openSUSE 11.1 - openSUSE 11.2 - openSUSE 11.3 - SUSE Linux Enterprise Server 10 SP3 - SUSE Linux Enterprise Server 11 SP1 - SUSE Linux Enterprise Server 11 re comment #13: > Still open: For what version of dbus-glib is that patch? - dbus-1-glib v0.86
Created attachment 381281 [details] Patch for openSUSE 11.3
SLE10-SP3 : dbus-1 (includes glib bindings), version 0.60 SLE11 : dbus-1-glib, version 0.76 SLE11-SP1 : dbus-1-glib, version 0.76 openSUSE 11.1: dbus-1-glib, version 0.76 openSUSE 11.2: dbus-1-glib, version 0.80 openSUSE 11.3: dbus-1-glib, version 0.86
Created attachment 382846 [details] test case
Regarding SLE10-SP3: I don't think that we need to provide a fix, as there aren't any affected system daemons in use. If this is not the case, please let me know. Other backports are WIP.
Created attachment 384107 [details] Backport of fix for SLE 11
Created attachment 384108 [details] Backport of fix for SLE 11 SP1
Submit requests created: Request #7780: submit: home:thoenig:branches:SUSE:SLE-11:Update:Test/dbus-1-glib(r2)(cleanup) -> SUSE:SLE-11:Update:Test/dbus-1-glib Request #7781: submit: home:thoenig:branches:SUSE:SLE-11-SP1:Update:Test/dbus-1-glib(r2)(cleanup) -> SUSE:SLE-11-SP1:Update:Test/dbus-1-glib As per discussion with Ludwig those should go out before we handle the updates for openSUSE (which will be after I return from my vacation).
still missing submissions for Moblin20 and Moblin21 (both sources are identical and based on dbus-glib-0.80.tar.bz2)
setup: ~~~~~~ # tar jxvf bug-628607_barbara.tar.bz2 # cd barbara # make # ./barbara-dbus # ./test # in another console before: ~~~~~~ # ./test *** just the introspection data method return sender=:1.50 -> dest=:1.51 reply_serial=2 string "<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd"> <node> <interface name="org.freedesktop.DBus.Introspectable"> <method name="Introspect"> <arg name="data" direction="out" type="s"/> </method> </interface> <interface name="org.freedesktop.DBus.Properties"> <method name="Get"> <arg name="interface" direction="in" type="s"/> <arg name="propname" direction="in" type="s"/> <arg name="value" direction="out" type="v"/> </method> <method name="Set"> <arg name="interface" direction="in" type="s"/> <arg name="propname" direction="in" type="s"/> <arg name="value" direction="in" type="v"/> </method> <method name="GetAll"> <arg name="interface" direction="in" type="s"/> <arg name="props" direction="out" type="a{sv}"/> </method> </interface> <interface name="de.suse.barbara"> <property name="number" type="y" access="readwrite"/> </interface> </node> " *** this property is not exported. One needs to call dbus_glib_global_set_disable_legacy_property_access () to hide it method return sender=:1.50 -> dest=:1.52 reply_serial=2 variant string "just the default" *** this one is readable method return sender=:1.50 -> dest=:1.53 reply_serial=2 variant byte 0 *** this should fail as number is read only method return sender=:1.50 -> dest=:1.54 reply_serial=2 after: ~~~~~~ # ./test *** just the introspection data method return sender=:1.50 -> dest=:1.51 reply_serial=2 string "<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd"> <node> <interface name="org.freedesktop.DBus.Introspectable"> <method name="Introspect"> <arg name="data" direction="out" type="s"/> </method> </interface> <interface name="org.freedesktop.DBus.Properties"> <method name="Get"> <arg name="interface" direction="in" type="s"/> <arg name="propname" direction="in" type="s"/> <arg name="value" direction="out" type="v"/> </method> <method name="Set"> <arg name="interface" direction="in" type="s"/> <arg name="propname" direction="in" type="s"/> <arg name="value" direction="in" type="v"/> </method> <method name="GetAll"> <arg name="interface" direction="in" type="s"/> <arg name="props" direction="out" type="a{sv}"/> </method> </interface> <interface name="de.suse.barbara"> <property name="number" type="y" access="readwrite"/> </interface> </node> " *** this property is not exported. One needs to call dbus_glib_global_set_disable_legacy_property_access () to hide it method return sender=:1.50 -> dest=:1.52 reply_serial=2 variant string "just the default" *** this one is readable method return sender=:1.50 -> dest=:1.53 reply_serial=2 variant byte 0 *** this should fail as number is read only method return sender=:1.50 -> dest=:1.54 reply_serial=2 The last test should behave like what the comment describes, reporting failure rather than a success.
Mandy Wu: You need to rebuild barbara after installing the fixed packages. Can you please confirm that this helps? Thank you!
any progress on box packages?
Yes, will try to get this done by end of this week.
Update released for: dbus-1-glib, dbus-1-glib-32bit, dbus-1-glib-debuginfo, dbus-1-glib-debuginfo-32bit, dbus-1-glib-debuginfo-64bit, dbus-1-glib-debuginfo-x86, dbus-1-glib-debugsource, dbus-1-glib-devel, dbus-1-glib-doc, dbus-1-glib-x86 Products: SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11 (i386, x86_64) SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
Update released for: dbus-1-glib, dbus-1-glib-32bit, dbus-1-glib-debuginfo, dbus-1-glib-debuginfo-32bit, dbus-1-glib-debuginfo-64bit, dbus-1-glib-debuginfo-x86, dbus-1-glib-debugsource, dbus-1-glib-devel, dbus-1-glib-doc, dbus-1-glib-x86 Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
Update released for: NetworkManager, NetworkManager-debuginfo, NetworkManager-debugsource, NetworkManager-devel, NetworkManager-doc, NetworkManager-glib Products: SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11 (i386, x86_64) SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
Update released for: NetworkManager, NetworkManager-debuginfo, NetworkManager-debugsource, NetworkManager-devel, NetworkManager-doc, NetworkManager-glib Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
Created attachment 398541 [details] Patch for openSUSE 11.3 (v2)
Update released for: gdm, gdm-branding-upstream, gdm-debuginfo, gdm-debugsource, gdm-lang Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
Update released for: gdm, gdm-branding-upstream, gdm-debuginfo, gdm-debugsource, gdm-lang Products: SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11 (i386, x86_64) SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
Update released for: gdm, gdm-branding-upstream, gdm-debuginfo, gdm-debugsource, gdm-lang Products: openSUSE 11.1 (debug, i586, ppc, x86_64) openSUSE 11.2 (debug, i586, x86_64)
Update released for: gdm, gdm-branding-upstream, gdm-debuginfo, gdm-debugsource, gdm-lang, gnome-applets-gdm, gnome-applets-gdm-debuginfo Products: openSUSE 11.3 (debug, i586, x86_64)
Timo, we still need the openSUSE packages.
Created attachment 420240 [details] Patch for openSUSE 11.2
11.2 package submitted with adding this patch 11.3 package submitted by taking rev 15 from the one in Base:System which is exactly the 11.3 version with the fix for this bug
Thanks, Rudi. FWIW: I've been holding off the submission as I wanted to test the patch in first place. I've done so in the mean time and it worked well (11.2 and 11.3). Reassigning to security team for patch info etc.
Update released for: dbus-1-glib, dbus-1-glib-debuginfo, dbus-1-glib-debuginfo-32bit, dbus-1-glib-debuginfo-x86, dbus-1-glib-debugsource, dbus-1-glib-devel, dbus-1-glib-devel-debuginfo, dbus-1-glib-doc Products: openSUSE 11.2 (debug, i586, x86_64) openSUSE 11.3 (debug, i586, x86_64)
all packages released
The SWAMPID for this issue is 34983. This issue was rated as moderate. Please submit fixed packages until 2011-04-20. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Update released for: NetworkManager, NetworkManager-debuginfo, NetworkManager-debugsource, NetworkManager-devel, NetworkManager-doc, NetworkManager-glib, NetworkManager-glib-debuginfo Products: openSUSE 11.2 (debug, i586, x86_64) openSUSE 11.3 (debug, i586, x86_64)
This is an autogenerated message for OBS integration: This bug (628607) was mentioned in https://build.opensuse.org/request/show/65220 11.2:Test / dbus-1-glib https://build.opensuse.org/request/show/65221 11.3:Test / dbus-1-glib