Bugzilla – Bug 697105
VUL-0: CVE-2012-3524: libdbus using getenv() in suids
Last modified: 2018-10-19 18:14:10 UTC
libdbus, as part of the dbus package, also uses getenv() (directly or indirectly via its own dbus functions) when linked into suid binaries such as Xorg. libhal, which uses dbus, generates its config as obtained via the system bus, which is found via the "DBUS_SYSTEM_BUS_ADDRESS" variable. libdbus should check the dumpable flag via prctl() (in case the program is using fscaps) and use an euid != uid || egid != gid check as fallback.
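The check proposed above (dumpable flag via prctl(), euid/uid and egid/gid comparison as fallback), written out in C as an added example; this is not code from the libdbus patches attached to this bug. It additionally consults AT_SECURE from the auxiliary vector, which is the signal glibc's secure_getenv() relies on. The names env_is_trusted, process_is_privileged and safe_getenv are this example's own, as is the sample variable value set in main().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/prctl.h>
#include <sys/auxv.h>

/* Pure policy function, separated from the syscalls so the decision can be
 * exercised without an actual setuid/fscaps binary.
 * Returns 1 if environment variables may be trusted, 0 otherwise.
 *   at_secure : AT_SECURE from the aux vector (1 after a setuid/setgid/fscaps exec)
 *   dumpable  : result of prctl(PR_GET_DUMPABLE); 1 = normal, 0 = not dumpable,
 *               2 = "suidsafe" (fs.suid_dumpable=2), -1 = prctl() failed
 */
int env_is_trusted(int at_secure, int dumpable, uid_t uid, uid_t euid,
                   gid_t gid, gid_t egid)
{
    if (at_secure)
        return 0;                 /* kernel already flagged a privileged exec */
    if (dumpable != 1)
        return 0;                 /* fscaps exec, suidsafe mode, or prctl() error */
    if (euid != uid || egid != gid)
        return 0;                 /* classic setuid/setgid fallback check */
    return 1;
}

/* Gather the live inputs and apply the policy; 1 means "privileged, do not
 * honour environment-controlled settings". */
int process_is_privileged(void)
{
    int at_secure = (int)getauxval(AT_SECURE);      /* 0 if entry absent */
    int dumpable  = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    return !env_is_trusted(at_secure, dumpable, getuid(), geteuid(),
                           getgid(), getegid());
}

/* Drop-in replacement for getenv(): returns NULL in a privileged process,
 * so an attacker-controlled DBUS_SYSTEM_BUS_ADDRESS is never consulted. */
const char *safe_getenv(const char *name)
{
    if (process_is_privileged())
        return NULL;
    return getenv(name);
}

int main(void)
{
    /* Constructed sample value for illustration only. */
    setenv("DBUS_SYSTEM_BUS_ADDRESS", "unix:path=/var/run/dbus/system_bus_socket", 1);
    const char *addr = safe_getenv("DBUS_SYSTEM_BUS_ADDRESS");
    printf("privileged=%d address=%s\n", process_is_privileged(),
           addr ? addr : "(ignored)");
    return 0;
}
```

Treating every prctl() failure (-1) and the "suidsafe" value 2 as untrusted is deliberate: both mean the process has done a privilege transition, or that we cannot tell, and the cost of a false "untrusted" is only that an override variable is ignored.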
Since a lot of other libs are affected too, I will try to get a CVE for the whole "issue-set".
p5->p3 mass change, please ignore
Created attachment 497975 [details]
getenv+suid patch

My patch proposal (untested). Will have that discussed on oss-sec.
Please let me know when this discussion has been carried out and the patch has been submitted upstream. Thanks!
Created attachment 498135 [details]
new patch using __secure_getenv

Will point upstream to this. Do not forget to call autoheader, as this also adds the __secure_getenv function check to the configure.ac script.
Is there a CVE# for this in the meantime?
Not yet. I don't know whether MITRE will assign CVEs to hardening patches. If they do, I will add it here.
Also please check here: https://bugs.freedesktop.org/show_bug.cgi?id=52202

It definitely needs fixing, and it's likely that a fix comes from upstream, as new libdbus has an option like:

  DBUS_SYSTEM_BUS_ADDRESS=unixexec:path=/bin/rm,arg1=-rf,arg2=/

(example taken from private x-org list mail)
The SWAMPID for this issue is 48826. This issue was rated as important. Please submit fixed packages until 2012-08-29. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
CVE-2012-3524, but I don't know whether they assigned it to the specific getenv() issue.
This is an autogenerated message for OBS integration: This bug (697105) was mentioned in https://build.opensuse.org/request/show/131874 Factory / dbus-1
Update released for: dbus-1, dbus-1-32bit, dbus-1-debuginfo, dbus-1-debugsource, dbus-1-devel, dbus-1-devel-doc, dbus-1-x11, dbus-1-x11-debuginfo, dbus-1-x11-debugsource Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: dbus-1, dbus-1-x11 Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: dbus-1, dbus-1-32bit, dbus-1-debuginfo, dbus-1-debuginfo-32bit, dbus-1-debuginfo-x86, dbus-1-debugsource, dbus-1-devel, dbus-1-devel-doc, dbus-1-x11, dbus-1-x11-debuginfo, dbus-1-x11-debugsource Products: SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64) SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
There's a minor regression in this patchset, since dbus-daemon-launch-helper is a setuid binary that links libdbus, and does its own environment sanitization. Specifically, it attempts to pass through DBUS_STARTER_ADDRESS, but that now fails, meaning a d-d-l-h-activated program won't be able to find the system bus by asking for its starter bus. (I believe there's no commonly-used software that depends on this, but it's still documented as possible and d-d-l-h clearly attempts to make it work, and we have internal software that depended on being able to ask for the starter bus.) Colin Walters and I put together a patch that works around this: http://cgit.freedesktop.org/dbus/dbus/commit/?id=f68dbdc3e6f895012ce33939fb524accf31bcca5 It depends on a predecessor commit that just removes the DBUS_VERBOSE logic in the activation helper, since it's not useful. This is in the D-Bus 1.6.8 release.
It seems our autolaunch-helper is linked statically against libdbus (12.1 at least), so this does not affect us via the dbus update. (Not exploitable either, as it's mode 04710.) Timo, can you confirm this? Is it linked statically on all our dists?
Hm, it might be that the launch-helper got the new dbus lib, as it's likely shipped in the dbus update itself with the newly patched libdbus. :/
openSUSE-SU-2012:1287-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 697105 CVE References: CVE-2012-3524 Sources used: openSUSE 12.2 (src): dbus-1-1.5.12-4.6.1, dbus-1-x11-1.5.12-4.6.1 openSUSE 12.1 (src): dbus-1-1.5.8-2.6.1, dbus-1-x11-1.5.8-2.6.1 openSUSE 11.4 (src): dbus-1-1.4.1-7.27.1
This is an autogenerated message for OBS integration: This bug (697105) was mentioned in https://build.opensuse.org/request/show/137179 Evergreen:11.2 / dbus-1
(In reply to comment #28)
> it seems our autolaunch-helper is linked statically
> against libdbus (12.1 at least), so this does not affect us
> via the dbus update.
>
> (Not exploitable either as its mode 04710).
>
> Timo, can you confirm this? Is it linked statically on all our dists?

This is for 12.2 (I have no data for other distros):

  linux-mnes:~ # ldd /lib/dbus-1/dbus-daemon-launch-helper
          linux-gate.so.1 (0xb7761000)
          libexpat.so.1 => /usr/lib/libexpat.so.1 (0xb7722000)
          libpthread.so.0 => /lib/libpthread.so.0 (0xb7707000)
          librt.so.1 => /lib/librt.so.1 (0xb76fe000)
          libc.so.6 => /lib/libc.so.6 (0xb7558000)
          /lib/ld-linux.so.2 (0xb7762000)

Sebastian, please let me know when you have an updated patch and how we should proceed.
This is an autogenerated message for OBS integration: This bug (697105) was mentioned in https://build.opensuse.org/request/show/137426 Factory / dbus-1
Timo, it all depends on whether we can reproduce the issue from comment #27. We can still use our patch, but if the "d-d-l-h-activated programs" fail, we also need to apply the patch from comment #27. It doesn't sound like this is a common case, but it is required by some specification/docs.
hm, apparently this also causes bnc#783657
This is an autogenerated message for OBS integration: This bug (697105) was mentioned in https://build.opensuse.org/request/show/137509 Evergreen:11.2 / dbus-1
(In reply to comment #35)
> hm, apparently this also causes bnc#783657

That's why this bug is marked as blocking bug #783657 as of last Sunday.
En route to fixing bug #783657 it turned out that not only the patch mentioned in comment #27 is required to clean up the fallout, but a series of four patches:

  http://cgit.freedesktop.org/dbus/dbus/commit/?id=23fe78ceefb6cefcd58a49c77d1154b68478c8d2
  http://cgit.freedesktop.org/dbus/dbus/commit/?id=4b351918b9f70eaedbdb3ab39208bc1f131efae0
  http://cgit.freedesktop.org/dbus/dbus/commit/?id=57ae3670508bbf4ec57049de47c9cae727a64802
  http://cgit.freedesktop.org/dbus/dbus/commit/?id=f68dbdc3e6f895012ce33939fb524accf31bcca5

(cf. http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1066406.html)

I have backported this series for all supported products.
Created attachment 509194 [details] Patch series for SLE11-SP1
Created attachment 509195 [details] Patch series for openSUSE 11.4
Created attachment 509196 [details] Patch series for openSUSE 12.1
Created attachment 509197 [details] Patch series for openSUSE 12.2
SLE11-SP1: Submit request id #22082
openSUSE 11.3: Maintenance request id #137865
openSUSE 12.1: Maintenance request id #137865
openSUSE 12.2: Maintenance request id #137865

Reassigning for patch info.

N.B. The packages need QA ahead of release.
The SWAMPID for this issue is 49673. This issue was rated as important. Please submit fixed packages until 2012-10-19. Also create a patchinfo file using this link: https://swamp.suse.de/webswamp/wf/49673
Update released for: dbus-1, dbus-1-32bit, dbus-1-debuginfo, dbus-1-debuginfo-32bit, dbus-1-debuginfo-64bit, dbus-1-debuginfo-x86, dbus-1-debugsource, dbus-1-devel, dbus-1-devel-doc, dbus-1-x11, dbus-1-x11-debuginfo, dbus-1-x11-debugsource, dbus-1-x86 Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
released (all but opensuse but that will be released soonish)
openSUSE-SU-2012:1418-1: An update that solves 6 vulnerabilities and has 5 fixes is now available. Category: security (moderate) Bug References: 381621,394383,428963,432901,437293,443307,503074,697105,707817,743149,783657 CVE References: CVE-2006-6107,CVE-2008-0595,CVE-2008-3834,CVE-2008-4311,CVE-2010-4352,CVE-2012-3524 Sources used: openSUSE 12.2 (src): dbus-1-1.5.12-4.10.1, dbus-1-x11-1.5.12-4.10.1 openSUSE 12.1 (src): dbus-1-1.5.8-2.10.1, dbus-1-x11-1.5.8-2.10.1 openSUSE 11.4 (src): dbus-1-1.4.1-7.31.1, dbus-1-x11-1.4.1-7.31.1
This is an autogenerated message for OBS integration: This bug (697105) was mentioned in https://build.opensuse.org/request/show/140737 https://build.opensuse.org/request/show/141044
*** Bug 912016 has been marked as a duplicate of this bug. ***