Bugzilla – Bug 881137
VUL-0: CVE-2014-3477: dbus-1: DoS in dbus-daemon
Last modified: 2014-07-05 18:04:25 UTC
Via distros. Planned CRD: 2014-06-10

From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Tue, 03 Jun 2014 16:04:45 +0100

If a client C1 is prohibited from sending a message to a service S1, and S1 is not currently running, then C1 can attempt to send a message to S1's well-known bus name, causing dbus-daemon to start S1 [1]. When S1 has started and obtained its well-known bus name, the dbus-daemon evaluates its security policy, decides that it will not deliver the message to S1, and constructs an AccessDenied error. However, instead of sending that AccessDenied error reply to C1 as a reply to the denied message, dbus-daemon incorrectly sends it to S1 as a reply to the request to obtain its well-known bus name.

Impact A: denial of service. S1 will fail to initialize, and exit, denying service to legitimate clients of S1.

Impact B: side channel. In environments where C1 and S1 are untrusted and are administratively prohibited from communicating, S1 could also use these incorrectly-directed error messages as a side channel to receive information from C1.

[1] This is perhaps unexpected, but the dbus-daemon is behaving as designed: it cannot necessarily evaluate which security policies it should apply to S1 until S1 has actually connected back to dbus-daemon, because S1 might change its uid, SELinux context, etc. during startup. The conceptual model is that activatable services are always running, and that the dbus-daemon delaying their startup until they are actually needed is a form of lazy evaluation. As such, the D-Bus maintainers do not consider this to be a bug or vulnerability.
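The misrouting described in the report, as an added simplified model written for this page (not dbus-daemon code; the Bus class, its method names and the connection names C1/S1 are hypothetical). It queues a message to a not-yet-running name, then shows where the AccessDenied error ends up when the service claims its name, with `fixed=False` reproducing the reported behaviour and `fixed=True` the corrected one.

```python
# Added example: toy model of dbus-daemon auto-activation dispatch for CVE-2014-3477.
# Not dbus code. Connection names, policy pairs and message tuples are constructed.
from collections import defaultdict


class Bus:
    def __init__(self, deny_pairs, fixed):
        self.deny = set(deny_pairs)       # (sender, service) pairs the policy forbids
        self.fixed = fixed                # False: reported behaviour, True: corrected
        self.owners = {}                  # well-known name -> owning connection
        self.pending = defaultdict(list)  # well-known name -> queued (sender, body)
        self.inbox = defaultdict(list)    # connection -> messages delivered to it

    def send(self, sender, service, body):
        """A client sends to a well-known name; if nobody owns it, the message is
        queued and the service is activated (policy is not evaluated yet)."""
        if service not in self.owners:
            self.pending[service].append((sender, body))
            return "activating"
        return self._deliver(sender, service, body)

    def _deliver(self, sender, service, body):
        if (sender, service) in self.deny:
            self.inbox[sender].append(("AccessDenied", service))
            return "denied"
        self.inbox[self.owners[service]].append(("Message", sender, body))
        return "delivered"

    def request_name(self, conn, service):
        """The activated service claims its name; queued messages are flushed now."""
        self.owners[service] = conn
        reply = ("NameAcquired", service)
        for sender, body in self.pending.pop(service, []):
            if (sender, service) in self.deny:
                if self.fixed:
                    # corrected: the error answers the denied message, so C1 gets it
                    self.inbox[sender].append(("AccessDenied", service))
                else:
                    # reported defect: the error replaces the reply to the service's
                    # own name request, so S1 sees a failure and C1 hears nothing
                    reply = ("AccessDenied", service)
            else:
                self.inbox[conn].append(("Message", sender, body))
        self.inbox[conn].append(reply)
        return reply


def scenario(fixed):
    """Constructed run: C1 may not talk to org.example.S1, which is not running."""
    bus = Bus(deny_pairs={("C1", "org.example.S1")}, fixed=fixed)
    bus.send("C1", "org.example.S1", "probe")
    reply = bus.request_name("S1", "org.example.S1")
    return reply, bus.inbox["C1"], bus.inbox["S1"]
```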
Created attachment 593152: Patch for dbus DoS
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-06-19. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/57734
Affected packages:
SLE-11-SP3: dbus-1
SLE-10-SP3-TERADATA: dbus-1
Issue is public
openSUSE-SU-2014:0821-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 881137
CVE References: CVE-2014-3477
Sources used:
openSUSE 13.1 (src): dbus-1-1.7.4-4.12.1, dbus-1-x11-1.7.4-4.12.2
openSUSE 12.3 (src): dbus-1-1.6.8-2.18.1, dbus-1-x11-1.6.8-2.18.1
Update released for: dbus-1, dbus-1-debuginfo, dbus-1-devel, dbus-1-devel-doc, dbus-1-glib, dbus-1-gtk, dbus-1-java, dbus-1-mono, dbus-1-mono-debuginfo, dbus-1-python, dbus-1-qt3, dbus-1-qt3-devel, dbus-1-x11
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: dbus-1, dbus-1-32bit, dbus-1-64bit, dbus-1-debuginfo, dbus-1-debuginfo-32bit, dbus-1-debuginfo-64bit, dbus-1-debuginfo-x86, dbus-1-debugsource, dbus-1-devel, dbus-1-devel-doc, dbus-1-x11, dbus-1-x11-debuginfo, dbus-1-x11-debugsource, dbus-1-x86
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0846-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 881137
CVE References: CVE-2014-3477
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): dbus-1-1.2.10-3.29.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): dbus-1-1.2.10-3.29.1, dbus-1-x11-1.2.10-3.29.1
SUSE Linux Enterprise Server 11 SP3 (src): dbus-1-1.2.10-3.29.1, dbus-1-x11-1.2.10-3.29.1
SUSE Linux Enterprise Desktop 11 SP3 (src): dbus-1-1.2.10-3.29.1, dbus-1-x11-1.2.10-3.29.1
all packages fixed
openSUSE-SU-2014:0874-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 881137
CVE References: CVE-2014-3477
Sources used:
openSUSE 11.4 (src): dbus-1-1.4.1-7.35.1, dbus-1-x11-1.4.1-7.35.1