Bug 904017 (CVE-2014-7824) - VUL-0: CVE-2014-7824: dbus-1: Denial of service via incomplete fix for CVE-2014-3636
Summary: VUL-0: CVE-2014-7824: dbus-1: Denial of service via incomplete fix for CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2014-7824
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Fridrich Strba
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-05 12:41 UTC by Johannes Segitz
Modified: 2015-04-08 12:38 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2014-11-05 12:41:37 UTC 
See bnc#896453 for CVE-2014-3636. Right now there is no fixed CRD date, only " I
intend to address it in dbus 1.8.10 within the next few days". Looks like SLE 12 and all openSUSE variants are affected. 

Date: Tue, 04 Nov 2014 13:20:44 +0000
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
To: distros@vs.openwall.org

The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on
incorrect reasoning, and does not fully prevent the attack described as
"CVE-2014-3636 part A", which is repeated below. Preventing that attack
requires raising the system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a
higher value.

To avoid propagating that higher limit to activatable system services,
it is desirable to start the system dbus-daemon as root so it can store
its previous limit, raise its limit, drop root privileges (which its
default configuration will do automatically), and restore the previous
limit before launching activatable services. Some operating system
distributions, such as anything using the upstream-supplied systemd
units, start the system dbus-daemon as root already; others, such as
Debian 7, currently start the system dbus-daemon under its less
privileged uid and will need minor modifications to their init scripts.

Suggested patches are attached. Patch 0001 is not strictly required, but
if it is skipped, it will be necessary to replace each occurrence of
DBUS_SYSTEM_LOG_WARNING with DBUS_SYSTEM_LOG_INFO in patch 0002.

Tracked as: https://bugs.freedesktop.org/show_bug.cgi?id=85105
Category: related to CWE-774: Allocation of File Descriptors or Handles
Without Limits or Throttling
Impact: local denial of service
Access required: local
Versions believed to be vulnerable: dbus >= 1.3.0
Credit: discovered by Simon McVittie at Collabora Ltd.

Attack details (repeating CVE-2014-3636 part A):

By queuing up the maximum allowed number of fds, a malicious sender
could reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n, typically
1024 on Linux). This would act as a denial of service in two ways:

* new clients would be unable to connect to the dbus-daemon
* when receiving a subsequent message from a non-malicious client that
  contained a fd, dbus-daemon would receive the MSG_CTRUNC flag,
  indicating that the list of fds was truncated; kernel fd-passing APIs
  do not provide any way to recover from that, so dbus-daemon responds
  to MSG_CTRUNC by disconnecting the sender, causing denial of service
  to that sende
Comment 1 Johannes Segitz 2014-11-05 12:43:00 UTC 
Created attachment 612484 [details]
Patch for the issue
Comment 2 Johannes Segitz 2014-11-05 12:43:57 UTC 
Created attachment 612485 [details]
Additional log level

Patch 0001 is not strictly required, but
if it is skipped, it will be necessary to replace each occurrence of
DBUS_SYSTEM_LOG_WARNING with DBUS_SYSTEM_LOG_INFO in patch 0002.
Comment 4 Johannes Segitz 2014-11-07 08:36:26 UTC 
Created attachment 612756 [details]
updated patch

From: Simon McVittie <simon.mcvittie@collabora.co.uk>

Proposed release date is Monday 10th, 16:00 UTC.

I have replaced the original suggested patch with this one, which
mentions the CVE ID and does not need additional patches applied first.
This is hopefully going to be the only change between dbus 1.8.8 and
1.8.10, other than the usual NEWS/configure.ac noise.
Comment 5 Fridrich Strba 2014-11-10 16:31:16 UTC 
Embargo is over
Comment 6 Bernhard Wiedemann 2014-11-10 17:00:29 UTC 
This is an autogenerated message for OBS integration:
This bug (904017) was mentioned in
https://build.opensuse.org/request/show/260719 Factory / dbus-1
https://build.opensuse.org/request/show/260720 13.1 / dbus-1
https://build.opensuse.org/request/show/260721 13.2 / dbus-1
Comment 8 Bernhard Wiedemann 2014-11-10 18:00:27 UTC 
This is an autogenerated message for OBS integration:
This bug (904017) was mentioned in
https://build.opensuse.org/request/show/260731 12.3 / dbus-1
Comment 9 Bernhard Wiedemann 2014-11-10 19:00:25 UTC 
This is an autogenerated message for OBS integration:
This bug (904017) was mentioned in
https://build.opensuse.org/request/show/260747 13.1 / dbus-1
Comment 10 Swamp Workflow Management 2014-12-29 10:05:43 UTC 
SUSE-SU-2014:1724-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 904017
CVE References: CVE-2014-3636,CVE-2014-7824
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    dbus-1-1.8.12-6.1, dbus-1-x11-1.8.12-6.5
SUSE Linux Enterprise Server 12 (src):    dbus-1-1.8.12-6.1, dbus-1-x11-1.8.12-6.5
SUSE Linux Enterprise Desktop 12 (src):    dbus-1-1.8.12-6.1, dbus-1-x11-1.8.12-6.5
Comment 11 Johannes Segitz 2015-04-08 12:38:49 UTC 
all updates released