Re: libdbus CVE-2012-3524 fix

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/12/2012 08:04 AM, Sebastian Krahmer wrote:
> Hi,
>
> As the CRD is today, and list policy requires "opening" the 
> distros-list posting, here is the forward.
>
> As a quick fix, the exploit can also be mitigated by properly 
> placing the dbus-launch binary into the expected path, usually 
> "/bin/dbus-launch", e.g.
>
> # ln -s /usr/bin/dbus-launch /bin/dbus-launch
>
> since for some reason, on most dists the binary is mis-placed into
> /usr/bin. This makes an execv() fail in libdbus itself, triggering
> an execvp().
>
> Sebastian
>
> ----- Forwarded message from Sebastian Krahmer <krahmer () suse de>
> -----
>
>
> Hi,
>
> The recently discussed libdbus getenv() issue [1] turned out to be
> easily exploitable on various UNIX systems, including some Linux
> distributions. Common attack vectors are Xorg and spice-gtk via
> auto-launching [2]. Properly patching requires fixes for libdbus
> and libgio, depending on which you link your suid binaries. Would
> be nice if someone from RH could forward their patch, as they have
> some developers upstream and possibly access to the private git
> commit (they also already assigned this CVE). My CRD proposal is
> Sept. 12th. As can be seen in [1], this issue is indeed public
> since 1+ year.
>
> Sebastian
>
> [1] https://bugzilla.novell.com/show_bug.cgi?id=697105 [2]
> http://stealth.openwall.net/null/dzug.c
>
> PS: This is a re-send, the first mail to distros list was probably 
> catched by spam filter.

There is a second vulnerability as well:

spice(with naughty env variables)+glib = glib executes "dbus-launch"
from USER specific $PATH with elevated privileges.

Please use CVE-2012-4425 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQUjSYAAoJEBYNRVNeJnmTk4sP+wdzE9/wHfqNVfYVcFmznaVJ
L7WpVi6uQ0cLhQJAjePXn5Pd4yTVTFFDsbyeTj5KYOjtm3SFDKkXKP5J35IOh2F5
hISU6tXeraLfBaODyjLrI92v+HaXjBRD0j9yF3NJRTvBrV8XR7zFIO/jPZbfynR0
sWQbEs+kR9HWO3gbovTKNLK5QOz7Q86l9zR7NysFD3NAP4H8oqMcZXkHoRrhsmRd
MeovVqtvrV1F1YjPg+XjX3cUx6iKsxhSlBXDCWKsNCgOE8T/8yfoy4N8ySYilp+2
fDf+0dkvieyjYgmQHZikiQqQwGPRSvMbN3SB4wT1Ft81HDWehm9szoL3GVjawTeg
nRPDqTEmXGd2FhDSH8QOtEAg/Y6Ju/rLI3CKv1Ee/uupNsX36xZsXvbFdYdTs/bv
j8yfCMqiDJwdtEkjRUJODTaiyEffo0NRfzw1v/eQgXNi3EqeO9zbEbCi7iNQpdpj
jEwKN4qTx35zV3YtSKV/GXVgzluL3v4X9BzhJmgai7vAw6DbnFaLrzKfRdww0OFK
pkaX7dSXrTWLeDKz+/9C6W5o7lubShiZP0/J/db4Dsc/sR5NonJdmqZsDlKW8qDW
75a3LvbSEcaxHqY8qPJjM9tVva8ULU7G5llgkH9w8IUzge+rv7MCC8kET8V9FUrO
XLFf6X3InO+8d17jAmZg
=4Pz0
-----END PGP SIGNATURE-----