[Bug 1058343] Re: Regression in CVE-2012-3524 security update
Launchpad Bug Tracker
1058343 at bugs.launchpad.net
Thu Oct 4 11:47:25 UTC 2012
This bug was fixed in the package dbus - 1.2.16-2ubuntu4.7
---------------
dbus (1.2.16-2ubuntu4.7) lucid-security; urgency=low

  * REGRESSION FIX: some applications launched with the activation helper
    may need DBUS_STARTER_ADDRESS. (LP: #1058343)
    - debian/patches/CVE-2012-3524-regression-fix.patch: hardcode the
      starter address to the default system bus address.
  * REGRESSION FIX: unclean shutdown after dbus upgrade (LP: #740390)
    - debian/libdbus-1-3.postinst: trigger an upstart re-exec before
      shutdown or reboot so that it can safely unmount the root
      filesystem.

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Wed, 03 Oct 2012 07:05:52 -0400
** Changed in: dbus (Ubuntu Natty)
Status: Confirmed => Fix Released
https://bugs.launchpad.net/bugs/1058343
Title:
Regression in CVE-2012-3524 security update
Status in “dbus” package in Ubuntu:
Fix Released
Status in “dbus” source package in Lucid:
Fix Released
Status in “dbus” source package in Natty:
Fix Released
Status in “dbus” source package in Oneiric:
Fix Released
Status in “dbus” source package in Precise:
Fix Released
Status in “dbus” source package in Quantal:
Fix Released
Status in “dbus” source package in Hardy:
Fix Released
Bug description:
There's a minor regression in CVE-2012-3524-dbus.patch, since dbus-
daemon-launch-helper is a setuid binary that links libdbus, and does
its own environment sanitization. Specifically, it attempts to pass
through DBUS_STARTER_ADDRESS, but that now fails, meaning a
d-d-l-h-activated program won't be able to find the system bus by
asking for its starter bus. (I believe there's no commonly-used
software that depends on this, but it's still documented as possible
and d-d-l-h clearly attempts to make it work, and my company has
internal software that depended on being able to ask for the starter
bus.)
Colin Walters and I put together a patch that works around this:
http://cgit.freedesktop.org/dbus/dbus/commit/?id=f68dbdc3e6f895012ce33939fb524accf31bcca5
It depends on a predecessor commit that just removes the DBUS_VERBOSE logic in the activation helper, since it's not useful.
This is in the D-Bus 1.6.8 release. Those two commits should be
trivially backportable to older releases, though.
If you think this is serious enough to warrant an update, let me know
if you want debdiffs for the current Ubuntu releases. We're working
around this locally for now.
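The mechanism behind the regression, as an added illustration that is not dbus code and not the reporter's patch: a setuid helper that links libdbus gets NULL back from the hardened environment lookup, so passing the caller's DBUS_STARTER_ADDRESS through yields nothing, whereas the changelog's fix supplies the default system bus address as a constant. The `secure_getenv_like`, `starter_address_passthrough`, `starter_address_fixed` and `build_child_env` functions, the setuid flag passed as a parameter (so the behaviour can be exercised from an unprivileged process) and the sample caller-supplied address are all constructed for this example.

```c
/* Added example: models the environment handling described in the bug
 * report. Not part of dbus; names and the sample address are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Well-known default system bus address; the regression fix hardcodes the
 * starter address to this value instead of reading it from the environment. */
#define DEFAULT_SYSTEM_BUS_ADDRESS "unix:path=/var/run/dbus/system_bus_socket"

/* Hypothetical stand-in for the hardened libdbus lookup: a setuid process
 * must not trust DBUS_* variables chosen by its caller, so the lookup
 * returns NULL whenever setuid_ctx is non-zero. The flag is a parameter
 * rather than a getuid()/geteuid() comparison so a test can exercise both
 * paths without actually being setuid. */
static const char *secure_getenv_like(const char *name, int setuid_ctx)
{
    if (setuid_ctx)
        return NULL;
    return getenv(name);
}

/* What a real helper would check before trusting anything in its environment. */
int helper_is_setuid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pre-fix behaviour: the helper tries to pass through the caller's
 * DBUS_STARTER_ADDRESS. caller_value is the (constructed) value the
 * activating process put in the environment; NULL means unset.
 * In a setuid helper this always returns NULL: that is the regression. */
const char *starter_address_passthrough(const char *caller_value, int setuid_ctx)
{
    if (caller_value)
        setenv("DBUS_STARTER_ADDRESS", caller_value, 1);
    else
        unsetenv("DBUS_STARTER_ADDRESS");
    return secure_getenv_like("DBUS_STARTER_ADDRESS", setuid_ctx);
}

/* Post-fix behaviour: the starter address is a constant, so the activated
 * service can find the system bus no matter how the helper was invoked. */
const char *starter_address_fixed(void)
{
    return DEFAULT_SYSTEM_BUS_ADDRESS;
}

/* Build the minimal environment handed to the activated service: only the
 * two starter variables, nothing inherited from the caller. Returns the
 * number of entries written (excluding the NULL terminator); 0 when there is
 * no address to hand over. */
size_t build_child_env(const char *addr, const char *env[], size_t max)
{
    static char addr_entry[256];
    size_t n = 0;

    if (max < 3 || addr == NULL) {
        env[0] = NULL;
        return 0;
    }
    snprintf(addr_entry, sizeof addr_entry, "DBUS_STARTER_ADDRESS=%s", addr);
    env[n++] = addr_entry;
    env[n++] = "DBUS_STARTER_BUS_TYPE=system";
    env[n] = NULL;
    return n;
}

/* Convenience wrappers so the outcome can be checked as plain return values. */
size_t child_env_entries(const char *addr)
{
    const char *env[4];
    return build_child_env(addr, env, 4);
}

const char *child_env_first(const char *addr)
{
    const char *env[4];
    return build_child_env(addr, env, 4) ? env[0] : NULL;
}

int main(void)
{
    /* Constructed caller-chosen value; in a setuid helper it is never trusted. */
    const char *caller = "unix:path=/tmp/caller-chosen";

    printf("pass-through in setuid helper: %zu starter entries\n",
           child_env_entries(starter_address_passthrough(caller, 1)));
    printf("hardcoded default:             %zu starter entries (%s)\n",
           child_env_entries(starter_address_fixed()),
           child_env_first(starter_address_fixed()));
    printf("this process is %ssetuid\n", helper_is_setuid() ? "" : "not ");
    return 0;
}
```

Running it in an ordinary (non-setuid) shell shows the pass-through path producing no starter entry when the setuid flag is set, and two entries when the constant address is used; the unprivileged path still returns the caller's value, which is why the hardening only bites inside the helper.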