[Bug 1058343] [NEW] Regression in CVE-2012-3524 security update

Geoffrey Thomas geofft at ldpreload.com
Fri Sep 28 21:00:25 UTC 2012 

*** This bug is a security vulnerability ***

Public security bug reported:

There's a minor regression in CVE-2012-3524-dbus.patch, since dbus-
daemon-launch-helper is a setuid binary that links libdbus, and does its
own environment sanitization. Specifically, it attempts to pass through
DBUS_STARTER_ADDRESS, but that now fails, meaning a d-d-l-h-activated
program won't be able to find the system bus by asking for its starter
bus. (I believe there's no commonly-used software that depends on this,
but it's still documented as possible and d-d-l-h clearly attempts to
make it work, and my company has internal software that depended on
being able to ask for the starter bus.)

Colin Walters and I put together a patch that works around this:
http://cgit.freedesktop.org/dbus/dbus/commit/?id=f68dbdc3e6f895012ce33939fb524accf31bcca5
It depends on a predecessor commit that just removes the DBUS_VERBOSE logic in the activation helper, since it's not useful.

This is in the D-Bus 1.6.8 release. Those two commits should be
trivially backportable to older releases, though.

If you think this is serious enough to warrant an update, let me know if
you want debdiffs for the current Ubuntu releases. We're working around
this locally for now.

** Affects: dbus (Ubuntu)
     Importance: Undecided
         Status: New

** This bug has been flagged as a security vulnerability

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1058343

Title:
  Regression in CVE-2012-3524 security update

Status in “dbus” package in Ubuntu:
  New

Bug description:
  There's a minor regression in CVE-2012-3524-dbus.patch, since dbus-
  daemon-launch-helper is a setuid binary that links libdbus, and does
  its own environment sanitization. Specifically, it attempts to pass
  through DBUS_STARTER_ADDRESS, but that now fails, meaning a
  d-d-l-h-activated program won't be able to find the system bus by
  asking for its starter bus. (I believe there's no commonly-used
  software that depends on this, but it's still documented as possible
  and d-d-l-h clearly attempts to make it work, and my company has
  internal software that depended on being able to ask for the starter
  bus.)

  Colin Walters and I put together a patch that works around this:
  http://cgit.freedesktop.org/dbus/dbus/commit/?id=f68dbdc3e6f895012ce33939fb524accf31bcca5
  It depends on a predecessor commit that just removes the DBUS_VERBOSE logic in the activation helper, since it's not useful.

  This is in the D-Bus 1.6.8 release. Those two commits should be
  trivially backportable to older releases, though.

  If you think this is serious enough to warrant an update, let me know
  if you want debdiffs for the current Ubuntu releases. We're working
  around this locally for now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1058343/+subscriptions

More information about the foundations-bugs mailing list