Bug 885241 - (CVE-2014-3533) VUL-0: CVE-2014-3533: dbus-1: local denial of service (force system services to exit)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Fridrich Strba
QA Contact: Security Team bot
Whiteboard: maint:running:58147:moderate CVSSv2:N...
Reported: 2014-07-01 10:56 UTC by Victor Pereira
Modified: 2016-11-30 23:27 UTC (History)
Attachments:
0002-Handle-ETOOMANYREFS-when-sending-recursive-fds-SCM_R.patch (4.54 KB, patch), 2014-07-02 09:34 UTC, Marcus Meissner

Description Victor Pereira 2014-07-01 10:56:16 UTC
Alban Crequy at Collabora Ltd. discovered a bug in dbus-daemon's support
for file descriptor passing. A malicious process could force system
services or user applications to be disconnected from the D-Bus system
bus by sending them a message containing a file descriptor, then causing
that file descriptor to exceed the kernel's maximum recursion depth
(itself introduced to fix a DoS) before dbus-daemon forwards the message
to the victim process. Most services and applications exit when
disconnected from the system bus, leading to a denial of service. This
is tracked as fd.o#80163.

CVE-2014-3533

Additionally, Alban discovered that bug fd.o#79694, a bug previously
reported by Alejandro Martínez Suárez which was not believed to be a
security flaw, could be used for a similar denial of service, by causing
dbus-daemon to attempt to forward invalid file descriptors to a victim
process when file descriptors become associated with the wrong message.
Its security implications are tracked as fd.o#80469.

All versions of dbus with the file descriptor passing feature (1.3.0 and
up) are believed to be vulnerable.

Do we get a CVE ID for 80163 and a second CVE ID for 79694/80469, or a
single CVE ID covering both issues? We intend to fix both in the same
D-Bus releases (1.8.6, 1.6.22).

I already prepared a patch for 79694, which Alban has confirmed fixes
80469 too; Alban has prepared a patch for 80163. Both are currently
under review, so I'm not attaching them to this mail yet. I'll send them
when they're ready, and suggest a release date when we have known-good
patches for both issues.

references:

https://bugs.freedesktop.org/show_bug.cgi?id=79694
https://bugs.freedesktop.org/show_bug.cgi?id=80469
https://bugs.freedesktop.org/show_bug.cgi?id=80163
Comment 3 SMASH SMASH 2014-07-01 13:00:19 UTC
Affected packages:

SLE-10-SP3-TERADATA: dbus-1
SLE-11-SP3: dbus-1
Comment 4 Swamp Workflow Management 2014-07-01 13:05:17 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-07-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58147
Comment 5 SMASH SMASH 2014-07-01 13:10:15 UTC
Affected packages:

SLE-10-SP3-TERADATA: dbus-1
SLE-11-SP3: dbus-1
Comment 8 Swamp Workflow Management 2014-07-01 22:00:32 UTC
bugbot adjusting priority
Comment 10 Marcus Meissner 2014-07-02 09:34:57 UTC
Created attachment 596981 [details]
0002-Handle-ETOOMANYREFS-when-sending-recursive-fds-SCM_R.patch

second patch attached to the distros mail
Comment 11 Marcus Meissner 2014-07-02 09:35:44 UTC
I attached the second one, the first one was already there
Comment 13 Bernhard Wiedemann 2014-07-02 17:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (885241) was mentioned in
https://build.opensuse.org/request/show/239349 Factory / dbus-1
https://build.opensuse.org/request/show/239352 13.1 / dbus-1
https://build.opensuse.org/request/show/239353 12.3 / dbus-1
Comment 15 Fridrich Strba 2014-07-03 05:49:17 UTC
Just for the record: Two CVEs are associated with this issue:
CVE-2014-3532 and CVE-2014-3533. Both are fixed in above-mentioned packages.
Comment 16 Marcus Meissner 2014-07-03 07:34:15 UTC
http://www.openwall.com/lists/oss-security/2014/07/02/4

From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Subject: CVE-2014-3532, -3533: two local DoS vulnerabilities in dbus-daemon
Impact: denial of service (force system services to exit)
Access required: local
Versions affected by CVE-2014-3532: dbus >= 1.3.0 on Linux >= 2.6.37-rc4
Versions affected by CVE-2014-3533: dbus >= 1.3.0 on all Unix platforms

Alban Crequy at Collabora Ltd. discovered a bug in dbus-daemon's support
for file descriptor passing. A malicious process could force system
services or user applications to be disconnected from the D-Bus system
bus by sending them a message containing a file descriptor, then causing
that file descriptor to exceed the kernel's maximum recursion depth
(itself introduced to fix a DoS) before dbus-daemon forwards the message
to the victim process. Most services and applications exit when
disconnected from the system bus, leading to a denial of service. This
is tracked as fd.o#80163 and CVE-2014-3532.

Additionally, Alban discovered that bug fd.o#79694, a bug previously
reported by Alejandro Martínez Suárez which was not believed to be a
security flaw, could be used for a similar denial of service, by causing
dbus-daemon to attempt to forward invalid file descriptors to a victim
process when file descriptors become associated with the wrong message.
Its security implications are tracked as fd.o#80469 and CVE-2014-3533.

For the 1.8.x stable branch, these vulnerabilities are fixed in version
1.8.6. For the 1.6.x old-stable branch, these vulnerabilities are fixed
in version 1.6.22.

All earlier versions of dbus with the file descriptor passing feature
(1.3.0 and up) are believed to be vulnerable. Distributions that
backport security fixes should backport git commits
07f4c12efe3b9bd45d109bc5fbaf6d9dbf69d78e and
9ca90648fc870c24d852ce6d7ce9387a9fc9a94a, attached.

References:

[fd.o#79694] https://bugs.freedesktop.org/show_bug.cgi?id=79694
[fd.o#80469] https://bugs.freedesktop.org/show_bug.cgi?id=80469
[fd.o#80163] https://bugs.freedesktop.org/show_bug.cgi?id=80163
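The advisory above describes the failure at the level of the bus daemon: a forwarded message carries a file descriptor that the kernel refuses to pass on, and the victim connection is the one that pays for it. The attachment name on this bug (Handle-ETOOMANYREFS-when-sending-recursive-fds-SCM_RIGHTS) names the errno at which that refusal surfaces on Linux. The following C program is an added illustration, not dbus code and not the attached patch: it passes one descriptor over an AF_UNIX socketpair with SCM_RIGHTS, receives it on the other side, and separates a sendmsg() failure caused by the descriptor itself (ETOOMANYREFS) from an ordinary peer failure, so that a relay can decide which side a failed delivery belongs to. It does not construct a descriptor that hits the kernel's recursion limit, and it makes no claim about what the dbus fix does with that distinction; the enum names and helper functions are the example's own.

```c
/* Added example (not dbus code): relay one fd over a Unix socket with
 * SCM_RIGHTS and classify a sendmsg() failure. On Linux the kernel's
 * recursion limit for passed descriptors surfaces as ETOOMANYREFS at
 * sendmsg(); this code only detects that errno, it never provokes it. */
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>

enum relay_result {
    RELAY_OK = 0,
    RELAY_REJECTED_FD = 1,  /* kernel refused the descriptor itself: a property of the sender's payload */
    RELAY_PEER_ERROR = 2    /* the receiving connection or socket failed */
};

/* Map sendmsg() errno to the side a relay should attribute it to (example policy). */
enum relay_result classify_send_errno(int err)
{
    return err == ETOOMANYREFS ? RELAY_REJECTED_FD : RELAY_PEER_ERROR;
}

/* Send a one-byte payload plus fd_to_pass as an SCM_RIGHTS ancillary message. */
enum relay_result relay_send_fd(int sock, int fd_to_pass)
{
    char payload = 'F';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *c;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd_to_pass, sizeof(int));

    if (sendmsg(sock, &msg, 0) < 0)
        return classify_send_errno(errno);
    return RELAY_OK;
}

/* Receive one fd; returns the new descriptor or -1 if none arrived. */
int relay_recv_fd(int sock)
{
    char payload;
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *c;
    int fd;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) < 0)
        return -1;
    c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Constructed round trip: pass the read end of a pipe across a socketpair
 * and read the byte 'x' through the received descriptor.
 * Returns the byte read (120 for 'x'), or -1 on any failure. */
int demo_roundtrip(void)
{
    int sv[2], pfd[2], got, rc = -1;
    char ch;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (pipe(pfd) < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    if (write(pfd[1], "x", 1) == 1 && relay_send_fd(sv[0], pfd[0]) == RELAY_OK) {
        got = relay_recv_fd(sv[1]);
        if (got >= 0) {
            if (read(got, &ch, 1) == 1)
                rc = (unsigned char)ch;
            close(got);
        }
    }
    close(pfd[0]); close(pfd[1]); close(sv[0]); close(sv[1]);
    return rc;
}
```

The point of the classification is the one the advisory makes: once the kernel rejects a descriptor, a naive relay that treats every sendmsg() failure as "the recipient went away" will drop the recipient, which is exactly the forced disconnect described above. Distinguishing ETOOMANYREFS lets the relay attribute the failure to the message it was asked to forward instead.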
Comment 17 Marcus Meissner 2014-07-03 07:34:47 UTC
As the issues are in the file descriptor passing feature of dbus, and dbus 1.2 did not appear to have it, SLE11 and older are not affected.
Comment 18 Swamp Workflow Management 2014-07-21 08:04:28 UTC
openSUSE-SU-2014:0921-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 885241
CVE References: 
Sources used:
openSUSE 12.3 (src):    dbus-1-1.6.8-2.22.1, dbus-1-x11-1.6.8-2.22.1
Comment 19 Swamp Workflow Management 2014-07-21 08:08:20 UTC
openSUSE-SU-2014:0926-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 885241
CVE References: 
Sources used:
openSUSE 13.1 (src):    dbus-1-1.7.4-4.16.1, dbus-1-x11-1.7.4-4.16.2
Comment 20 Marcus Meissner 2014-09-17 06:08:41 UTC
was already released