Date: Fri, 14 Sep 2012 10:15:42 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: libdbus CVE-2012-3524 fix

On Wed, 12 Sep 2012 16:04:33 +0200 Sebastian Krahmer wrote:

> The recently discussed libdbus getenv() issue [1] turned out
> to be easily exploitable on various UNIX systems, including
> some Linux distributions. Common attack vectors are Xorg and
> spice-gtk via auto-launching [2].
> Properly patching requires fixes for libdbus and libgio,
> depending on which you link your suid binaries.

[ ... ]

> [2] http://stealth.openwall.net/null/dzug.c

Sebastian, can you confirm that this summary completely covers all your
findings?

There are problems with the handling of the DBUS_SYSTEM_BUS_ADDRESS environment
variable in both libdbus and glib/libgio when used in a privileged
(setuid or setgid) application.

libdbus is currently tracked via CVE-2012-3524, with two known attack
variants:
- unixexec:, which is only supported in recent dbus versions (1.5+ from
  what I can see)
- autolaunch: combined with malicious PATH setting, leading to
  execution of the attacker's dbus-launch.  This affects pre-1.5 dbus
  versions too.

libgio got CVE-2012-4425:
- autolaunch: or empty address, combined with PATH setting, similar to
  the second libdbus variant

-- 
Tomas Hoger / Red Hat Security Response Team
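As an added example, not part of this thread or of the libdbus/glib code: how a setuid or setgid client can decide not to honour DBUS_SYSTEM_BUS_ADDRESS at all, and how to recognise the address forms named above (unixexec:, autolaunch:, empty). The function names are hypothetical, and the default socket path is an assumption (the usual Linux location).

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE), glibc 2.16+ */
#endif

/* Assumed default system bus socket (the usual Linux location). */
#define DEFAULT_SYSTEM_BUS "unix:path=/var/run/dbus/system_bus_socket"

/* True when the process holds privileges its caller does not: the kernel's
 * AT_SECURE flag (setuid, setgid, file capabilities) or an id mismatch. */
bool running_privileged(void) {
#ifdef __linux__
    if (getauxval(AT_SECURE) != 0)
        return true;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* True if any entry of a ';'-separated bus address list is one of the
 * forms the thread describes as dangerous under setuid: "unixexec:",
 * "autolaunch:", or an empty address (which libgio treats as autolaunch). */
bool address_uses_exec_transport(const char *addr) {
    if (addr == NULL || *addr == '\0')
        return true;
    for (const char *p = addr; *p != '\0'; ) {
        size_t len = strcspn(p, ";");
        if (len == 0 ||
            (len >= 9 && strncasecmp(p, "unixexec:", 9) == 0) ||
            (len >= 11 && strncasecmp(p, "autolaunch:", 11) == 0))
            return true;
        p += len;
        if (*p == ';')
            p++;
    }
    return false;
}

/* Address the client should connect to. The environment value is ignored
 * entirely in a privileged process; an unprivileged one honours it unless
 * it is empty. */
const char *system_bus_address(bool privileged, const char *env_value) {
    if (privileged || env_value == NULL || *env_value == '\0')
        return DEFAULT_SYSTEM_BUS;
    return env_value;
}
```

A client would call `system_bus_address(running_privileged(), getenv("DBUS_SYSTEM_BUS_ADDRESS"))`; `address_uses_exec_transport()` is an independent check, useful for logging when a privileged process finds such a value in its environment.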
