Date: Fri, 14 Sep 2012 10:15:42 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: libdbus CVE-2012-3524 fix

On Wed, 12 Sep 2012 16:04:33 +0200 Sebastian Krahmer wrote:

> The recently discussed libdbus getenv() issue turned out
> to be easily exploitable on various UNIX systems, including
> some Linux distributions. Common attack vectors are Xorg and
> spice-gtk via auto-launching.
> Properly patching requires fixes for libdbus and libgio,
> depending on which you link your suid binaries.

[ ... ]

> http://stealth.openwall.net/null/dzug.c

Sebastian, can you confirm that this summary completely covers all your
findings?

There are problems with handling of DBUS_SYSTEM_BUS_ADDRESS environment
variable in both libdbus and glib/libgio when used in a privileged
(setuid or setgid) application.

libdbus is currently tracked via CVE-2012-3524, with two known attack
variants:
- unixexec:, which is only supported in recent dbus versions (1.5+ from
  what I can see)
- autolaunch: combined with malicious PATH setting, leading to execution
  of the attacker's dbus-launch. This affects pre-1.5 dbus versions too.

libgio got CVE-2012-4425:
- autolaunch: or empty address, combined with PATH setting, similar to
  the second libdbus variant

-- 
Tomas Hoger / Red Hat Security Response Team
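
The summary above comes down to a privileged process trusting a caller-controlled DBUS_SYSTEM_BUS_ADDRESS. The following C sketch is an example added here, not the libdbus or glib patch and not code from this thread: it classifies an address by the variants listed and falls back to a fixed address when the process is setuid or setgid. The function names, the enum and the default socket path are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed compiled-in default for the system bus. */
#define DEFAULT_SYSTEM_BUS "unix:path=/var/run/dbus/system_bus_socket"

enum addr_risk { ADDR_PLAIN, ADDR_EMPTY, ADDR_AUTOLAUNCH, ADDR_UNIXEXEC };

/* Real and effective ids differ when the binary is setuid or setgid. */
static int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Classify a bus address; it is a ';'-separated list, so check every entry. */
static enum addr_risk classify_address(const char *addr)
{
    enum addr_risk worst = ADDR_PLAIN;
    if (addr == NULL || *addr == '\0')
        return ADDR_EMPTY;
    while (addr != NULL) {
        if (strncmp(addr, "unixexec:", 9) == 0)
            return ADDR_UNIXEXEC;
        if (strncmp(addr, "autolaunch:", 11) == 0)
            worst = ADDR_AUTOLAUNCH;
        addr = strchr(addr, ';');
        if (addr != NULL)
            addr++;
    }
    return worst;
}

/* Privileged callers never honor the caller-controlled variable. */
static const char *choose_system_bus(const char *env_value, int privileged)
{
    if (privileged || classify_address(env_value) == ADDR_EMPTY)
        return DEFAULT_SYSTEM_BUS;
    return env_value;
}

int main(void)
{
    const char *env = getenv("DBUS_SYSTEM_BUS_ADDRESS");
    int priv = running_privileged();
    printf("privileged=%d risk=%d using=%s\n", priv,
           (int)classify_address(env), choose_system_bus(env, priv));
    return 0;
}
```

The autolaunch: variants also depend on PATH, so a privileged program that must spawn helpers should set PATH to a fixed value rather than inherit it.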