Date: Thu, 14 May 2015 15:38:57 +0100
From: Simon McVittie <simon.mcvittie@...labora.co.uk>
To: oss-security@...ts.openwall.com
CC: "dbus@...ts.freedesktop.org" <dbus@...ts.freedesktop.org>
Subject: security hardening in dbus 1.8.18, 1.9.16: avoiding weak PRNG

dbus <http://www.freedesktop.org/wiki/Software/dbus/> is the reference
implementation of D-Bus, an asynchronous inter-process communication
system, commonly used for system services or within a desktop session on
Linux and other operating systems.

I released dbus 1.8.18 today with a security-hardening change. We are
not treating this as a security vulnerability (and so are not requesting
a CVE ID) because we do not believe the failure mode can be induced by
an attacker.

The bug: while processing Coverity warnings, we noticed that libdbus'
random number generator abstraction would silently fall back to a very
weak PRNG (libc rand()) if /dev/urandom (or Windows equivalent) could
not be read, or if malloc() returned NULL during random number
generation. Among other things, this random number generator is used by
the DBUS_COOKIE_SHA1 authentication mechanism, which reads and writes
random "cookies" in the home directory as a way for peers to prove that
they have access.

Mitigation: in 1.8.18, we have mitigated this by changing the default
session bus configuration on Unix platforms to require EXTERNAL
(credentials-passing) authentication, i.e. disabling the
DBUS_COOKIE_SHA1 authentication mechanism by default.

http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=d9ab8931822999336b84cac0499a12e11c11e298

Fix: In the development branch (in which I'm currently doing the release
smoke-testing for 1.9.16), we have removed the fallback entirely.
Unfortunately this change involves adding more error-handling code
paths, so we consider it to be too intrusive for 1.8.x.

http://cgit.freedesktop.org/dbus/dbus/commit/?id=f180a839727981c8896056a35df17768d54eada6
http://cgit.freedesktop.org/dbus/dbus/commit/?id=49646211f3c8dcdc3728f4059c61c05ef4df857c
http://cgit.freedesktop.org/dbus/dbus/commit/?id=f385324d8b03eab13f3e618ce9a0018977c9a7cb
http://cgit.freedesktop.org/dbus/dbus/commit/?id=bcdead0fd4642a5e8985981c1583d40ff779299a

Bug tracked as: https://bugs.freedesktop.org/show_bug.cgi?id=90414
Versions with fix: >= 1.9.16
Versions with mitigation: 1.8.x >= 1.8.18
Versions affected: all older dbus releases
Credit: Ralf Habacker, Simon McVittie

-- 
Simon McVittie, Collabora Ltd.
on behalf of the D-Bus maintainers
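The failure mode described above, as an added illustration that is not libdbus source: a random-byte helper that silently falls back to libc rand() when the entropy device cannot be read, next to the fail-closed form that reports the error so the caller can refuse to mint a cookie. The `path` parameter and `demo()` helper are assumptions added so the missing-device case can be exercised.

```c
/* Constructed example, not dbus code: weak fallback vs. fail-closed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read n bytes from the given entropy device; -1 on any failure. */
static int read_urandom(const char *path, unsigned char *buf, size_t n)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Weak pattern: on failure, fill from rand() and still report success,
 * so a DBUS_COOKIE_SHA1-style cookie built from buf is predictable. */
int random_bytes_weak(const char *path, unsigned char *buf, size_t n)
{
    if (read_urandom(path, buf, n) == 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char) rand();   /* predictable fallback */
    return 0;                              /* caller cannot tell */
}

/* Hardened pattern: no fallback; zero the buffer and return an error
 * so the caller must abort cookie generation instead of using weak bytes. */
int random_bytes_strict(const char *path, unsigned char *buf, size_t n)
{
    if (read_urandom(path, buf, n) == 0)
        return 0;
    memset(buf, 0, n);
    return -1;
}

/* Hypothetical helper: run one variant against a device path and return
 * its status code (0 = "success" reported to the caller, -1 = error). */
int demo(const char *path, int strict)
{
    unsigned char buf[16];
    return strict ? random_bytes_strict(path, buf, sizeof buf)
                  : random_bytes_weak(path, buf, sizeof buf);
}

int main(void)
{
    const char *missing = "/nonexistent/urandom";  /* constructed path */
    printf("weak:   %d\n", demo(missing, 0));      /* 0: silent fallback */
    printf("strict: %d\n", demo(missing, 1));      /* -1: fails closed */
    return 0;
}
```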
