Date: Thu, 14 May 2015 15:38:57 +0100 From: Simon McVittie <simon.mcvittie@...labora.co.uk> To: oss-security@...ts.openwall.com CC: "dbus@...ts.freedesktop.org" <dbus@...ts.freedesktop.org> Subject: security hardening in dbus 1.8.18, 1.9.16: avoiding weak PRNG dbus <http://www.freedesktop.org/wiki/Software/dbus/> is the reference implementation of D-Bus, an asynchronous inter-process communication system, commonly used for system services or within a desktop session on Linux and other operating systems. I released dbus 1.8.18 today with a security-hardening change. We are not treating this as a security vulnerability (and so are not requesting a CVE ID) because we do not believe the failure mode can be induced by an attacker. The bug: while processing Coverity warnings, we noticed that libdbus' random number generator abstraction would silently fall back to a very weak PRNG (libc rand()) if /dev/urandom (or Windows equivalent) could not be read, or if malloc() returned NULL during random number generation. Among other things, this random number generator is used by the DBUS_COOKIE_SHA1 authentication mechanism, which reads and writes random "cookies" in the home directory as a way for peers to prove that they have access. Mitigation: in 1.8.18, we have mitigated this by changing the default session bus configuration on Unix platforms to require EXTERNAL (credentials-passing) authentication, i.e. disabling the DBUS_COOKIE_SHA1 authentication mechanism by default. http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=d9ab8931822999336b84cac0499a12e11c11e298 Fix: In the development branch (in which I'm currently doing the release smoke-testing for 1.9.16), we have removed the fallback entirely. Unfortunately this change involves adding more error-handling code paths, so we consider it to be too intrusive for 1.8.x. http://cgit.freedesktop.org/dbus/dbus/commit/?id=f180a839727981c8896056a35df17768d54eada6 http://cgit.freedesktop.org/dbus/dbus/commit/?id=49646211f3c8dcdc3728f4059c61c05ef4df857c http://cgit.freedesktop.org/dbus/dbus/commit/?id=f385324d8b03eab13f3e618ce9a0018977c9a7cb http://cgit.freedesktop.org/dbus/dbus/commit/?id=bcdead0fd4642a5e8985981c1583d40ff779299a Bug tracked as: https://bugs.freedesktop.org/show_bug.cgi?id=90414 Versions with fix: >= 1.9.16 Versions with mitigation: 1.8.x >= 1.8.18 Versions affected: all older dbus releases Credit: Ralf Habacker, Simon McVittie -- Simon McVittie, Collabora Ltd. on behalf of the D-Bus maintainers
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ