Date: Thu, 14 May 2015 15:38:57 +0100
From: Simon McVittie <>
Subject: security hardening in dbus 1.8.18, 1.9.16: avoiding weak PRNG

dbus is the reference
implementation of D-Bus, an asynchronous inter-process communication
system, commonly used for system services or within a desktop session on
Linux and other operating systems.

I released dbus 1.8.18 today with a security-hardening change. We are
not treating this as a security vulnerability (and so are not requesting
a CVE ID) because we do not believe the failure mode can be induced by
an attacker.

The bug: while processing Coverity warnings, we noticed that libdbus'
random number generator abstraction would silently fall back to a very
weak PRNG (libc rand()) if /dev/urandom (or Windows equivalent) could
not be read, or if malloc() returned NULL during random number
generation. Among other things, this random number generator is used by
the DBUS_COOKIE_SHA1 authentication mechanism, which reads and writes
random "cookies" in the home directory as a way for peers to prove that
they have access.

Mitigation: in 1.8.18, we have mitigated this by changing the default
session bus configuration on Unix platforms to require EXTERNAL
(credentials-passing) authentication, i.e. disabling the
DBUS_COOKIE_SHA1 authentication mechanism by default.

Fix: In the development branch (in which I'm currently doing the release
smoke-testing for 1.9.16), we have removed the fallback entirely.
Unfortunately this change involves adding more error-handling code
paths, so we consider it to be too intrusive for 1.8.x.
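
As an added illustration (not libdbus code), the silent-fallback pattern described above is shown beside a fail-closed replacement of the kind the 1.9.16 fix adopts. The function names, the 16-byte cookie size, the 0/-1 return convention and the zeroing of the buffer on failure are assumptions of this example.

```c
/* Added example, not libdbus code: the silent-fallback pattern the post
 * describes beside a fail-closed version.  Names, the 16-byte cookie size,
 * the 0 / -1 error convention and wiping on failure are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COOKIE_LEN 16

/* Read exactly n bytes from the named entropy source.
 * Returns 0 on success, -1 on any failure (unreadable device, short read). */
static int read_entropy(const char *source, unsigned char *buf, size_t n)
{
    FILE *f = fopen(source, "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* The pattern the announcement warns about: when the real source fails,
 * quietly fill the cookie from libc rand().  The caller receives a cookie
 * either way and has no way to tell the weak one from the strong one. */
static void cookie_weak_fallback(const char *source, unsigned char *cookie)
{
    if (read_entropy(source, cookie, COOKIE_LEN) == 0)
        return;
    for (size_t i = 0; i < COOKIE_LEN; i++)
        cookie[i] = (unsigned char) rand();   /* predictable output */
}

/* Fail-closed version: an entropy failure is reported to the caller and
 * the partially written buffer is wiped, so authentication cannot proceed
 * with a guessable secret.  The caller must handle the -1. */
static int cookie_fail_closed(const char *source, unsigned char *cookie)
{
    if (read_entropy(source, cookie, COOKIE_LEN) != 0) {
        memset(cookie, 0, COOKIE_LEN);
        return -1;
    }
    return 0;
}

/* Returns 1 if the cookie is all zero (wiped or never set), else 0. */
static int cookie_is_blank(const unsigned char *cookie)
{
    for (size_t i = 0; i < COOKIE_LEN; i++)
        if (cookie[i] != 0)
            return 0;
    return 1;
}
```

Pointing both functions at a path that does not exist (standing in for an unreadable /dev/urandom) shows the difference: the fallback version hands back a cookie anyway, the fail-closed version returns -1 and a zeroed buffer.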

Bug tracked as:
Versions with fix: >= 1.9.16
Versions with mitigation: 1.8.x >= 1.8.18
Versions affected: all older dbus releases
Credit: Ralf Habacker, Simon McVittie

Simon McVittie, Collabora Ltd.
on behalf of the D-Bus maintainers
