Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 13 Sep 2012 13:31:36 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Sebastian Krahmer <krahmer@...e.de>, Tomas Hoger <thoger@...hat.com>
Subject: Re: libdbus CVE-2012-3524 fix

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/12/2012 08:04 AM, Sebastian Krahmer wrote:
> 
> Hi,
> 
> As the CRD is today, and list policy requires "opening" the 
> distros-list posting, here is the forward.
> 
> As a quick fix, the exploit can also be mitigated by properly 
> placing the dbus-launch binary into the expected path, usually 
> "/bin/dbus-launch", e.g.
> 
> # ln -s /usr/bin/dbus-launch /bin/dbus-launch
> 
> since for some reason, on most dists the binary is mis-placed into
> /usr/bin. This makes an execv() fail in libdbus itself, triggering
> an execvp().
> 
> Sebastian
> 
> ----- Forwarded message from Sebastian Krahmer <krahmer@...e.de>
> -----
> 
> 
> Hi,
> 
> The recently discussed libdbus getenv() issue [1] turned out to be
> easily exploitable on various UNIX systems, including some Linux
> distributions. Common attack vectors are Xorg and spice-gtk via
> auto-launching [2]. Properly patching requires fixes for libdbus
> and libgio, depending on which you link your suid binaries. Would
> be nice if someone from RH could forward their patch, as they have
> some developers upstream and possibly access to the private git
> commit (they also already assigned this CVE). My CRD proposal is
> Sept. 12th. As can be seen in [1], this issue is indeed public
> since 1+ year.
> 
> Sebastian
> 
> [1] https://bugzilla.novell.com/show_bug.cgi?id=697105 [2]
> http://stealth.openwall.net/null/dzug.c
> 
> PS: This is a re-send, the first mail to distros list was probably 
> catched by spam filter.
> 

There is a second vulnerability as well:

spice(with naughty env variables)+glib = glib executes "dbus-launch"
from USER specific $PATH with elevated privileges.

Please use CVE-2012-4425 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQUjSYAAoJEBYNRVNeJnmTk4sP+wdzE9/wHfqNVfYVcFmznaVJ
L7WpVi6uQ0cLhQJAjePXn5Pd4yTVTFFDsbyeTj5KYOjtm3SFDKkXKP5J35IOh2F5
hISU6tXeraLfBaODyjLrI92v+HaXjBRD0j9yF3NJRTvBrV8XR7zFIO/jPZbfynR0
sWQbEs+kR9HWO3gbovTKNLK5QOz7Q86l9zR7NysFD3NAP4H8oqMcZXkHoRrhsmRd
MeovVqtvrV1F1YjPg+XjX3cUx6iKsxhSlBXDCWKsNCgOE8T/8yfoy4N8ySYilp+2
fDf+0dkvieyjYgmQHZikiQqQwGPRSvMbN3SB4wT1Ft81HDWehm9szoL3GVjawTeg
nRPDqTEmXGd2FhDSH8QOtEAg/Y6Ju/rLI3CKv1Ee/uupNsX36xZsXvbFdYdTs/bv
j8yfCMqiDJwdtEkjRUJODTaiyEffo0NRfzw1v/eQgXNi3EqeO9zbEbCi7iNQpdpj
jEwKN4qTx35zV3YtSKV/GXVgzluL3v4X9BzhJmgai7vAw6DbnFaLrzKfRdww0OFK
pkaX7dSXrTWLeDKz+/9C6W5o7lubShiZP0/J/db4Dsc/sR5NonJdmqZsDlKW8qDW
75a3LvbSEcaxHqY8qPJjM9tVva8ULU7G5llgkH9w8IUzge+rv7MCC8kET8V9FUrO
XLFf6X3InO+8d17jAmZg
=4Pz0
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.