Date: Thu, 14 May 2015 15:38:57 +0100
From: Simon McVittie <>
CC: "" <>
Subject: security hardening in dbus 1.8.18, 1.9.16: avoiding weak PRNG

dbus <> is the reference
implementation of D-Bus, an asynchronous inter-process communication
system, commonly used for system services or within a desktop session on
Linux and other operating systems.

I released dbus 1.8.18 today with a security-hardening change. We are
not treating this as a security vulnerability (and so are not requesting
a CVE ID) because we do not believe the failure mode can be induced by
an attacker.

The bug: while processing Coverity warnings, we noticed that libdbus'
random number generator abstraction would silently fall back to a very
weak PRNG (libc rand()) if /dev/urandom (or Windows equivalent) could
not be read, or if malloc() returned NULL during random number
generation. Among other things, this random number generator is used by
the DBUS_COOKIE_SHA1 authentication mechanism, which reads and writes
random "cookies" in the home directory as a way for peers to prove that
they have access.

Mitigation: in 1.8.18, we have mitigated this by changing the default
session bus configuration on Unix platforms to require EXTERNAL
(credentials-passing) authentication, i.e. disabling the
DBUS_COOKIE_SHA1 authentication mechanism by default.

Fix: in the development branch (in which I'm currently doing the release
smoke-testing for 1.9.16), we have removed the fallback entirely.
Unfortunately this change involves adding more error-handling code
paths, so we consider it to be too intrusive for 1.8.x.
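As an added illustration (not libdbus code) of the two behaviours described above: the weak pattern silently pads the buffer with rand() when the entropy source cannot be read, while the fail-closed version reports every failure, including malloc() returning NULL, so the caller never receives a weak cookie. The entropy-source path is a parameter so the failure cases can be exercised.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes for the fail-closed generator (names are assumptions). */
enum rng_status { RNG_OK = 0, RNG_ERR_OPEN = -1, RNG_ERR_SHORT_READ = -2 };

/* The problematic pattern: if the entropy source cannot be read, quietly
 * finish the buffer with libc rand(). The caller has no way to notice. */
static void weak_random_bytes(const char *source, unsigned char *buf, size_t len)
{
    FILE *f = fopen(source, "rb");
    size_t got = 0;
    if (f != NULL) {
        got = fread(buf, 1, len, f);
        fclose(f);
    }
    for (size_t i = got; i < len; i++)   /* silent fallback to a weak PRNG */
        buf[i] = (unsigned char) rand();
}

/* Hardened version: nothing is ever substituted for real entropy; any
 * failure is returned to the caller and the buffer is not left half-filled. */
static int strong_random_bytes(const char *source, unsigned char *buf, size_t len)
{
    FILE *f = fopen(source, "rb");
    if (f == NULL)
        return RNG_ERR_OPEN;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    if (got != len) {
        memset(buf, 0, len);
        return RNG_ERR_SHORT_READ;
    }
    return RNG_OK;
}

/* Build a cookie-style secret of `len` bytes. Returns NULL on any failure,
 * including allocation failure, instead of degrading to a weak cookie. */
static unsigned char *make_cookie(const char *source, size_t len)
{
    unsigned char *cookie = malloc(len);
    if (cookie == NULL)
        return NULL;                      /* malloc() failure is an error, not a fallback */
    if (strong_random_bytes(source, cookie, len) != RNG_OK) {
        free(cookie);
        return NULL;
    }
    return cookie;
}
```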

Bug tracked as:
Versions with fix: >= 1.9.16
Versions with mitigation: 1.8.x >= 1.8.18
Versions affected: all older dbus releases
Credit: Ralf Habacker, Simon McVittie

Simon McVittie, Collabora Ltd.
on behalf of the D-Bus maintainers
