Your message dated Sat, 12 Jan 2013 23:47:04 +0000
with message-id <[email protected]>
and subject line Bug#689070: fixed in dbus 1.2.24-4+squeeze2
has caused the Debian Bug report #689070,
regarding Please take upstream D-Bus patches for CVE-2012-3524
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
689070: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689070
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dbus
Severity: serious
Justification: local privilege escalation
Tags: security

Hi,

CVE-2012-3524 is about setuid binaries linking libdbus being easily trickable to do bad things via a malicious PATH (for finding dbus-launch), or through a DBUS_* address variable using the unixexec address type. Initially the D-Bus developers thought that this should be fixed on the application side (hence the comment in the security-tracker), but decided that it would be better to have a defense-in-depth approach, and change _dbus_getenv to not succeed if the current program is setuid or similar, since that's faster than patching every relevant program.

There's a patch in the D-Bus 1.6.6 release that implements this. Many other distros, including RHEL/Fedora, SUSE, and Ubuntu have taken this patch already. There are some other hardening things in the 1.6.6 release that broke gnome-keyring, prompting a 1.6.8 release a few hours later to revert those; you should either take 1.6.8, or just backport the four patches that weren't reverted in 1.6.8:

http://cgit.freedesktop.org/dbus/dbus/commit/?id=23fe78ceefb6cefcd58a49c77d1154b68478c8d2
http://cgit.freedesktop.org/dbus/dbus/commit/?id=4b351918b9f70eaedbdb3ab39208bc1f131efae0
http://cgit.freedesktop.org/dbus/dbus/commit/?id=57ae3670508bbf4ec57049de47c9cae727a64802
http://cgit.freedesktop.org/dbus/dbus/commit/?id=f68dbdc3e6f895012ce33939fb524accf31bcca5

I think these are all easily backportable, but I'm happy to supply a debdiff if that'd make it easier for you.

More discussion of the issue can be found at

https://bugs.freedesktop.org/show_bug.cgi?id=52202
https://bugzilla.novell.com/show_bug.cgi?id=697105
https://bugzilla.redhat.com/show_bug.cgi?id=847402
http://seclists.org/oss-sec/2012/q3/29

--
Geoffrey Thomas
[email protected]

--- End Message ---
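The defense in depth the report describes, as an added example that is not D-Bus project code: a getenv wrapper that refuses to return inherited environment values (PATH used to find dbus-launch, DBUS_* bus addresses) when the process runs setuid/setgid, so callers fall back to compiled-in defaults. Following the 1.6.8 behaviour noted in the fixed package's changelog, only real-vs-effective uid/gid is checked, not filesystem capabilities; `hardened_getenv`, `env_value_if_trusted` and `trusted_or_default` are hypothetical names, and the fallback values are constructed for the demo.

```c
/* Added example, not D-Bus code: ignore caller-controlled environment
 * variables when running with elevated privilege (setuid/setgid). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* True when real and effective IDs differ: the binary is setuid/setgid and
 * its environment came from a caller with fewer privileges. As in upstream
 * 1.6.8, filesystem capabilities are deliberately not checked here. */
bool running_setuid_or_setgid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Policy kept separate from process state so it can be exercised directly:
 * a privileged process never sees the raw value (NULL). */
const char *env_value_if_trusted(bool privileged, const char *raw)
{
    return privileged ? NULL : raw;
}

/* Hypothetical hardened_getenv(): like getenv(3) but fails (NULL) in a
 * setuid/setgid process, the behaviour the report describes for _dbus_getenv. */
const char *hardened_getenv(const char *name)
{
    return env_value_if_trusted(running_setuid_or_setgid(), getenv(name));
}

/* Use the environment value only if trusted and non-empty, else a fixed
 * default. Serves both PATH (locating dbus-launch) and bus addresses. */
const char *trusted_or_default(bool privileged, const char *raw,
                               const char *fallback)
{
    const char *v = env_value_if_trusted(privileged, raw);
    return (v != NULL && v[0] != '\0') ? v : fallback;
}

int main(void)
{
    bool priv = running_setuid_or_setgid();
    /* Real variable names; the fallback strings are constructed defaults. */
    const char *path = trusted_or_default(priv, getenv("PATH"), "/usr/bin:/bin");
    const char *addr = trusted_or_default(priv, getenv("DBUS_SYSTEM_BUS_ADDRESS"),
                                          "unix:path=/var/run/dbus/system_bus_socket");
    printf("privileged=%d\nPATH=%s\naddress=%s\n", priv, path, addr);
    return 0;
}
```

Run it normally and the environment is honoured; the check only takes effect once the binary is installed setuid or setgid.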
--- Begin Message ---
Source: dbus
Source-Version: 1.2.24-4+squeeze2

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 04 Oct 2012 08:47:10 +0100
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev dbus-1-dbg
Architecture: source all i386
Version: 1.2.24-4+squeeze2
Distribution: squeeze
Urgency: low
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Description: 
 dbus       - simple interprocess messaging system
 dbus-1-dbg - simple interprocess messaging system (debug symbols)
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 689070
Changes: 
 dbus (1.2.24-4+squeeze2) stable; urgency=low
 .
   * CVE-2012-3524: apply patches from upstream 1.6.6 to avoid arbitrary
     code execution in setuid/setgid binaries that incorrectly use libdbus
     without first sanitizing the environment variables inherited from
     their less-privileged caller (Closes: #689070).
     - As per upstream 1.6.8, do not check filesystem capabilities for now,
       only setuid/setgid, fixing regressions in certain configurations of
       gnome-keyring


--- End Message ---
