oss-sec mailing list archives
Re: libdbus CVE-2012-3524 fix
From: Tomas Hoger <thoger () redhat com>
Date: Fri, 14 Sep 2012 10:15:42 +0200
On Wed, 12 Sep 2012 16:04:33 +0200 Sebastian Krahmer wrote:

> The recently discussed libdbus getenv() issue [1] turned out to be easily exploitable on various UNIX systems, including some Linux distributions. Common attack vectors are Xorg and spice-gtk via auto-launching [2]. Properly patching requires fixes for libdbus and libgio, depending on which you link your suid binaries.
>
> [ ... ]
>
> [2] http://stealth.openwall.net/null/dzug.c
Sebastian, can you confirm that this summary completely covers all your findings?

There are problems with handling of the DBUS_SYSTEM_BUS_ADDRESS environment variable in both libdbus and glib/libgio when used in a privileged (setuid or setgid) application.

libdbus is currently tracked via CVE-2012-3524, with two known attack variants:

- unixexec:, which is only supported in recent dbus versions (1.5+ from what I can see)
- autolaunch: combined with a malicious PATH setting, leading to execution of the attacker's dbus-launch. This affects pre-1.5 dbus versions too.

libgio got CVE-2012-4425:

- autolaunch: or empty address, combined with PATH setting, similar to the second libdbus variant

-- 
Tomas Hoger / Red Hat Security Response Team
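The common root of both CVEs summarised above is a library trusting an environment variable (DBUS_SYSTEM_BUS_ADDRESS, and indirectly PATH) inside a process that runs with elevated privileges, where the environment is controlled by an untrusted caller. The following is an added illustration of the defensive policy a library or setuid program can apply; it is not code from libdbus, glib, or anyone in this thread, and the names `creds`, `creds_are_elevated`, `address_spawns_process` and `choose_system_bus_address` are hypothetical. The credential struct is constructed so the policy can be exercised without actually being setuid.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Well-known default location of the system bus socket. */
#define DEFAULT_SYSTEM_BUS_ADDRESS "unix:path=/var/run/dbus/system_bus_socket"

/* Constructed snapshot of process credentials (hypothetical type), so the
 * decision logic can be tested without running a real setuid binary. */
struct creds {
    uid_t uid, euid;
    gid_t gid, egid;
};

/* A process counts as privileged when its real and effective ids differ:
 * it was started setuid/setgid by a caller who controls the environment.
 * (On glibc, AT_SECURE / secure_getenv() answer the same question; the
 * explicit comparison keeps this example portable.) */
static bool creds_are_elevated(const struct creds *c)
{
    return c->uid != c->euid || c->gid != c->egid;
}

static bool has_prefix(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* The two transports named in the thread make the library spawn a helper:
 * autolaunch: looks up dbus-launch via PATH, unixexec: runs the program
 * named in the address itself. An address may be a ';'-separated list of
 * alternatives, so every entry is inspected. */
static bool address_spawns_process(const char *addr)
{
    const char *p = addr;
    while (*p != '\0') {
        if (has_prefix(p, "autolaunch:") || has_prefix(p, "unixexec:"))
            return true;
        const char *sep = strchr(p, ';');
        if (sep == NULL)
            break;
        p = sep + 1;
    }
    return false;
}

/* Decide which system bus address a process should actually use.
 * env_addr is the value of DBUS_SYSTEM_BUS_ADDRESS, or NULL if unset. */
static const char *choose_system_bus_address(const char *env_addr,
                                             const struct creds *c)
{
    /* Unset or empty: use the fixed default rather than falling back to
     * auto-launching (the empty-address case from the libgio report). */
    if (env_addr == NULL || *env_addr == '\0')
        return DEFAULT_SYSTEM_BUS_ADDRESS;

    /* Privileged process: the environment belongs to the untrusted caller,
     * so ignore it entirely instead of trying to sanitise individual values. */
    if (creds_are_elevated(c))
        return DEFAULT_SYSTEM_BUS_ADDRESS;

    /* Unprivileged, but still refuse spawning transports for the *system*
     * bus: its location is fixed and never needs a helper process. */
    if (address_spawns_process(env_addr))
        return DEFAULT_SYSTEM_BUS_ADDRESS;

    return env_addr;
}

int main(void)
{
    /* Constructed credentials: a setuid-root helper started by uid 1000. */
    struct creds setuid_root = { 1000, 0, 1000, 1000 };
    struct creds plain_user  = { 1000, 1000, 1000, 1000 };

    printf("setuid, unixexec: -> %s\n",
           choose_system_bus_address("unixexec:path=/tmp/constructed", &setuid_root));
    printf("plain, unix:      -> %s\n",
           choose_system_bus_address("unix:path=/tmp/constructed_bus", &plain_user));
    return 0;
}
```

In a real library the credential check would read getuid()/geteuid() and getgid()/getegid() of the running process (or AT_SECURE where available) rather than a passed-in struct; the point is that the decision is made before any environment value is parsed, so neither transport variant nor a hostile PATH is ever reached from a privileged process.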