oss-sec mailing list archives

Re: libdbus CVE-2012-3524 fix


From: Tomas Hoger <thoger () redhat com>
Date: Fri, 14 Sep 2012 10:15:42 +0200

On Wed, 12 Sep 2012 16:04:33 +0200 Sebastian Krahmer wrote:

> The recently discussed libdbus getenv() issue [1] turned out
> to be easily exploitable on various UNIX systems, including
> some Linux distributions. Common attack vectors are Xorg and
> spice-gtk via auto-launching [2].
> Properly patching requires fixes for libdbus and libgio,
> depending on which you link your suid binaries.
>
> [ ... ]
>
> [2] http://stealth.openwall.net/null/dzug.c

Sebastian, can you confirm that this summary completely covers all your
findings?

There are problems with handling of DBUS_SYSTEM_BUS_ADDRESS environment
variable in both libdbus and glib/libgio when used in a privileged
(setuid or setgid) application.

libdbus is currently tracked via CVE-2012-3524, with two known attack
variants:
- unixexec:, which is only supported in recent dbus versions (1.5+ from
  what I can see)
- autolaunch: combined with malicious PATH setting, leading to
  execution of the attacker's dbus-launch.  This affects pre-1.5 dbus
  versions too.

libgio got CVE-2012-4425:
- autolaunch: or empty address, combined with PATH setting, similar to
  the second libdbus variant

-- 
Tomas Hoger / Red Hat Security Response Team
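
The two attack variants summarised in the message above (a privileged process honouring DBUS_SYSTEM_BUS_ADDRESS, where a unixexec: or autolaunch: address makes the library run a program chosen via the untrusted environment) come down to one policy: a setuid/setgid process must not read that variable at all. The following is an added example illustrating that policy; it is not code from dbus or glib, and the function names, the privilege check and the hard-coded default socket path are assumptions made for the example. The address-inspection helper is a defence-in-depth check on top of the core fix, covering the empty-address case the libgio entry mentions.

```c
/* Added example (not dbus or glib code): how a library linked into a
 * setuid/setgid binary should treat DBUS_SYSTEM_BUS_ADDRESS.
 * Function names and the default socket path are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Well-known system bus socket; assumed default for this example. */
#define DEFAULT_SYSTEM_BUS_ADDRESS "unix:path=/var/run/dbus/system_bus_socket"

/* A process counts as privileged when its effective ids differ from its
 * real ids, i.e. it was started from a setuid/setgid binary. On glibc,
 * secure_getenv() answers the same question by returning NULL in that
 * case; the check is spelled out here so the logic is visible. */
int process_is_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Returns 1 if any entry of a ';'-separated address list uses a
 * transport that executes a program named by the address itself or
 * looked up via PATH: unixexec: (dbus 1.5+) and autolaunch: (all
 * versions, which runs dbus-launch found on PATH). An empty address is
 * treated as autolaunch, mirroring the libgio behaviour described. */
int address_spawns_process(const char *address)
{
    if (address == NULL || *address == '\0')
        return 1;
    const char *p = address;
    while (*p) {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if ((len >= 9 && strncmp(p, "unixexec:", 9) == 0) ||
            (len >= 11 && strncmp(p, "autolaunch:", 11) == 0))
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Choose the system bus address. The environment value and privilege
 * flag are passed in explicitly so the policy can be unit-tested
 * without touching the real environment or real uids. */
const char *select_system_bus_address(const char *env_value, int privileged)
{
    /* Core fix: a privileged process never trusts the environment for
     * this setting and always uses the compiled-in default. */
    if (privileged)
        return DEFAULT_SYSTEM_BUS_ADDRESS;
    /* Unset or empty: fall back to the default as well. */
    if (env_value == NULL || *env_value == '\0')
        return DEFAULT_SYSTEM_BUS_ADDRESS;
    return env_value;
}

int main(void)
{
    int priv = process_is_privileged();
    const char *addr = select_system_bus_address(getenv("DBUS_SYSTEM_BUS_ADDRESS"), priv);
    printf("privileged=%d address=%s spawns_process=%d\n",
           priv, addr, address_spawns_process(addr));
    return 0;
}
```

Run unprivileged, the program reports whatever DBUS_SYSTEM_BUS_ADDRESS is set to; run from a setuid wrapper it reports the default socket regardless of the environment. The point of keeping the environment value as a parameter rather than calling getenv() inside select_system_bus_address() is that the decision becomes a pure function that can be tested against the exact inputs the two CVEs describe.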

