Your message dated Sat, 29 Sep 2012 13:47:38 +0000
with message-id <e1thxom-0006ur...@franck.debian.org>
and subject line Bug#689070: fixed in dbus 1.6.8-1
has caused the Debian Bug report #689070,
regarding Please take upstream D-Bus patches for CVE-2012-3524
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
689070: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689070
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dbus
Severity: serious
Justification: local privilege escalation
Tags: security
Hi,
CVE-2012-3524 is about setuid binaries linking libdbus being easily
trickable to do bad things via a malicious PATH (for finding dbus-launch),
or through a DBUS_* address variable using the unixexec address type.
Initially the D-Bus developers thought that this should be fixed on the
application side (hence the comment in the security-tracker), but decided
that it would be better to have a defense-in-depth approach, and change
_dbus_getenv to not succeed if the current program is setuid or similar,
since that's faster than patching every relevant program.
There's a patch in the D-Bus 1.6.6 release that implements this. Many
other distros, including RHEL/Fedora, SUSE, and Ubuntu, have taken this
patch already. There are some other hardening things in the 1.6.6 release
that broke gnome-keyring, prompting a 1.6.8 release a few hours later to
revert those; you should either take 1.6.8, or just backport the four
patches that weren't reverted in 1.6.8:
http://cgit.freedesktop.org/dbus/dbus/commit/?id=23fe78ceefb6cefcd58a49c77d1154b68478c8d2
http://cgit.freedesktop.org/dbus/dbus/commit/?id=4b351918b9f70eaedbdb3ab39208bc1f131efae0
http://cgit.freedesktop.org/dbus/dbus/commit/?id=57ae3670508bbf4ec57049de47c9cae727a64802
http://cgit.freedesktop.org/dbus/dbus/commit/?id=f68dbdc3e6f895012ce33939fb524accf31bcca5
I think these are all easily backportable, but I'm happy to supply a
debdiff if that'd make it easier for you.
More discussion of the issue can be found at
https://bugs.freedesktop.org/show_bug.cgi?id=52202
https://bugzilla.novell.com/show_bug.cgi?id=697105
https://bugzilla.redhat.com/show_bug.cgi?id=847402
http://seclists.org/oss-sec/2012/q3/29
--
Geoffrey Thomas
gtho...@mokafive.com
--- End Message ---
--- Begin Message ---
Source: dbus
Source-Version: 1.6.8-1
We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 689...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated dbus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 29 Sep 2012 13:25:50 +0100
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev dbus-1-dbg
Architecture: source amd64 all
Version: 1.6.8-1
Distribution: unstable
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Description:
dbus - simple interprocess messaging system (daemon and utilities)
dbus-1-dbg - simple interprocess messaging system (debug symbols)
dbus-1-doc - simple interprocess messaging system (documentation)
dbus-x11 - simple interprocess messaging system (X11 deps)
libdbus-1-3 - simple interprocess messaging system (library)
libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 689070
Changes:
dbus (1.6.8-1) unstable; urgency=low
.
* Merge from experimental
* New upstream stable release 1.6.6
- CVE-2012-3524: mitigates arbitrary code execution in setuid or otherwise
privileged binaries that use libdbus without first sanitizing the
environment variables inherited from their less-privileged caller
(Closes: #689070)
* New upstream stable release 1.6.8
- Revert part of 1.6.6 (do not check filesystem capabilities, only
setuid/setgid), fixing regressions in certain configurations of
gnome-keyring
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---
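The defense-in-depth change described in the bug report (refuse to read the environment when the process is setuid or setgid) and the 1.6.8 revert in the changelog (check real vs. effective ids only, not filesystem capabilities) can be illustrated with the following added example. It is not dbus's own code; the function names are hypothetical stand-ins for _dbus_getenv, the environment value is constructed, and the setuid case is simulated through a parameter so the program runs unprivileged.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Policy check, parameterised so it can be exercised without a real
 * setuid binary: a process counts as privileged only when its real and
 * effective uid or gid differ (setuid/setgid). Filesystem capabilities
 * are deliberately not consulted, matching the 1.6.8 revert that fixed
 * the gnome-keyring regressions. */
int ids_indicate_setuid(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid;
}

/* The same check against the live process. */
int process_is_setuid(void)
{
    return ids_indicate_setuid(getuid(), geteuid(), getgid(), getegid());
}

/* Pre-fix behaviour: the environment is trusted unconditionally, so a
 * caller-controlled PATH or DBUS_* address reaches the privileged code. */
const char *legacy_getenv(const char *name)
{
    return getenv(name);
}

/* Post-fix behaviour: refuse to read the environment in a setuid/setgid
 * process, so libdbus falls back to compiled-in defaults instead of a
 * caller-chosen PATH (for dbus-launch) or a unixexec: bus address.
 * 'privileged' is normally process_is_setuid(); passed in here so the
 * privileged branch can be demonstrated from an unprivileged process. */
const char *hardened_getenv(const char *name, int privileged)
{
    if (privileged)
        return NULL;
    return getenv(name);
}

int main(void)
{
    /* Constructed sample value; the path does not exist on this system. */
    setenv("DBUS_SESSION_BUS_ADDRESS", "unixexec:path=/tmp/constructed-helper", 1);
    const char *before = legacy_getenv("DBUS_SESSION_BUS_ADDRESS");
    const char *after = hardened_getenv("DBUS_SESSION_BUS_ADDRESS", 1); /* simulated setuid */
    printf("this process setuid/setgid: %s\n", process_is_setuid() ? "yes" : "no");
    printf("legacy getenv:               %s\n", before ? before : "(null)");
    printf("hardened getenv (setuid):    %s\n", after ? after : "(null)");
    return 0;
}
```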