mailing list archives
Re: libdbus CVE-2012-3524 fix
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 13 Sep 2012 13:31:36 -0600
-----BEGIN PGP SIGNED MESSAGE-----
On 09/12/2012 08:04 AM, Sebastian Krahmer wrote:
As the CRD is today, and list policy requires "opening" the
distros-list posting, here is the forward.
As a quick fix, the exploit can also be mitigated by properly
placing the dbus-launch binary into the expected path, usually
# ln -s /usr/bin/dbus-launch /bin/dbus-launch
since for some reason, on most dists the binary is mis-placed into
/usr/bin. This makes an execv() fail in libdbus itself, triggering
----- Forwarded message from Sebastian Krahmer <krahmer () suse de>
The recently discussed libdbus getenv() issue  turned out to be
easily exploitable on various UNIX systems, including some Linux
distributions. Common attack vectors are Xorg and spice-gtk via
auto-launching . Properly patching requires fixes for libdbus
and libgio, depending on which you link your suid binaries. Would
be nice if someone from RH could forward their patch, as they have
some developers upstream and possibly access to the private git
commit (they also already assigned this CVE). My CRD proposal is
Sept. 12th. As can be seen in , this issue is indeed public
since 1+ year.
 https://bugzilla.novell.com/show_bug.cgi?id=697105 
PS: This is a re-send, the first mail to distros list was probably
catched by spam filter.
There is a second vulnerability as well:
spice(with naughty env variables)+glib = glib executes "dbus-launch"
from USER specific $PATH with elevated privileges.
Please use CVE-2012-4425 for this issue.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
-----END PGP SIGNATURE-----