Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: libdbus CVE-2012-3524 fix
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 13 Sep 2012 13:31:36 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/12/2012 08:04 AM, Sebastian Krahmer wrote:

Hi,

As the CRD is today, and list policy requires "opening" the 
distros-list posting, here is the forward.

As a quick fix, the exploit can also be mitigated by properly 
placing the dbus-launch binary into the expected path, usually 
"/bin/dbus-launch", e.g.

# ln -s /usr/bin/dbus-launch /bin/dbus-launch

since for some reason, on most dists the binary is mis-placed into
/usr/bin. This makes an execv() fail in libdbus itself, triggering
an execvp().

Sebastian

----- Forwarded message from Sebastian Krahmer <krahmer () suse de>
-----


Hi,

The recently discussed libdbus getenv() issue [1] turned out to be
easily exploitable on various UNIX systems, including some Linux
distributions. Common attack vectors are Xorg and spice-gtk via
auto-launching [2]. Properly patching requires fixes for libdbus
and libgio, depending on which you link your suid binaries. Would
be nice if someone from RH could forward their patch, as they have
some developers upstream and possibly access to the private git
commit (they also already assigned this CVE). My CRD proposal is
Sept. 12th. As can be seen in [1], this issue is indeed public
since 1+ year.

Sebastian

[1] https://bugzilla.novell.com/show_bug.cgi?id=697105 [2]
http://stealth.openwall.net/null/dzug.c

PS: This is a re-send, the first mail to distros list was probably 
catched by spam filter.


There is a second vulnerability as well:

spice(with naughty env variables)+glib = glib executes "dbus-launch"
from USER specific $PATH with elevated privileges.

Please use CVE-2012-4425 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQUjSYAAoJEBYNRVNeJnmTk4sP+wdzE9/wHfqNVfYVcFmznaVJ
L7WpVi6uQ0cLhQJAjePXn5Pd4yTVTFFDsbyeTj5KYOjtm3SFDKkXKP5J35IOh2F5
hISU6tXeraLfBaODyjLrI92v+HaXjBRD0j9yF3NJRTvBrV8XR7zFIO/jPZbfynR0
sWQbEs+kR9HWO3gbovTKNLK5QOz7Q86l9zR7NysFD3NAP4H8oqMcZXkHoRrhsmRd
MeovVqtvrV1F1YjPg+XjX3cUx6iKsxhSlBXDCWKsNCgOE8T/8yfoy4N8ySYilp+2
fDf+0dkvieyjYgmQHZikiQqQwGPRSvMbN3SB4wT1Ft81HDWehm9szoL3GVjawTeg
nRPDqTEmXGd2FhDSH8QOtEAg/Y6Ju/rLI3CKv1Ee/uupNsX36xZsXvbFdYdTs/bv
j8yfCMqiDJwdtEkjRUJODTaiyEffo0NRfzw1v/eQgXNi3EqeO9zbEbCi7iNQpdpj
jEwKN4qTx35zV3YtSKV/GXVgzluL3v4X9BzhJmgai7vAw6DbnFaLrzKfRdww0OFK
pkaX7dSXrTWLeDKz+/9C6W5o7lubShiZP0/J/db4Dsc/sR5NonJdmqZsDlKW8qDW
75a3LvbSEcaxHqY8qPJjM9tVva8ULU7G5llgkH9w8IUzge+rv7MCC8kET8V9FUrO
XLFf6X3InO+8d17jAmZg
=4Pz0
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault