| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20140702174819.6a365ae8@rainbow.cbg.collabora.co.uk>
Date: Wed, 2 Jul 2014 17:48:19 +0100
From: Alban Crequy <alban.crequy@...labora.co.uk>
To: Eric Dumazet <eric.dumazet@...il.com>
Cc: netdev <netdev@...r.kernel.org>,
Simon McVittie <simon.mcvittie@...labora.co.uk>
Subject: Fw: CVE-2014-3532, -3533: two local DoS vulnerabilities in
dbus-daemon
Hi,
A security issue was discovered and fixed in dbus-daemon:
CVE-2014-3532 https://bugs.freedesktop.org/show_bug.cgi?id=80163
I am notifying you because the issue is related to the Linux commit:
> commit 25888e30319f8896fc656fc68643e6a078263060
> Author: Eric Dumazet <eric.dumazet@...il.com>
> Date: Thu Nov 25 04:11:39 2010 +0000
>
> af_unix: limit recursion level
and I wonder if you know any other software forwarding untrusted fds
from one unix socket to another. If so, they might be affected in a
similar way. I am not aware of any other software doing that, but if
they exist, it would be nice to tell them.
Best regards,
Alban
=====
Begin forwarded message:
Date: Wed, 02 Jul 2014 17:04:16 +0100
From: Simon McVittie <simon.mcvittie@...labora.co.uk>
To: oss-security@...ts.openwall.com, "dbus@...ts.freedesktop.org"
<dbus@...ts.freedesktop.org>
Cc: Alban Créquy <alban.crequy@...labora.co.uk>, Colin Walters
<walters@...bum.org>, Thiago Macieira <thiago@....org>
Subject: CVE-2014-3532, -3533: two local DoS vulnerabilities in
dbus-daemon
Impact: denial of service (force system services to exit)
Access required: local
Versions affected by CVE-2014-3532: dbus >= 1.3.0 on Linux >= 2.6.37-rc4
Versions affected by CVE-2014-3533: dbus >= 1.3.0 on all Unix platforms
Alban Crequy at Collabora Ltd. discovered a bug in dbus-daemon's support
for file descriptor passing. A malicious process could force system
services or user applications to be disconnected from the D-Bus system
bus by sending them a message containing a file descriptor, then causing
that file descriptor to exceed the kernel's maximum recursion depth
(itself introduced to fix a DoS) before dbus-daemon forwards the message
to the victim process. Most services and applications exit when
disconnected from the system bus, leading to a denial of service. This
is tracked as fd.o#80163 and CVE-2014-3532.
Additionally, Alban discovered that bug fd.o#79694, a bug previously
reported by Alejandro Martínez Suárez which was not believed to be a
security flaw, could be used for a similar denial of service, by causing
dbus-daemon to attempt to forward invalid file descriptors to a victim
process when file descriptors become associated with the wrong message.
Its security implications are tracked as fd.o#80469 and CVE-2014-3533.
For the 1.8.x stable branch, these vulnerabilities are fixed in version
1.8.6. For the 1.6.x old-stable branch, these vulnerabilities are fixed
in version 1.6.22.
All earlier versions of dbus with the file descriptor passing feature
(1.3.0 and up) are believed to be vulnerable. Distributions that
backport security fixes should backport git commits
07f4c12efe3b9bd45d109bc5fbaf6d9dbf69d78e and
9ca90648fc870c24d852ce6d7ce9387a9fc9a94a, attached.
References:
[fd.o#79694] https://bugs.freedesktop.org/show_bug.cgi?id=79694
[fd.o#80469] https://bugs.freedesktop.org/show_bug.cgi?id=80469
[fd.o#80163] https://bugs.freedesktop.org/show_bug.cgi?id=80163
Regards,
S
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists