Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#4665 closed task (fixed)

dbus-1.12.18

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 10.0
Component: Book Version: SVN
Severity: normal Keywords:
Cc:

Description

New point release with security fixes

dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.

This is a stable-branch release, including a local denial of service fix.
Upgrading is recommended, unless you are following the older stable
branch 1.10.x.

<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.18.tar.gz>
<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.18.tar.gz.asc>
git tag: dbus-1.12.18

The “telepathic vines” release.

Denial of service fixes:

• CVE-2020-12049: If a message contains more file descriptors than can
  be sent, close those that did get through before reporting error.
  Previously, a local attacker could cause the system dbus-daemon (or
  another system service with its own DBusServer) to run out of file
  descriptors, by repeatedly connecting to the server and sending fds that
  would get leaked.
  Thanks to Kevin Backhouse of GitHub Security Lab.
  (dbus#294, GHSL-2020-057; Simon McVittie)

Other fixes:

• Fix a crash when the dbus-daemon is terminated while one or more
  monitors are active (dbus#291, dbus!140; Simon McVittie)

• The dbus-send(1) man page now documents --bus and --peer instead of
  the old --address synonym for --peer, which has been deprecated since
  the introduction of --bus and --peer in 1.7.6
  (fd.o #48816, dbus!115; Chris Morin)

• Fix a wrong environment variable name in dbus-daemon(1)
  (dbus#275, dbus!122; Mubin, Philip Withnall)

• Fix formatting of dbus_message_append_args example
  (dbus!126, Felipe Franciosi)

• Avoid a test failure on Linux when built in a container as uid 0, but
  without the necessary privileges to increase resource limits
  (dbus!58, Debian #908092; Simon McVittie)

• When building with CMake, cope with libX11 in a non-standard location
  (dbus!129, Tuomo Rinne)

"Upgrading is recommended"

Change History (4)

comment:1 by Douglas R. Reno, 5 years ago

Owner: changed from lfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 5 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r11895

comment:3 by Douglas R. Reno, 5 years ago

Some more information on the security flaw:

References: CVE-2020-12049, GHSL-2020-057, dbus#294.

dbus is the reference implementation of D-Bus, a user-space IPC mechanism
originating from freedesktop.org and commonly used on Linux and other
Unix systems.

Kevin Backhouse of the GitHub Security Lab discovered a denial of service
vulnerability[0] in dbus >= 1.3.0. An unprivileged local attacker can cause
the system dbus-daemon (dbus-daemon --system) to leak file descriptors
(fds) by sending messages with a number of fds that exceeds the allowed
number, resulting in truncation. The attacker's connection is (correctly)
disconnected, but the fds that were attached to the truncated message
are (incorrectly) not closed. By repeating this process, the attacker
can make the dbus-daemon reach its RLIMIT_NOFILE limit. When this limit
is reached, new connections will fail, and existing connections will be
unable to send messages with fds attached, causing denial of service.

The same attack is also possible in the uncommon situation where processes
of different privilege levels communicate directly using a private D-Bus
socket (DBusServer) without going via a dbus-daemon.

In the development branch, this has been fixed[1] in version 1.13.16.
Older releases are vulnerable, except where noted below.

In the stable branch 1.12.x, this has been fixed in version 1.12.18.
This is the recommended version of dbus for production use and for
long-term-stable operating systems.

In the old stable branch 1.10.x, this has been fixed in version 1.10.30.
This branch is maintained for the benefit of older long-term-stable
operating systems such as Debian 9, and will reach end-of-life soon[2].

Older stable branches such as 1.8.x have reached end-of-life and will
not receive upstream releases to fix this. Upgrading is recommended.
However, the patch used in supported versions[1] is believed to be
suitable for third-party backports to older releases.

We have received a report[3] that in at least OmniOS (a
Solaris/OpenSolaris/illumos derivative), the solution that was committed
causes a regression due to differences in the behaviour of SCM_RIGHTS
between Linux and OmniOS. This is under investigation. On non-Linux
operating systems such as BSD and Solaris, before deploying a fixed
version, package maintainers should try running the 'test-fdpass'
test case to confirm whether their OS kernel has the Linux-like or
OmniOS-like behaviour. This test-case requires building dbus with the
--enable-modular-tests configure option, with GLib development files
available; GLib is only used for the automated tests, and is not a
dependency of the parts of dbus used in production.

[0] https://gitlab.freedesktop.org/dbus/dbus/-/issues/294
[1] https://gitlab.freedesktop.org/dbus/dbus/-/commit/872b085f12f56da25a2dbd9bd0b2dff31d5aea63
[2] https://lists.freedesktop.org/archives/dbus/2020-June/017873.html
[3] https://gitlab.freedesktop.org/dbus/dbus/-/issues/304

-- 
Simon McVittie, Collabora Ltd. / Debian
dbus security contact:
https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/CONTRIBUTING.md#reporting-security-vulnerabilities

comment:4 by Bruce Dubbs, 4 years ago

Milestone: 9.210.0

Milestone renamed

Note: See TracTickets for help on using tickets.