Hi all, A security issue has been reported to oss-security [1] regarding D-Bus < 1.8.4, allowing denial of service or, under certain conditions, side-channel communication between processes that should not be able to communicate. Please see the original post to oss-security below for additional information. This vulnerability has been assigned CVE-2014-3477. The D-Bus package in Arch Linux is currently in version 1.8.2 and therefore seems to be vulnerable. It has already been flagged as out-of-date but does not appear to have been updated yet. [1] http://marc.info/?l=oss-security&m=140242136131355&w=2 Regards, Remi
D-Bus http://www.freedesktop.org/wiki/Software/dbus/ is an asynchronous inter-process communication system, commonly used for system services or within a desktop session on Linux and other operating systems.
Alban Crequy at Collabora Ltd. discovered and fixed a denial-of-service flaw in dbus-daemon, part of the reference implementation of D-Bus. Additionally, in highly unusual environments the same flaw could lead to a side channel between processes that should not be able to communicate.
On the stable branch, this is fixed in version 1.8.4: http://dbus.freedesktop.org/releases/dbus/dbus-1.8.4.tar.gz http://dbus.freedesktop.org/releases/dbus/dbus-1.8.4.tar.gz.asc
On the previous stable branch, this is fixed in version 1.6.20: http://dbus.freedesktop.org/releases/dbus/dbus-1.6.20.tar.gz http://dbus.freedesktop.org/releases/dbus/dbus-1.6.20.tar.gz.asc
Distributions supporting other versions should base their changes on this commit: http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=24c590703ca47eb71ddef453de43126b90954567
Summary:
If a client C1 is prohibited from sending a message to a service S1, and S1 is not currently running, then C1 can attempt to send a message to S1's well-known bus name, causing dbus-daemon to start S1 [1]. When S1 has started and obtained its well-known bus name, the dbus-daemon evaluates its security policy, decides that it will not deliver the message to S1, and constructs an AccessDenied error. However, instead of sending that AccessDenied error reply to C1 as a reply to the denied message, dbus-daemon incorrectly sends it to S1 as a reply to the request to obtain its well-known bus name.
Impact A: denial of service. S1 will fail to initialize, and exit, denying service to legitimate clients of S1.
Impact B: side channel. In environments where C1 and S1 are untrusted and are administratively prohibited from communicating, S1 could also use these incorrectly-directed error messages as a side channel to receive information from C1.
Mitigations:
Impact A: if a legitimate client was actively using S1, S1 would already have been started, so C1 can only deny service to a legitimate client that only recently became active.
Impact B: in practice processes sharing a system bus can typically communicate in other ways (non-D-Bus IPC mechanisms, files in /tmp, etc.), so impact B is not relevant on normal systems. It might be relevant on systems when an LSM such as SELinux is used in a highly restrictive configuration.