| Summary: | dbus new security issues CVE-2014-3532 and CVE-2014-3533 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | fundawang, geiger.david68210, mageia, simonnzg, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/604236/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok | ||
| Source RPM: | dbus-1.6.20-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-07-02 18:16:52 CEST
David Walser
2014-07-02 18:17:18 CEST
CC:
(none) =>
fundawang, mageia, tmb Debian has issued an advisory for this on July 2: https://www.debian.org/security/2014/dsa-2971 URL:
(none) =>
http://lwn.net/Vulnerabilities/604236/ Updated package uploaded for Cauldron. Patched packages uploaded for Mageia 3 and Mageia 4. Advisory: ======================== Updated dbus packages fix security vulnerabilities: A flaw was reported in D-Bus's file descriptor passing feature. A local attacker could use this flaw to cause a service or application to disconnect from the bus, typically resulting in that service or application exiting (CVE-2014-3532). A flaw was reported in D-Bus's file descriptor passing feature. A local attacker could use this flaw to cause an invalid file descriptor to be forwarded to a service or application, causing it to disconnect from the bus, typically resulting in that service or application exiting (CVE-2014-3533). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3532 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533 http://lists.freedesktop.org/archives/dbus/2014-July/016235.html https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135226.html ======================== Updated packages in core/updates_testing: ======================== dbus-1.6.8-4.4.mga3 libdbus1_3-1.6.8-4.4.mga3 libdbus-devel-1.6.8-4.4.mga3 dbus-x11-1.6.8-4.4.mga3 dbus-doc-1.6.8-4.4.mga3 dbus-1.6.18-1.3.mga4 libdbus1_3-1.6.18-1.3.mga4 libdbus-devel-1.6.18-1.3.mga4 dbus-x11-1.6.18-1.3.mga4 dbus-doc-1.6.18-1.3.mga4 from SRPMS: dbus-1.6.8-4.4.mga3.src.rpm dbus-1.6.18-1.3.mga4.src.rpm Version:
Cauldron =>
4 Oops, forgot to assign to QA. Updated package uploaded for Cauldron. Patched packages uploaded for Mageia 3 and Mageia 4. Advisory: ======================== Updated dbus packages fix security vulnerabilities: A flaw was reported in D-Bus's file descriptor passing feature. A local attacker could use this flaw to cause a service or application to disconnect from the bus, typically resulting in that service or application exiting (CVE-2014-3532). A flaw was reported in D-Bus's file descriptor passing feature. A local attacker could use this flaw to cause an invalid file descriptor to be forwarded to a service or application, causing it to disconnect from the bus, typically resulting in that service or application exiting (CVE-2014-3533). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3532 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533 http://lists.freedesktop.org/archives/dbus/2014-July/016235.html https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135226.html ======================== Updated packages in core/updates_testing: ======================== dbus-1.6.8-4.4.mga3 libdbus1_3-1.6.8-4.4.mga3 libdbus-devel-1.6.8-4.4.mga3 dbus-x11-1.6.8-4.4.mga3 dbus-doc-1.6.8-4.4.mga3 dbus-1.6.18-1.3.mga4 libdbus1_3-1.6.18-1.3.mga4 libdbus-devel-1.6.18-1.3.mga4 dbus-x11-1.6.18-1.3.mga4 dbus-doc-1.6.18-1.3.mga4 from SRPMS: dbus-1.6.8-4.4.mga3.src.rpm dbus-1.6.18-1.3.mga4.src.rpm Assignee:
bugsquad =>
qa-bugs Testing mga4 64 No PoC's that I can find, embargoed still on rhbz it seems. Just ensuring that everything is normal after a reboot, all services started etc. Testing complete mga4 64. # systemctl status dbus.service dbus.service - D-Bus System Message Bus Loaded: loaded (/usr/lib/systemd/system/dbus.service; static) Active: active (running) since Wed 2014-07-09 14:08:17 BST; 1h 40min ago No regressions noticed in use. Whiteboard:
MGA3TOO =>
MGA3TOO has_procedure mga4-64-ok Testing MGA4x64 No obvious problems. CC:
(none) =>
gm4nzg Tested mag4_32,
Testing complete for the new dbus-1.6.8-1.3.mga4 update, Ok for me and all services seems to work properly.
$ systemctl status dbus.service
dbus.service - D-Bus System Message Bus
Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
Active: active (running) since jeu. 2014-07-10 15:08:55 CEST; 33min ago
Main PID: 751 (dbus-daemon)
CGroup: /system.slice/dbus.service
ââ751 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile ...
No regressions found.CC:
(none) =>
geiger.david68210 Tested mag3_32 & mga3_64,
Testing complete for the new dbus-1.6.8-4.4.mga3 update, Ok for me and all services seems to work properly.
$ systemctl status dbus.service
dbus.service - D-Bus System Message Bus
Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
Active: active (running) since Thu, 2014-07-10 15:17:42 CEST; 26min ago
Main PID: 1159 (dbus-daemon)
CGroup: name=systemd:/system/dbus.service
â 1159 /usr/bin/dbus-daemon --system --address=systemd: -...
â 6378 /usr/libexec/packagekitd
No regressions found here too.
I added the OK tags per David's tests. If dbus is broken it'd be fairly obvious, so this testing should suffice. This can be validated. Whiteboard:
MGA3TOO has_procedure mga4-64-ok =>
MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates Thanks Keywords:
(none) =>
validated_update Update pushed. http://advisories.mageia.org/MGASA-2014-0294.html Status:
NEW =>
RESOLVED |