Bug 14102

Debian has issued an advisory for this on September 16:
https://www.debian.org/security/2014/dsa-3026

URL: (none) => http://lwn.net/Vulnerabilities/612237/

Cauldron updated to 1.6.24

Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Hardware: i586 => All
Version: Cauldron => 4

Advisory:
Updated dbus packages fixes the following security issues:

Alban Crequy and Simon McVittie discovered several vulnerabilities in the
D-Bus message daemon:

On 64-bit platforms, file descriptor passing could be abused by local users
to cause heap corruption in dbus-daemon, leading to a crash, or potentially
to arbitrary code execution (CVE-2014-3635).

A denial-of-service vulnerability in dbus-daemon allowed local attackers to
prevent new connections to dbus-daemon, or disconnect existing clients, by
exhausting descriptor limits (CVE-2014-3636).

Malicious local users could create D-Bus connections to dbus-daemon which
could not be terminated by killing the participating processes, resulting
in a denial-of-service vulnerability (CVE-2014-3637).

dbus-daemon suffered from a denial-of-service vulnerability in the code
which tracks which messages expect a reply, allowing local attackers to
reduce the performance of dbus-daemon (CVE-2014-3638).

dbus-daemon did not properly reject malicious connections from local users,
resulting in a denial-of-service vulnerability (CVE-2014-3639).


References:
http://openwall.com/lists/oss-security/2014/09/16/9
https://www.debian.org/security/2014/dsa-3026


Mga4:
SRPMS:
dbus-1.6.18-1.4.mga4.src.rpm

i586:
dbus-1.6.18-1.4.mga4.i586.rpm
dbus-doc-1.6.18-1.4.mga4.noarch.rpm
dbus-x11-1.6.18-1.4.mga4.i586.rpm
libdbus1_3-1.6.18-1.4.mga4.i586.rpm
libdbus-devel-1.6.18-1.4.mga4.i586.rpm

x86_64:
dbus-1.6.18-1.4.mga4.x86_64.rpm
dbus-doc-1.6.18-1.4.mga4.noarch.rpm
dbus-x11-1.6.18-1.4.mga4.x86_64.rpm
lib64dbus1_3-1.6.18-1.4.mga4.x86_64.rpm
lib64dbus-devel-1.6.18-1.4.mga4.x86_64.rpm



Mga3:
SRPMS:
dbus-1.6.8-4.5.mga3.src.rpm

i586:
dbus-1.6.8-4.5.mga3.i586.rpm
dbus-doc-1.6.8-4.5.mga3.noarch.rpm
dbus-x11-1.6.8-4.5.mga3.i586.rpm
libdbus1_3-1.6.8-4.5.mga3.i586.rpm
libdbus-devel-1.6.8-4.5.mga3.i586.rpm

x86_64:
dbus-1.6.8-4.5.mga3.x86_64.rpm
dbus-doc-1.6.8-4.5.mga3.noarch.rpm
dbus-x11-1.6.8-4.5.mga3.x86_64.rpm
lib64dbus1_3-1.6.8-4.5.mga3.x86_64.rpm
lib64dbus-devel-1.6.8-4.5.mga3.x86_64.rpm

Severity: normal => major
Assignee: tmb => qa-bugs

No specific PoC's so just testing function.

This is an inter process message bus. To test, just ensure everything still works ok with the updates installed (and possibly rebooted). Any issues should be evident in general desktop use.

You can also monitor it in action with 'dbus-monitor'

Whiteboard: MGA3TOO => MGA3TOO has_procedure

I'm not seeing the new files in mirrors.kernel.org updates_testing yet

CC: (none) => wilcal.int

(In reply to William Kenney from comment #5)
> I'm not seeing the new files in mirrors.kernel.org updates_testing yet

Yes. kernel.org is doing infra work to add more mirrors, and it seems the 2 older mirror hosts are not syncing at this time :/

You better choose another mirror for now

CC: (none) => tmb

Testing mga4 64

After reboot no errors in the journal. I'll use it for a while and see if anything untoward happens before adding an OK.

# journalctl -b -a | grep -i dbus

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
dbus

default install of dbus

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.18-1.3.mga4.i586 is already installed

boot system
Boots back to a working desktop and common apps work

[root@localhost wilcal]# systemctl status dbus.service
dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
   Active: active (running) since Tue 2014-09-30 08:29:53 PDT; 7min ago
 Main PID: 662 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           ââ662 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

install dbus from updates_testing

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.18-1.4.mga4.i586 is already installed

reboot system
reboots back to a working desktop and common apps work

[root@localhost wilcal]# systemctl status dbus.service
dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
   Active: active (running) since Tue 2014-09-30 09:48:35 PDT; 2min 47s ago
 Main PID: 694 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           ââ694 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
dbus

boot system
Boots to a working desktop and common apps work

default install of dbus

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.18-1.3.mga4.x86_64 is already installed
[root@localhost wilcal]# systemctl status dbus.service
dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
   Active: active (running) since Tue 2014-09-30 09:57:40 PDT; 6min ago
 Main PID: 712 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           ââ712 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

install dbus from updates_testing

reboot system
reboots back to a working desktop and common apps work

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.18-1.4.mga4.x86_64 is already installed
[root@localhost wilcal]# systemctl status dbus.service
dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
   Active: active (running) since Tue 2014-09-30 10:07:37 PDT; 4min 56s ago
 Main PID: 693 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           ââ693 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
dbus

default install of dbus

boot system
Boots to a working desktop and common apps work

root@localhost wilcal]# urpmi dbus
Package dbus-1.6.8-4.4.mga3.i586 is already installed
[root@localhost wilcal]# systemctl status dbus.service
dbus.service - D-Bus System Message Bus
          Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
          Active: active (running) since Tue, 2014-09-30 10:18:57 PDT; 4min 7s ago
        Main PID: 806 (dbus-daemon)
          CGroup: name=systemd:/system/dbus.service
                  â 806 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

install dbus from updates_testing

reboot system
reboots back to a working desktop and common apps work

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.8-4.5.mga3.i586 is already installed
[root@localhost wilcal]# systemctl status dbus.service
dbus.service - D-Bus System Message Bus
          Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
          Active: active (running) since Tue, 2014-09-30 10:25:45 PDT; 2min 53s ago
        Main PID: 820 (dbus-daemon)
          CGroup: name=systemd:/system/dbus.service
                  â 820 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
dbus

default install of dbus

boot system
Boots to a working desktop and common apps work

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.8-4.4.mga3.x86_64 is already installed
[root@localhost wilcal]# systemctl status dbus.service
dbus.service - D-Bus System Message Bus
          Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
          Active: active (running) since Tue, 2014-09-30 10:39:37 PDT; 3min 44s ago
        Main PID: 842 (dbus-daemon)
          CGroup: name=systemd:/system/dbus.service
                  â 842 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

install dbus from updates_testing

reboot system
reboots back to a working desktop and common apps work

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.8-4.5.mga3.x86_64 is already installed
[root@localhost wilcal]# systemctl status dbus.service
dbus.service - D-Bus System Message Bus
          Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
          Active: active (running) since Tue, 2014-09-30 10:46:32 PDT; 2min 30s ago
        Main PID: 903 (dbus-daemon)
          CGroup: name=systemd:/system/dbus.service
                  â 903 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activat...

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Testing on Mageia4-32 (real H/W)

Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz
NVIDIA GM107 [GeForce GTX 750]
RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
8 Series/C220 Series Chipset High Definition Audio Controller

With dbus 1.6.18-1.3
# journalctl -b -a | grep -i dbus
no errors

With dbus 1.6.18-1.4
# journalctl -b -a | grep -i dbus
no errors

# systemctl -l status dbus.service
dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
   Active: active (running) since mar. 2014-09-30 20:04:46 CEST; 13min ago
 Main PID: 1079 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           ââ1079 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

For now, everything work as usual.

CC: (none) => olchal

Testing on Mageia4-64 (real H/W)

Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz
NVIDIA GM107 [GeForce GTX 750]
RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
8 Series/C220 Series Chipset High Definition Audio Controller

With dbus 1.6.18-1.3
# journalctl -b -a | grep -i dbus

One error : 
sept. 30 21:18:53 localhost.localdomain systemd[7894]: Failed to open private bus connection: Failed to connect to socket /run/user/500/dbus/user_bus_socket: No such file or directory


With dbus 1.6.18-1.4
# journalctl -b -a | grep -i dbus

Same error :
sept. 30 21:29:42 localhost.localdomain systemd[7917]: Failed to open private bus connection: Failed to connect to socket /run/user/500/dbus/user_bus_socket: No such file or directory

# systemctl -l status dbus.service
dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
   Active: active (running) since mar. 2014-09-30 21:29:27 CEST; 8min ago
 Main PID: 4826 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           ââ4826 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

I don't know about the "Failed to open private bus connection", I have it with either version.

Nevertheless, everything works fine on usual desktop activity.

Testing MGA4 x64 real hardware with AMD/ATI/Radeon video

While I am writing from the latest 3.12 desktop kernel, for which this update goes unnoticed = OK, it *did* have an effect on the two 3.14 (desktop & server) kernels which I have previously had working (not without fglrx hassle), but which no longer do. It is an fglrx thing: they now complain on startup, *after* the graphical login, that they need the equivalent development kernel; and simply stop showing the basic Mageia graphical background - with no virtual consoles.

Any way I can look into this regression?

CC: (none) => lewyssmith

Testing on 64bit real hardware - Mate

3.14.19-desktop-1.mga4

[root@vega ~]# urpmi dbus
Package dbus-1.6.18-1.4.mga4.x86_64 is already installed
[root@vega ~]# urpmi lib64dbus-devel
    rsync://www.mirrorservice.org/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates_testing/lib64dbus-devel-1.6.18-1.4.mga4.x86_64.rpm
installing lib64dbus-devel-1.6.18-1.4.mga4.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
      1/1: lib64dbus-devel       #############################################

journalctl -b -a | grep -i dbus
systemd service activation messages intermingled with a few failures:

Sep 30 21:55:30 vega systemd[3702]: Failed to open private bus connection: Failed to connect to socket /run/user/500/dbus/user_bus_socket: No such file or directory
Three repeats of this:
Sep 30 21:55:33 vega dbus[1188]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.NetworkManager.service': Unit dbus-org.freedesktop.NetworkManager.service failed to load: No such file or directory.

[root@vega ~]# systemctl status dbus.service
dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
   Active: active (running) since Tue 2014-09-30 21:55:18 BST; 24min ago
 Main PID: 1188 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           ââ1188 /usr/bin/dbus-daemon --system --address=systemd: --nofork -...

Sep 30 21:55:33 vega dbus[1188]: [system] Activating via systemd: service n...e'
Sep 30 21:55:33 vega dbus[1188]: [system] Activation via systemd failed for...y.
Sep 30 21:55:33 vega dbus[1188]: [system] Activating via systemd: service n...e'
Sep 30 21:55:33 vega dbus[1188]: [system] Activation via systemd failed for...y.
Sep 30 21:55:33 vega dbus[1188]: [system] Activating via systemd: service n...e'
Sep 30 21:55:33 vega dbus[1188]: [system] Activation via systemd failed for...y.
Sep 30 21:55:33 vega dbus[1188]: [system] Activating via systemd: service n...e'
Sep 30 21:55:33 vega dbus[1188]: [system] Activation via systemd failed for...y.
Sep 30 21:55:33 vega dbus[1188]: [system] Activating service name='org.mate...r)
Sep 30 21:55:33 vega dbus[1188]: [system] Successfully activated service 'o...m'
Hint: Some lines were ellipsized, use -l to show in full.

The failures referred to NetworkManager.

The system rebooted smoothly and all applications tested worked fine.

Hardware:
Intel Core i7-4790K 4.0GHz
nVidia GeForce GTX 770 2GB
DRAM 16GB

CC: (none) => tarazed25

(In reply to Len Lawrence from comment #15)
> Testing on 64bit real hardware - Mate
> 

> journalctl -b -a | grep -i dbus
> systemd service activation messages intermingled with a few failures:
> 
> Three repeats of this:
> Sep 30 21:55:33 vega dbus[1188]: [system] Activation via systemd failed for
> unit 'dbus-org.freedesktop.NetworkManager.service': Unit
> dbus-org.freedesktop.NetworkManager.service failed to load: No such file or
> directory.
> 

I had the same failures on Mageia4-32 before enabling NetworkManager

(# systemctl enable NetworkManager.service)

Understood, thanks Olivier.  I did assume that the failures were not relevant.

Adding OK's for mga4 32 & 64

Several boots and some brief tests on mga3 32 and 64 seem ok too so I'll add those later if nobody objects.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0395.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Laptop with MGA4 i586 : I have a problem with this update : KDE alerts after a few minutes about powermanagement failure. Watching logs, upower service do not start anymore!

------------------
systemctl status upower.service
upower.service - Daemon for power management
   Loaded: loaded (/usr/lib/systemd/system/upower.service; enabled)
   Active: failed (Result: signal) since Qua 2014-10-08 10:52:06 CEST; 35min ago
     Docs: man:upowerd(8)
  Process: 756 ExecStart=/usr/libexec/upowerd (code=killed, signal=TRAP)
 Main PID: 756 (code=killed, signal=TRAP)
   CGroup: /system.slice/upower.service

Out 08 10:52:06 celeron.homelinuxserver.org upowerd[756]: (upowerd:756): UPower-ERROR **: failed to get pokit authority: Error init...ed out
Out 08 10:52:06 celeron.homelinuxserver.org systemd[1]: upower.service: main process exited, code=killed, status=5/TRAP
Out 08 10:52:06 celeron.homelinuxserver.org systemd[1]: Failed to start Daemon for power management.
Out 08 10:52:06 celeron.homelinuxserver.org systemd[1]: Unit upower.service entered failed state.
Hint: Some lines were ellipsized, use -l to show in full.

Resolution: FIXED => (none)
Status: RESOLVED => REOPENED
CC: (none) => lists.jjorge

Please do not reopen a validated update, but rather create a new bug report related to this one.

CC: (none) => stormi
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED

I mean, a validated update which was pushed already to the repositories (ie too late to stop it)

I created #14249, but I don't know how to relate this bug to it.