Bug 13513 - dbus new security issue CVE-2014-3477
Summary: dbus new security issue CVE-2014-3477
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/602882/
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-06-10 20:05 CEST by David Walser
Modified: 2014-06-19 17:52 CEST (History)
5 users

See Also:
Source RPM: dbus-1.6.18-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-06-10 20:05:58 CEST
A security issue in dbus was announced today (June 10):
http://openwall.com/lists/oss-security/2014/06/10/2

The issue is fixed upstream in 1.6.20 and the commit is linked in the message.

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-06-10 20:06:20 CEST

CC: (none) => fundawang, mageia, tmb
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-06-10 22:05:03 CEST
Updated package uploaded for Cauldron for tmb.

Patched packages uploaded for Mageia 3 and Mageia 4 by tmb.  Thanks tmb!

Thomas, we can assign this to QA if it's ready.  I don't have advisory text yet.

Updated packages:
dbus-1.6.8-4.2.mga3
libdbus1_3-1.6.8-4.2.mga3
libdbus-devel-1.6.8-4.2.mga3
dbus-x11-1.6.8-4.2.mga3
dbus-doc-1.6.8-4.2.mga3
dbus-1.6.18-1.1.mga4
libdbus1_3-1.6.18-1.1.mga4
libdbus-devel-1.6.18-1.1.mga4
dbus-x11-1.6.18-1.1.mga4
dbus-doc-1.6.18-1.1.mga4

from SRPMS:
dbus-1.6.8-4.2.mga3.src.rpm
dbus-1.6.18-1.1.mga4.src.rpm

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 David Walser 2014-06-11 20:19:22 CEST
Red Hat's bug is now public.  It'd be nice to have a more concise description:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3477
Comment 3 Manuel Hiebel 2014-06-12 00:44:54 CEST
ready for QA or not? (btw it's ok on x86_64)
Comment 4 David Walser 2014-06-12 01:03:35 CEST
I guess so.  Advisory to come later.

Assignee: bugsquad => qa-bugs

David Walser 2014-06-12 01:04:13 CEST

Severity: normal => major

Comment 5 William Kenney 2014-06-17 16:41:57 CEST
https://bugs.mageia.org/show_bug.cgi?id=10520#c5

> Dave Hodgins 2013-06-13 16:58:27 PDT
> No poc that I could find, so just testing that dbus is working.

Would this mean that after the update the system simply boots back
to a working desktop and common applications work?

CC: (none) => wilcal.int

Comment 6 David Walser 2014-06-17 17:02:26 CEST
(In reply to William Kenney from comment #5)
> https://bugs.mageia.org/show_bug.cgi?id=10520#c5
> 
> > Dave Hodgins 2013-06-13 16:58:27 PDT
> > No poc that I could find, so just testing that dbus is working.
> 
> Would this mean that after the update the system simply boots back
> to a working desktop and common applications work?

Yes.  The update appears to affect bus activation, and if that's broken, there would be noticeable artifacts when using a desktop.
Comment 7 William Kenney 2014-06-17 18:15:39 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
dbus

default install of dbus

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.8-4.1.mga3.i586 is already installed

Boots to a working desktop. I can copy text from Kwrite
to LibreOffice Writer and vice versa. Firefox & VLC work.

install dbus from updates_testing. Reboot system.

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.8-4.2.mga3.i586 is already installed

Boots to a working desktop. I can copy text from Kwrite
to LibreOffice Writer and vice versa. Firefox & VLC work.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 8 William Kenney 2014-06-17 18:37:17 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
dbus

default install of dbus

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.8-4.1.mga3.x86_64 is already installed

Boots to a working desktop. I can copy text from Kwrite
to LibreOffice Writer and vice versa. Firefox & VLC work.

install dbus from updates_testing. Reboot system.

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.8-4.2.mga3.x86_64 is already installed

Boots to a working desktop. I can copy text from Kwrite
to LibreOffice Writer and vice versa. Firefox & VLC work.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 9 William Kenney 2014-06-17 18:39:00 CEST
(In reply to William Kenney from comment #8)

> In VirtualBox, M3, KDE, 32-bit

Change to:

> In VirtualBox, M3, KDE, 64-bit
Comment 10 William Kenney 2014-06-17 18:58:43 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
dbus

default install of dbus

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.18-1.mga4.i586 is already installed

Boots to a working desktop. I can copy text from Kwrite
to LibreOffice Writer and vice versa. Firefox & VLC work.

install dbus from updates_testing. Reboot system.

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.18-1.1.mga4.i586 is already installed

Boots to a working desktop. I can copy text from Kwrite
to LibreOffice Writer and vice versa. Firefox & VLC work.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 11 William Kenney 2014-06-17 19:13:39 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
dbus

default install of dbus

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.18-1.mga4.x86_64 is already installed

Boots to a working desktop. I can copy text from Kwrite
to LibreOffice Writer and vice versa. Firefox & VLC work.

install dbus from updates_testing. Reboot system.

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.18-1.1.mga4.x86_64 is already installed

Boots to a working desktop. I can copy text from Kwrite
to LibreOffice Writer and vice versa. Firefox & VLC work.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
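An added check (not part of this bug report or of Mageia's tooling) that reads the "already installed" lines urpmi printed in Comments 7 to 11 and decides, from the fixed package versions listed in Comment 1 and a simplified rpmvercmp, whether the installed dbus build carries the CVE-2014-3477 fix; the package names, fixed EVRs and release tags are taken from this bug, everything else is assumed.

```python
import re

# Fixed package EVRs from Comment 1 of this bug, keyed by Mageia release tag
# (epoch is ignored; no dbus package listed on this bug carries one).
FIXED = {"mga3": ("1.6.8", "4.2.mga3"), "mga4": ("1.6.18", "1.1.mga4")}
DBUS_PKGS = {"dbus", "libdbus1_3", "libdbus-devel", "dbus-x11", "dbus-doc"}

# Matches an urpmi "Package NEVRA is already installed" line or a bare NEVRA
# as printed by rpm -q (assumed output shapes, as seen in Comments 7 to 11).
NEVRA_RE = re.compile(
    r"^(?:Package )?(?P<name>.+?)-(?P<ver>[^-]+)-(?P<rel>[^-]+)"
    r"\.(?P<arch>i586|x86_64|noarch)(?: is already installed)?$"
)


def _segments(s):
    """Split a version string into digit runs and letter runs, dropping separators."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 for a <, == or > b.

    Numeric segments compare as integers, alpha segments lexically, a numeric
    segment outranks an alpha one, and the longer string wins a tie.
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(line):
    """True/False when `line` names one of the dbus packages and it is at or above
    the fixed EVR for its Mageia release; None when the line is not one of them."""
    m = NEVRA_RE.match(line.strip())
    if not m or m.group("name") not in DBUS_PKGS:
        return None
    tag = re.search(r"mga\d+", m.group("rel"))
    if not tag or tag.group() not in FIXED:
        return None
    fixed_ver, fixed_rel = FIXED[tag.group()]
    c = rpmvercmp(m.group("ver"), fixed_ver)
    return c > 0 or (c == 0 and rpmvercmp(m.group("rel"), fixed_rel) >= 0)
```

Feed it the line `urpmi dbus` prints before and after the update: the pre-update builds `dbus-1.6.8-4.1.mga3` and `dbus-1.6.18-1.mga4` return False, the updates_testing builds return True.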
Comment 12 William Kenney 2014-06-17 19:15:11 CEST
For me this update works fine. It's a minor
change so I think we can push this one.
What say ye David?
Comment 13 David Walser 2014-06-17 19:25:24 CEST
(In reply to William Kenney from comment #12)
> For me this update works fine. It's a minor
> change so I think we can push this one.
> What say ye David?

Sounds good.  Go ahead and add the whiteboard markers.  We can wait a little longer until another distro issues an update for this so that we can steal a better CVE description and validate it at that time.
Comment 14 William Kenney 2014-06-17 19:31:29 CEST
Adding whiteboard markers.

Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 15 David Walser 2014-06-18 21:18:23 CEST
I've come up with an advisory based on the available sources of information for this issue.

We can validate this and release it now.  Package list in Comment 1.

Advisory:
========================

Updated dbus packages fix security vulnerability:

A denial of service vulnerability in D-Bus before 1.6.20 allows a local
attacker to cause a bus-activated service that is not currently running to
attempt to start, and fail, denying other users access to this service.
Additionally, in highly unusual environments the same flaw could lead to
a side channel between processes that should not be able to communicate
(CVE-2014-3477).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3477
http://lists.freedesktop.org/archives/dbus/2014-June/016220.html
Comment 16 Thomas Backlund 2014-06-18 21:29:17 CEST
Advisory added

Update pushed:
http://advisories.mageia.org/MGASA-2014-0266.html

Keywords: (none) => validated_update
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
CC: (none) => sysadmin-bugs

David Walser 2014-06-19 17:52:01 CEST

URL: (none) => http://lwn.net/Vulnerabilities/602882/