A security issue in dbus was announced today (June 10): http://openwall.com/lists/oss-security/2014/06/10/2

The issue is fixed upstream in 1.6.20 and the commit is linked in the message.

Mageia 3 and Mageia 4 are also affected.
CC: (none) => fundawang, mageia, tmb
Whiteboard: (none) => MGA4TOO, MGA3TOO
Updated package uploaded for Cauldron for tmb. Patched packages uploaded for Mageia 3 and Mageia 4 by tmb. Thanks tmb!

Thomas, we can assign this to QA if it's ready. I don't have advisory text yet.

Updated packages:
dbus-1.6.8-4.2.mga3
libdbus1_3-1.6.8-4.2.mga3
libdbus-devel-1.6.8-4.2.mga3
dbus-x11-1.6.8-4.2.mga3
dbus-doc-1.6.8-4.2.mga3
dbus-1.6.18-1.1.mga4
libdbus1_3-1.6.18-1.1.mga4
libdbus-devel-1.6.18-1.1.mga4
dbus-x11-1.6.18-1.1.mga4
dbus-doc-1.6.18-1.1.mga4

from SRPMS:
dbus-1.6.8-4.2.mga3.src.rpm
dbus-1.6.18-1.1.mga4.src.rpm
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
RedHat's bug is now public. It'd be nice to have a more concise description: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3477
Ready for QA or not? (btw it's ok on x86_64)
I guess so. Advisory to come later.
Assignee: bugsquad => qa-bugs
Severity: normal => major
https://bugs.mageia.org/show_bug.cgi?id=10520#c5

> Dave Hodgins 2013-06-13 16:58:27 PDT
> No poc that I could find, so just testing that dbus is working.

Would this mean that after the update the system simply boots back to a working desktop and common applications work?
CC: (none) => wilcal.int
(In reply to William Kenney from comment #5)
> https://bugs.mageia.org/show_bug.cgi?id=10520#c5
>
> > Dave Hodgins 2013-06-13 16:58:27 PDT
> > No poc that I could find, so just testing that dbus is working.
>
> Would this mean that after the update the system simply boots back
> to a working desktop and common applications work?

Yes. The update appears to affect bus activation, and if that's broken, there would be noticeable artifacts when using a desktop.
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: dbus

default install of dbus

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.8-4.1.mga3.i586 is already installed

Boots to a working desktop. I can copy text from Kwrite to LibreOffice Writer and vice versa. Firefox & VLC work.

install dbus from updates_testing. Reboot system.

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.8-4.2.mga3.i586 is already installed

Boots to a working desktop. I can copy text from Kwrite to LibreOffice Writer and vice versa. Firefox & VLC work.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: dbus

default install of dbus

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.8-4.1.mga3.x86_64 is already installed

Boots to a working desktop. I can copy text from Kwrite to LibreOffice Writer and vice versa. Firefox & VLC work.

install dbus from updates_testing. Reboot system.

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.8-4.2.mga3.x86_64 is already installed

Boots to a working desktop. I can copy text from Kwrite to LibreOffice Writer and vice versa. Firefox & VLC work.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
(In reply to William Kenney from comment #8)
> In VirtualBox, M3, KDE, 32-bit

Change to:

> In VirtualBox, M3, KDE, 64-bit
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: dbus

default install of dbus

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.18-1.mga4.i586 is already installed

Boots to a working desktop. I can copy text from Kwrite to LibreOffice Writer and vice versa. Firefox & VLC work.

install dbus from updates_testing. Reboot system.

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.18-1.1.mga4.i586 is already installed

Boots to a working desktop. I can copy text from Kwrite to LibreOffice Writer and vice versa. Firefox & VLC work.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: dbus

default install of dbus

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.18-1.mga4.x86_64 is already installed

Boots to a working desktop. I can copy text from Kwrite to LibreOffice Writer and vice versa. Firefox & VLC work.

install dbus from updates_testing. Reboot system.

[root@localhost wilcal]# urpmi dbus
Package dbus-1.6.18-1.1.mga4.x86_64 is already installed

Boots to a working desktop. I can copy text from Kwrite to LibreOffice Writer and vice versa. Firefox & VLC work.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
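As an added example (not from the bug report or from the Mageia packages), a small checker that parses the "Package ... is already installed" lines QA pasted above and decides whether each installed dbus build is at or above the fixed versions from the package list in comment 1. The simplified RPM version comparison and the sample urpmi output are constructed here for illustration.

```python
"""Check whether an installed Mageia dbus build carries the CVE-2014-3477 fix.

Added example, not part of the bug report. The version comparison is a
simplified form of rpmvercmp (numeric and alphabetic runs compared in order).
"""
import re

# Minimum fixed (version, release) per Mageia release, taken from the
# package list in the bug: dbus-1.6.8-4.2.mga3 and dbus-1.6.18-1.1.mga4.
FIXED = {"mga3": ("1.6.8", "4.2"), "mga4": ("1.6.18", "1.1")}

NVRA_RE = re.compile(
    r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<dist>mga\d+)\.(?P<arch>[^.]+)$"
)

def split_nvra(nvra):
    """Split 'dbus-1.6.8-4.2.mga3.i586' into (name, version, release, dist, arch)."""
    m = NVRA_RE.match(nvra)
    if not m:
        raise ValueError("not a name-version-release.dist.arch string: %r" % nvra)
    return m.group("name", "ver", "rel", "dist", "arch")

def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing version strings segment by segment."""
    sa = re.findall(r"\d+|[a-zA-Z]+", a)
    sb = re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # 18 > 8, not "18" < "8"
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts newer
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # "1.1" is newer than "1"

def is_fixed(nvra):
    """True if this dbus build is at or above the fixed build for its release."""
    name, ver, rel, dist, _arch = split_nvra(nvra)
    if name != "dbus":
        raise ValueError("expected a dbus package, got %r" % name)
    fver, frel = FIXED[dist]
    c = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)
    return c >= 0

def check_urpmi_output(text):
    """Map each NVRA named in urpmi's 'already installed' lines to fixed/not."""
    found = re.findall(r"Package (\S+) is already installed", text)
    return {nvra: is_fixed(nvra) for nvra in found}

# Constructed sample: the before/after lines QA pasted for Mageia 3 and 4.
SAMPLE = """\
Package dbus-1.6.8-4.1.mga3.i586 is already installed
Package dbus-1.6.8-4.2.mga3.i586 is already installed
Package dbus-1.6.18-1.mga4.x86_64 is already installed
Package dbus-1.6.18-1.1.mga4.x86_64 is already installed
"""
```

Running `check_urpmi_output(SAMPLE)` flags the two pre-update builds as not fixed and the two updates_testing builds as fixed.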
For me this update works fine. It's a minor change so I think we can push this one. What say ye David?
(In reply to William Kenney from comment #12)
> For me this update works fine. It's a minor
> change so I think we can push this one.
> What say ye David?

Sounds good. Go ahead and add the whiteboard markers. We can wait a little longer until another distro issues an update for this so that we can steal a better CVE description and validate it at that time.
Adding whiteboard markers.
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
I've come up with an advisory based on the available sources of information for this issue. We can validate this and release it now.

Package list in Comment 1.

Advisory:
========================

Updated dbus packages fix security vulnerability:

A denial of service vulnerability in D-Bus before 1.6.20 allows a local attacker to cause a bus-activated service that is not currently running to attempt to start, and fail, denying other users access to this service. Additionally, in highly unusual environments the same flaw could lead to a side channel between processes that should not be able to communicate (CVE-2014-3477).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3477
http://lists.freedesktop.org/archives/dbus/2014-June/016220.html
Advisory added.

Update pushed: http://advisories.mageia.org/MGASA-2014-0266.html
Keywords: (none) => validated_update
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
CC: (none) => sysadmin-bugs
URL: (none) => http://lwn.net/Vulnerabilities/602882/