Two security issues in dbus were announced today (July 2): http://openwall.com/lists/oss-security/2014/07/02/4 The issues are fixed in 1.6.22. Patches and details are in the message above. Mageia 3 and Mageia 4 are also affected. Reproducible: Steps to Reproduce:
CC: (none) => fundawang, mageia, tmbWhiteboard: (none) => MGA4TOO, MGA3TOO
Debian has issued an advisory for this on July 2: https://www.debian.org/security/2014/dsa-2971
URL: (none) => http://lwn.net/Vulnerabilities/604236/
Updated package uploaded for Cauldron. Patched packages uploaded for Mageia 3 and Mageia 4. Advisory: ======================== Updated dbus packages fix security vulnerabilities: A flaw was reported in D-Bus's file descriptor passing feature. A local attacker could use this flaw to cause a service or application to disconnect from the bus, typically resulting in that service or application exiting (CVE-2014-3532). A flaw was reported in D-Bus's file descriptor passing feature. A local attacker could use this flaw to cause an invalid file descriptor to be forwarded to a service or application, causing it to disconnect from the bus, typically resulting in that service or application exiting (CVE-2014-3533). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3532 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533 http://lists.freedesktop.org/archives/dbus/2014-July/016235.html https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135226.html ======================== Updated packages in core/updates_testing: ======================== dbus-1.6.8-4.4.mga3 libdbus1_3-1.6.8-4.4.mga3 libdbus-devel-1.6.8-4.4.mga3 dbus-x11-1.6.8-4.4.mga3 dbus-doc-1.6.8-4.4.mga3 dbus-1.6.18-1.3.mga4 libdbus1_3-1.6.18-1.3.mga4 libdbus-devel-1.6.18-1.3.mga4 dbus-x11-1.6.18-1.3.mga4 dbus-doc-1.6.18-1.3.mga4 from SRPMS: dbus-1.6.8-4.4.mga3.src.rpm dbus-1.6.18-1.3.mga4.src.rpm
Version: Cauldron => 4Whiteboard: MGA4TOO, MGA3TOO => MGA3TOOSeverity: normal => major
Oops, forgot to assign to QA. Updated package uploaded for Cauldron. Patched packages uploaded for Mageia 3 and Mageia 4. Advisory: ======================== Updated dbus packages fix security vulnerabilities: A flaw was reported in D-Bus's file descriptor passing feature. A local attacker could use this flaw to cause a service or application to disconnect from the bus, typically resulting in that service or application exiting (CVE-2014-3532). A flaw was reported in D-Bus's file descriptor passing feature. A local attacker could use this flaw to cause an invalid file descriptor to be forwarded to a service or application, causing it to disconnect from the bus, typically resulting in that service or application exiting (CVE-2014-3533). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3532 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533 http://lists.freedesktop.org/archives/dbus/2014-July/016235.html https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135226.html ======================== Updated packages in core/updates_testing: ======================== dbus-1.6.8-4.4.mga3 libdbus1_3-1.6.8-4.4.mga3 libdbus-devel-1.6.8-4.4.mga3 dbus-x11-1.6.8-4.4.mga3 dbus-doc-1.6.8-4.4.mga3 dbus-1.6.18-1.3.mga4 libdbus1_3-1.6.18-1.3.mga4 libdbus-devel-1.6.18-1.3.mga4 dbus-x11-1.6.18-1.3.mga4 dbus-doc-1.6.18-1.3.mga4 from SRPMS: dbus-1.6.8-4.4.mga3.src.rpm dbus-1.6.18-1.3.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Testing mga4 64 No PoC's that I can find, embargoed still on rhbz it seems. Just ensuring that everything is normal after a reboot, all services started etc.
Testing complete mga4 64. # systemctl status dbus.service dbus.service - D-Bus System Message Bus Loaded: loaded (/usr/lib/systemd/system/dbus.service; static) Active: active (running) since Wed 2014-07-09 14:08:17 BST; 1h 40min ago No regressions noticed in use.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing MGA4x64 No obvious problems.
CC: (none) => gm4nzg
Tested mag4_32, Testing complete for the new dbus-1.6.8-1.3.mga4 update, Ok for me and all services seems to work properly. $ systemctl status dbus.service dbus.service - D-Bus System Message Bus Loaded: loaded (/usr/lib/systemd/system/dbus.service; static) Active: active (running) since jeu. 2014-07-10 15:08:55 CEST; 33min ago Main PID: 751 (dbus-daemon) CGroup: /system.slice/dbus.service ââ751 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile ... No regressions found.
CC: (none) => geiger.david68210
Tested mag3_32 & mga3_64, Testing complete for the new dbus-1.6.8-4.4.mga3 update, Ok for me and all services seems to work properly. $ systemctl status dbus.service dbus.service - D-Bus System Message Bus Loaded: loaded (/usr/lib/systemd/system/dbus.service; static) Active: active (running) since Thu, 2014-07-10 15:17:42 CEST; 26min ago Main PID: 1159 (dbus-daemon) CGroup: name=systemd:/system/dbus.service â 1159 /usr/bin/dbus-daemon --system --address=systemd: -... â 6378 /usr/libexec/packagekitd No regressions found here too.
I added the OK tags per David's tests. If dbus is broken it'd be fairly obvious, so this testing should suffice. This can be validated.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok => MGA3TOO has_procedure advisory mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-okCC: (none) => sysadmin-bugs
Update pushed. http://advisories.mageia.org/MGASA-2014-0294.html
Status: NEW => RESOLVEDResolution: (none) => FIXED