[Bug 1058343] Re: Regression in CVE-2012-3524 security update

Marc Deslauriers marc.deslauriers at canonical.com
Wed Oct 3 10:02:29 UTC 2012


** Also affects: dbus (Ubuntu Hardy)
   Importance: Undecided
       Status: New

** Also affects: dbus (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Also affects: dbus (Ubuntu Natty)
   Importance: Undecided
       Status: New

** Also affects: dbus (Ubuntu Oneiric)
   Importance: Undecided
       Status: New

** Also affects: dbus (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: dbus (Ubuntu Quantal)
   Importance: Undecided
       Status: New

** Changed in: dbus (Ubuntu Hardy)
       Status: New => Confirmed

** Changed in: dbus (Ubuntu Hardy)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: dbus (Ubuntu Hardy)
   Importance: Undecided => Low

** Changed in: dbus (Ubuntu Lucid)
       Status: New => Confirmed

** Changed in: dbus (Ubuntu Natty)
       Status: New => Confirmed

** Changed in: dbus (Ubuntu Oneiric)
       Status: New => Confirmed

** Changed in: dbus (Ubuntu Quantal)
       Status: New => Confirmed

** Changed in: dbus (Ubuntu Lucid)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: dbus (Ubuntu Precise)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: dbus (Ubuntu Oneiric)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: dbus (Ubuntu Natty)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: dbus (Ubuntu Quantal)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: dbus (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: dbus (Ubuntu Quantal)
   Importance: Undecided => Low

** Changed in: dbus (Ubuntu Precise)
   Importance: Undecided => Low

** Changed in: dbus (Ubuntu Oneiric)
   Importance: Undecided => Low

** Changed in: dbus (Ubuntu Natty)
   Importance: Undecided => Low

** Changed in: dbus (Ubuntu Lucid)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1058343

Title:
  Regression in CVE-2012-3524 security update

Status in “dbus” package in Ubuntu:
  Confirmed
Status in “dbus” source package in Lucid:
  Confirmed
Status in “dbus” source package in Natty:
  Confirmed
Status in “dbus” source package in Oneiric:
  Confirmed
Status in “dbus” source package in Precise:
  Confirmed
Status in “dbus” source package in Quantal:
  Confirmed
Status in “dbus” source package in Hardy:
  Confirmed

Bug description:
  There's a minor regression in CVE-2012-3524-dbus.patch, since
  dbus-daemon-launch-helper is a setuid binary that links libdbus, and
  does its own environment sanitization. Specifically, it attempts to
  pass through DBUS_STARTER_ADDRESS, but that now fails, meaning a
  d-d-l-h-activated program won't be able to find the system bus by
  asking for its starter bus. (I believe there's no commonly-used
  software that depends on this, but it's still documented as possible
  and d-d-l-h clearly attempts to make it work, and my company has
  internal software that depended on being able to ask for the starter
  bus.)

  Colin Walters and I put together a patch that works around this:
  http://cgit.freedesktop.org/dbus/dbus/commit/?id=f68dbdc3e6f895012ce33939fb524accf31bcca5
  It depends on a predecessor commit that just removes the DBUS_VERBOSE
  logic in the activation helper, since it's not useful.

  This is in the D-Bus 1.6.8 release. Those two commits should be
  trivially backportable to older releases, though.

  If you think this is serious enough to warrant an update, let me know
  if you want debdiffs for the current Ubuntu releases. We're working
  around this locally for now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1058343/+subscriptions
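The failure mode the bug description walks through, as an added example in C that is neither D-Bus code nor anything from the report above: a library-style environment accessor that returns nothing once the process counts as privileged (the hardening shape behind the CVE-2012-3524 fix), a setuid-style helper that builds a whitelisted environment for the service it activates and tries to carry DBUS_STARTER_ADDRESS across by reading it back through that accessor, and the explicit alternative where the helper sets the starter variables from what it already knows. Every function and struct name here is hypothetical, the real/effective id comparison stands in for whatever test libdbus actually performs, and the socket address is a constructed sample.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumption: "privileged" means real and effective ids differ. libdbus may
 * use a different test; this is the generic pattern, not the project's code. */
int process_is_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Library-style accessor: in a privileged process it returns NULL for every
 * name, no matter who populated the environment. `privileged` is a parameter
 * (a real library would call process_is_privileged()) so that an ordinary,
 * unprivileged test process can exercise both branches. */
const char *checked_getenv(const char *name, int privileged)
{
    if (privileged)
        return NULL;
    return getenv(name);
}

#define MAX_CHILD_ENV 8

/* Whitelisted environment for the activated service, NULL-terminated so it
 * could be handed to execve() unchanged. */
struct child_env {
    char *vars[MAX_CHILD_ENV + 1];
    size_t n;
};

static void child_env_init(struct child_env *env) { env->n = 0; env->vars[0] = NULL; }

/* Returns 1 if NAME=VALUE was added; 0 if VALUE is NULL or the table is full. */
static int child_env_add(struct child_env *env, const char *name, const char *value)
{
    size_t len;
    if (value == NULL || env->n >= MAX_CHILD_ENV)
        return 0;
    len = strlen(name) + 1 + strlen(value) + 1;
    env->vars[env->n] = malloc(len);
    if (env->vars[env->n] == NULL)
        return 0;
    snprintf(env->vars[env->n], len, "%s=%s", name, value);
    env->n++;
    env->vars[env->n] = NULL;
    return 1;
}

const char *child_env_lookup(const struct child_env *env, const char *name)
{
    size_t i, nlen = strlen(name);
    for (i = 0; i < env->n; i++)
        if (strncmp(env->vars[i], name, nlen) == 0 && env->vars[i][nlen] == '=')
            return env->vars[i] + nlen + 1;
    return NULL;
}

void child_env_free(struct child_env *env)
{
    size_t i;
    for (i = 0; i < env->n; i++)
        free(env->vars[i]);
    child_env_init(env);
}

/* Regressed shape: the helper sanitises its environment, then reads the
 * starter address back through the library accessor to pass it on. Returns
 * 1 if the child would see DBUS_STARTER_ADDRESS, 0 if it is silently lost. */
int starter_address_survives_via_getenv(int privileged)
{
    struct child_env env;
    int found;
    child_env_init(&env);
    setenv("DBUS_STARTER_ADDRESS", "unix:path=/tmp/example_bus_socket", 1); /* constructed */
    child_env_add(&env, "PATH", "/usr/bin:/bin");                           /* whitelisted */
    child_env_add(&env, "DBUS_STARTER_ADDRESS",
                  checked_getenv("DBUS_STARTER_ADDRESS", privileged));
    found = child_env_lookup(&env, "DBUS_STARTER_ADDRESS") != NULL;
    child_env_free(&env);
    unsetenv("DBUS_STARTER_ADDRESS");
    return found;
}

/* Fixed shape: the helper knows which bus it serves and sets the starter
 * variables from that knowledge; the environment accessor is never consulted. */
int starter_address_survives_explicit(const char *bus_address)
{
    struct child_env env;
    int found;
    child_env_init(&env);
    child_env_add(&env, "PATH", "/usr/bin:/bin");
    child_env_add(&env, "DBUS_STARTER_ADDRESS", bus_address);
    child_env_add(&env, "DBUS_STARTER_BUS_TYPE", "system");
    found = child_env_lookup(&env, "DBUS_STARTER_ADDRESS") != NULL
         && child_env_lookup(&env, "DBUS_STARTER_BUS_TYPE") != NULL;
    child_env_free(&env);
    return found;
}

int main(void)
{
    printf("unprivileged, via getenv: %d\n", starter_address_survives_via_getenv(0));
    printf("privileged,   via getenv: %d\n", starter_address_survives_via_getenv(1));
    printf("privileged,   explicit:   %d\n",
           starter_address_survives_explicit("unix:path=/tmp/example_bus_socket"));
    return 0;
}
```

Build with `cc -Wall -o starter_env starter_env.c` and run it unprivileged; the second line is the regression (the variable the helper meant to pass through vanishes as soon as the accessor treats the process as privileged), the third is the shape of the fix. The point of passing `privileged` in rather than computing it is only testability: a real helper would have no reason to bypass `process_is_privileged()`.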