[manjaro-security] [ASA-201906-16] dbus: access restriction bypass
Levente Polyak
anthraxx at archlinux.org
Wed Jun 19 13:39:12 CEST 2019
Arch Linux Security Advisory ASA-201906-16
==========================================
Severity : High
Date     : 2019-06-18
CVE-ID   : CVE-2019-12749
Package  : dbus
Type     : access restriction bypass
Remote   : No
Link     : https://security.archlinux.org/AVG-974
Summary
=======
The package dbus before version 1.12.16-1 is vulnerable to access
restriction bypass.
Resolution
==========
Upgrade to 1.12.16-1.
# pacman -Syu "dbus>=1.12.16-1"
The problem has been fixed upstream in version 1.12.16.
Workaround
==========
None.
Description
===========
It has been discovered that dbus before 1.12.16 allows cookie spoofing
because of symlink mishandling in the reference implementation of
DBUS_COOKIE_SHA1 in the libdbus library. This issue only affects the
DBUS_COOKIE_SHA1 authentication mechanism.
A malicious client with write access to its own home directory could
manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a
different uid to read and write in unintended locations. In the worst
case, this could result in the DBusServer reusing a cookie that is
known to the malicious client, and treating that cookie as evidence
that a subsequent client connection came from an attacker-chosen uid,
allowing authentication bypass.
Impact
======
A local attacker could use this issue to bypass authentication and
escalate privileges.
References
==========
https://www.openwall.com/lists/oss-security/2019/06/11/2
https://gitlab.freedesktop.org/dbus/dbus/issues/269
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
https://security.archlinux.org/CVE-2019-12749