ID CVE-2012-3524
Summary libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."
References
Vulnerable Configurations
  • FreeDesktop Libdbus 1.5.12
    cpe:2.3:a:freedesktop:libdbus:1.5.12
  • FreeDesktop Libdbus 1.5.10
    cpe:2.3:a:freedesktop:libdbus:1.5.10
  • FreeDesktop Libdbus 1.5.8
    cpe:2.3:a:freedesktop:libdbus:1.5.8
  • FreeDesktop Libdbus 1.5.6
    cpe:2.3:a:freedesktop:libdbus:1.5.6
  • FreeDesktop Libdbus 1.5.4
    cpe:2.3:a:freedesktop:libdbus:1.5.4
  • FreeDesktop Libdbus 1.5.2
    cpe:2.3:a:freedesktop:libdbus:1.5.2
  • FreeDesktop Libdbus 1.5.0
    cpe:2.3:a:freedesktop:libdbus:1.5.0
CVSS
Base: 6.9 (as of 19-09-2012 - 10:22)
Impact:
Exploitability:
CWE CWE-264
CAPEC
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Access
VectorComplexityAuthentication
LOCAL MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
exploit-db via4
description libdbus - 'DBUS_SYSTEM_BUS_ADDRESS' Local Privilege Escalation. CVE-2012-3524. Local exploit for linux platform
file exploits/linux/local/21323.c
id EDB-ID:21323
last seen 2016-02-02
modified 2012-07-17
platform linux
port
published 2012-07-17
reporter Sebastian Krahmer
source https://www.exploit-db.com/download/21323/
title libdbus - 'DBUS_SYSTEM_BUS_ADDRESS' Local Privilege Escalation
type local
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1576-1.NASL
    description Sebastian Krahmer discovered that DBus incorrectly handled environment variables when running with elevated privileges. A local attacker could possibly exploit this flaw with a setuid binary and gain root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 62219
    published 2012-09-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62219
    title Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : dbus vulnerability (USN-1576-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-070.NASL
    description Updated dbus packages fix security vulnerability : It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the D-Bus library (libdbus) (CVE-2012-3524).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 66084
    published 2013-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66084
    title Mandriva Linux Security Advisory : dbus (MDVSA-2013:070)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-750.NASL
    description 6 vulnerabilities were discovered for the dbus-1 and dbus-1-x11 packages in openSUSE versions 11.4, 12.1, and 12.2.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74795
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74795
    title openSUSE Security Update : dbus-1 / dbus-1-x11 (openSUSE-SU-2012:1418-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-670.NASL
    description This update fixed CVE-2012-3524 (getenv() vulnerability), which can be used by local attackers to escalate privileges to root.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74772
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74772
    title openSUSE Security Update : dbus-1 / dbus-1-x11 (openSUSE-SU-2012:1287-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-1261.NASL
    description From Red Hat Security Advisory 2012:1261 : Updated dbus packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility. It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the D-Bus library (libdbus). (CVE-2012-3524) Note: With this update, libdbus ignores environment variables when used by setuid or setgid applications. The environment is not ignored when an application gains privileges via file system capabilities; however, no application shipped in Red Hat Enterprise Linux 6 gains privileges via file system capabilities. Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue. All users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all running instances of dbus-daemon and all running applications using the libdbus library must be restarted, or the system rebooted.
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 68619
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68619
    title Oracle Linux 6 : dbus (ELSA-2012-1261)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_DBUS-1-120829.NASL
    description This update fixes a vulnerability in the DBUS auto-launching feature that allowed local users to execute arbitrary programs as root. CVE-2012-3524 has been assigned to this issue.
    last seen 2019-02-21
    modified 2015-01-26
    plugin id 64121
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64121
    title SuSE 11.2 Security Update : dbus-1 (SAT Patch Number 6733)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-558.NASL
    description DBUS-1 was upgraded to upstream release 1.8. This brings the version of dbus to the latest stable release from an unstable snapshot 1.7.4 that is know to have several regressions - Upstream changes since 1.7.4 : + Security fixes : - Do not accept an extra fd in the padding of a cmsg message, which could lead to a 4-byte heap buffer overrun. (CVE-2014-3635, fdo#83622; Simon McVittie) - Reduce default for maximum Unix file descriptors passed per message from 1024 to 16, preventing a uid with the default maximum number of connections from exhausting the system bus' file descriptors under Linux's default rlimit. Distributors or system administrators with a restrictive fd limit may wish to reduce these limits further. Additionally, on Linux this prevents a second denial of service in which the dbus-daemon can be made to exceed the maximum number of fds per sendmsg() and disconnect the process that would have received them. (CVE-2014-3636, fdo#82820; Alban Crequy) - Disconnect connections that still have a fd pending unmarshalling after a new configurable limit, pending_fd_timeout (defaulting to 150 seconds), removing the possibility of creating an abusive connection that cannot be disconnected by setting up a circular reference to a connection's file descriptor. (CVE-2014-3637, fdo#80559; Alban Crequy) - Reduce default for maximum pending replies per connection from 8192 to 128, mitigating an algorithmic complexity denial-of-service attack (CVE-2014-3638, fdo#81053; Alban Crequy) - Reduce default for authentication timeout on the system bus from 30 seconds to 5 seconds, avoiding denial of service by using up all unauthenticated connection slots; and when all unauthenticated connection slots are used up, make new connection attempts block instead of disconnecting them. (CVE-2014-3639, fdo#80919; Alban Crequy) - On Linux >0 2.6.37-rc4, if sendmsg() fails with ETOOMANYREFS, silently drop the message. This prevents an attack in which a malicious client can make dbus-daemon disconnect a system service, which is a local denial of service. (fdo#80163, CVE-2014-3532; Alban Crequy) - Track remaining Unix file descriptors correctly when more than one message in quick succession contains fds. This prevents another attack in which a malicious client can make dbus-daemon disconnect a system service. (fdo#79694, fdo#80469, CVE-2014-3533; Alejandro Martínez Suárez, Simon McVittie, Alban Crequy) - Alban Crequy at Collabora Ltd. discovered and fixed a denial-of-service flaw in dbus-daemon, part of the reference implementation of D-Bus. Additionally, in highly unusual environments the same flaw could lead to a side channel between processes that should not be able to communicate. (CVE-2014-3477, fdo#78979) + Other fixes and enhancements : - Check for libsystemd from systemd >= 209, falling back to the older separate libraries if not found (Umut Tezduyar Lindskog, Simon McVittie) - On Linux, use prctl() to disable core dumps from a test executable that deliberately raises SIGSEGV to test dbus-daemon's handling of that condition (fdo#83772, Simon McVittie) - Fix compilation with --enable-stats (fdo#81043, Gentoo #507232; Alban Crequy) - Improve documentation for running tests on Windows (fdo#41252, Ralf Habacker) - When dbus-launch --exit-with-session starts a dbus-daemon but then cannot attach to a session, kill the dbus-daemon as intended (fdo#74698, Роман Донченко ) - in the CMake build system, add some hints for Linux users cross-compiling Windows D-Bus binaries to be able to run tests under Wine (fdo#41252, Ralf Habacker) - add Documentation key to dbus.service (fdo#77447, Cameron Norman) - in 'dbus-uuidgen --ensure', try to copy systemd's /etc/machine-id to /var/lib/dbus/machine-id instead of generating an entirely new ID (fdo#77941, Simon McVittie) - if dbus-launch receives an X error very quickly, do not kill unrelated processes (fdo#74698, Роман Донченко ) - on Windows, allow up to 8K connections to the dbus-daemon, instead of the previous 64 (fdo#71297; Cristian Onet, Ralf Habacker) - cope with \r\n newlines in regression tests, since on Windows, dbus-daemon.exe uses text mode (fdo#75863, Руслан Ижбулато в) - Enhance the CMake build system to check for GLib and compile/run a subset of the regression tests (fdo#41252, fdo#73495; Ralf Habacker) - don't rely on va_copy(), use DBUS_VA_COPY() wrapper (fdo#72840, Ralf Habacker) - fix compilation of systemd journal support on older systemd versions where sd-journal.h doesn't include syslog.h (fdo#73455, Ralf Habacker) - fix compilation on older MSVC versions by including stdlib.h (fdo#73455, Ralf Habacker) - Allow to appear in an included configuration file (fdo#73475, Matt Hoosier) - If the tests crash with an assertion failure, they no longer default to blocking for a debugger to be attached. Set DBUS_BLOCK_ON_ABORT in the environment if you want the old behaviour. - To improve debuggability, the dbus-daemon and dbus-daemon-eavesdrop tests can be run with an external dbus-daemon by setting DBUS_TEST_DAEMON_ADDRESS in the environment. Test-cases that require an unusually-configured dbus-daemon are skipped. - don't require messages with no INTERFACE to be dispatched (fdo#68597, Simon McVittie) - document 'tcp:bind=...' and 'nonce-tcp:bind=...' (fdo#72301, Chengwei Yang) - define 'listenable' and 'connectable' addresses, and discuss the difference (fdo#61303, Simon McVittie) - support printing Unix file descriptors in dbus-send, dbus-monitor (fdo#70592, Robert Ancell) - don't install systemd units if --disable-systemd is given (fdo#71818, Chengwei Yang) - don't leak memory on out-of-memory while listing activatable or active services (fdo#71526, Radoslaw Pajak) - fix undefined behaviour in a regression test (fdo#69924, DreamNik) - escape Unix socket addresses correctly (fdo#46013, Chengwei Yang) - on SELinux systems, don't assume that SECCLASS_DBUS, DBUS__ACQUIRE_SVC and DBUS__SEND_MSG are numerically equal to their values in the reference policy (fdo#88719, osmond sun) - define PROCESS_QUERY_LIMITED_INFORMATION if missing from MinGW < 4 headers (fdo#71366, Matt Fischer) - define WIN32_LEAN_AND_MEAN to avoid conflicts between winsock.h and winsock2.h (fdo#71405, Matt Fischer) - do not return failure from _dbus_read_nonce() with no error set, preventing a potential crash (fdo#72298, Chengwei Yang) - on BSD systems, avoid some O(1)-per-process memory and fd leaks in kqueue, preventing test failures (fdo#69332, fdo#72213; Chengwei Yang) - fix warning spam on Hurd by not trying to set SO_REUSEADDR on Unix sockets, which doesn't do anything anyway on at least Linux and FreeBSD (fdo#69492, Simon McVittie) - fix use of TCP sockets on FreeBSD and Hurd by tolerating EINVAL from sendmsg() with SCM_CREDS (retrying with plain send()), and looking for credentials more correctly (fdo#69492, Simon McVittie) - ensure that tests run with a temporary XDG_RUNTIME_DIR to avoid getting mixed up in XDG/systemd 'user sessions' (fdo#61301, Simon McVittie) - refresh cached policy rules for existing connections when bus configuration changes (fdo#39463, Chengwei Yang) - If systemd support is enabled, libsystemd-journal is now required. - When activating a non-systemd service under systemd, annotate its stdout/stderr with its bus name in the Journal. Known limitation: because the socket is opened before forking, the process will still be logged as if it had dbus-daemon's process ID and user ID. (fdo#68559, Chengwei Yang) - Document more configuration elements in dbus-daemon(1) (fdo#69125, Chengwei Yang) - Don't leak string arrays or fds if dbus_message_iter_get_args_valist() unpacks them and then encounters an error (fdo#21259, Chengwei Yang) - If compiled with libaudit, retain CAP_AUDIT_WRITE so we can write disallowed method calls to the audit log, fixing a regression in 1.7.6 (fdo#49062, Colin Walters) - path_namespace='/' in match rules incorrectly matched nothing; it now matches everything. (fdo#70799, Simon McVittie) - Directory change notification via dnotify on Linux is no longer supported; it hadn't compiled successfully since 2010 in any case. If you don't have inotify (Linux) or kqueue (*BSD), you will need to send SIGHUP to the dbus-daemon when its configuration changes. (fdo#33001, Chengwei Yang) - Compiling with --disable-userdb-cache is no longer supported; it didn't work since at least 2008, and would lead to an extremely slow dbus-daemon even it worked. (fdo#15589, fdo#17133, fdo#66947; Chengwei Yang) - The DBUS_DISABLE_ASSERTS CMake option didn't actually disable most assertions. It has been renamed to DBUS_DISABLE_ASSERT to be consistent with the Autotools build system. (fdo#66142, Chengwei Yang) - --with-valgrind=auto enables Valgrind instrumentation if and only if valgrind headers are available. The default is still --with-valgrind=no. (fdo#56925, Simon McVittie) - Platforms with no 64-bit integer type are no longer supported. (fdo#65429, Simon McVittie) - GNU make is now (documented to be) required. (fdo#48277, Simon McVittie) - Full test coverage no longer requires dbus-glib, although the tests do not exercise the shared library (only a static copy) if dbus-glib is missing. (fdo#68852, Simon McVittie) - D-Bus Specification 0.22 - Document GetAdtAuditSessionData() and GetConnectionSELinuxSecurityContext() (fdo#54445, Simon) - Fix example .service file (fdo#66481, Chengwei Yang) - Don't claim D-Bus is 'low-latency' (lower than what?), just give factual statements about it supporting async use (fdo#65141, Justin Lee) - Document the contents of .service files, and the fact that system services' filenames are constrained (fdo#66608; Simon McVittie, Chengwei Yang) - Be thread-safe by default on all platforms, even if dbus_threads_init_default() has not been called. For compatibility with older libdbus, library users should continue to call dbus_threads_init_default(): it is harmless to do so. (fdo#54972, Simon McVittie) - Add GetConnectionCredentials() method (fdo#54445, Simon) - New API: dbus_setenv(), a simple wrapper around setenv(). Note that this is not thread-safe. (fdo#39196, Simon) - Add dbus-send --peer=ADDRESS (connect to a given peer-to-peer connection, like --address=ADDRESS in previous versions) and dbus-send --bus=ADDRESS (connect to a given bus, like dbus-monitor --address=ADDRESS). dbus-send --address still exists for backwards compatibility, but is no longer documented. (fdo#48816, Andrey Mazo) - 'dbus-daemon --nofork' is allowed on Windows again. (fdo#68852, Simon McVittie) - Avoid an infinite busy-loop if a signal interrupts waitpid() (fdo#68945, Simon McVittie) - Clean up memory for parent nodes when objects are unexported (fdo#60176, Thomas Fitzsimmons) - Make dbus_connection_set_route_peer_messages(x, FALSE) behave as documented. Previously, it assumed its second parameter was TRUE. (fdo#69165, Chengwei Yang) - Escape addresses containing non-ASCII characters correctly (fdo#53499, Chengwei Yang) - Document search order correctly (fdo#66994, Chengwei Yang) - Don't crash on 'dbus-send --session / x.y.z' which regressed in 1.7.4. (fdo#65923, Chengwei Yang) - If malloc() returns NULL in _dbus_string_init() or similar, don't free an invalid pointer if the string is later freed (fdo#65959, Chengwei Yang) - If malloc() returns NULL in dbus_set_error(), don't va_end() a va_list that was never va_start()ed (fdo#66300, Chengwei Yang) - fix build failure with --enable-stats (fdo#66004, Chengwei Yang) - fix a regression test on platforms with strict alignment (fdo#67279, Colin Walters) - Avoid calling function parameters 'interface' since certain Windows headers have a namespace-polluting macro of that name (fdo#66493, Ivan Romanov) - Assorted Doxygen fixes (fdo#65755, Chengwei Yang) - Various thread-safety improvements to static variables (fdo#68610, Simon McVittie) - Make 'make -j check' work (fdo#68852, Simon McVittie) - Fix a NULL pointer dereference on an unlikely error path (fdo#69327, Sviatoslav Chagaev) - Improve valgrind memory pool tracking (fdo#69326, Sviatoslav Chagaev) - Don't over-allocate memory in dbus-monitor (fdo#69329, Sviatoslav Chagaev) - dbus-monitor can monitor dbus-daemon < 1.5.6 again (fdo#66107, Chengwei Yang) - If accept4() fails with EINVAL, as it can on older Linux kernels with newer glibc, try accept() instead of going into a busy-loop. (fdo#69026, Chengwei Yang) - If socket() or socketpair() fails with EINVAL or EPROTOTYPE, for instance on Hurd or older Linux with a new glibc, try without SOCK_CLOEXEC. (fdo#69073; Pino Toscano, Chengwei Yang) - Fix a file descriptor leak on an error code path. (fdo#69182, Sviatoslav Chagaev) - dbus-run-session: clear some unwanted environment variables (fdo#39196, Simon) - dbus-run-session: compile on FreeBSD (fdo#66197, Chengwei Yang) - Don't fail the autolaunch test if there is no DISPLAY (fdo#40352, Simon) - Use dbus-launch from the builddir for testing, not the installed copy (fdo#37849, Chengwei Yang) - Fix compilation if writev() is unavailable (fdo#69409, Vasiliy Balyasnyy) - Remove broken support for LOCAL_CREDS credentials passing, and document where each credential-passing scheme is used (fdo#60340, Simon McVittie) - Make autogen.sh work on *BSD by not assuming GNU coreutils functionality fdo#35881, fdo#69787; Chengwei Yang) - dbus-monitor: be portable to NetBSD (fdo#69842, Chengwei Yang) - dbus-launch: stop using non-portable asprintf (fdo#37849, Simon) - Improve error reporting from the setuid activation helper (fdo#66728, Chengwei Yang) - Remove unavailable command-line options from 'dbus-daemon --help' (fdo#42441, Ralf Habacker) - Add support for looking up local TCPv4 clients' credentials on Windows XP via the undocumented AllocateAndGetTcpExTableFromStack function (fdo#66060, Ralf Habacker) - Fix insufficient dependency-tracking (fdo#68505, Simon McVittie) - Don't include wspiapi.h, fixing a compiler warning (fdo#68852, Simon McVittie) - add DBUS_ENABLE_ASSERT, DBUS_ENABLE_CHECKS for less confusing conditionals (fdo#66142, Chengwei Yang) - improve verbose-mode output (fdo#63047, Colin Walters) - consolidate Autotools and CMake build (fdo#64875, Ralf Habacker) - fix various unused variables, unusual build configurations etc. (fdo#65712, fdo#65990, fdo#66005, fdo#66257, fdo#69165, fdo#69410, fdo#70218; Chengwei Yang, Vasiliy Balyasnyy) - dbus-cve-2014-3533.patch: Add patch for CVE-2014-3533 to fix (fdo#63127) • CVE-2012-3524: Don't access environment variables (fdo#52202) (fdo#51521, Dave Reisner) • Remove an incorrect assertion from DBusTransport (fdo#51657, (fdo#51406, Simon McVittie) (fdo#51032, Simon McVittie) (fdo#34671, Simon McVittie) · Check for libpthread under CMake on Unix (fdo#47237, Simon McVittie) spec-compliance (fdo#48580, David Zeuthen) non-root when using OpenBSD install(1) (fdo#48217, Antoine Jacoutot) (fdo#45896, Simon McVittie) (fdo#39549, Simon McVittie) invent their own 'union of everything' type (fdo#11191, Simon find(1) (fdo#33840, Simon McVittie) (fdo#46273, Alban Crequy) again on Win32, but not on WinCE (fdo#46049, Simon (fdo#47321, Andoni Morales Alastruey) (fdo#39231, fdo#41012; Simon McVittie) - Add a regression test for fdo#38005 (fdo#39836, Simon McVittie) a service file entry for activation (fdo#39230, Simon McVittie) (fdo#24317, #34870; Will Thompson, David Zeuthen, Simon McVittie) and document it better (fdo#31818, Will Thompson) • Let the bus daemon implement more than one interface (fdo#33757, • Optimize _dbus_string_replace_len to reduce waste (fdo#21261, (fdo#35114, Simon McVittie) • Add dbus_type_is_valid as public API (fdo#20496, Simon McVittie) to unknown interfaces in the bus daemon (fdo#34527, Lennart Poettering) (fdo#32245; Javier Jardón, Simon McVittie) • Correctly give XDG_DATA_HOME priority over XDG_DATA_DIRS (fdo#34496, in embedded environments (fdo#19997, NB#219964; Simon McVittie) • Install the documentation, and an index for Devhelp (fdo#13495, booleans when sending them (fdo#16338, NB#223152; Simon McVittie) errors to dbus-shared.h (fdo#34527, Lennart Poettering) data (fdo#10887, Simon McVittie) .service files (fdo#19159, Sven Herzberg) (fdo#35750, Colin Walters) (fdo#32805, Mark Brand) which could result in a busy-loop (fdo#32992, NB#200248; possibly • Fix failure to detect abstract socket support (fdo#29895) (fdo#32262, NB#180486) • Improve some error code paths (fdo#29981, fdo#32264, fdo#32262, fdo#33128, fdo#33277, fdo#33126, NB#180486) • Avoid possible symlink attacks in /tmp during compilation (fdo#32854) • Tidy up dead code (fdo#25306, fdo#33128, fdo#34292, NB#180486) • Improve gcc malloc annotations (fdo#32710) • Documentation improvements (fdo#11190) • Avoid readdir_r, which is difficult to use correctly (fdo#8284, fdo#15922, LP#241619) • Cope with invalid files in session.d, system.d (fdo#19186, • Don't distribute generated files that embed our builddir (fdo#30285, fdo#34292) (fdo#33474, LP#381063) with lcov HTML reports and --enable-compiler-coverage (fdo#10887) · support credentials-passing (fdo#32542) · opt-in to thread safety (fdo#33464)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 77845
    published 2014-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77845
    title openSUSE Security Update : dbus-1 (openSUSE-SU-2014:1228-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-50.NASL
    description This update fixes the following security issues : - CVE-2014-8148 : - Do not allow calls to UpdateActivationEnvironment from uids other than the uid of the dbus-daemon. If a system service installs unsafe security policy rules that allow arbitrary method calls (such as CVE-2014-8148) then this prevents memory consumption and possible privilege escalation via UpdateActivationEnvironment. - CVE-2012-3524: Don't access environment variables (bnc#912016)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 80985
    published 2015-01-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80985
    title openSUSE Security Update : dbus-1 (openSUSE-SU-2015:0111-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-083.NASL
    description Updated glib2.0 packages fix security vulnerability : It was discovered that the version of glib shipped with MBS 1 does not sanitise certain DBUS related environment variables. When used in combination with a setuid application which utilises dbus via glib, a local user could gain escalated privileges with a specially crafted environment. This is related to a similar issue with dbus (CVE-2012-3524). This updated version of glib adds appropriate protection against such scenarios and also adds additional hardening when used in a setuid environment.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 66097
    published 2013-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66097
    title Mandriva Linux Security Advisory : glib2.0 (MDVSA-2013:083)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201406-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-201406-01 (D-Bus, GLib: Privilege escalation) When libdbus is used in a setuid program, a user can gain escalated privileges by leveraging the DBUS_SYSTEM_BUS_ADDRESS variable. GLib can be used in a setuid context with D-Bus, and so can trigger this vulnerability. Please review the CVE identifier below for more details. Impact : A local attacker could gain escalated privileges and execute arbitrary code. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2015-04-13
    plugin id 74258
    published 2014-06-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74258
    title GLSA-201406-01 : D-Bus, GLib: Privilege escalation
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2012-128.NASL
    description It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the D-Bus library (libdbus). (CVE-2012-3524)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 69618
    published 2013-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69618
    title Amazon Linux AMI : dbus (ALAS-2012-128)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-14157.NASL
    description Resolves https://bugzilla.redhat.com/show_bug.cgi?id=857226 and https://bugzilla.redhat.com/show_bug.cgi?id=857227 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 62334
    published 2012-09-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62334
    title Fedora 17 : dbus-1.4.10-5.fc17 / glib2-2.32.4-2.fc17 (2012-14157)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-14126.NASL
    description Resolves https://bugzilla.redhat.com/show_bug.cgi?id=857226 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 62789
    published 2012-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62789
    title Fedora 16 : dbus-1.4.10-4.fc16 (2012-14126)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1576-2.NASL
    description USN-1576-1 fixed vulnerabilities in DBus. The update caused a regression for certain services launched from the activation helper, and caused an unclean shutdown on upgrade. This update fixes the problem. We apologize for the inconvenience. Sebastian Krahmer discovered that DBus incorrectly handled environment variables when running with elevated privileges. A local attacker could possibly exploit this flaw with a setuid binary and gain root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 62434
    published 2012-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62434
    title Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : dbus regressions (USN-1576-2)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-1261.NASL
    description Updated dbus packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility. It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the D-Bus library (libdbus). (CVE-2012-3524) Note: With this update, libdbus ignores environment variables when used by setuid or setgid applications. The environment is not ignored when an application gains privileges via file system capabilities; however, no application shipped in Red Hat Enterprise Linux 6 gains privileges via file system capabilities. Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue. All users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all running instances of dbus-daemon and all running applications using the libdbus library must be restarted, or the system rebooted.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 62087
    published 2012-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62087
    title RHEL 6 : dbus (RHSA-2012:1261)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20120913_DBUS_ON_SL6_X.NASL
    description It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the D-Bus library (libdbus). (CVE-2012-3524) Note: With this update, libdbus ignores environment variables when used by setuid or setgid applications. The environment is not ignored when an application gains privileges via file system capabilities; however, no application shipped in Red Hat Enterprise Linux 6 gains privileges via file system capabilities. We would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue. For the update to take effect, all running instances of dbus-daemon and all running applications using the libdbus library must be restarted, or the system rebooted.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 62106
    published 2012-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62106
    title Scientific Linux Security Update : dbus on SL6.x i386/x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2012-1261.NASL
    description Updated dbus packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility. It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the D-Bus library (libdbus). (CVE-2012-3524) Note: With this update, libdbus ignores environment variables when used by setuid or setgid applications. The environment is not ignored when an application gains privileges via file system capabilities; however, no application shipped in Red Hat Enterprise Linux 6 gains privileges via file system capabilities. Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue. All users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all running instances of dbus-daemon and all running applications using the libdbus library must be restarted, or the system rebooted.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 62082
    published 2012-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62082
    title CentOS 6 : dbus (CESA-2012:1261)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_LIBDBUS_20121016.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: 'we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus.' (CVE-2012-3524)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80665
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80665
    title Oracle Solaris Third-Party Patch Update : libdbus (cve_2012_3524_permissions_privileges)
redhat via4
advisories
bugzilla
id 847402
title CVE-2012-3524 dbus: privilege escalation when libdbus is used in setuid/setgid application
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhsa:tst:20100842001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhsa:tst:20100842002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20100842003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20100842004
  • OR
    • AND
      • comment dbus is earlier than 1:1.2.24-7.el6_3
        oval oval:com.redhat.rhsa:tst:20121261005
      • comment dbus is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110376015
    • AND
      • comment dbus-devel is earlier than 1:1.2.24-7.el6_3
        oval oval:com.redhat.rhsa:tst:20121261009
      • comment dbus-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110376017
    • AND
      • comment dbus-doc is earlier than 1:1.2.24-7.el6_3
        oval oval:com.redhat.rhsa:tst:20121261011
      • comment dbus-doc is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110376019
    • AND
      • comment dbus-libs is earlier than 1:1.2.24-7.el6_3
        oval oval:com.redhat.rhsa:tst:20121261013
      • comment dbus-libs is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110376021
    • AND
      • comment dbus-x11 is earlier than 1:1.2.24-7.el6_3
        oval oval:com.redhat.rhsa:tst:20121261007
      • comment dbus-x11 is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110376023
rhsa
id RHSA-2012:1261
released 2012-09-13
severity Moderate
title RHSA-2012:1261: dbus security update (Moderate)
rpms
  • dbus-1:1.2.24-7.el6_3
  • dbus-devel-1:1.2.24-7.el6_3
  • dbus-doc-1:1.2.24-7.el6_3
  • dbus-libs-1:1.2.24-7.el6_3
  • dbus-x11-1:1.2.24-7.el6_3
refmap via4
bid 55517
confirm https://bugs.freedesktop.org/show_bug.cgi?id=52202
exploit-db 21323
mandriva
  • MDVSA-2013:070
  • MDVSA-2013:083
misc
mlist
  • [oss-security] 20120710 libdbus hardening
  • [oss-security] 20120726 Re: libdbus hardening
  • [oss-security] 20120912 libdbus CVE-2012-3524 fix
  • [oss-security] 20120914 Re: libdbus CVE-2012-3524 fix
  • [oss-security] 20120917 Re: libdbus CVE-2012-3524 fix
secunia
  • 50537
  • 50544
  • 50710
suse
  • SUSE-SU-2012:1155
  • SUSE-SU-2012:1155-2
  • openSUSE-SU-2012:1287
  • openSUSE-SU-2012:1418
ubuntu
  • USN-1576-1
  • USN-1576-2
Last major update 05-05-2014 - 01:12
Published 18-09-2012 - 13:55
Back to Top