On Sat, Sep 29, 2012 at 04:58:55PM +0100, Simon McVittie wrote:
> On 28/09/12 22:30, Geoffrey Thomas wrote:
> > CVE-2012-3524 is about setuid binaries linking libdbus being easily
> > trickable to do bad things via a malicious PATH (for finding
> > dbus-launch), or through a DBUS_* address variable using the unixexec
> > address type.
>
> Potentially-vulnerable binaries are anything that is setuid and links
> either libdbus-1.so.3 (CVE-2012-3524), directly or via e.g.
> libpam-systemd or libhal, or libgio-2.0.so.0 >= 2.26 (CVE-2012-4425).
> squeeze's libgio-2.0 is too old to be vulnerable to this anyway (it
> doesn't have a D-Bus implementation).
>
> I consider patching the libraries to be defence-in-depth, rather than a
> real solution: the real solution is for setuid binaries to clear their
> caller-supplied environments before they call into non-trivial
> libraries. Nevertheless, patching libdbus is the most expedient way to
> become less exploitable.
>
> Security team: do you want to handle this for squeeze as a security
> update, or a normal stable update? I attach a proposed debdiff;
> s/stable/stable-security/ if desired.
Thanks for the verbose description of the situation. I had already started to investigate this issue and your assessment agrees with my findings so far. The fix for stable can go in via stable-proposed-updates.

Cheers,
Moritz
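Simon's "real solution" above, a setuid binary clearing its caller-supplied environment before any library code runs, as an added illustration that is not part of this thread or of dbus itself: a routine a setuid program could call first thing in main(). The allowlist of variables to keep and the fixed PATH are constructed values for the example; a real program would choose its own.

```c
#define _POSIX_C_SOURCE 200809L   /* declares setenv/unsetenv */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
extern char **environ;

/* Constructed allowlist and PATH for this example; PATH is on the list only
 * because it is overwritten below. A real setuid program picks its own. */
static const char *const KEEP[] = { "TERM", "LANG", "PATH" };
static const char SAFE_PATH[] = "/usr/sbin:/usr/bin:/sbin:/bin";

/* Real and effective ids differ: we were started via a setuid/setgid bit. */
int running_setuid(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

static int is_allowed(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof KEEP / sizeof KEEP[0]; i++)
        if (strlen(KEEP[i]) == len && memcmp(KEEP[i], name, len) == 0) return 1;
    return 0;
}
/* Drop every caller-supplied variable not on the allowlist (this discards any
 * DBUS_* address variable, so libdbus cannot be handed a unixexec: address),
 * then pin PATH so dbus-launch is only looked up in trusted directories.
 * Returns the number of variables removed, or -1 on failure. */
int sanitize_environment(void) {
    int removed = 0;
    for (;;) {
        char **e = environ;
        const char *eq = NULL;
        /* First removable entry; malformed ones (no '=' or empty name) are skipped. */
        while (e && *e) {
            eq = strchr(*e, '=');
            if (eq && eq != *e && !is_allowed(*e, (size_t)(eq - *e))) break;
            e++;
        }
        if (!e || !*e) break;                    /* nothing left to remove */
        size_t len = (size_t)(eq - *e);
        char *name = malloc(len + 1);
        if (!name) return -1;
        memcpy(name, *e, len); name[len] = '\0';
        int rc = unsetenv(name);                 /* removes every copy of that name */
        free(name);
        if (rc != 0) return -1;
        removed++;                               /* environ shifted: rescan from the top */
    }
    return setenv("PATH", SAFE_PATH, 1) == 0 ? removed : -1;
}
/* Call before any library initialisation in a setuid binary's main(). */
int harden_if_setuid(void) { return running_setuid() ? sanitize_environment() : 0; }
```

Doing this in the binary itself, rather than relying on the library patch, covers every library the program links, not only libdbus.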