Package: libdbus-1-3
Version: 1.0.0-1
Severity: grave
Tags: security fixed-upstream patch
Forwarded: https://gitlab.freedesktop.org/dbus/dbus/issues/269
Joe Vennix of Apple Information Security discovered an implementation flaw in the DBUS_COOKIE_SHA1 authentication mechanism. A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.

This vulnerability does not normally affect the standard system dbus-daemon, which only allows the EXTERNAL authentication mechanism. In supported branches of dbus it also does not normally affect the standard session dbus-daemon, for the same reason. However, this vulnerability can affect third-party users of DBusServer (such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon instances, standard dbus-daemon instances with non-standard configuration, and the session bus in older/unsupported dbus branches (such as dbus 1.6.x in Ubuntu 14.04 LTS).

For buster this has been fixed in libdbus-1-3 1.12.16-1. I'll close this bug when I have a bug number.

For stretch this has been fixed in upstream release 1.10.28 and I am discussing with the security team whether it is DSA-worthy, and if so, whether to upload 1.10.28-0+deb9u1 or a minimal backport.

For experimental this will be fixed by upstream release 1.13.12 when I've tested it.

If the Debian LTS team want to address this vulnerability in jessie (which has an EOL dbus branch that we no longer support upstream), they should backport upstream commit <https://gitlab.freedesktop.org/dbus/dbus/commit/525c2314c56504fb232f9ec7f25cf7dda4d4a1c4> and optionally also the build-time test coverage found in <https://gitlab.freedesktop.org/dbus/dbus/commit/c251e7ea9525c1fc81360bbaf48f86ef6a0ad598>.

Regards,
smcv
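The report above turns on one property of the DBUS_COOKIE_SHA1 keyring directory: a server must only trust ~/.dbus-keyrings when it is a real, private directory owned by the uid it is authenticating, never a symlink that a lower-privileged user could point elsewhere. The following is an added illustration, written for this page and not code from the dbus project or from the linked upstream commits, of the kind of pre-check an operator or auditor can run against a keyring directory. It is a stand-alone Python script that uses `os.lstat` so that a symlink is reported as such rather than followed; the thresholds it applies (correct owner, no group/other permission bits) are stated here as assumptions about what a safe keyring directory looks like, and `demo()` builds a constructed scenario in a temporary directory rather than touching a real home directory.

```python
import os
import stat
import tempfile


def keyring_dir_problems(path, expected_uid=None):
    """Return a list of reasons why `path` must NOT be trusted as a
    DBUS_COOKIE_SHA1 keyring directory. An empty list means it passed
    every check. Checks are deliberately done with lstat so that a
    symlink is rejected instead of being transparently followed."""
    if expected_uid is None:
        expected_uid = os.getuid()
    problems = []
    try:
        st = os.lstat(path)  # lstat: report the link itself, never follow it
    except FileNotFoundError:
        return ["does not exist"]
    if stat.S_ISLNK(st.st_mode):
        # A symlink here is exactly the manipulation the report describes:
        # the directory entry the server opens is not the one it expects.
        problems.append("is a symlink")
        return problems
    if not stat.S_ISDIR(st.st_mode):
        problems.append("is not a directory")
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & 0o077:
        # Any group/other bits let another uid read or replace cookies.
        problems.append(
            f"group/other permission bits set (mode {stat.S_IMODE(st.st_mode):04o})"
        )
    return problems


def demo():
    """Constructed scenario (not a real home directory): one proper keyring
    directory, one symlink pointing elsewhere, and one directory that is
    too permissive. Returns the check result for each case."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "good-keyrings")
        os.mkdir(good, 0o700)
        os.chmod(good, 0o700)  # mkdir's mode is subject to umask; force 0700
        results["good"] = keyring_dir_problems(good)

        target = os.path.join(base, "elsewhere")
        os.mkdir(target, 0o700)
        link = os.path.join(base, "link-keyrings")
        os.symlink(target, link)  # the entry the server would open is a link
        results["symlink"] = keyring_dir_problems(link)

        loose = os.path.join(base, "loose-keyrings")
        os.mkdir(loose)
        os.chmod(loose, 0o755)  # readable by other uids: cookies are exposed
        results["loose"] = keyring_dir_problems(loose)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'ok' if not problems else ', '.join(problems)}")
```

To audit a live system, call `keyring_dir_problems(os.path.expanduser("~/.dbus-keyrings"))` as the user whose bus is being checked; the owner and mode checks only make sense when run as, or with `expected_uid` set to, that user.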