Bug#930375: CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 authentication bypass

2019-06-11 Thread Simon McVittie
Package: libdbus-1-3
Version: 1.0.0-1
Severity: grave
Tags: security fixed-upstream patch
Forwarded: https://gitlab.freedesktop.org/dbus/dbus/issues/269

Joe Vennix of Apple Information Security discovered an implementation flaw
in the DBUS_COOKIE_SHA1 authentication mechanism. A malicious client with
write access to its own home directory could manipulate a ~/.dbus-keyrings
symlink to cause a DBusServer with a different uid to read and write
in unintended locations. In the worst case, this could result in the
DBusServer reusing a cookie that is known to the malicious client, and
treating that cookie as evidence that a subsequent client connection
came from an attacker-chosen uid, allowing authentication bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the standard
session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon instances,
standard dbus-daemon instances with non-standard configuration, and the
session bus in older/unsupported dbus branches (such as dbus 1.6.x in
Ubuntu 14.04 LTS).

For buster this has been fixed in libdbus-1-3 1.12.16-1. I'll close this
bug when I have a bug number.

For stretch this has been fixed in upstream release 1.10.28 and I am
discussing with the security team whether it is DSA-worthy, and if so,
whether to upload 1.10.28-0+deb9u1 or a minimal backport.

For experimental this will be fixed by upstream release 1.13.12 when
I've tested it.

If the Debian LTS team want to address this vulnerability
in jessie (which has an EOL dbus branch that we no
longer support upstream), they should backport upstream commit

and optionally also the build-time test coverage found in
.

Regards,
smcv



Bug#930376: gvfsd GetConnection() missing authorization check

2019-06-11 Thread Simon McVittie
Package: gvfs-daemons
Version: 1.14.1-1
Severity: grave
Tags: security fixed-upstream patch
Forwarded: https://gitlab.gnome.org/GNOME/gvfs/commit/70dbfc68a79faac49bd3423e079cb6902522082a

While looking for services that might be vulnerable to CVE-2019-12749
or a similar vulnerability, I noticed that gvfsd has a mechanism to open
a private D-Bus server socket, and does not configure an authorization
check for clients connecting to that socket. An attacker who learns the
abstract socket address from netstat(8) or similar could connect to it
and issue D-Bus method calls.

Mitigation: the attacker would have to win a race with the user owning
gvfsd, who is probably also trying to connect to the same socket. gvfsd
closes the socket after it has accepted one connection.

I have requested a CVE ID from MITRE but not received one yet.

For buster/sid this has been fixed in gvfs 1.38.1-5.

For experimental this has been fixed in gvfs 1.40.1-2.

I do not have a tested patch for stretch or jessie, but the same change
would probably work as-is.

It would probably be a good idea to also backport
https://gitlab.gnome.org/GNOME/gvfs/commit/16a275041de2e70063da8aa5cfb2804de9a2f60a
for additional hardening. This forces authentication to use the
simple, robust EXTERNAL (credentials-passing) mechanism, disabling
DBUS_COOKIE_SHA1, which is somewhat fragile and seems more likely to
contain unknown vulnerabilities.

Regards,
smcv
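The two reports above describe a private, single-use server socket that accepted any connecting peer, and a hardening that restricts authentication to EXTERNAL, i.e. the kernel's credentials passing. The following is an added example, not gvfs's code or either linked commit (those are GLib-based and not shown on this page): a minimal one-shot Unix-socket server that accepts exactly one connection, reads the peer's uid with SO_PEERCRED (the same Linux facility EXTERNAL relies on), only answers if that uid matches the uid the server is meant to serve, and then stops listening. Names, the "OK"/"REJECTED" replies and the temporary socket path are assumptions for illustration; it is Linux-specific.

```python
import os
import socket
import struct
import tempfile
import threading


def peer_uid(conn: socket.socket) -> int:
    """Return the uid of the process on the other end of an AF_UNIX socket.
    SO_PEERCRED yields struct ucred { pid_t pid; uid_t uid; gid_t gid; }."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def serve_one_connection(listener: socket.socket, allowed_uid: int) -> bool:
    """Accept a single connection, authorize it by peer uid, reply, then close
    the listener so no second client can ever reach this socket."""
    conn, _ = listener.accept()
    try:
        authorized = peer_uid(conn) == allowed_uid
        conn.sendall(b"OK\n" if authorized else b"REJECTED\n")
        return authorized
    finally:
        conn.close()
        listener.close()


def demo(uid_offset: int = 0) -> tuple[str, bool]:
    """Run server and client in one process. uid_offset=0 means the server
    serves our own uid; any other value simulates a server owned by someone else."""
    allowed_uid = os.getuid() + uid_offset
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "private.sock")  # constructed; gvfsd used an abstract address
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(path)
        listener.listen(1)

        outcome = {}
        worker = threading.Thread(
            target=lambda: outcome.__setitem__("authorized",
                                               serve_one_connection(listener, allowed_uid)))
        worker.start()

        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        client.connect(path)
        reply = client.recv(64).strip().decode()
        client.close()
        worker.join()
        return reply, outcome["authorized"]


if __name__ == "__main__":
    print("same uid:  ", demo())
    print("other uid: ", demo(uid_offset=1))
```

Without the uid comparison in serve_one_connection, whoever connects first is served, which is exactly the race the report describes; with it, a peer under another uid is refused even if it wins the race.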