
Re: [SECURITY] [DSA 1599-1] New dbus packages fix privilege escalation



On Thu, Jun 26, 2008 at 11:06:06PM +0200, Moritz Muehlenhoff wrote:
> Package        : dbus
> Vulnerability  : programming error
> Problem type   : local
> Debian-specific: no
> CVE Id(s)      : CVE-2008-0595
> 
> Havoc Pennington discovered that DBus, a simple interprocess messaging
> system, performs insufficient validation of security policies, which
> might allow local privilege escalation.
> 
> We recommend that you upgrade your dbus packages.

As far as I can see, this update does not restart the dbus daemon, so
the vulnerable dbus process will run until reboot (or until a manual
restart of dbus).  Have I missed anything?

----------
bash# aptitude upgrade
Reading package lists... Done
Building dependency tree... Done
Reading extended state information
Initializing package states... Done
Building tag database... Done
The following packages will be upgraded:
  dbus libdbus-1-3
2 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 620kB of archives. After unpacking 8192B will be used.
Do you want to continue? [Y/n/?]
Get:1 http://localhost etch/updates/main libdbus-1-3 1.0.2-1+etch1 [269kB]
Get:2 http://localhost etch/updates/main dbus 1.0.2-1+etch1 [351kB]
Fetched 620kB in 0s (2261kB/s)
(Reading database ... 141860 files and directories currently installed.)
Preparing to replace libdbus-1-3 1.0.2-1 (using .../libdbus-1-3_1.0.2-1+etch1_i386.deb) ...
Unpacking replacement libdbus-1-3 ...
Preparing to replace dbus 1.0.2-1 (using .../dbus_1.0.2-1+etch1_i386.deb) ...
Unpacking replacement dbus ...
Setting up libdbus-1-3 (1.0.2-1+etch1) ...

Setting up dbus (1.0.2-1+etch1) ...
Reloading system message bus config...done.
----------

Reloading != Restarting

Thank you for your work,
    Alexandra.

PS: CC me, I'm not subscribed to debian-security@
-- 
Alexandra N. Kossovsky
OKTET Labs (http://www.oktetlabs.ru/)
Phones: +7(921)956-42-86(mobile) +7(812)783-21-91(office)
e-mail: sasha@oktetlabs.ru
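
The following is an added example, not part of the original message and not Debian's own tooling: one way to check whether a process started before the upgrade is still running the replaced dbus files, assuming a Linux /proc filesystem. The function names and the sample maps content are constructed for illustration.

```shell
#!/bin/sh
# Added example. After dpkg replaces a file, a process started earlier keeps
# the old copy mapped, and the kernel tags that mapping "(deleted)" in
# /proc/<pid>/maps.

# stale_maps FILE PATTERN
# FILE holds text in /proc/<pid>/maps format. Prints, once each, the deleted
# mapped paths that match PATTERN. Paths containing spaces are not handled.
stale_maps() {
    awk -v pat="$2" '
        $NF == "(deleted)" && $6 ~ pat && !seen[$6]++ { print $6 }
    ' "$1"
}

# scan_procs PATTERN
# Prints "PID PATH" for each running process that still maps a deleted file
# matching PATTERN. Run as root to see other users' processes.
scan_procs() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        stale_maps "$m" "$1" 2>/dev/null | sed "s|^|$pid |"
    done
    return 0
}

# Constructed sample in maps format: a binary replaced on disk while running.
sample_maps() {
    cat <<'EOF'
08048000-0809f000 r-xp 00000000 08:01 131101 /usr/bin/dbus-daemon (deleted)
0809f000-080a1000 rw-p 00056000 08:01 131101 /usr/bin/dbus-daemon (deleted)
b7e00000-b7f2b000 r-xp 00000000 08:01 196700 /lib/libc.so.6
bf9c0000-bf9d6000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Demo on the sample; on a live host use: scan_procs dbus
tmp=$(mktemp)
sample_maps > "$tmp"
stale_maps "$tmp" dbus
rm -f "$tmp"
```

A hit for the message bus daemon's PID means it is still executing the pre-upgrade binary and has to be restarted for the fix to take effect.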

