Bug#689602: pu: package dbus/1.2.24-4+squeeze2



On Thu, 2012-10-04 at 13:56 +0100, Simon McVittie wrote:
> CVE-2012-3524 (#689070) is a local root privilege escalation vulnerability
> when setuid-root applications use libdbus without first sanitizing their
> caller-supplied environment via a whitelist. Applications thought to be
> exploitable include Xorg via the setuid /usr/bin/X if using libhal (so for us,
> kFreeBSD but not Linux), and perhaps su/sudo if libpam-systemd or
> libpam-ck-connector is used. I wasn't able to exploit libpam-ck-connector
> under a squeeze VM, but perhaps I'm doing it wrong.
> 
> D-Bus upstream consensus is that it is an application bug to use any
> non-trivial library in a setuid application without first clearing the
> caller-supplied environment; but having said that, hardening libdbus
> against applications with this bug seems wise.

Apologies for the delay in getting back to you about this. Judging from
the upload history, it looks like applying the patches to unstable /
testing was happily uneventful in terms of any issues arising in
applications?

Regards,

Adam
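The whitelist-based environment sanitizing the quoted message says setuid applications should do before touching libdbus, as an added C example that is not part of this thread or of D-Bus itself; the allowed-variable list is a constructed one a real program would tailor to its needs.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

extern char **environ;

/* Variables a setuid program is willing to inherit from its caller.
 * Everything else (DBUS_*, LD_*, ...) is dropped. Constructed list. */
static const char *const allowed[] = { "PATH", "TERM", "LANG", NULL };

/* Return 1 if entry ("NAME=value") names a variable listed in allow[]. */
static int is_allowed(const char *entry, const char *const *allow)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;                       /* malformed entry: drop it */
    size_t len = (size_t)(eq - entry);
    for (; *allow != NULL; allow++)
        if (strlen(*allow) == len && strncmp(entry, *allow, len) == 0)
            return 1;
    return 0;
}

/* Build a NULL-terminated copy of env holding only allowed entries.
 * The caller frees the returned array; entries still point into env. */
char **filter_environment(char *const *env, const char *const *allow,
                          size_t *out_n)
{
    size_t n = 0, kept = 0;
    while (env[n] != NULL)
        n++;
    char **out = calloc(n + 1, sizeof *out);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (is_allowed(env[i], allow))
            out[kept++] = env[i];
    out[kept] = NULL;                   /* calloc already zeroed, kept explicit */
    if (out_n != NULL)
        *out_n = kept;
    return out;
}

int main(void)
{
    /* In a setuid program this runs before any library initialisation. */
    size_t n = 0;
    char **clean = filter_environment(environ, allowed, &n);
    if (clean == NULL)
        return 1;
    environ = clean;
    printf("kept %zu environment variable(s)\n", n);
    return 0;
}
```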
