Advisories » MGASA-2015-0405

Updated dbus packages fix security vulnerability

Publication date: 25 Oct 2015
Modification date: 25 Oct 2015
Type: security
Affected Mageia releases: 5

Description

Updated dbus packages provide security hardening and fix some bugs.

Security hardening:

On Unix platforms, change the default configuration for the session bus
to only allow EXTERNAL authentication (secure kernel-mediated
credentials-passing), as was already done for the system bus.

This avoids falling back to DBUS_COOKIE_SHA1, which relies on strongly
unpredictable pseudo-random numbers; under certain circumstances
(/dev/urandom unreadable or malloc() returns NULL), dbus could
fall back to using rand(), which does not have the desired
unpredictability. The fallback to rand() has not been changed in this
stable-branch since the necessary code changes for correct error-handling
are rather intrusive.

If you are using D-Bus over the (unencrypted!) tcp: or nonce-tcp:
transport, in conjunction with DBUS_COOKIE_SHA1 and a shared home
directory using NFS or similar, you will need to reconfigure the session
bus to accept DBUS_COOKIE_SHA1 by commenting out the  element. This
configuration is not recommended.
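To make the hardening change concrete, here is an added illustration (not taken from the advisory or from the dbus project's shipped files) of a session bus configuration in the D-Bus busconfig format. The hardened form restricts the session bus to the EXTERNAL mechanism; the comment shows the weakened variant the advisory describes for the tcp:/nonce-tcp: plus shared-home case. The file path named in the comments is an assumption about where a Mageia 5 system keeps the session bus configuration.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<!-- Illustrative session bus configuration (assumed location:
     /etc/dbus-1/session.conf). This is an added example, not the
     package's actual file. -->
<busconfig>
  <type>session</type>

  <!-- The usual Unix-socket transport. Authentication over it can use
       EXTERNAL, i.e. the peer's credentials as supplied by the kernel. -->
  <listen>unix:tmpdir=/tmp</listen>

  <!-- Hardened default described in this advisory: only EXTERNAL is
       offered, so the bus never falls back to DBUS_COOKIE_SHA1 and its
       dependence on the quality of the pseudo-random number source. -->
  <auth>EXTERNAL</auth>

  <!-- Weakened variant (not recommended): if you must listen on a TCP
       transport and authenticate with DBUS_COOKIE_SHA1 against a home
       directory shared over NFS, you would add a listen address such as
         <listen>nonce-tcp:host=localhost,port=0</listen>
       and remove or comment out the <auth>EXTERNAL</auth> line above,
       which lets the daemon offer every compiled-in mechanism again,
       DBUS_COOKIE_SHA1 included. TCP transports carry traffic in clear. -->

  <standard_session_servicedirs />

  <policy context="default">
    <allow send_destination="*" eavesdrop="true"/>
    <allow eavesdrop="true"/>
    <allow own="*"/>
  </policy>
</busconfig>
```

After editing the file, the change takes effect for newly started session daemons; a running session bus keeps the mechanism set it was started with, so log out and back in (or restart the session bus) to verify that a client on the Unix socket still authenticates, which confirms EXTERNAL is working as the sole mechanism.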

Other fixes:

Fix a memory leak when GetConnectionCredentials() succeeds
(fd.o #91008, Jacek Bukarewicz)

Ensure that dbus-monitor does not reply to messages intended for others
(fd.o #90952, Simon McVittie)

Add locking to DBusCounter's reference count and notify function
(fd.o #89297, Adrian Szyndela)

Ensure that DBusTransport's reference count is protected by the
corresponding DBusConnection's lock (fd.o #90312, Adrian Szyndela)

Correctly release DBusServer mutex before early-return if we run out
of memory while copying authentication mechanisms (fd.o #90021,
Ralf Habacker)

Correctly initialize all fields of DBusTypeReader (fd.o #90021;
Ralf Habacker, Simon McVittie)

Clean up some memory leaks in test code (fd.o #90021, Ralf Habacker)

SRPMS

5/core