Bug 712676 (CVE-2011-2200)

Summary: CVE-2011-2200 dbus: Local DoS via messages with non-native byte order
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: lpoetter, mclasen, rhughes, walters
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: dbus 1.1.28, dbus 1.4.12, dbus 1.5.4
Doc Type: Bug Fix
Last Closed: 2013-03-26 16:49:56 UTC
Bug Depends On: 712678, 725311, 725312, 725313, 725314, 833886, 844273    
Bug Blocks: 712679    
Attachments:
  dbus test (flags: none)
  patch against dbus-1.4.6-4 (flags: none)

Description Jan Lieskovsky 2011-06-12 12:36:10 UTC
It was found that D-BUS message bus service / messaging facility did not
update the byte-order flag of the message properly by swapping the byte
order of incoming messages into their native endianness. A local, authenticated
user could use this flaw to send a specially-crafted message to a system
service (like Avahi or NetworkManager), using the system bus, potentially
leading to disconnect of such a service from system bus (denial of service).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
[2] https://bugs.freedesktop.org/show_bug.cgi?id=38120

Upstream patches:
[3] http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=6519a1f77c61d753d4c97efd6e15630eb275336e
    (in upstream v1.2.28 version)

[4] http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.4&id=c3223ba6c401ba81df1305851312a47c485e6cd7
    (in upstream v1.4.12 version)

Comment 1 Jan Lieskovsky 2011-06-12 12:41:07 UTC
This issue affects the versions of the dbus package, as shipped with
Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the dbus package, as shipped with
Fedora release of 13, 14, and 15. Please schedule an update.

Comment 2 Jan Lieskovsky 2011-06-12 12:53:56 UTC
Created dbus tracking bugs for this issue

Affects: fedora-all [bug 712678]

Comment 3 Jan Lieskovsky 2011-06-12 13:03:01 UTC
CVE Request:
[5] http://www.openwall.com/lists/oss-security/2011/06/12/1

Comment 4 Jan Lieskovsky 2011-06-14 10:20:57 UTC
The CVE identifier of CVE-2011-2200 has been assigned to this:
http://www.openwall.com/lists/oss-security/2011/06/13/12

Comment 5 Jan Lieskovsky 2011-07-07 17:13:10 UTC
*** Bug 719694 has been marked as a duplicate of this bug. ***

Comment 6 Huzaifa S. Sidhpurwala 2011-07-22 10:24:45 UTC
Created attachment 514650
dbus test

Comment 7 Huzaifa S. Sidhpurwala 2011-07-22 10:27:01 UTC
Comment #6 has an attached test program to check if the version of dbus is affected by the vuln.

To compile it use:
gcc -o marshal `pkg-config --cflags --libs glib-2.0 dbus-1` marshal.c

Running this on Fedora-15 with dbus-1.4.6-4.fc15.x86_64 we get:

[huzaifas@babylon test]$ ./marshal 
/demarshal/le: OK
/demarshal/be: **
ERROR:marshal.c:195:test_endian: assertion failed (get_uint32 (output, OFFSET_BODY_LENGTH, output[0]) == 8): (134217728 == 8)
Aborted (core dumped)


This shows that dbus-1.4.6 is affected.

Comment 8 Huzaifa S. Sidhpurwala 2011-07-22 10:46:24 UTC
Created attachment 514654
patch against dbus-1.4.6-4

Comment 9 Huzaifa S. Sidhpurwala 2011-07-22 10:47:18 UTC
After applying the patch in Comment #8:

[huzaifas@babylon test]$ ./marshal 
/demarshal/le: OK
/demarshal/be: OK
/demarshal/needed/le: OK
/demarshal/needed/be: OK
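
A simplified model of the flaw, added here as an example (it is neither the attached marshal.c nor libdbus code): the integers of a big-endian fixed header are swapped to the receiver's order, and the byte-order flag in byte 0 is either left stale or updated. NATIVE_ORDER, to_native, update_flag and body_len_after are hypothetical names, and get_uint32 and OFFSET_BODY_LENGTH reuse names from the assertion message in Comment 7 but are reimplemented here; the receiver is assumed little-endian.

```c
#include <stdint.h>
#include <stdio.h>

#define OFFSET_BODY_LENGTH 4   /* uint32 body length in the 16-byte fixed header */
#define NATIVE_ORDER 'l'       /* assumption: the receiver is little-endian */

/* Read a uint32 at off as the byte-order flag dictates ('l' little-endian,
 * 'B' big-endian), independent of the CPU this example runs on. */
static uint32_t get_uint32(const uint8_t *m, size_t off, uint8_t order) {
    const uint8_t *p = m + off;
    if (order == 'B')
        return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

static void swap32(uint8_t *p) {
    uint8_t t;
    t = p[0]; p[0] = p[3]; p[3] = t;
    t = p[1]; p[1] = p[2]; p[2] = t;
}

/* Convert the fixed header to NATIVE_ORDER in place. update_flag == 0 models
 * the flaw (integers swapped, byte 0 still names the sender's order);
 * update_flag == 1 models the corrected behaviour. */
static void to_native(uint8_t *m, int update_flag) {
    if (m[0] == NATIVE_ORDER)
        return;
    for (size_t off = 4; off < 16; off += 4)
        swap32(m + off);
    if (update_flag)
        m[0] = NATIVE_ORDER;
}

/* Body length as seen by the next reader, which trusts the flag in byte 0. */
static uint32_t body_len_after(int update_flag) {
    /* Constructed sample: big-endian fixed header only, message type 1,
     * protocol version 1, body length 8, serial 1, header-field length 0. */
    uint8_t msg[16] = { 'B', 1, 0, 1,  0, 0, 0, 8,  0, 0, 0, 1,  0, 0, 0, 0 };
    to_native(msg, update_flag);
    return get_uint32(msg, OFFSET_BODY_LENGTH, msg[0]);
}

int main(void) {
    printf("flag left stale: %u\n", (unsigned)body_len_after(0));
    printf("flag updated:    %u\n", (unsigned)body_len_after(1));
    return 0;
}
```

With the stale flag the reader sees the same 134217728 that the failing assertion in Comment 7 reports in place of 8.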

Comment 11 errata-xmlrpc 2011-08-09 17:06:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2011:1132 https://rhn.redhat.com/errata/RHSA-2011-1132.html