Fedora Account System
Red Hat Associate
Red Hat Customer
The GLib D-Bus client-side implementation of the DBUS_COOKIE_SHA1 SASL authentication mechanism does not validate the cookie_context parameter received from the server. The D-Bus specification explicitly states that cookie context names must not contain the characters /, \, . (period), spaces, or ASCII control characters. However, GLib's client-side code accepts this value verbatim and uses it to construct a filesystem path via g_build_filename(). A malicious D-Bus server can supply a cookie_context containing path traversal sequences such as ../.target_file, causing the client to read an arbitrary file outside the ~/.dbus-keyrings/ directory. The file contents (specifically the third space-separated token of the first matching line) are then incorporated into a SHA1 hash computation and sent back to the server as part of the authentication response. The server can verify guessed file contents against this SHA1 hash, enabling data exfiltration.