Bug 712676 (CVE-2011-2200) - CVE-2011-2200 dbus: Local DoS via messages with non-native byte order
Summary: CVE-2011-2200 dbus: Local DoS via messages with non-native byte order
Alias: CVE-2011-2200
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Duplicates: 719694
Depends On: 712678 725311 725312 725313 725314 833886 844273
Blocks: 712679
Reported: 2011-06-12 12:36 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:45 UTC (History)

Fixed In Version: dbus 1.1.28, dbus 1.4.12, dbus 1.5.4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-03-26 16:49:56 UTC

Attachments:
dbus test (8.56 KB, text/plain), 2011-07-22 10:24 UTC, Huzaifa S. Sidhpurwala
patch against dbus-1.4.6-4 (1.30 KB, patch), 2011-07-22 10:46 UTC, Huzaifa S. Sidhpurwala

Related errata:
Red Hat Product Errata RHSA-2011:1132 (priority: normal, status: SHIPPED_LIVE): Moderate: dbus security update, last updated 2011-08-09 17:06:16 UTC

Description Jan Lieskovsky 2011-06-12 12:36:10 UTC
It was found that D-BUS message bus service / messaging facility did not
update the byte-order flag of the message properly by swapping the byte
order of incoming messages into their native endianness. A local, authenticated
user could use this flaw to send a specially-crafted message to a system
service (like Avahi or NetworkManager), using the system bus, potentially
leading to disconnect of such a service from system bus (denial of service).

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
[2] https://bugs.freedesktop.org/show_bug.cgi?id=38120

Upstream patches:
[3] http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=6519a1f77c61d753d4c97efd6e15630eb275336e
    (in upstream v1.2.28 version)

[4] http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.4&id=c3223ba6c401ba81df1305851312a47c485e6cd7
    (in upstream v1.4.12 version)

Comment 1 Jan Lieskovsky 2011-06-12 12:41:07 UTC
This issue affects the versions of the dbus package, as shipped with
Red Hat Enterprise Linux 5 and 6.


This issue affects the versions of the dbus package, as shipped with
Fedora release of 13, 14, and 15. Please schedule an update.

Comment 2 Jan Lieskovsky 2011-06-12 12:53:56 UTC
Created dbus tracking bugs for this issue

Affects: fedora-all [bug 712678]

Comment 3 Jan Lieskovsky 2011-06-12 13:03:01 UTC
CVE Request:
[5] http://www.openwall.com/lists/oss-security/2011/06/12/1

Comment 4 Jan Lieskovsky 2011-06-14 10:20:57 UTC
The CVE identifier of CVE-2011-2200 has been assigned to this.

Comment 5 Jan Lieskovsky 2011-07-07 17:13:10 UTC
*** Bug 719694 has been marked as a duplicate of this bug. ***

Comment 6 Huzaifa S. Sidhpurwala 2011-07-22 10:24:45 UTC
Created attachment 514650 [details]
dbus test

Comment 7 Huzaifa S. Sidhpurwala 2011-07-22 10:27:01 UTC
Comment #6 has an attached test program to check if the version of dbus is affected by the vuln.

To compile it use:
gcc -o marshal `pkg-config --cflags --libs glib-2.0 dbus-1` marshal.c

Running this on Fedora-15 with dbus-1.4.6-4.fc15.x86_64 we get:

[huzaifas@babylon test]$ ./marshal 
/demarshal/le: OK
/demarshal/be: **
ERROR:marshal.c:195:test_endian: assertion failed (get_uint32 (output, OFFSET_BODY_LENGTH, output[0]) == 8): (134217728 == 8)
Aborted (core dumped)

This shows that dbus-1.4.6 is affected.
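
A toy model of the defect this comment's test program exercises, added here as an example and not part of the attached program or of dbus itself: the 16-byte header layout, the offset name and the swap_to_native / demarshal_body_length helpers are assumptions, chosen so that the buggy path on a body length of 8 yields the 134217728 seen in the assertion above and the corrected path yields 8.

```c
#include <stdint.h>
#include <string.h>
/* Constructed toy header (assumption: mirrors the D-Bus wire layout): byte 0 is
 * the byte-order flag ('l' or 'B'), the body length is a uint32 at offset 4. */
#define HEADER_LEN         16
#define OFFSET_BODY_LENGTH 4
static uint32_t bswap32(uint32_t v) { return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24); }
static uint8_t native_flag(void) { uint16_t p = 1; return *(const uint8_t *)&p == 1 ? 'l' : 'B'; }
static uint8_t foreign_flag(void) { return native_flag() == 'l' ? 'B' : 'l'; }

/* Read the uint32 at `off`, interpreting it in the byte order named by `flag`. */
static uint32_t get_uint32(const uint8_t *buf, size_t off, uint8_t flag)
{
    uint32_t v;
    memcpy(&v, buf + off, sizeof v);
    return flag == native_flag() ? v : bswap32(v);
}

/* Encode a header whose fields are in the byte order named by `flag`. */
static void build_header(uint8_t *buf, uint8_t flag, uint32_t body_len)
{
    uint32_t v = flag == native_flag() ? body_len : bswap32(body_len);
    memset(buf, 0, HEADER_LEN);
    buf[0] = flag;
    memcpy(buf + OFFSET_BODY_LENGTH, &v, sizeof v);
}

/* Swap a foreign-order header to native order in place, as the loader does on
 * receipt. update_flag == 0 reproduces the defect; 1 is the corrected behaviour. */
static void swap_to_native(uint8_t *buf, int update_flag)
{
    uint32_t v;
    if (buf[0] == native_flag())
        return;
    memcpy(&v, buf + OFFSET_BODY_LENGTH, sizeof v);
    v = bswap32(v);
    memcpy(buf + OFFSET_BODY_LENGTH, &v, sizeof v);
    if (update_flag)
        buf[0] = native_flag();   /* the step the vulnerable versions skipped */
}

/* Receive a header in the given order, then read the body length back the way
 * later code does: trusting the flag byte. Buggy path on 8 gives 134217728. */
static uint32_t demarshal_body_length(uint8_t flag, uint32_t body_len, int fixed)
{
    uint8_t buf[HEADER_LEN];
    build_header(buf, flag, body_len);
    swap_to_native(buf, fixed);
    return get_uint32(buf, OFFSET_BODY_LENGTH, buf[0]);
}
```

The result is the same on little- and big-endian hosts: the swapped bytes are correct, but a stale flag makes every later reader re-swap them.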

Comment 8 Huzaifa S. Sidhpurwala 2011-07-22 10:46:24 UTC
Created attachment 514654 [details]
patch against dbus-1.4.6-4

Comment 9 Huzaifa S. Sidhpurwala 2011-07-22 10:47:18 UTC
After applying the patch in Comment #8:

[huzaifas@babylon test]$ ./marshal 
/demarshal/le: OK
/demarshal/be: OK
/demarshal/needed/le: OK
/demarshal/needed/be: OK

Comment 11 errata-xmlrpc 2011-08-09 17:06:26 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2011:1132 https://rhn.redhat.com/errata/RHSA-2011-1132.html
