It was found that D-BUS message bus service / messaging facility did not update the byte-order flag of the message properly by swapping the byte order of incoming messages into their native endianness. A local, authenticated user could use this flaw to send a specially-crafted message to a system service (like Avahi or NetworkManager), using the system bus, potentially leading to disconnect of such a service from system bus (denial of service).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
[2] https://bugs.freedesktop.org/show_bug.cgi?id=38120

Upstream patches:
[3] http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.2&id=6519a1f77c61d753d4c97efd6e15630eb275336e (in upstream v1.2.28 version)
[4] http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.4&id=c3223ba6c401ba81df1305851312a47c485e6cd7 (in upstream v1.4.12 version)
This issue affects the versions of the dbus package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the dbus package, as shipped with Fedora release of 13, 14, and 15. Please schedule an update.
Created dbus tracking bugs for this issue

Affects: fedora-all [bug 712678]
CVE Request: [5] http://www.openwall.com/lists/oss-security/2011/06/12/1
The CVE identifier of CVE-2011-2200 has been assigned to this: http://www.openwall.com/lists/oss-security/2011/06/13/12
*** Bug 719694 has been marked as a duplicate of this bug. ***
Created attachment 514650: dbus test
Comment #6 has an attached test program to check if the version of dbus is affected by the vuln. To compile it use:

    gcc -o marshal `pkg-config --cflags --libs glib-2.0 dbus-1` marshal.c

Running this on Fedora-15 with dbus-1.4.6-4.fc15.x86_64 we get:

    [huzaifas@babylon test]$ ./marshal
    /demarshal/le: OK
    /demarshal/be: **
    ERROR:marshal.c:195:test_endian: assertion failed (get_uint32 (output, OFFSET_BODY_LENGTH, output[0]) == 8): (134217728 == 8)
    Aborted (core dumped)

This shows that dbus-1.4.6 is affected.
Created attachment 514654: patch against dbus-1.4.6-4
After applying the patch in Comment #8:

    [huzaifas@babylon test]$ ./marshal
    /demarshal/le: OK
    /demarshal/be: OK
    /demarshal/needed/le: OK
    /demarshal/needed/be: OK
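The value 134217728 in the failed assertion quoted above is 8 read in the wrong byte order (0x08000000). The following added example, which is not the attached marshal.c and not dbus code, models that on a 12-byte fixed header: the body length is rewritten in native order while the byte-order flag in byte 0 is either left stale or updated. The functions swap_to_native and length_seen_after_swap are hypothetical names, the header is constructed sample data, and get_uint32 here only mimics the helper named in the assertion.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OFFSET_BYTE_ORDER  0  /* 'l' = little-endian, 'B' = big-endian */
#define OFFSET_BODY_LENGTH 4  /* uint32 body length in the fixed header */

static char native_order(void) {
    const uint16_t probe = 1;
    return *(const unsigned char *)&probe ? 'l' : 'B';
}

/* Read a uint32 at off, interpreted in the byte order named by order. */
static uint32_t get_uint32(const unsigned char *m, size_t off, char order) {
    const unsigned char *p = m + off;
    if (order == 'l')
        return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static void put_uint32(unsigned char *m, size_t off, char order, uint32_t v) {
    for (int i = 0; i < 4; i++)
        m[off + i] = (unsigned char)(v >> (order == 'l' ? 8 * i : 24 - 8 * i));
}

/* Hypothetical model of the swap: rewrite the length in native order;
 * update_flag = 0 leaves byte 0 stale (flaw), 1 updates it (fix). */
static void swap_to_native(unsigned char *m, int update_flag) {
    uint32_t len = get_uint32(m, OFFSET_BODY_LENGTH, (char)m[OFFSET_BYTE_ORDER]);
    put_uint32(m, OFFSET_BODY_LENGTH, native_order(), len);
    if (update_flag)
        m[OFFSET_BYTE_ORDER] = (unsigned char)native_order();
}

/* Constructed 12-byte header in the non-native order with body length 8;
 * returns the length a later reader gets when it trusts byte 0. */
uint32_t length_seen_after_swap(int update_flag) {
    unsigned char msg[12] = {0};
    char foreign = native_order() == 'l' ? 'B' : 'l';
    msg[OFFSET_BYTE_ORDER] = (unsigned char)foreign;
    put_uint32(msg, OFFSET_BODY_LENGTH, foreign, 8);
    swap_to_native(msg, update_flag);
    return get_uint32(msg, OFFSET_BODY_LENGTH, (char)msg[OFFSET_BYTE_ORDER]);
}

int main(void) {
    printf("flag stale:   %u\n", (unsigned)length_seen_after_swap(0));
    printf("flag updated: %u\n", (unsigned)length_seen_after_swap(1));
    return 0;
}
```

A receiver that trusts the stale flag sees a body length that no longer matches the bytes it was handed, which is the inconsistency the attached test asserts against.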
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2011:1132 https://rhn.redhat.com/errata/RHSA-2011-1132.html