Summary: CVE-2006-6107 [patch] fix a nasty bug in match_rule_equal()
Product: dbus
Reporter: Kimmo Hämäläinen <kimmo.hamalainen>
Component: core
Assignee: Havoc Pennington <hp>
Status: RESOLVED FIXED
QA Contact: John (J5) Palmieri <johnp>
Description Kimmo Hämäläinen 2006-11-23 07:39:17 UTC
I found a nasty bug in match_rule_equal() that can cause matches to be removed from other connections (thanks go to the other guys for finding a reproducible use case for the bug).
Comment 1 Kimmo Hämäläinen 2006-11-23 07:40:12 UTC
Created attachment 7884: proposed patch
Lightly tested patch.
Comment 2 Kimmo Hämäläinen 2006-11-27 04:46:26 UTC
I hope you realise this is quite a severe security bug... The patch has been tested inside Nokia.
Comment 3 Havoc Pennington 2006-11-27 08:05:29 UTC
Restricting bug visibility, though I guess it's a little late. Kimmo, have you thought of exploits for this other than denial of service? The security team will want to understand possible consequences.
Comment 4 John (J5) Palmieri 2006-11-27 09:38:39 UTC
Adding bressers to cc list for errata advice.
Comment 5 Kimmo Hämäläinen 2006-11-28 06:02:45 UTC
(In reply to comment #3)
...
> Kimmo have you thought of exploits for this other than denial of service?
> Security team will want to understand possible consequences.

No, I'm not aware of any more exploits. I guess not much serious security technology is based on D-Bus yet...
Comment 6 Josh Bressers 2006-11-28 08:50:17 UTC
I had a chat with John, He and I agree that we should embargo this issue until 2006-12-12 at 14:00 UTC. I've assigned CVE-2006-6107 to this issue and plan to send the details to the Vendor Security mailing list for peer review. Any public announcements regarding this flaw should mention the CVE id to help avoid confusion.
Comment 7 Josh Bressers 2006-11-28 08:51:13 UTC
Kimmo, do you have a simple reproducer for this flaw that can be distributed to other vendors for QA purposes?
Comment 8 Havoc Pennington 2006-11-28 08:57:20 UTC
Do keep in mind that while this bug is marked private now, it wasn't originally; it is possible the bug is effectively public.
Comment 9 Havoc Pennington 2006-11-28 09:01:33 UTC
Also, again, I think this is a local denial of service only, as far as we know (it doesn't allow sending disallowed messages, it just allows disabling the receipt of messages that another process may have been expecting; and there is no TCP socket, only Unix domain).
Comment 10 Kimmo Hämäläinen 2006-11-29 00:20:31 UTC
(In reply to comment #7)
...
> Do you have a simple reproducer for this flaw that can be distributed to other
> vendors for QA purposes?

We don't have the software public yet, but the use case was the following. There are three processes A, B, and C. All of them add the same match (same value). A is started first, then B, and lastly C. Now, B and C are closed: if B is closed before C, A's match is removed; but if C is closed before B, A's match is not removed (no buggy behaviour). (B and C call dbus_bus_remove_match on exit.) It should be possible to reproduce this with simple programs, but I have not tried that.
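The scenario in comment 10 can be turned into a regression check against a model of the bus-side match-rule table. The block below is an added example and is not D-Bus's own bus/signals.c code: it is a small Python model in which match rules are parsed into canonical key/value sets, rule equality includes the owning connection, and removal is scoped to the caller. The `Matchmaker`, `MatchRule`, `parse_match_rule` and `run_scenario` names, the rule text, and the restriction to the simple `key='value'` rule form are all assumptions of the example. The invariant it checks is the one the reproducer probes: after B and C remove the shared rule in either order, A must still hold its copy.

```python
"""Model of a bus-side match-rule table with owner-scoped removal.

Constructed example (not D-Bus's bus/signals.c). It shows the invariant
that a RemoveMatch from one connection must never delete an equal rule
owned by another connection, and drives the three-process scenario from
comment 10 in both close orders.
"""
from dataclasses import dataclass


def parse_match_rule(text):
    """Parse a D-Bus style match rule such as
    "type='signal',interface='org.example.Foo'" into a canonical,
    order-independent frozenset of (key, value) pairs.
    Assumption: only the simple key='value' form with no commas inside
    the quoted value is handled."""
    pairs = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep or len(value) < 2 or value[0] != "'" or value[-1] != "'":
            raise ValueError("malformed match rule element: %r" % item)
        pairs.add((key.strip(), value[1:-1]))
    return frozenset(pairs)


@dataclass(frozen=True)
class MatchRule:
    owner: str        # unique name of the connection that added the rule
    fields: frozenset  # parsed key/value pairs


def match_rule_equal(a, b):
    """Two rules are the same only if they have the same fields AND the
    same owning connection. Dropping the owner check is the class of
    mistake that lets one connection remove another connection's rule."""
    return a.owner == b.owner and a.fields == b.fields


class Matchmaker:
    """One global rule list, as a bus daemon would keep it."""

    def __init__(self):
        self.all_rules = []

    def add_match(self, owner, text):
        self.all_rules.append(MatchRule(owner, parse_match_rule(text)))

    def remove_match(self, owner, text):
        """Remove the most recently added rule equal to the request.
        Returns False when the caller owns no such rule."""
        wanted = MatchRule(owner, parse_match_rule(text))
        for i in range(len(self.all_rules) - 1, -1, -1):
            if match_rule_equal(self.all_rules[i], wanted):
                del self.all_rules[i]
                return True
        return False

    def rules_for(self, owner):
        return [r for r in self.all_rules if r.owner == owner]


# Constructed rule text shared by all three processes.
RULE = "type='signal',interface='org.example.Foo'"


def run_scenario(close_order):
    """Comment 10's scenario: A, B and C add the same rule; then B and C
    remove it on exit in the given order. Returns how many copies of
    the rule A still holds (must be 1 regardless of order)."""
    mm = Matchmaker()
    for conn in ("A", "B", "C"):
        mm.add_match(conn, RULE)
    for conn in close_order:
        if not mm.remove_match(conn, RULE):
            raise RuntimeError("%s could not remove its own rule" % conn)
    return len(mm.rules_for("A"))


if __name__ == "__main__":
    for order in (("B", "C"), ("C", "B")):
        print("close order", order, "-> A keeps", run_scenario(order), "rule(s)")
```

Because equality is computed over the parsed fields rather than the raw string, `interface='x',type='signal'` and `type='signal',interface='x'` match the same stored rule, while a request from a connection that owns no such rule is refused instead of deleting someone else's.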
Comment 11 David Zeuthen (not reading bugmail) 2006-12-11 13:17:12 UTC
Is D-Bus 0.22 affected by this? Thanks.
Comment 12 David Zeuthen (not reading bugmail) 2006-12-11 13:37:22 UTC
(for the record, the patch applies to the D-Bus 0.22 tarball with little fuzz)
Comment 13 John (J5) Palmieri 2006-12-11 13:56:31 UTC
This affects all versions of D-Bus, but the harm depends on the services running on the bus.
Comment 14 John (J5) Palmieri 2006-12-12 14:12:55 UTC
Removing from the security group as this is out of embargo.