Bug 9142 - CVE-2006-6107 [patch] fix a nasty bug in match_rule_equal()
Status: RESOLVED FIXED
Product: dbus
Classification: Unclassified
Component: core
Version: unspecified
Hardware: x86 (IA32) Linux (All)
Importance: high major
Assigned To: Havoc Pennington
QA Contact: John (J5) Palmieri
Reported: 2006-11-23 07:39 UTC by Kimmo Hämäläinen
Modified: 2006-12-12 14:12 UTC

Attachments
proposed patch (483 bytes, patch)
2006-11-23 07:40 UTC, Kimmo Hämäläinen
Description Kimmo Hämäläinen 2006-11-23 07:39:17 UTC
I found a nasty bug in match_rule_equal() that can cause matches to be removed
from other connections (thanks go to the other guys for finding a reproducible use
case for the bug).
Comment 1 Kimmo Hämäläinen 2006-11-23 07:40:12 UTC
Created attachment 7884 [details] [review]
proposed patch

Lightly tested patch.
Comment 2 Kimmo Hämäläinen 2006-11-27 04:46:26 UTC
I hope you realise this is quite a severe security bug... The patch has been
tested inside Nokia.
Comment 3 Havoc Pennington 2006-11-27 08:05:29 UTC
Restricting bug visibility, though I guess it's a little late.

Kimmo, have you thought of exploits for this other than denial of service?
Security team will want to understand possible consequences.

Comment 4 John (J5) Palmieri 2006-11-27 09:38:39 UTC
Adding bressers to cc list for errata advice.
Comment 5 Kimmo Hämäläinen 2006-11-28 06:02:45 UTC
(In reply to comment #3)
...
> Kimmo have you thought of exploits for this other than denial of service?
> Security team will want to understand possible consequences.

No, I'm not aware of any more exploits. I guess not much serious security
technology is based on D-Bus yet...
Comment 6 Josh Bressers 2006-11-28 08:50:17 UTC
I had a chat with John,

He and I agree that we should embargo this issue until 2006-12-12 at 14:00 UTC.

I've assigned CVE-2006-6107 to this issue and plan to send the details to the
Vendor Security mailing list for peer review.  Any public announcements
regarding this flaw should mention the CVE id to help avoid confusion.
Comment 7 Josh Bressers 2006-11-28 08:51:13 UTC
Kimmo,

Do you have a simple reproducer for this flaw that can be distributed to other
vendors for QA purposes?
Comment 8 Havoc Pennington 2006-11-28 08:57:20 UTC
Do keep in mind that while this bug is marked private now, it wasn't 
originally; it is possible the bug is effectively public.
Comment 9 Havoc Pennington 2006-11-28 09:01:33 UTC
Also, again, I think this is a local denial of service only, as far as we know
(it doesn't allow sending disallowed messages, it just allows disabling the
receipt of messages that another process may have been expecting; and there is
no TCP socket, only Unix domain).
Comment 10 Kimmo Hämäläinen 2006-11-29 00:20:31 UTC
(In reply to comment #7)
...
> Do you have a simple reproducer for this flaw that can be distributed to other
> vendors for QA purposes?

We don't have the software public yet, but the use case was the following. There
are three processes A, B, and C. All of them add the same match (same value). A
is started first, then B, and lastly C. Now, B and C are closed: if B is closed
before C, A's match is removed; but if C is closed before B, A's match is not
removed (no buggy behaviour). (B and C call dbus_bus_remove_match on exit.)

It should be possible to reproduce this with simple programs, but I have not
tried that.
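The scenario in comment 10, as an added model that is not dbus's code and not the attached patch: connections A, B and C store the same match rule in a bus-side table, and a RemoveMatch that deletes the first rule "equal" to the supplied value takes A's rule away when the equality test ignores the owning connection, but not when the owner is compared too. The connection ids, the rule text and the assumption that the defect is an owner-blind comparison are constructed for illustration.

```c
/* Added illustrative model, not dbus code: a bus-side match-rule table where
 * RemoveMatch deletes the first stored rule "equal" to the supplied value.
 * Connection ids and the rule text are constructed for the comment 10 scenario. */
#include <stdbool.h>
#include <string.h>
#define MAX_RULES 8
typedef struct { const char *text; int owner; } Rule;   /* owner: connection id */
typedef struct { Rule rules[MAX_RULES]; int count; } Matchmaker;

/* Assumed defect: equality ignores which connection owns the rule. */
static bool rule_equal_ignoring_owner(const Rule *a, const Rule *b) {
  return strcmp(a->text, b->text) == 0;
}
/* Corrected: identical text added by different connections is not the same rule. */
static bool rule_equal(const Rule *a, const Rule *b) {
  return a->owner == b->owner && strcmp(a->text, b->text) == 0;
}
static void add_rule(Matchmaker *m, int owner, const char *text) {
  if (m->count < MAX_RULES)
    m->rules[m->count++] = (Rule){ text, owner };
}
/* Remove the first stored rule that 'equal' considers the same as 'value'. */
static bool remove_rule_by_value(Matchmaker *m, const Rule *value,
                                 bool (*equal)(const Rule *, const Rule *)) {
  for (int i = 0; i < m->count; i++)
    if (equal(&m->rules[i], value)) {
      memmove(&m->rules[i], &m->rules[i + 1], (size_t)(m->count - i - 1) * sizeof(Rule));
      m->count--;
      return true;
    }
  return false;
}
static bool owner_has_rule(const Matchmaker *m, int owner) {
  for (int i = 0; i < m->count; i++)
    if (m->rules[i].owner == owner)
      return true;
  return false;
}
/* A (1), B (2), C (3) add the same rule; B removes its copy, then C removes its copy.
 * Returns true if A's rule survived, i.e. the bus only removed the callers' own rules. */
bool a_keeps_rule(bool (*equal)(const Rule *, const Rule *)) {
  Matchmaker m = { .count = 0 };
  const char *text = "type='signal',interface='org.example.Demo'";
  add_rule(&m, 1, text); add_rule(&m, 2, text); add_rule(&m, 3, text);
  Rule from_b = { text, 2 }, from_c = { text, 3 };
  remove_rule_by_value(&m, &from_b, equal);
  remove_rule_by_value(&m, &from_c, equal);
  return owner_has_rule(&m, 1);
}
```

The model does not reproduce the exact B-before-C ordering dependence Kimmo reports, which depends on dbus internals not shown in this bug.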
Comment 11 David Zeuthen (not reading bugmail) 2006-12-11 13:17:12 UTC
Is D-Bus 0.22 affected by this? Thanks.
Comment 12 David Zeuthen (not reading bugmail) 2006-12-11 13:37:22 UTC
(for the record, the patch applies to the D-Bus 0.22 tarball with little fuzz)
Comment 13 John (J5) Palmieri 2006-12-11 13:56:31 UTC
This affects all versions of D-Bus, but the harm depends on the services running on
the bus.
Comment 14 John (J5) Palmieri 2006-12-12 14:12:55 UTC
Removing from security group as this is out of embargo