security hardening in dbus 1.8.18, 1.9.16: avoiding weak PRNG
Simon McVittie
simon.mcvittie at collabora.co.uk
Thu May 14 07:38:57 PDT 2015
dbus <http://www.freedesktop.org/wiki/Software/dbus/> is the reference
implementation of D-Bus, an asynchronous inter-process communication
system, commonly used for system services or within a desktop session on
Linux and other operating systems.
I released dbus 1.8.18 today with a security-hardening change. We are
not treating this as a security vulnerability (and so are not requesting
a CVE ID) because we do not believe the failure mode can be induced by
an attacker.
The bug: while processing Coverity warnings, we noticed that libdbus'
random number generator abstraction would silently fall back to a very
weak PRNG (libc rand()) if /dev/urandom (or Windows equivalent) could
not be read, or if malloc() returned NULL during random number
generation. Among other things, this random number generator is used by
the DBUS_COOKIE_SHA1 authentication mechanism, which reads and writes
random "cookies" in the home directory as a way for peers to prove that
they have access.
Mitigation: in 1.8.18, we have mitigated this by changing the default
session bus configuration on Unix platforms to require EXTERNAL
(credentials-passing) authentication, i.e. disabling the
DBUS_COOKIE_SHA1 authentication mechanism by default.
http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=d9ab8931822999336b84cac0499a12e11c11e298
Fix: In the development branch (in which I'm currently doing the release
smoke-testing for 1.9.16), we have removed the fallback entirely.
Unfortunately this change involves adding more error-handling code
paths, so we consider it to be too intrusive for 1.8.x.
http://cgit.freedesktop.org/dbus/dbus/commit/?id=f180a839727981c8896056a35df17768d54eada6
http://cgit.freedesktop.org/dbus/dbus/commit/?id=49646211f3c8dcdc3728f4059c61c05ef4df857c
http://cgit.freedesktop.org/dbus/dbus/commit/?id=f385324d8b03eab13f3e618ce9a0018977c9a7cb
http://cgit.freedesktop.org/dbus/dbus/commit/?id=bcdead0fd4642a5e8985981c1583d40ff779299a
Bug tracked as: https://bugs.freedesktop.org/show_bug.cgi?id=90414
Versions with fix: >= 1.9.16
Versions with mitigation: 1.8.x >= 1.8.18
Versions affected: all older dbus releases
Credit: Ralf Habacker, Simon McVittie
--
Simon McVittie, Collabora Ltd.
on behalf of the D-Bus maintainers
More information about the dbus
mailing list