Announcing dbus 1.12.16 security update
smcv at collabora.com
Tue Jun 11 15:04:25 UTC 2019
dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.
This is a stable-branch security fix release. Upgrading is recommended,
unless you are following the older security-fix-only stable branch 1.10.x.
git tag: dbus-1.12.16
The “tree cat” release.
• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
authentication for identities that differ from the user running the
DBusServer. Previously, a local attacker could manipulate symbolic
links in their own home directory to bypass authentication and connect
to a DBusServer with elevated privileges. The standard system and
session dbus-daemons in their default configuration were immune to this
attack because they did not allow DBUS_COOKIE_SHA1, but third-party
users of DBusServer such as Upstart could be vulnerable.
Thanks to Joe Vennix of Apple Information Security.
(dbus#269, Simon McVittie)
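To make the fix concrete, the following is an added example (not dbus code, and not from this announcement) that models the server side of DBUS_COOKIE_SHA1 as the D-Bus specification describes it: the server sends `<context> <cookie_id> <server_challenge>`, the client answers `<client_challenge> <hex-sha1(server_challenge:client_challenge:cookie)>`, and the server recomputes the digest from the cookie it read out of the keyring directory. The `restrict_to_own_uid` switch stands in for the 1.12.16 change: a server refuses the mechanism for any identity other than its own user before it opens any keyring at all, so a privileged DBusServer never reads or writes under another user's ~/.dbus-keyrings. The class and function names, the users, uids and cookie values are all constructed for the example, the keyring is an in-memory dictionary instead of files, and the hex transport encoding of DATA payloads is omitted.

```python
import hashlib
import secrets

# DBUS_COOKIE_SHA1 stores cookies under ~/.dbus-keyrings/<context>. This
# in-memory stand-in is keyed by (uid, context) so the example runs offline;
# every uid and cookie below is constructed, not taken from a real system.
CONTEXT = "org_freedesktop_general"


def _sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("ascii")).hexdigest()


def client_response(server_data: str, cookie: str) -> str:
    """Client side: server_data is '<context> <cookie_id> <server_challenge>';
    reply with '<client_challenge> <sha1(server_challenge:client_challenge:cookie)>'."""
    _context, _cookie_id, server_challenge = server_data.split(" ")
    client_challenge = secrets.token_hex(16)
    digest = _sha1_hex(f"{server_challenge}:{client_challenge}:{cookie}")
    return f"{client_challenge} {digest}"


class CookieSha1Server:
    """Server side of DBUS_COOKIE_SHA1 with the CVE-2019-12749 identity check."""

    def __init__(self, server_uid, users, keyrings, restrict_to_own_uid=True):
        self.server_uid = server_uid      # uid the DBusServer runs as
        self.users = users                # username -> uid (getpwnam stand-in)
        self.keyrings = keyrings          # (uid, context) -> {cookie_id: cookie}
        self.restrict_to_own_uid = restrict_to_own_uid
        self.keyrings_opened = []         # uids whose keyring dir was touched
        self._pending = None

    def begin(self, claimed_username):
        """Handle 'AUTH DBUS_COOKIE_SHA1 <username>'; return 'DATA ...' or 'REJECTED'."""
        uid = self.users.get(claimed_username)
        if uid is None:
            return "REJECTED"
        # The 1.12.16 fix: do not run the mechanism for any identity other
        # than the server's own user, so no keyring directory controlled by
        # another local user (symlinks included) is ever opened.
        if self.restrict_to_own_uid and uid != self.server_uid:
            return "REJECTED"
        # Pre-fix behaviour: read the *claimed* user's ~/.dbus-keyrings.
        self.keyrings_opened.append(uid)
        keyring = self.keyrings.get((uid, CONTEXT))
        if not keyring:
            return "REJECTED"
        cookie_id, cookie = next(iter(keyring.items()))
        server_challenge = secrets.token_hex(16)
        self._pending = (server_challenge, cookie)
        return f"DATA {CONTEXT} {cookie_id} {server_challenge}"

    def finish(self, client_data):
        """Verify the client's DATA reply; return 'OK' or 'REJECTED'."""
        if self._pending is None:
            return "REJECTED"
        server_challenge, cookie = self._pending
        self._pending = None
        parts = client_data.split(" ")
        if len(parts) != 2:
            return "REJECTED"
        client_challenge, digest = parts
        expected = _sha1_hex(f"{server_challenge}:{client_challenge}:{cookie}")
        return "OK" if secrets.compare_digest(expected, digest) else "REJECTED"


def authenticate(server, username, cookie_known_to_client):
    """Run one complete exchange and return the server's final reply."""
    reply = server.begin(username)
    if not reply.startswith("DATA "):
        return reply
    return server.finish(client_response(reply[len("DATA "):], cookie_known_to_client))


# Constructed scenario: a DBusServer running as root (uid 0) and a local user
# "mallory" (uid 1000) who controls everything under her own home directory,
# including the cookie her keyring contains.
USERS = {"root": 0, "mallory": 1000}
ROOT_COOKIE = secrets.token_hex(24)
MALLORY_COOKIE = "deadbeef" * 6
KEYRINGS = {(0, CONTEXT): {"1": ROOT_COOKIE}, (1000, CONTEXT): {"1": MALLORY_COOKIE}}


def vulnerable_server():
    return CookieSha1Server(0, USERS, KEYRINGS, restrict_to_own_uid=False)


def fixed_server():
    return CookieSha1Server(0, USERS, KEYRINGS, restrict_to_own_uid=True)


if __name__ == "__main__":
    old = vulnerable_server()
    print("pre-fix  mallory:", authenticate(old, "mallory", MALLORY_COOKIE), old.keyrings_opened)
    new = fixed_server()
    print("1.12.16  mallory:", authenticate(new, "mallory", MALLORY_COOKIE), new.keyrings_opened)
    print("1.12.16  root   :", authenticate(fixed_server(), "root", ROOT_COOKIE))
```

Run stand-alone, the pre-fix server opens uid 1000's keyring while running as root and accepts mallory with a cookie she wrote herself; the fixed server rejects her before touching any keyring, and still authenticates its own user normally. The example models only the identity check the announcement describes, not the symlink manipulation that made the pre-fix directory access exploitable.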
Simon McVittie, Collabora Ltd. / Debian
on behalf of the dbus maintainers