[USN-144-1] dbus vulnerability

From: Martin Pitt (martin.pitt_at_canonical.com)
Date: 06/27/05

    Date: Mon, 27 Jun 2005 18:14:52 +0200
    To: ubuntu-security-announce@lists.ubuntu.com

    ===========================================================
    Ubuntu Security Notice USN-144-1 June 27, 2005
    dbus vulnerability
    CAN-2005-0201
    ===========================================================

    A security issue affects the following Ubuntu releases:

    Ubuntu 4.10 (Warty Warthog)

    The following packages are affected:

    dbus-1

    The problem can be corrected by upgrading the affected package to
    version 0.22-1ubuntu2.1. You have to restart your Gnome session (i.e.
    log out and back in) after doing a standard system upgrade to effect
    the necessary changes.

    Details follow:

    Besides providing the global system-wide communication bus, dbus also
    offers per-user "session" buses which applications in a user's
    session can create and use to communicate with each other. Daniel
    Reed discovered that the default configuration of the session dbus
    allowed a local user to connect to another user's session bus if its
    address was known. The fixed packages restrict the default permissions
    to the user who owns the session dbus instance.

    Please note that a standard Ubuntu installation does not use the
    session bus for anything, so this can only be exploited if you are
    using custom software which uses it.
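    As an added illustration (not code from the dbus project or from this
    notice), the owner-only policy the fix describes, applied to a
    Unix-domain listener in Python: the kernel-supplied peer uid (Linux
    SO_PEERCRED) must match the bus owner's uid, and the socket node lives
    in an owner-only directory. The socket directory and name are
    constructed for the demo.

```python
import os
import socket
import stat
import struct
import tempfile

# Linux: SO_PEERCRED fills struct ucred { pid_t pid; uid_t uid; gid_t gid; }.
SO_PEERCRED = getattr(socket, "SO_PEERCRED", 17)
UCRED_FMT = "iII"

def peer_uid(conn: socket.socket) -> int:
    """Kernel-supplied uid of the process at the other end of a Unix socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, SO_PEERCRED, struct.calcsize(UCRED_FMT))
    _pid, uid, _gid = struct.unpack(UCRED_FMT, raw)
    return uid

def owner_only(conn: socket.socket, owner_uid: int) -> bool:
    """Policy the fix establishes: accept only if the peer runs as the user
    owning this bus instance; knowing the socket address alone is not enough."""
    return peer_uid(conn) == owner_uid

def listen_private(directory: str, name: str = "bus") -> socket.socket:
    """Bind the listener inside a mode-0700 directory (constructed path) with
    an owner-only umask, so other users cannot even reach the socket node;
    the credential check in owner_only() is a second, independent layer."""
    os.chmod(directory, stat.S_IRWXU)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)
    try:
        srv.bind(os.path.join(directory, name))
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv

def demo() -> tuple:
    """Connect to a private listener as ourselves and evaluate the policy for
    our own uid and for another uid; returns (same_user, other_user, dir_mode)."""
    with tempfile.TemporaryDirectory() as d:
        srv = listen_private(d)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(srv.getsockname())
        conn, _ = srv.accept()
        me = os.getuid()
        result = (owner_only(conn, me), owner_only(conn, me + 1),
                  stat.S_IMODE(os.stat(d).st_mode))
        for s in (conn, cli, srv):
            s.close()
        return result
```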
