Mageia alert MGASA-2019-0339 (dbus)

From:
             
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
             
 
updates-announce@ml.mageia.org 
Subject:
             
 
[updates-announce] MGASA-2019-0339: Updated dbus packages fix security vulnerability 
Date:
             
 
Sat, 30 Nov 2019 14:07:04 +0100
Message-ID:
             
 
<20191130130704.C9CAF9F6EB@duvel.mageia.org>
MGASA-2019-0339 - Updated dbus packages fix security vulnerability

Publication date: 30 Nov 2019
URL: https://advisories.mageia.org/MGASA-2019-0339.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-12749

Description:
dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as
used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less
common, uses of dbus-daemon), allows cookie spoofing because of symlink
mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the
libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication
mechanism.) A malicious client with write access to its own home directory
could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a
different uid to read and write in unintended locations. In the worst case,
this could result in the DBusServer reusing a cookie that is known to the
malicious client, and treating that cookie as evidence that a subsequent
client connection came from an attacker-chosen uid, allowing authentication
bypass (CVE-2019-12749). 

References:
- https://bugs.mageia.org/show_bug.cgi?id=24944
- https://www.openwall.com/lists/oss-security/2019/06/11/2
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1...

SRPMS:
- 7/core/dbus-1.13.8-4.1.mga7