CVE-2019-12749

dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUSCOOKIESHA1 in the libdbus library. (This only affects the DBUSCOOKIESHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.

References

Affected packages

Git / gitlab.freedesktop.org/dbus/dbus

Affected ranges

Type

GIT

Repo

https://gitlab.freedesktop.org/dbus/dbus

Events

Introduced

Fixed

983e62be144c3615bd44feb9850dc4ccd797e3b8

Introduced

98294ab81a4d7ef00b6de5149344d92278c38593

Fixed

23cc709db8fab94f11fa48772bff396b20aea8b0

Introduced

ee84f84a3fde6bc3d3c5e1c11adeab8f1af6db44

Fixed

df9dabe5212a1d4b4b652f8fcd7c2e61af4275ba

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.10.28"
        },
        {
            "introduced": "1.12.0"
        },
        {
            "fixed": "1.12.16"
        },
        {
            "introduced": "1.13.0"
        },
        {
            "fixed": "1.13.12"
        }
    ]
}

Affected versions

dbus-0.*

dbus-0.1

dbus-0.10

dbus-0.11

dbus-0.12

dbus-0.13

dbus-0.2

dbus-0.20

dbus-0.21

dbus-0.22

dbus-0.23

dbus-0.3

dbus-0.31.0

dbus-0.32.0

dbus-0.33.0

dbus-0.34.0

dbus-0.35

dbus-0.36

dbus-0.4

dbus-0.5

dbus-0.50

dbus-0.6

dbus-0.60

dbus-0.61

dbus-0.62

dbus-0.7

dbus-0.8

dbus-0.9

dbus-0.90

dbus-0.91

dbus-0.92

dbus-0.93

dbus-0.94

dbus-0.95

dbus-1.*

dbus-1.0.0

dbus-1.1.0

dbus-1.1.2

dbus-1.1.20

dbus-1.1.3

dbus-1.1.4

dbus-1.10.0

dbus-1.10.10

dbus-1.10.12

dbus-1.10.14

dbus-1.10.16

dbus-1.10.18

dbus-1.10.2

dbus-1.10.20

dbus-1.10.22

dbus-1.10.24

dbus-1.10.26

dbus-1.10.4

dbus-1.10.6

dbus-1.10.8

dbus-1.12.0

dbus-1.12.10

dbus-1.12.12

dbus-1.12.14

dbus-1.12.2

dbus-1.12.4

dbus-1.12.6

dbus-1.12.8

dbus-1.13.0

dbus-1.13.10

dbus-1.13.2

dbus-1.13.4

dbus-1.13.6

dbus-1.13.8

dbus-1.2.1

dbus-1.3.0

dbus-1.3.1

dbus-1.4.0

dbus-1.4.1

dbus-1.4.4

dbus-1.4.6

dbus-1.5.0

dbus-1.5.10

dbus-1.5.12

dbus-1.5.2

dbus-1.5.4

dbus-1.5.6

dbus-1.5.8

dbus-1.6.0

dbus-1.7.0

dbus-1.7.10

dbus-1.7.2

dbus-1.7.4

dbus-1.7.6

dbus-1.7.8

dbus-1.8.0

dbus-1.9.0

dbus-1.9.10

dbus-1.9.12

dbus-1.9.14

dbus-1.9.16

dbus-1.9.18

dbus-1.9.2

dbus-1.9.20

dbus-1.9.4

dbus-1.9.8

Other

dbus-before-object-names-merge

dbus-object-names-branchpoint

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "16.04"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "18.04"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "18.10"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "19.04"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12749.json"