dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Name | Vendor | Start Version | End Version |
---|---|---|---|
Dbus | Freedesktop | * | 1.10.28 (excluding) |
Dbus | Freedesktop | 1.12.0 (including) | 1.12.16 (excluding) |
Dbus | Freedesktop | 1.13.0 (including) | 1.13.12 (excluding) |
Red Hat Enterprise Linux 6 | RedHat | dbus-1:1.2.24-11.el6_10 | * |
Red Hat Enterprise Linux 6.5 Advanced Update Support | RedHat | dbus-1:1.2.24-9.el6_5 | * |
Red Hat Enterprise Linux 6.6 Advanced Update Support | RedHat | dbus-1:1.2.24-9.el6_6 | * |
Red Hat Enterprise Linux 7 | RedHat | dbus-1:1.10.24-15.el7 | * |
Red Hat Enterprise Linux 8 | RedHat | dbus-1:1.12.8-9.el8 | * |
Red Hat OpenShift Do | RedHat | openshiftdo/odo-init-image-rhel7:1.1.3-2 | * |
Dbus | Ubuntu | bionic | * |
Dbus | Ubuntu | cosmic | * |
Dbus | Ubuntu | devel | * |
Dbus | Ubuntu | disco | * |
Dbus | Ubuntu | trusty/esm | * |
Dbus | Ubuntu | xenial | * |
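
The weakness class described above (a path such as ~/.dbus-keyrings resolving through a link to an unintended location) is commonly guarded against by refusing to follow a final-component symlink and then validating the opened descriptor. The following is an added example of that general pattern, not libdbus code and not the upstream fix; `open_keyring_dir`, `run_keyring_demo` and the fixture under /tmp are hypothetical names constructed for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: return an fd for a keyring directory, or -1 if the
 * path is a symlink, is not a directory, is not owned by expected_uid, or
 * is accessible to group/other. */
int open_keyring_dir(const char *path, uid_t expected_uid)
{
    struct stat st;
    /* O_NOFOLLOW: open() fails if the final path component is a symlink. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor we hold, so the check and any later use
     * refer to the same inode even if the path is swapped afterwards. */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != expected_uid || (st.st_mode & 077) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture under /tmp: a real directory and a ".dbus-keyrings"
 * symlink to it. Returns a bitmask of which cases were accepted. */
int run_keyring_demo(void)
{
    char base[] = "/tmp/keyring-demo-XXXXXX", real[64], lnk[64];
    int fd, accepted = 0;
    if (!mkdtemp(base)) return -1;
    snprintf(real, sizeof real, "%s/real-keyrings", base);
    snprintf(lnk, sizeof lnk, "%s/.dbus-keyrings", base);
    if (mkdir(real, 0700) || chmod(real, 0700) || symlink(real, lnk)) return -1;
    if ((fd = open_keyring_dir(real, geteuid())) >= 0) { accepted |= 1; close(fd); }
    if ((fd = open_keyring_dir(lnk, geteuid())) >= 0) { accepted |= 2; close(fd); }
    if ((fd = open_keyring_dir(real, geteuid() + 1)) >= 0) { accepted |= 4; close(fd); }
    if (chmod(real, 0755) == 0 &&
        (fd = open_keyring_dir(real, geteuid())) >= 0) { accepted |= 8; close(fd); }
    unlink(lnk); rmdir(real); rmdir(base);
    return accepted;
}

int main(void) { printf("accepted mask: %d\n", run_keyring_demo()); return 0; }
```

Only the first case (a real, owner-only directory with the expected owner) is accepted; the symlink, the mismatched uid and the group/other-accessible directory are all rejected.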