CVE-2019-12749

dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUSCOOKIESHA1 in the libdbus library. (This only affects the DBUSCOOKIESHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.

Database specific

{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
                "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
                "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*",
                "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*"
            ],
            "vendor_product": "canonical:ubuntu_linux",
            "source": "CPE_STRING",
            "extracted_events": [
                {
                    "last_affected": "16.04"
                },
                {
                    "last_affected": "18.04"
                },
                {
                    "last_affected": "18.10"
                },
                {
                    "last_affected": "19.04"
                }
            ]
        }
    ]
}

References

Affected packages

Git / gitlab.freedesktop.org/dbus/dbus

Affected ranges

Type

GIT

Repo

https://gitlab.freedesktop.org/dbus/dbus

Events

Introduced

Fixed

983e62be144c3615bd44feb9850dc4ccd797e3b8

Introduced

98294ab81a4d7ef00b6de5149344d92278c38593

Fixed

23cc709db8fab94f11fa48772bff396b20aea8b0

Introduced

ee84f84a3fde6bc3d3c5e1c11adeab8f1af6db44

Fixed

df9dabe5212a1d4b4b652f8fcd7c2e61af4275ba

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.10.28"
        },
        {
            "introduced": "1.12.0"
        },
        {
            "fixed": "1.12.16"
        },
        {
            "introduced": "1.13.0"
        },
        {
            "fixed": "1.13.12"
        }
    ],
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:freedesktop:dbus:*:*:*:*:*:*:*:*"
}

Affected versions

dbus-0.*

dbus-0.1

dbus-0.10

dbus-0.11

dbus-0.12

dbus-0.13

dbus-0.2

dbus-0.20

dbus-0.21

dbus-0.22

dbus-0.23

dbus-0.3

dbus-0.31.0

dbus-0.32.0

dbus-0.33.0

dbus-0.34.0

dbus-0.35

dbus-0.36

dbus-0.4

dbus-0.5

dbus-0.50

dbus-0.6

dbus-0.60

dbus-0.61

dbus-0.62

dbus-0.7

dbus-0.8

dbus-0.9

dbus-0.90

dbus-0.91

dbus-0.92

dbus-0.93

dbus-0.94

dbus-0.95

dbus-1.*

dbus-1.0.0

dbus-1.1.0

dbus-1.1.2

dbus-1.1.20

dbus-1.1.3

dbus-1.1.4

dbus-1.10.0

dbus-1.10.10

dbus-1.10.12

dbus-1.10.14

dbus-1.10.16

dbus-1.10.18

dbus-1.10.2

dbus-1.10.20

dbus-1.10.22

dbus-1.10.24

dbus-1.10.26

dbus-1.10.4

dbus-1.10.6

dbus-1.10.8

dbus-1.12.0

dbus-1.12.10

dbus-1.12.12

dbus-1.12.14

dbus-1.12.2

dbus-1.12.4

dbus-1.12.6

dbus-1.12.8

dbus-1.13.0

dbus-1.13.10

dbus-1.13.2

dbus-1.13.4

dbus-1.13.6

dbus-1.13.8

dbus-1.2.1

dbus-1.3.0

dbus-1.3.1

dbus-1.4.0

dbus-1.4.1

dbus-1.4.4

dbus-1.4.6

dbus-1.5.0

dbus-1.5.10

dbus-1.5.12

dbus-1.5.2

dbus-1.5.4

dbus-1.5.6

dbus-1.5.8

dbus-1.6.0

dbus-1.7.0

dbus-1.7.10

dbus-1.7.2

dbus-1.7.4

dbus-1.7.6

dbus-1.7.8

dbus-1.8.0

dbus-1.9.0

dbus-1.9.10

dbus-1.9.12

dbus-1.9.14

dbus-1.9.16

dbus-1.9.18

dbus-1.9.2

dbus-1.9.20

dbus-1.9.4

dbus-1.9.8

Other

dbus-before-object-names-merge

dbus-object-names-branchpoint

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-12749.json"