Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 6.9
CVE Id: CVE-2012-3524
Last Modified: 05 May 2014 01:12:47
Published: 18 Sep 2012 01:55:00
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE

CVE-2012-3524

Summary

libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."

Vulnerable Systems

Application

  • Freedesktop Libdbus 1.5.0

  • Freedesktop Libdbus 1.5.10

  • Freedesktop Libdbus 1.5.12

  • Freedesktop Libdbus 1.5.2

  • Freedesktop Libdbus 1.5.4

  • Freedesktop Libdbus 1.5.6

  • Freedesktop Libdbus 1.5.8


References

MISC - https://bugzilla.redhat.com/show_bug.cgi?id=847402

MISC - https://bugzilla.novell.com/show_bug.cgi?id=697105

CONFIRM - https://bugs.freedesktop.org/show_bug.cgi?id=52202

BID - 55517

MLIST - [oss-security] 20120917 Re: libdbus CVE-2012-3524 fix

MLIST - [oss-security] 20120914 Re: libdbus CVE-2012-3524 fix

MLIST - [oss-security] 20120912 libdbus CVE-2012-3524 fix

MLIST - [oss-security] 20120726 Re: libdbus hardening

MLIST - [oss-security] 20120710 libdbus hardening

EXPLOIT-DB - 21323

MISC - http://stealth.openwall.net/null/dzug.c

SECUNIA - 50537

REDHAT - RHSA-2012:1261

SUSE - SUSE-SU-2012:1155-2

SUSE - SUSE-SU-2012:1155

UBUNTU - USN-1576-2

SUSE - openSUSE-SU-2012:1287

UBUNTU - USN-1576-1

SECUNIA - 50710

SECUNIA - 50544

MANDRIVA - MDVSA-2013:083

MANDRIVA - MDVSA-2013:070

SUSE - openSUSE-SU-2012:1418

Related Patches

Novell SUSE 2012:6733 dbus-1 security update for SLE 11 SP2 i586

Novell SUSE 2012:6733 dbus-1 security update for SLE 11 SP2 x86_64


Last Updated: 27 May 2016 10:56:37