Preface: A NULL pointer dereference occurs when an application dereferences a pointer it expects to be valid but that is NULL, typically crashing the process or forcing it to exit. The NULL can arise from a number of flaws, including unchecked lookup results and race conditions.
Background: D-Bus is an inter-process communication (IPC) mechanism originally designed to replace the component communication systems used by the GNOME and KDE desktop environments on Linux. The dbus-broker project is an implementation of a message bus as defined by the D-Bus specification.
Projects using D-Bus
- KDE: a desktop environment based on Qt
- GNOME: a desktop environment based on GTK
- systemd: an init system
- NetworkManager: a daemon that manages network interfaces
- BlueZ: the project that adds Bluetooth support to Linux
dbus-broker is an implementation of the D-Bus Message Bus Specification. Each instance provides a single, unique message bus that clients connect to and send messages over. The broker takes care of message mediation, access control, subscriptions, and bus control, according to the D-Bus specification.
Vulnerability details: An issue was discovered in dbus-broker before version 31. Multiple NULL pointer dereferences can be triggered by supplying a malformed XML config file: the configuration parser dereferences pointers that only a well-formed file would have populated, so a malformed file crashes the broker when the configuration is loaded.
Ref: Expat is a library, written in C, for parsing XML documents; dbus-broker parses its XML configuration with it. An XML parser checks that a document is well formed, may also validate it, and exposes the document's elements and attributes to the application through an interface such as callbacks. It is the application's job to check that the elements and attributes it expects were actually present before using them.
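The following is an added example, written for this page, that illustrates the bug class rather than reproducing dbus-broker's own code. It mimics the shape of an Expat start-element handler (attributes arrive as a NULL-terminated array of alternating name/value strings) with hand-constructed attribute arrays, so it compiles without libexpat. The `policy` element and its `user` attribute are assumed for illustration; the vulnerable function trusts that the attribute exists and dereferences NULL on the malformed element, while the hardened function reports a parse error instead.

```c
/* nulldref_config.c: illustrative pattern, not dbus-broker's code.
 * Build: cc -Wall -o nulldref_config nulldref_config.c && ./nulldref_config */
#include <stdio.h>
#include <string.h>

/* Expat hands a start-element handler its attributes as a NULL-terminated
 * array of alternating name/value strings. The arrays below are constructed
 * by hand to stand in for what Expat would pass, so no libexpat is needed. */
static const char *well_formed_policy[] = { "user", "root", "context", "default", NULL };
static const char *malformed_policy[]   = { "context", "default", NULL };  /* no "user" */

/* Return the value of attribute `name`, or NULL if the element lacks it. */
static const char *attr_lookup(const char **atts, const char *name)
{
    for (size_t i = 0; atts[i] != NULL; i += 2)
        if (strcmp(atts[i], name) == 0)
            return atts[i + 1];
    return NULL;
}

/* Vulnerable pattern: assumes every <policy> carries a "user" attribute.
 * A malformed element without it makes attr_lookup() return NULL, which
 * strcmp() then dereferences: the daemon segfaults while loading its config. */
static int policy_is_root_vulnerable(const char **atts)
{
    const char *user = attr_lookup(atts, "user");
    return strcmp(user, "root") == 0;       /* NULL dereference on malformed input */
}

/* Hardened pattern: a missing required attribute is a parse error that is
 * surfaced to the caller, never dereferenced. */
enum policy_result { POLICY_ERR = -1, POLICY_OTHER = 0, POLICY_ROOT = 1 };

static enum policy_result policy_is_root_hardened(const char **atts)
{
    const char *user = attr_lookup(atts, "user");
    if (user == NULL)
        return POLICY_ERR;
    return strcmp(user, "root") == 0 ? POLICY_ROOT : POLICY_OTHER;
}

/* Parser state threaded through the callbacks, as a real Expat handler would
 * carry it in the userdata pointer. */
struct config_state {
    int root_policies;
    int errors;
};

/* Start-element handler with Expat's callback signature
 * (void *userdata, const XML_Char *name, const XML_Char **atts), using plain
 * char so the file compiles without <expat.h>. Element names are hypothetical. */
static void start_element(void *userdata, const char *name, const char **atts)
{
    struct config_state *st = userdata;

    if (strcmp(name, "policy") != 0)
        return;                              /* other elements not modelled here */

    switch (policy_is_root_hardened(atts)) {
    case POLICY_ROOT:  st->root_policies++; break;
    case POLICY_OTHER: break;
    case POLICY_ERR:   st->errors++;        break;  /* reject instead of crash */
    }
}

/* Feed the constructed elements through the hardened handler; returns the
 * number of errors recorded, so the caller can refuse a malformed config. */
static int parse_constructed_config(struct config_state *st)
{
    memset(st, 0, sizeof *st);
    start_element(st, "policy", well_formed_policy);
    start_element(st, "policy", malformed_policy);
    return st->errors;
}

int main(void)
{
    struct config_state st;

    printf("well-formed, vulnerable path: root=%d\n",
           policy_is_root_vulnerable(well_formed_policy));
    /* policy_is_root_vulnerable(malformed_policy) would segfault here. */

    int errors = parse_constructed_config(&st);
    printf("hardened parse: root_policies=%d errors=%d -> %s\n",
           st.root_policies, errors, errors ? "config rejected" : "config accepted");
    return errors ? 1 : 0;
}
```

The fix is not specific to one attribute: every value a parser callback obtains from the document is untrusted and may be absent, so each lookup result must be checked before use, and a missing required element or attribute should fail the whole load rather than be dereferenced.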
Solution: Update to dbus-broker 31 or later: https://github.com/bus1/dbus-broker/releases/tag/v31
Proof of concept and related technical details: refer to the SEC Consult advisory
https://sec-consult.com/vulnerability-lab/advisory/memory-corruption-vulnerabilities-dbus-broker/