1. 14 May, 2015 1 commit
  2. 12 May, 2015 1 commit
    • Simon McVittie's avatar
      Security hardening: force EXTERNAL auth in session.conf on Unix · d9ab8931
      Simon McVittie authored
      DBUS_COOKIE_SHA1 is dependent on unguessable strings, i.e.
      indirectly dependent on high-quality pseudo-random numbers
      whereas EXTERNAL authentication (credentials-passing)
      is mediated by the kernel and cannot be faked.
      
      On Windows, EXTERNAL authentication is not available,
      so we continue to use the hard-coded default (all
      authentication mechanisms are tried).
      
      Users of tcp: or nonce-tcp: on Unix will have to comment
      this out, but they would have had to use a special
      configuration anyway (to set the listening address),
      and the tcp: and nonce-tcp: transports are inherently
      insecure unless special steps are taken to have them
      restricted to a VPN or SSH tunnelling.
      
      Users of obscure Unix platforms (those that trigger
      the warning "Socket credentials not supported on this Unix OS"
      when compiling dbus-sysdeps-unix.c) might also have to
      comment this out, or preferably provide a tested patch
      to enable credentials-passing on that OS.
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90414
      d9ab8931
  3. 08 May, 2015 2 commits
    • Ralf Habacker's avatar
      reader_init: Initialize all fields of struct DBusTypeReader (CID 54754, 54772, 54773). · 77e1b311
      Ralf Habacker authored
      This patch is based on the fix for 'Field reader.array_len_offset is
      uninitialized'
      
      Reported by Coverity: CID 54754, 54772, 54773: Uninitialized scalar
      variable (UNINIT)
      
      [smcv: also re-order how the class is set when we recurse, so that
      the sub-reader's class doesn't end up NULL]
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90021
      77e1b311
    • Simon McVittie's avatar
      Revert "reader_init: Initialize all fields of struct DBusTypeReader (CID 54754, 54772, 54773)." · 480f0182
      Simon McVittie authored
      This reverts commit 21a7873f.
      
      This appears to cause a segfault, presumably resulting from something
      assuming that reader_init() would not reinitialize all fields:
      
       #0  0x00007ffff7b74777 in _dbus_type_reader_get_current_type (reader=reader@entry=0x7fffffffda50) at .../dbus/dbus-marshal-recursive.c:791
       #1  0x00007ffff7b719d0 in _dbus_header_cache_check (header=<optimized out>)
          at .../dbus/dbus-marshal-header.c:209
       #2  0x00007ffff7b719d0 in _dbus_header_cache_check (header=header@entry=0x624658, field=field@entry=6) at .../dbus/dbus-marshal-header.c:250
       #3  0x00007ffff7b72884 in _dbus_header_get_field_basic (header=header@entry=0x624658, field=field@entry=6, type=type@entry=115, value=value@entry=0x7fffffffdbd8) at .../dbus/dbus-marshal-header.c:1365
       #4  0x00007ffff7b7d8c2 in dbus_message_get_destination (message=message@entry=0x624650) at .../dbus/dbus-message.c:3457
       #5  0x00007ffff7b67be6 in _dbus_connection_send_preallocated_unlocked_no_update (connection=connection@entry=0x6236d0, preallocated=0x0,
          preallocated@entry=0x6234c0, message=message@entry=0x624650, client_serial=client_serial@entry=0x7fffffffdcbc)
          at .../dbus/dbus-connection.c:2017
      480f0182
  4. 06 May, 2015 3 commits
  5. 05 May, 2015 3 commits
  6. 28 Apr, 2015 1 commit
  7. 15 Apr, 2015 1 commit
  8. 13 Apr, 2015 2 commits
  9. 09 Feb, 2015 1 commit
  10. 05 Feb, 2015 1 commit
  11. 04 Feb, 2015 3 commits
  12. 05 Jan, 2015 4 commits
  13. 01 Jan, 2015 5 commits
    • Simon McVittie's avatar
      Prepare release for Monday · abbbf449
      Simon McVittie authored
      abbbf449
    • Simon McVittie's avatar
      Hardening: only accept Stats function calls at the canonical object path · eec885de
      Simon McVittie authored
      These function calls are not a privilege escalation risk like
      UpdateActivationEnvironment, but they might provide sensitive
      information or be enhanced to provide sensitive information
      in future, so the default system.conf locks them down to root-only.
      Apply the same canonical-object-path hardening as for
      UpdateActivationEnvironment.
      
      We do not apply the uid check here because they are less dangerous
      than UpdateActivationEnvironment, and because the ability to unlock
      these function calls for specific uids is a documented configuration
      for developers.
      Reviewed-by: Thiago Macieira's avatarThiago Macieira <thiago@kde.org>
      [added missing #include; extended commit message -smcv]
      eec885de
    • Simon McVittie's avatar
    • Simon McVittie's avatar
      Hardening: only allow the uid of the dbus-daemon to call UpdateActivationEnvironment · a67cb9bf
      Simon McVittie authored
      As with the previous commit, this is probably not actually privilege
      escalation due to the use of an activation helper that cleans up its
      environment, but let's be extra-careful here.
      Reviewed-by: Thiago Macieira's avatarThiago Macieira <thiago@kde.org>
      [adjusted commit message -smcv]
      a67cb9bf
    • Simon McVittie's avatar
      Hardening: reject UpdateActivationEnvironment on non-canonical path · 6a3f563a
      Simon McVittie authored
      UpdateActivationEnvironment is the one dbus-daemon API call that is
      obviously dangerous (it is intended for the session bus),
      so the default system.conf does not allow anyone to call it.
      
      It has recently come to the D-Bus maintainers' attention that some
      system services incorrectly install D-Bus policy rules that allow
      arbitrary method calls to any destination as long as they have a
      "safe" object path. This is not actually safe: some system services
      that use low-level D-Bus bindings like libdbus, including dbus-daemon
      itself, provide the same API on all object paths.
      
      Unauthorized calls to UpdateActivationEnvironment are probably just
      resource consumption rather than privilege escalation, because on
      the system bus, the modified environment is only used to execute
      a setuid wrapper that avoids LD_PRELOAD etc. via normal setuid
      handling, and sanitizes its own environment before executing
      the real service. However, it's safest to assume the worst and
      treat it as a potential privilege escalation.
      
      Accordingly, as a hardening measure to avoid privilege escalation on
      systems with these faulty services, stop allowing calls to
      ("/com/example/Whatever",
      "org.freedesktop.DBus.UpdateActivationEnvironment")
      and only allow ("/org/freedesktop/DBus",
      "org.freedesktop.DBus.UpdateActivationEnvironment").
      
      We deliberately continue to provide read-only APIs like
      GetConnectionUnixUser at all object paths, for backwards compatibility.
      Reviewed-by: Thiago Macieira's avatarThiago Macieira <thiago@kde.org>
      [adjusted commit message to note that this is probably only DoS -smcv]
      6a3f563a
  14. 23 Dec, 2014 1 commit
  15. 24 Nov, 2014 2 commits
  16. 22 Nov, 2014 2 commits
    • Simon McVittie's avatar
      Revert "config: change default auth_timeout to 5 seconds" · 02e1ddf9
      Simon McVittie authored
      This reverts commit 54d26df5.
      
      It appears this change may cause intermittent slow or failed boot,
      more commonly on slower/older machines, in at least Mageia and
      possibly also Debian. This would indicate that while the system
      is under load, system services are not completing authentication
      within 5 seconds.
      
      This change was not the main part of fixing CVE-2014-3639, but does
      help to mitigate that attack. As such, increasing this timeout makes
      the denial of service attack described by CVE-2014-3639 somewhat
      more effective: a local user connecting to the system bus repeatedly
      from many parallel processes can cause other users' attempts to
      connect to take longer.
      
      If your machine boots reliably with the shorter timeout, and
      resilience against local denial of service attacks is important
      to you, putting this in /etc/dbus-1/system-local.conf
      or a file matching /etc/dbus-1/system.d/*.conf can restore
      the lower limit:
      
          <busconfig>
            <limit name="auth_timeout">5000</limit>
          </busconfig>
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431
      02e1ddf9
    • Simon McVittie's avatar
      Log to syslog when auth_timeout drops an incomplete connection · 29c64424
      Simon McVittie authored
      This is a symptom of either a denial of service attack, or a
      serious performance problem. Either way, sysadmins should know.
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431
      29c64424
  17. 14 Nov, 2014 3 commits
  18. 10 Nov, 2014 2 commits
  19. 06 Nov, 2014 2 commits