1. 16 Feb, 2017 5 commits
    • Simon McVittie's avatar
      Start 1.10.18 · cb538cc2
      Simon McVittie authored
      Signed-off-by: default avatarSimon McVittie <simon.mcvittie@collabora.co.uk>
    • Simon McVittie's avatar
      Prepare 1.10.16 · 8b582cb1
      Simon McVittie authored
    • Simon McVittie's avatar
      activation test: Fix time-of-check/time-of-use bug waiting to happen · 1488f02d
      Simon McVittie authored
      Creating a directory is atomic, stat'ing it to see whether to remove
      it is very much not.
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99828
      Signed-off-by: default avatarSimon McVittie <simon.mcvittie@collabora.co.uk>
      Reviewed-by: Philip Withnall's avatarPhilip Withnall <withnall@endlessm.com>
    • Simon McVittie's avatar
      Change _dbus_create_directory to fail for existing directories · be51bfe9
      Simon McVittie authored
      If we don't trap EEXIST and its Windows equivalent, we are unable to
      detect the situation where we create an ostensibly unique
      subdirectory in a shared /tmp, but an attacker has already created it.
      This affects dbus-nonce (the nonce-tcp transport) and the activation
      reload test.
      Add a new _dbus_ensure_directory() for the one case where we want it to
      succeed even on EEXIST: the DBUS_COOKIE_SHA1 keyring, which we know
      we are creating in our own trusted "official" $HOME. In the new
      transient service support on Bug #99825, ensure_owned_directory()
      would need the same treatment.
      We are not treating this as a serious security problem, because the
      nonce-tcp transport is rarely enabled on Unix and there are multiple
      The nonce-tcp transport creates a new unique file with O_EXCL and 0600
      (private to user) permissions, then overwrites the requested filename
      via atomic-overwrite, so the worst that could happen there is that an
      attacker could place a symbolic link matching the name of a directory
      we are going to create, causing a dbus-daemon configured for nonce-tcp
      to traverse the symlink and atomically overwrite a file named "nonce"
      in a directory of the attacker's choice, with new random contents that
      are not known to the attacker. This seems unlikely to be exploitable
      for anything worse than denial of service in practice. In mainline
      Linux since 3.6, this attack is also defeated by the
      fs.protected_symlinks sysctl, which many distributions enable by default.
      The activation reload test suffers from a classic symlink attack
      due to time-of-check/time-of-use errors in its implementation, but as
      part of the developer-only "embedded tests" that are only intended
      to be run on a trusted machine, it is not treated as security-sensitive.
      That code path will be fixed in a subsequent commit.
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99828
      Signed-off-by: default avatarSimon McVittie <simon.mcvittie@collabora.co.uk>
      Reviewed-by: Philip Withnall's avatarPhilip Withnall <withnall@endlessm.com>
    • Simon McVittie's avatar
      Travis-CI: Get new autoconf-archive from Ubuntu · bca5a846
      Simon McVittie authored
      Hopefully this has better uptime than snapshot.debian.org, which is
      really an archival service rather than a production component.
      This particular autoconf-archive version was in Ubuntu 16.10, so it
      should stay around for a while.
      Signed-off-by: default avatarSimon McVittie <smcv@debian.org>
      (cherry picked from commit 9935a5b7)
  2. 01 Feb, 2017 1 commit
  3. 29 Nov, 2016 14 commits
  4. 28 Nov, 2016 5 commits
  5. 22 Nov, 2016 4 commits
  6. 10 Oct, 2016 5 commits
  7. 04 Oct, 2016 2 commits
    • Simon McVittie's avatar
      NEWS · 9cb71ebd
      Simon McVittie authored
    • Marc Mutz's avatar
      DBusMessage: Fix UB (misaligned access) in call to _dbus_header_set_field_basic() · 178872ea
      Marc Mutz authored
      The const void* 'value' pointer that is passed the address of a
      uint32_t here eventually ends up in _dbus_marshal_write_basic(), which
      casts it to a DBusBasicValue, a union type that has an alignment of
      eight on 64-bit platforms and is therefore more-aligned than the
      The read of a value of a more-aligned type through a pointer to a less
      -aligned type is undefined behaviour.
      Fix by storing the uint32 in a DBusBasicValue and passing that instead.
      Found by UBSan:
        dbus/dbus/dbus-marshal-basic.c:832:14: runtime error: member access within misaligned address 0x7fdb8dac3a04 for type 'const union DBusBasicValue', which requires 8 byte alignment
        0x7fdb8dac3a04: note: pointer points here
          4a 87 b5 71 01 00 00 00  40 7d 01 00 00 61 00 00  10 3b ac 8d db 7f 00 00  2c 2a 3e 94 db 7f 00 00
          #0 0x7fdb9444a2c3 in _dbus_marshal_write_basic dbus/dbus/dbus-marshal-basic.c:832
          #1 0x7fdb943d22fb in _dbus_type_writer_write_basic_no_typecode dbus/dbus/dbus-marshal-recursive.c:1605
          #2 0x7fdb943d64e9 in _dbus_type_writer_write_basic dbus/dbus/dbus-marshal-recursive.c:2327
          #3 0x7fdb943c52a6 in write_basic_field dbus/dbus/dbus-marshal-header.c:318
          #4 0x7fdb943c919e in _dbus_header_set_field_basic dbus/dbus/dbus-marshal-header.c:1321
       0x7fdb943e1349 in dbus_message_set_reply_serial dbus/dbus/dbus-message.c:1173
      Signed-off-by: default avatarMarc Mutz <marc@kdab.net>
      Reviewed-by: default avatarSimon McVittie <simon.mcvittie@collabora.co.uk>
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98035
  8. 03 Oct, 2016 2 commits
  9. 15 Aug, 2016 2 commits