-
Simon McVittie authored
In principle this could lead to arbitrary memory overwrite via a format string attack in the message received from systemd, resulting in arbitrary code execution. This is not believed to be an exploitable security vulnerability on the system bus in practice: it can only be exploited by the owner of the org.freedesktop.systemd1 bus name, which is restricted to uid 0, so if systemd is attacker-controlled then the system is already doomed. Similarly, if a systemd system unit mentioned in the activation failure message has an attacker-controlled name, then the attacker likely already has sufficient access to execute arbitrary code as root in any case. However, prior to dbus 1.8.16 and 1.9.10, due to a missing check for systemd's identity, unprivileged processes could forge activation failure messages which would have gone through this code path. We thought at the time that this was a denial of service vulnerability (CVE-2015-0245); this bug means that it was in fact potentially an arbitrary code execution vulnerability. Bug found using -Wsuggest-attribute=format and -Wformat-security. Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Colin Walters <walters@verbum.org> Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
e473ab85