Commit a3c1b66b authored by Simon McVittie's avatar Simon McVittie

Merge branch '1.8-cve-2015-0245' into cve-2015-0245

Conflicts:
	NEWS
	bus/system.conf.in
	configure.ac
parents 239fa208 03c5e161
D-Bus 1.9.10 (UNRELEASED)
==
The “sad cyborgs” release.
Security fixes:
• Do not allow non-uid-0 processes to send forged ActivationFailure
messages. On Linux systems with systemd activation, this would
allow a local denial of service: unprivileged processes could
flood the bus with these forged messages, winning the race with
the actual service activation and causing an error reply
to be sent back when service auto-activation was requested.
This does not prevent the real service from being started,
so it only works while the real service is not running.
(CVE-2015-0245, fd.o #88811; Simon McVittie)
Enhancements:
• The new Monitoring interface in the dbus-daemon lets dbus-monitor and
......@@ -22,7 +36,7 @@ Enhancements:
or libpcap-compatible framing treating each D-Bus message
as a captured packet. (fd.o #46787, Simon)
Fixes:
Other fixes:
• Fix some CMake build regressions (fd.o #88964, Ralf Habacker)
......
......@@ -40,6 +40,24 @@
#include <dbus/dbus-marshal-recursive.h>
#include <string.h>
static DBusConnection *
bus_driver_get_owner_of_name (DBusConnection *connection,
const char *name)
{
BusRegistry *registry;
BusService *serv;
DBusString str;
registry = bus_connection_get_registry (connection);
_dbus_string_init_const (&str, name);
serv = bus_registry_lookup (registry, &str);
if (serv == NULL)
return NULL;
return bus_service_get_primary_owners_connection (serv);
}
static DBusConnection *
bus_driver_get_conn_helper (DBusConnection *connection,
DBusMessage *message,
......@@ -47,11 +65,8 @@ bus_driver_get_conn_helper (DBusConnection *connection,
const char **name_p,
DBusError *error)
{
const char *name;
BusRegistry *registry;
BusService *serv;
DBusString str;
DBusConnection *conn;
const char *name;
if (!dbus_message_get_args (message, error,
DBUS_TYPE_STRING, &name,
......@@ -61,11 +76,9 @@ bus_driver_get_conn_helper (DBusConnection *connection,
_dbus_assert (name != NULL);
_dbus_verbose ("asked for %s of connection %s\n", what_we_want, name);
registry = bus_connection_get_registry (connection);
_dbus_string_init_const (&str, name);
serv = bus_registry_lookup (registry, &str);
conn = bus_driver_get_owner_of_name (connection, name);
if (serv == NULL)
if (conn == NULL)
{
dbus_set_error (error, DBUS_ERROR_NAME_HAS_NO_OWNER,
"Could not get %s of name '%s': no such name",
......@@ -73,9 +86,6 @@ bus_driver_get_conn_helper (DBusConnection *connection,
return NULL;
}
conn = bus_service_get_primary_owners_connection (serv);
_dbus_assert (conn != NULL);
if (name_p != NULL)
*name_p = name;
......@@ -2238,8 +2248,26 @@ bus_driver_handle_message (DBusConnection *connection,
if (dbus_message_is_signal (message, "org.freedesktop.systemd1.Activator", "ActivationFailure"))
{
BusContext *context;
DBusConnection *systemd;
context = bus_connection_get_context (connection);
systemd = bus_driver_get_owner_of_name (connection,
"org.freedesktop.systemd1");
if (systemd != connection)
{
const char *attacker;
attacker = bus_connection_get_name (connection);
bus_context_log (context, DBUS_SYSTEM_LOG_SECURITY,
"Ignoring forged ActivationFailure message from "
"connection %s (%s)",
attacker ? attacker : "(unauthenticated)",
bus_connection_get_loginfo (connection));
/* ignore it */
return TRUE;
}
return dbus_activation_systemd_failure(bus_context_get_activation(context), message);
}
......
......@@ -73,6 +73,14 @@
send_member="UpdateActivationEnvironment"/>
<deny send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.DBus.Debug.Stats"/>
<deny send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.systemd1.Activator"/>
</policy>
<!-- Only systemd, which runs as root, may report activation failures. -->
<policy user="root">
<allow send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.systemd1.Activator"/>
</policy>
<!-- root may monitor the system bus. -->
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment