Commit 67a0d647 authored by Simon McVittie's avatar Simon McVittie Committed by Simon McVittie
Browse files

dbus_activation_systemd_failure: do not use non-literal format string

In principle this could lead to arbitrary memory overwrite via
a format string attack in the message received from systemd,
resulting in arbitrary code execution.

This is not believed to be an exploitable security vulnerability on the
system bus in practice: it can only be exploited by the owner of the
org.freedesktop.systemd1 bus name, which is restricted to uid 0, so
if systemd is attacker-controlled then the system is already doomed.
Similarly, if a systemd system unit mentioned in the activation failure
message has an attacker-controlled name, then the attacker likely already
has sufficient access to execute arbitrary code as root in any case.

However, prior to dbus 1.8.16 and 1.9.10, due to a missing check for
systemd's identity, unprivileged processes could forge activation
failure messages which would have gone through this code path.
We thought at the time that this was a denial of service vulnerability
(CVE-2015-0245); this bug means that it was in fact potentially an
arbitrary code execution vulnerability.

Bug found using -Wsuggest-attribute=format and -Wformat-security.
Signed-off-by: default avatarSimon McVittie <>
Reviewed-by: Colin Walters's avatarColin Walters <>
parent f32bf2b8
......@@ -2242,7 +2242,7 @@ dbus_activation_systemd_failure (BusActivation *activation,
dbus_set_error(&error, code, str);
dbus_set_error (&error, code, "%s", str);
if (unit)
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment