1. 09 Jun, 2019 1 commit
  2. 10 Oct, 2016 1 commit
    • Simon McVittie's avatar
      dbus_activation_systemd_failure: do not use non-literal format string · 67a0d647
      Simon McVittie authored
      In principle this could lead to arbitrary memory overwrite via
      a format string attack in the message received from systemd,
      resulting in arbitrary code execution.
      This is not believed to be an exploitable security vulnerability on the
      system bus in practice: it can only be exploited by the owner of the
      org.freedesktop.systemd1 bus name, which is restricted to uid 0, so
      if systemd is attacker-controlled then the system is already doomed.
      Similarly, if a systemd system unit mentioned in the activation failure
      message has an attacker-controlled name, then the attacker likely already
      has sufficient access to execute arbitrary code as root in any case.
      However, prior to dbus 1.8.16 and 1.9.10, due to a missing check for
      systemd's identity, unprivileged processes could forge activation
      failure messages which would have gone through this code path.
      We thought at the time that this was a denial of service vulnerability
      (CVE-2015-0245); this bug means that it was in fact potentially an
      arbitrary code execution vulnerability.
      Bug found using -Wsuggest-attribute=format and -Wformat-security.
      Signed-off-by: default avatarSimon McVittie <simon.mcvittie@collabora.co.uk>
      Reviewed-by: Colin Walters's avatarColin Walters <walters@verbum.org>
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
  3. 09 Feb, 2015 1 commit
  4. 05 Feb, 2015 2 commits
  5. 24 Nov, 2014 2 commits
  6. 18 Nov, 2014 2 commits
    • Simon McVittie's avatar
      Revert "config: change default auth_timeout to 5 seconds" · d1ab5857
      Simon McVittie authored
      This reverts commit 54d26df5.
      It appears this change may cause intermittent slow or failed boot,
      more commonly on slower/older machines, in at least Mageia and
      possibly also Debian. This would indicate that while the system
      is under load, system services are not completing authentication
      within 5 seconds.
      This change was not the main part of fixing CVE-2014-3639, but does
      help to mitigate that attack. As such, increasing this timeout makes
      the denial of service attack described by CVE-2014-3639 somewhat
      more effective: a local user connecting to the system bus repeatedly
      from many parallel processes can cause other users' attempts to
      connect to take longer.
      If your machine boots reliably with the shorter timeout, and
      resilience against local denial of service attacks is important
      to you, putting this in /etc/dbus-1/system-local.conf
      or a file matching /etc/dbus-1/system.d/*.conf can restore
      the lower limit:
            <limit name="auth_timeout">5000</limit>
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431
    • Simon McVittie's avatar
      Log to syslog when auth_timeout drops an incomplete connection · 39f4b36b
      Simon McVittie authored
      This is a symptom of either a denial of service attack, or a
      serious performance problem. Either way, sysadmins should know.
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431
  7. 10 Nov, 2014 1 commit
  8. 06 Nov, 2014 2 commits
  9. 15 Sep, 2014 11 commits
  10. 02 Jul, 2014 1 commit
  11. 30 Jun, 2014 3 commits
  12. 10 Jun, 2014 1 commit
  13. 05 Jun, 2014 2 commits
    • Simon McVittie's avatar
      Prepare embargoed security release · 7100a396
      Simon McVittie authored
    • Alban Crequy's avatar
      CVE-2014-3477: deliver activation errors correctly, fixing Denial of Service · cab1c56b
      Alban Crequy authored
      How it should work:
      When a D-Bus message activates a service, LSMs (SELinux or AppArmor) check
      whether the message can be delivered after the service has been activated. The
      service is considered activated when its well-known name is requested with
      org.freedesktop.DBus.RequestName. When the message delivery is denied, the
      service stays activated but should not receive the activating message (the
      message which triggered the activation). dbus-daemon is supposed to drop the
      activating message and reply to the sender with a D-Bus error message.
      However, it does not work as expected:
      1. The error message is delivered to the service instead of being delivered to
         the sender. As an example, the error message could be something like:
           An SELinux policy prevents this sender from sending this
           message to this recipient, [...] member="MaliciousMethod"
         If the sender and the service are malicious confederates and agree on a
         protocol to insert information in the member name, the sender can leak
         information to the service, even though the LSM attempted to block the
         communication between the sender and the service.
      2. The error message is delivered as a reply to the RequestName call from
         service. It means the activated service will believe it cannot request the
         name and might exit. The sender could activate the service frequently and
         systemd will give up activating it. Thus the denial of service.
      The following changes fix the bug:
      - bus_activation_send_pending_auto_activation_messages() only returns an error
        in case of OOM. The prototype is changed to return TRUE, or FALSE on OOM
        (and its only caller sets the OOM error).
      - When a client is not allowed to talk to the service, a D-Bus error message
        is pre-allocated to be delivered to the client as part of the transaction.
        The error is not propagated to the caller so RequestName will not fail
        (except on OOM).
      [fixed a misleading comment -smcv]
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78979
      Reviewed-by: default avatarSimon McVittie <simon.mcvittie@collabora.co.uk>
      Reviewed-by: Colin Walters's avatarColin Walters <walters@verbum.org>
  14. 12 Nov, 2013 2 commits
  15. 04 Nov, 2013 2 commits
  16. 01 Nov, 2013 2 commits
  17. 23 Oct, 2013 1 commit
  18. 08 Oct, 2013 2 commits
  19. 16 Sep, 2013 1 commit