1. 16 Feb, 2017 4 commits
    • 
      Disable some mostly cosmetic compiler warnings · efc9ec52
      Simon McVittie authored
      We are not going to fix compiler warnings in a security-fix-only
      branch: it's too much regression risk for too little benefit. If they
      demonstrate a security bug, then we'll backport the fix for the
      security bug.
      Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
      efc9ec52
    • 
      Update NEWS for 1.8.x · 8116f98b
      Simon McVittie authored
      Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
      8116f98b
    • 
      activation test: Fix time-of-check/time-of-use bug waiting to happen · ca04b6b2
      Simon McVittie authored
      Creating a directory is atomic, stat'ing it to see whether to remove
      it is very much not.
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99828
      Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
      Reviewed-by: Philip Withnall <withnall@endlessm.com>
      ca04b6b2
    • 
      Change _dbus_create_directory to fail for existing directories · 914233f9
      Simon McVittie authored
      If we don't trap EEXIST and its Windows equivalent, we are unable to
      detect the situation where we create an ostensibly unique
      subdirectory in a shared /tmp, but an attacker has already created it.
      This affects dbus-nonce (the nonce-tcp transport) and the activation
      reload test.
      
      Add a new _dbus_ensure_directory() for the one case where we want it to
      succeed even on EEXIST: the DBUS_COOKIE_SHA1 keyring, which we know
      we are creating in our own trusted "official" $HOME. In the new
      transient service support on Bug #99825, ensure_owned_directory()
      would need the same treatment.
      
      We are not treating this as a serious security problem, because the
      nonce-tcp transport is rarely enabled on Unix and there are multiple
      mitigations.
      
      The nonce-tcp transport creates a new unique file with O_EXCL and 0600
      (private to user) permissions, then overwrites the requested filename
      via atomic-overwrite, so the worst that could happen there is that an
      attacker could place a symbolic link matching the name of a directory
      we are going to create, causing a dbus-daemon configured for nonce-tcp
      to traverse the symlink and atomically overwrite a file named "nonce"
      in a directory of the attacker's choice, with new random contents that
      are not known to the attacker. This seems unlikely to be exploitable
      for anything worse than denial of service in practice. In mainline
      Linux since 3.6, this attack is also defeated by the
      fs.protected_symlinks sysctl, which many distributions enable by default.
      
      The activation reload test suffers from a classic symlink attack
      due to time-of-check/time-of-use errors in its implementation, but as
      part of the developer-only "embedded tests" that are only intended
      to be run on a trusted machine, it is not treated as security-sensitive.
      That code path will be fixed in a subsequent commit.
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99828
      Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
      Reviewed-by: Philip Withnall <withnall@endlessm.com>
      914233f9
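The distinction this commit draws, as an added illustration that is not dbus's own code: a strict "create" helper that treats EEXIST as failure (the only safe choice for a supposedly unique directory in a shared /tmp) beside an "ensure" helper that tolerates an existing directory and is therefore only appropriate in a trusted location such as the user's own $HOME. The function names and the scratch directory under /tmp are assumptions of this example.

```c
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for a strict create: mkdir() is atomic, so EEXIST means someone
 * else got there first and the path cannot be trusted to be ours. */
static bool create_directory_unique(const char *path)
{
    return mkdir(path, 0700) == 0;   /* EEXIST deliberately not tolerated */
}

/* Stand-in for an "ensure" helper: accepts an existing directory. Only safe
 * where no untrusted party can pre-create the path (e.g. our own $HOME). */
static bool ensure_directory(const char *path)
{
    if (mkdir(path, 0700) == 0)
        return true;
    return errno == EEXIST;
}

/* Constructed scenario: the target path was already created by someone else.
 * Returns 1 when the strict helper refuses it and the lenient one accepts it. */
static int demo_preexisting_entry(void)
{
    char base[] = "/tmp/dbus-example-XXXXXX", target[64];
    int ok = 0;
    if (mkdtemp(base) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/nonce-dir", base);
    if (mkdir(target, 0755) == 0)              /* "attacker" pre-creates it */
        ok = !create_directory_unique(target) && ensure_directory(target);
    rmdir(target);
    rmdir(base);
    return ok;
}

/* Constructed scenario: a genuinely fresh path succeeds once, then is refused. */
static int demo_fresh_path(void)
{
    char base[] = "/tmp/dbus-example-XXXXXX", target[64];
    int ok;
    if (mkdtemp(base) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/nonce-dir", base);
    ok = create_directory_unique(target) && !create_directory_unique(target);
    rmdir(target);
    rmdir(base);
    return ok;
}
```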
  2. 10 Oct, 2016 3 commits
  3. 21 Jul, 2015 5 commits
  4. 17 Jun, 2015 2 commits
  5. 14 May, 2015 3 commits
  6. 12 May, 2015 1 commit
    • 
      Security hardening: force EXTERNAL auth in session.conf on Unix · d9ab8931
      Simon McVittie authored
      DBUS_COOKIE_SHA1 is dependent on unguessable strings, i.e.
      indirectly dependent on high-quality pseudo-random numbers
      whereas EXTERNAL authentication (credentials-passing)
      is mediated by the kernel and cannot be faked.
      
      On Windows, EXTERNAL authentication is not available,
      so we continue to use the hard-coded default (all
      authentication mechanisms are tried).
      
      Users of tcp: or nonce-tcp: on Unix will have to comment
      this out, but they would have had to use a special
      configuration anyway (to set the listening address),
      and the tcp: and nonce-tcp: transports are inherently
      insecure unless special steps are taken to have them
      restricted to a VPN or SSH tunnelling.
      
      Users of obscure Unix platforms (those that trigger
      the warning "Socket credentials not supported on this Unix OS"
      when compiling dbus-sysdeps-unix.c) might also have to
      comment this out, or preferably provide a tested patch
      to enable credentials-passing on that OS.
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90414
      d9ab8931
  7. 08 May, 2015 2 commits
    • 
      reader_init: Initialize all fields of struct DBusTypeReader (CID 54754, 54772, 54773). · 77e1b311
      Ralf Habacker authored
      This patch is based on the fix for 'Field reader.array_len_offset is
      uninitialized'
      
      Reported by Coverity: CID 54754, 54772, 54773: Uninitialized scalar
      variable (UNINIT)
      
      [smcv: also re-order how the class is set when we recurse, so that
      the sub-reader's class doesn't end up NULL]
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90021
      77e1b311
    • 
      Revert "reader_init: Initialize all fields of struct DBusTypeReader (CID 54754, 54772, 54773)." · 480f0182
      Simon McVittie authored
      This reverts commit 21a7873f.
      
      This appears to cause a segfault, presumably resulting from something
      assuming that reader_init() would not reinitialize all fields:
      
       #0  0x00007ffff7b74777 in _dbus_type_reader_get_current_type (reader=reader@entry=0x7fffffffda50) at .../dbus/dbus-marshal-recursive.c:791
       #1  0x00007ffff7b719d0 in _dbus_header_cache_check (header=<optimized out>)
          at .../dbus/dbus-marshal-header.c:209
       #2  0x00007ffff7b719d0 in _dbus_header_cache_check (header=header@entry=0x624658, field=field@entry=6) at .../dbus/dbus-marshal-header.c:250
       #3  0x00007ffff7b72884 in _dbus_header_get_field_basic (header=header@entry=0x624658, field=field@entry=6, type=type@entry=115, value=value@entry=0x7fffffffdbd8) at .../dbus/dbus-marshal-header.c:1365
       #4  0x00007ffff7b7d8c2 in dbus_message_get_destination (message=message@entry=0x624650) at .../dbus/dbus-message.c:3457
       #5  0x00007ffff7b67be6 in _dbus_connection_send_preallocated_unlocked_no_update (connection=connection@entry=0x6236d0, preallocated=0x0,
          preallocated@entry=0x6234c0, message=message@entry=0x624650, client_serial=client_serial@entry=0x7fffffffdcbc)
          at .../dbus/dbus-connection.c:2017
      480f0182
  8. 06 May, 2015 3 commits
  9. 05 May, 2015 3 commits
  10. 28 Apr, 2015 1 commit
  11. 15 Apr, 2015 1 commit
  12. 13 Apr, 2015 2 commits
  13. 09 Feb, 2015 1 commit
  14. 05 Feb, 2015 1 commit
  15. 04 Feb, 2015 3 commits
  16. 05 Jan, 2015 4 commits
  17. 01 Jan, 2015 1 commit