author | Andrii Bordunov via Openembedded-core <openembedded-core@lists.openembedded.org> | 2019-08-13 23:25:56 +0000 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-10-08 22:52:28 +0100 |
commit | fe27c50545eef60837733feab5ed5a2f6b83e518 (patch) | |
tree | ca090bee7a8db8e7ee00dd07f7e1877106e2e36a /meta/recipes-core/dbus/dbus | |
parent | 1b628384281a809ea8a23904fb628fdafa52e0d2 (diff) | |
download | poky-fe27c50545eef60837733feab5ed5a2f6b83e518.tar.gz |
dbus: fix CVE-2019-12749
(From OE-Core rev: 144363decc922ed03a584eb9b29cf9808a469d08)
Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/dbus/dbus')
-rw-r--r-- | meta/recipes-core/dbus/dbus/CVE-2019-12749.patch | 127 |
1 files changed, 127 insertions, 0 deletions
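--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/CVE-2019-12749.patch
@@ -0,0 +1,127 @@
+From f0120c5d97a4cc1b659e86d38f2b1f646ca20ea3 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Thu, 30 May 2019 12:53:03 +0100
+Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server
+owner
+
+The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
+of a shared home directory by having the server write a secret "cookie"
+into a .dbus-keyrings subdirectory of the desired identity's home
+directory with 0700 permissions, and having the client prove that it can
+read the cookie. This never actually worked for non-malicious clients in
+the case where server uid != client uid (unless the server and client
+both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
+Unix uid 0) because an unprivileged server would fail to write out the
+cookie, and an unprivileged client would be unable to read the resulting
+file owned by the server.
+
+Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
+is owned by the uid of the server (a side-effect of a check added to
+harden our use of XDG_RUNTIME_DIR), further ruling out successful use
+by a non-malicious client with a uid differing from the server's.
+
+Joe Vennix of Apple Information Security discovered that the
+implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
+attack: a malicious client with write access to its own home directory
+could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
+read and write in unintended locations. In the worst case this could
+result in the DBusServer reusing a cookie that is known to the
+malicious client, and treating that cookie as evidence that a subsequent
+client connection came from an attacker-chosen uid, allowing
+authentication bypass.
+
+This is mitigated by the fact that by default, the well-known system
+dbus-daemon (since 2003) and the well-known session dbus-daemon (in
+stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
+authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
+at an early stage, before manipulating cookies. As a result, this
+vulnerability only applies to:
+
+* system or session dbus-daemons with non-standard configuration
+* third-party dbus-daemon invocations such as at-spi2-core (although
+in practice at-spi2-core also only accepts EXTERNAL by default)
+* third-party uses of DBusServer such as the one in Upstart
+
+Avoiding symlink attacks in a portable way is difficult, because APIs
+like openat() and Linux /proc/self/fd are not universally available.
+However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
+a non-matching uid, we can solve this vulnerability in an easier way
+without regressions, by rejecting it early (before looking at
+~/.dbus-keyrings) whenever the requested identity doesn't match the
+identity of the process hosting the DBusServer.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
+Closes: CVE-2019-12749
+
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/dbus/dbus/commit
+/47b1a4c41004bf494b87370987b222c934b19016]
+
+CVE: CVE-2019-12749
+
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++
+1 file changed, 32 insertions(+)
+
+diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
+index 37d8d4c9..7390a9d5 100644
+--- a/dbus/dbus-auth.c
++++ b/dbus/dbus-auth.c
+@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth *auth,
+DBusString tmp2;
+dbus_bool_t retval = FALSE;
+DBusError error = DBUS_ERROR_INIT;
++ DBusCredentials *myself = NULL;
+
+_dbus_string_set_length (&auth->challenge, 0);
+
+@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth *auth,
+return FALSE;
+}
+
++ myself = _dbus_credentials_new_from_current_process ();
++
++ if (myself == NULL)
++ goto out;
++
++ if (!_dbus_credentials_same_user (myself, auth->desired_identity))
++ {
++ /*
++ * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
++ * client is anyone other than the user owning the process
++ * containing the DBusServer: we probably aren't allowed to write
++ * to other users' home directories. Even if we can (for example
++ * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
++ * must not, because the other user controls their home directory,
++ * and could carry out symlink attacks to make us read from or
++ * write to unintended locations. It's difficult to avoid symlink
++ * attacks in a portable way, so we just don't try. This isn't a
++ * regression, because DBUS_COOKIE_SHA1 never worked for other
++ * users anyway.
++ */
++ _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
++ "but that doesn't match this process",
++ DBUS_AUTH_NAME (auth),
++ _dbus_string_get_const_data (data));
++ retval = send_rejected (auth);
++ goto out;
++ }
++
+/* we cache the keyring for speed, so here we drop it if it's the
+* wrong one. FIXME caching the keyring here is useless since we use
+* a different DBusAuth for every connection.
+@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth *auth,
+_dbus_string_zero (&tmp2);
+_dbus_string_free (&tmp2);
+
++ if (myself != NULL)
++ _dbus_credentials_unref (myself);
++
+return retval;
+}
+
+--
+2.22.0
+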
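Review bot: The two `goto out` jumps added in the second hunk of the embedded dbus-auth.c patch (the NULL return from `_dbus_credentials_new_from_current_process ()` and the rejection path) depend on the `out:` label, which is outside the hunk; the context just above them (`return FALSE;` / `}`) suggests `tmp` and `tmp2` are already initialised at that point, so the jumps look safe, but it is worth confirming that `out:` sits before the `_dbus_string_zero (&tmp2)` / `_dbus_string_free (&tmp2)` lines shown in the third hunk rather than between them and the new unref. On the NULL path `retval` stays FALSE, which the caller presumably treats as an out-of-memory failure rather than an authentication rejection; a one-line comment such as `/* OOM: FALSE here means a fatal error, not a rejection */` above that `goto out;` would make the distinction explicit for the next backporter. The enclosing function `sha1_handle_first_client_response` starts outside the hunk.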