dbus: fix CVE-2019-12749

(From OE-Core rev: 144363decc922ed03a584eb9b29cf9808a469d08) Signed-off-by: Kevin Weng <t-keweng@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Andrii Bordunov via Openembedded-core <openembedded-core@lists.openembedded.org> 2019-08-13 23:25:56 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-08 22:52:28 +0100
commit: fe27c50545eef60837733feab5ed5a2f6b83e518 (patch)
tree: ca090bee7a8db8e7ee00dd07f7e1877106e2e36a /meta
parent: 1b628384281a809ea8a23904fb628fdafa52e0d2 (diff)
download: poky-fe27c50545eef60837733feab5ed5a2f6b83e518.tar.gz
2 files changed, 128 insertions, 0 deletions
diff --git a/meta/recipes-core/dbus/dbus/CVE-2019-12749.patch b/meta/recipes-core/dbus/dbus/CVE-2019-12749.patch
new file mode 100644
index 0000000000..393c70ca21
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/CVE-2019-12749.patch
@@ -0,0 +1,127 @@
+From f0120c5d97a4cc1b659e86d38f2b1f646ca20ea3 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Thu, 30 May 2019 12:53:03 +0100
+Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server
+ owner
+The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
+of a shared home directory by having the server write a secret "cookie"
+into a .dbus-keyrings subdirectory of the desired identity's home
+directory with 0700 permissions, and having the client prove that it can
+read the cookie. This never actually worked for non-malicious clients in
+the case where server uid != client uid (unless the server and client
+both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
+Unix uid 0) because an unprivileged server would fail to write out the
+cookie, and an unprivileged client would be unable to read the resulting
+file owned by the server.
+Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
+is owned by the uid of the server (a side-effect of a check added to
+harden our use of XDG_RUNTIME_DIR), further ruling out successful use
+by a non-malicious client with a uid differing from the server's.
+Joe Vennix of Apple Information Security discovered that the
+implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
+attack: a malicious client with write access to its own home directory
+could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
+read and write in unintended locations. In the worst case this could
+result in the DBusServer reusing a cookie that is known to the
+malicious client, and treating that cookie as evidence that a subsequent
+client connection came from an attacker-chosen uid, allowing
+authentication bypass.
+This is mitigated by the fact that by default, the well-known system
+dbus-daemon (since 2003) and the well-known session dbus-daemon (in
+stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
+authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
+at an early stage, before manipulating cookies. As a result, this
+vulnerability only applies to:
+* system or session dbus-daemons with non-standard configuration
+* third-party dbus-daemon invocations such as at-spi2-core (although
+  in practice at-spi2-core also only accepts EXTERNAL by default)
+* third-party uses of DBusServer such as the one in Upstart
+Avoiding symlink attacks in a portable way is difficult, because APIs
+like openat() and Linux /proc/self/fd are not universally available.
+However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
+a non-matching uid, we can solve this vulnerability in an easier way
+without regressions, by rejecting it early (before looking at
+~/.dbus-keyrings) whenever the requested identity doesn't match the
+identity of the process hosting the DBusServer.
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
+Closes: CVE-2019-12749
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/dbus/dbus/commit
+/47b1a4c41004bf494b87370987b222c934b19016]
+CVE: CVE-2019-12749
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
+index 37d8d4c9..7390a9d5 100644
+--- a/dbus/dbus-auth.c
+++ b/dbus/dbus-auth.c
+@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth         *auth,
+   DBusString tmp2;
+   dbus_bool_t retval = FALSE;
+   DBusError error = DBUS_ERROR_INIT;
+  DBusCredentials *myself = NULL;
+ 
+   _dbus_string_set_length (&auth->challenge, 0);
+   
+@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth         *auth,
+       return FALSE;
+     }
+ 
+  myself = _dbus_credentials_new_from_current_process ();
+
+  if (myself == NULL)
+    goto out;
+
+  if (!_dbus_credentials_same_user (myself, auth->desired_identity))
+    {
+      /*
+       * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
+       * client is anyone other than the user owning the process
+       * containing the DBusServer: we probably aren't allowed to write
+       * to other users' home directories. Even if we can (for example
+       * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
+       * must not, because the other user controls their home directory,
+       * and could carry out symlink attacks to make us read from or
+       * write to unintended locations. It's difficult to avoid symlink
+       * attacks in a portable way, so we just don't try. This isn't a
+       * regression, because DBUS_COOKIE_SHA1 never worked for other
+       * users anyway.
+       */
+      _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
+                     "but that doesn't match this process",
+                     DBUS_AUTH_NAME (auth),
+                     _dbus_string_get_const_data (data));
+      retval = send_rejected (auth);
+      goto out;
+    }
+
+   /* we cache the keyring for speed, so here we drop it if it's the
+    * wrong one. FIXME caching the keyring here is useless since we use
+    * a different DBusAuth for every connection.
+@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth         *auth,
+   _dbus_string_zero (&tmp2);
+   _dbus_string_free (&tmp2);
+ 
+  if (myself != NULL)
+    _dbus_credentials_unref (myself);
+
+   return retval;
+ }
+ 
+-- 
+2.22.0
diff --git a/meta/recipes-core/dbus/dbus_1.12.10.bb b/meta/recipes-core/dbus/dbus_1.12.10.bb
index d71f7f7042..d7ad1d8be4 100644
--- a/meta/recipes-core/dbus/dbus_1.12.10.bb
+++ b/meta/recipes-core/dbus/dbus_1.12.10.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
           file://tmpdir.patch \
           file://dbus-1.init \
           file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+                   file://CVE-2019-12749.patch \
 "
 SRC_URI[md5sum] = "c3e12b4206e2a7da39d7cc42567790ef"
author	Andrii Bordunov via Openembedded-core <openembedded-core@lists.openembedded.org>	2019-08-13 23:25:56 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +0100
commit	fe27c50545eef60837733feab5ed5a2f6b83e518 (patch)
tree	ca090bee7a8db8e7ee00dd07f7e1877106e2e36a /meta
parent	1b628384281a809ea8a23904fb628fdafa52e0d2 (diff)
download	poky-fe27c50545eef60837733feab5ed5a2f6b83e518.tar.gz

diff --git a/meta/recipes-core/dbus/dbus/CVE-2019-12749.patch b/meta/recipes-core/dbus/dbus/CVE-2019-12749.patch new file mode 100644 index 0000000000..393c70ca21 --- /dev/null +++ b/meta/recipes-core/dbus/dbus/CVE-2019-12749.patch
@@ -0,0 +1,127 @@
		1	From f0120c5d97a4cc1b659e86d38f2b1f646ca20ea3 Mon Sep 17 00:00:00 2001
		2	From: Simon McVittie <smcv@collabora.com>
		3	Date: Thu, 30 May 2019 12:53:03 +0100
		4	Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server
		5	owner
		6
		7	The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
		8	of a shared home directory by having the server write a secret "cookie"
		9	into a .dbus-keyrings subdirectory of the desired identity's home
		10	directory with 0700 permissions, and having the client prove that it can
		11	read the cookie. This never actually worked for non-malicious clients in
		12	the case where server uid != client uid (unless the server and client
		13	both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
		14	Unix uid 0) because an unprivileged server would fail to write out the
		15	cookie, and an unprivileged client would be unable to read the resulting
		16	file owned by the server.
		17
		18	Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
		19	is owned by the uid of the server (a side-effect of a check added to
		20	harden our use of XDG_RUNTIME_DIR), further ruling out successful use
		21	by a non-malicious client with a uid differing from the server's.
		22
		23	Joe Vennix of Apple Information Security discovered that the
		24	implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
		25	attack: a malicious client with write access to its own home directory
		26	could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
		27	read and write in unintended locations. In the worst case this could
		28	result in the DBusServer reusing a cookie that is known to the
		29	malicious client, and treating that cookie as evidence that a subsequent
		30	client connection came from an attacker-chosen uid, allowing
		31	authentication bypass.
		32
		33	This is mitigated by the fact that by default, the well-known system
		34	dbus-daemon (since 2003) and the well-known session dbus-daemon (in
		35	stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
		36	authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
		37	at an early stage, before manipulating cookies. As a result, this
		38	vulnerability only applies to:
		39
		40	* system or session dbus-daemons with non-standard configuration
		41	* third-party dbus-daemon invocations such as at-spi2-core (although
		42	in practice at-spi2-core also only accepts EXTERNAL by default)
		43	* third-party uses of DBusServer such as the one in Upstart
		44
		45	Avoiding symlink attacks in a portable way is difficult, because APIs
		46	like openat() and Linux /proc/self/fd are not universally available.
		47	However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
		48	a non-matching uid, we can solve this vulnerability in an easier way
		49	without regressions, by rejecting it early (before looking at
		50	~/.dbus-keyrings) whenever the requested identity doesn't match the
		51	identity of the process hosting the DBusServer.
		52
		53	Signed-off-by: Simon McVittie <smcv@collabora.com>
		54	Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
		55	Closes: CVE-2019-12749
		56
		57	Upstream-Status: Backport
		58	[https://gitlab.freedesktop.org/dbus/dbus/commit
		59	/47b1a4c41004bf494b87370987b222c934b19016]
		60
		61	CVE: CVE-2019-12749
		62
		63	Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
		64	---
		65	dbus/dbus-auth.c \| 32 ++++++++++++++++++++++++++++++++
		66	1 file changed, 32 insertions(+)
		67
		68	diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
		69	index 37d8d4c9..7390a9d5 100644
		70	--- a/dbus/dbus-auth.c
		71	+++ b/dbus/dbus-auth.c
		72	@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth *auth,
		73	DBusString tmp2;
		74	dbus_bool_t retval = FALSE;
		75	DBusError error = DBUS_ERROR_INIT;
		76	+ DBusCredentials *myself = NULL;
		77
		78	_dbus_string_set_length (&auth->challenge, 0);
		79
		80	@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth *auth,
		81	return FALSE;
		82	}
		83
		84	+ myself = _dbus_credentials_new_from_current_process ();
		85	+
		86	+ if (myself == NULL)
		87	+ goto out;
		88	+
		89	+ if (!_dbus_credentials_same_user (myself, auth->desired_identity))
		90	+ {
		91	+ /*
		92	+ * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
		93	+ * client is anyone other than the user owning the process
		94	+ * containing the DBusServer: we probably aren't allowed to write
		95	+ * to other users' home directories. Even if we can (for example
		96	+ * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
		97	+ * must not, because the other user controls their home directory,
		98	+ * and could carry out symlink attacks to make us read from or
		99	+ * write to unintended locations. It's difficult to avoid symlink
		100	+ * attacks in a portable way, so we just don't try. This isn't a
		101	+ * regression, because DBUS_COOKIE_SHA1 never worked for other
		102	+ * users anyway.
		103	+ */
		104	+ _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
		105	+ "but that doesn't match this process",
		106	+ DBUS_AUTH_NAME (auth),
		107	+ _dbus_string_get_const_data (data));
		108	+ retval = send_rejected (auth);
		109	+ goto out;
		110	+ }
		111	+
		112	/* we cache the keyring for speed, so here we drop it if it's the
		113	* wrong one. FIXME caching the keyring here is useless since we use
		114	* a different DBusAuth for every connection.
		115	@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth *auth,
		116	_dbus_string_zero (&tmp2);
		117	_dbus_string_free (&tmp2);
		118
		119	+ if (myself != NULL)
		120	+ _dbus_credentials_unref (myself);
		121	+
		122	return retval;
		123	}
		124
		125	--
		126	2.22.0
		127


diff --git a/meta/recipes-core/dbus/dbus_1.12.10.bb b/meta/recipes-core/dbus/dbus_1.12.10.bb index d71f7f7042..d7ad1d8be4 100644 --- a/meta/recipes-core/dbus/dbus_1.12.10.bb +++ b/meta/recipes-core/dbus/dbus_1.12.10.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
16	file://tmpdir.patch \	16	file://tmpdir.patch \
17	file://dbus-1.init \	17	file://dbus-1.init \
18	file://clear-guid_from_server-if-send_negotiate_unix_f.patch \	18	file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
		19	file://CVE-2019-12749.patch \
19	"	20	"
20		21
21	SRC_URI[md5sum] = "c3e12b4206e2a7da39d7cc42567790ef"	22	SRC_URI[md5sum] = "c3e12b4206e2a7da39d7cc42567790ef"