Commit 5b8714c8 authored by Simon McVittie's avatar Simon McVittie

Fix regression introduced in 1.6.8-1+deb7u4 (Closes: #769069)

parent bdc38fe6
dbus (1.6.8-1+deb7u5) wheezy; urgency=medium
dbus (1.6.8-1+deb7u5) wheezy-security; urgency=high
* Fix CVE-2014-7824:
- Start 'dbus-daemon --system' as root under sysvinit (it already
......@@ -6,8 +6,14 @@ dbus (1.6.8-1+deb7u5) wheezy; urgency=medium
descriptor limit
- Add patch from upstream to increase dbus-daemon's file descriptor
limit to 65536, completing the incomplete fix for CVE-2014-3636
-- Simon McVittie <smcv@debian.org> Thu, 06 Nov 2014 16:31:34 +0000
* Fix regression introduced in 1.6.8-1+deb7u4 (Closes: #769069):
- Add patch from upstream to restore auth_timeout to its previous value,
since the shorter value causes boot failures on some systems
- Add README.Debian to dbus package, documenting how sysadmins with
hostile local users, and systems where boot succeeds with the shorter
value, can get the shorter value back
-- Simon McVittie <smcv@debian.org> Mon, 24 Nov 2014 13:49:52 +0000
dbus (1.6.8-1+deb7u4) wheezy-security; urgency=high
......
Adjusting limits to mitigate denial of service
==============================================
'dbus-daemon --system' has several arbitrary limits which are a trade-off
between working correctly when not under attack, and preventing local
denial of service attacks. System administrators with particularly hostile
local users should review these limits and tune them if necessary.
In particular, the fix for CVE-2014-3639 in dbus-1.8.8 makes it difficult
for local users to prevent connections completely, but they can still
introduce a delay which increases with larger authentication timeout
(auth_timeout) values, by opening many parallel connections from
different processes and never completing the authentication handshake.
As a result, dbus 1.8.8 also reduced the auth_timeout from 30 seconds
to 5 seconds to mitigate this delay. However, this change resulted in
boot failures on some systems because systemd could not authenticate
sufficiently quickly while the system was busy, and was reverted in 1.8.12.
On fast systems with hostile local users, administrators can reduce this
delay by returning to the 5 second timeout (or any other value in
milliseconds), by saving this as /etc/dbus-1/system-local.conf or a file
matching /etc/dbus-1/system.d/*.conf:
<busconfig>
<limit name="auth_timeout">5000</limit>
</busconfig>
If applying this change, please reboot several times and check the
syslog or Journal for messages containing "Connection has not authenticated
soon enough, closing it". Seeing that message while not subject to a
denial-of-service attack indicates that the auth_timeout has been set
too short.
From 39f4b36ba546818a7dc00bfdcde9b21bb8abcaac Mon Sep 17 00:00:00 2001
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Tue, 18 Nov 2014 12:01:44 +0000
Subject: [PATCH 1/2] Log to syslog when auth_timeout drops an incomplete
connection
This is a symptom of either a denial of service attack, or a
serious performance problem. Either way, sysadmins should know.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431
---
bus/connection.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/bus/connection.c b/bus/connection.c
index f9cc22d..920d454 100644
--- a/bus/connection.c
+++ b/bus/connection.c
@@ -860,6 +860,14 @@ bus_connections_expire_incomplete (BusConnections *connections)
if (elapsed >= (double) auth_timeout)
{
+ /* Unfortunately, we can't identify the connection: it doesn't
+ * have a unique name yet, we don't know its uid/pid yet,
+ * and so on. */
+ bus_context_log (connections->context, DBUS_SYSTEM_LOG_INFO,
+ "Connection has not authenticated soon enough, closing it "
+ "(auth_timeout=%dms, elapsed: %.0fms)",
+ auth_timeout, elapsed);
+
_dbus_verbose ("Timing out authentication for connection %p\n", connection);
dbus_connection_close (connection);
}
--
2.1.3
From d1ab5857287430766837c63643d143ba434160b2 Mon Sep 17 00:00:00 2001
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Tue, 18 Nov 2014 17:34:11 +0000
Subject: [PATCH 2/2] Revert "config: change default auth_timeout to 5 seconds"
This reverts commit 54d26df52b6a394bea175651d1d7ad2ab3f87dea.
It appears this change may cause intermittent slow or failed boot,
more commonly on slower/older machines, in at least Mageia and
possibly also Debian. This would indicate that while the system
is under load, system services are not completing authentication
within 5 seconds.
This change was not the main part of fixing CVE-2014-3639, but does
help to mitigate that attack. As such, increasing this timeout makes
the denial of service attack described by CVE-2014-3639 somewhat
more effective: a local user connecting to the system bus repeatedly
from many parallel processes can cause other users' attempts to
connect to take longer.
If your machine boots reliably with the shorter timeout, and
resilience against local denial of service attacks is important
to you, putting this in /etc/dbus-1/system-local.conf
or a file matching /etc/dbus-1/system.d/*.conf can restore
the lower limit:
<busconfig>
<limit name="auth_timeout">5000</limit>
</busconfig>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431
---
bus/config-parser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bus/config-parser.c b/bus/config-parser.c
index 897667e..488cb70 100644
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
@@ -427,7 +427,7 @@ bus_config_parser_new (const DBusString *basedir,
* and legitimate auth will fail. If interactive auth (ask user for
* password) is allowed, then potentially it has to be quite long.
*/
- parser->limits.auth_timeout = 5000; /* 5 seconds */
+ parser->limits.auth_timeout = 30000; /* 30 seconds */
/* Do not allow a fd to stay forever in dbus-daemon
* https://bugs.freedesktop.org/show_bug.cgi?id=80559
--
2.1.3
......@@ -15,3 +15,6 @@ If-loader-contains-two-messages-with-fds-don-t-corru.patch
0010-_dbus_read_socket_with_unix_fds-do-not-accept-extra-.patch
0001-CVE-2014-7824-set-fd-rlimit-to-64k-for-the-system-db.patch
0001-Log-to-syslog-when-auth_timeout-drops-an-incomplete-.patch
0002-Revert-config-change-default-auth_timeout-to-5-secon.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment