Commit 7370b66b authored by jcnelson's avatar jcnelson

Merge branch 'master' of git://anonscm.debian.org/pkg-utopia/dbus into debian-upstream

Conflicts:
	Makefile.in
	NEWS
	bus/driver.c
	bus/driver.h
	bus/stats.c
	bus/system.conf.in
	cmake/config.h.cmake
	cmake/test/CMakeLists.txt
	config.sub
	configure
	configure.ac
	dbus/dbus-sysdeps-win.c
	debian/changelog
	debian/dbus.triggers
	doc/Makefile.in
	test/dbus-daemon.c
parents 8630ad6a c1c801dc
......@@ -123,8 +123,8 @@ DIST_COMMON = $(srcdir)/tools/lcov.am INSTALL NEWS README AUTHORS \
$(top_srcdir)/test/data/invalid-service-files-system/org.freedesktop.DBus.TestSuiteNoExec.service.in \
$(top_srcdir)/test/data/invalid-service-files-system/org.freedesktop.DBus.TestSuiteNoUser.service.in \
$(top_srcdir)/test/data/invalid-service-files-system/org.freedesktop.DBus.TestSuiteNoService.service.in \
COPYING compile config.guess config.sub depcomp install-sh \
missing ltmain.sh
COPYING compile config.guess config.sub install-sh missing \
ltmain.sh
subdir = .
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/as-ac-expand.m4 \
......
D-Bus 1.8.16 (2015-02-09)
==
The “poorly concealed wrestlers” release.
Security fixes:
• Do not allow non-uid-0 processes to send forged ActivationFailure
messages. On Linux systems with systemd activation, this would
allow a local denial of service: unprivileged processes could
flood the bus with these forged messages, winning the race with
the actual service activation and causing an error reply
to be sent back when service auto-activation was requested.
This does not prevent the real service from being started,
so it only works while the real service is not running.
(CVE-2015-0245, fd.o #88811; Simon McVittie)
Other fixes:
• fix a Windows build failure (fd.o #88009, Ralf Habacker)
• on Windows, allow up to 8K connections to the dbus-daemon instead of the
previous 64, completing a previous fix which only worked under
Autotools (fd.o #71297, Ralf Habacker)
D-Bus 1.8.14 (2015-01-05)
==
The “40lb of roofing nails” release.
Security hardening:
• Do not allow calls to UpdateActivationEnvironment from uids other than
the uid of the dbus-daemon. If a system service installs unsafe
security policy rules that allow arbitrary method calls
(such as CVE-2014-8148) then this prevents memory consumption and
possible privilege escalation via UpdateActivationEnvironment.
We believe that in practice, privilege escalation here is avoided
by dbus-daemon-launch-helper sanitizing its environment; but
it seems better to be safe.
• Do not allow calls to UpdateActivationEnvironment or the Stats interface
on object paths other than /org/freedesktop/DBus. Some system services
install unsafe security policy rules that allow arbitrary method calls
to any destination, method and interface with a specified object path;
while less bad than allowing arbitrary method calls, these security
policies are still harmful, since dbus-daemon normally offers the
same API on all object paths and other system services might behave
similarly.
Other fixes:
• Add missing initialization so GetExtendedTcpTable doesn't crash on
Windows Vista SP0 (fd.o #77008, Илья А. Ткаченко)
D-Bus 1.8.12 (2014-11-24)
==
......
......@@ -878,6 +878,44 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
if (!bus_driver_check_message_is_for_us (message, error))
return FALSE;
#ifdef DBUS_UNIX
{
/* UpdateActivationEnvironment is basically a recipe for privilege
* escalation so let's be extra-careful: do not allow the sysadmin
* to shoot themselves in the foot. */
unsigned long uid;
if (!dbus_connection_get_unix_user (connection, &uid))
{
bus_context_log (bus_transaction_get_context (transaction),
DBUS_SYSTEM_LOG_SECURITY,
"rejected attempt to call UpdateActivationEnvironment by "
"unknown uid");
dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
"rejected attempt to call UpdateActivationEnvironment by "
"unknown uid");
return FALSE;
}
/* On the system bus, we could in principle allow uid 0 to call
* UpdateActivationEnvironment; but they should know better anyway,
* and our default system.conf has always forbidden it */
if (!_dbus_unix_user_is_process_owner (uid))
{
bus_context_log (bus_transaction_get_context (transaction),
DBUS_SYSTEM_LOG_SECURITY,
"rejected attempt to call UpdateActivationEnvironment by uid %lu",
uid);
dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
"rejected attempt to call UpdateActivationEnvironment");
return FALSE;
}
}
#endif
activation = bus_connection_get_activation (connection);
dbus_message_iter_init (message, &iter);
......@@ -1965,6 +2003,38 @@ bus_driver_handle_introspect (DBusConnection *connection,
return FALSE;
}
/*
* Set @error and return FALSE if the message is not directed to the
* dbus-daemon by its canonical object path. This is hardening against
* system services with poorly-written security policy files, which
* might allow sending dangerously broad equivalence classes of messages
* such as "anything with this assumed-to-be-safe object path".
*
* dbus-daemon is unusual in that it normally ignores the object path
* of incoming messages; we need to keep that behaviour for the "read"
* read-only method calls like GetConnectionUnixUser for backwards
* compatibility, but it seems safer to be more restrictive for things
* intended to be root-only or privileged-developers-only.
*
* It is possible that there are other system services with the same
* quirk as dbus-daemon.
*/
dbus_bool_t
bus_driver_check_message_is_for_us (DBusMessage *message,
DBusError *error)
{
if (!dbus_message_has_path (message, DBUS_PATH_DBUS))
{
dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
"Method '%s' is only available at the canonical object path '%s'",
dbus_message_get_member (message), DBUS_PATH_DBUS);
return FALSE;
}
return TRUE;
}
dbus_bool_t
bus_driver_handle_message (DBusConnection *connection,
BusTransaction *transaction,
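Review bot: The first rejection branch added to bus_driver_handle_update_activation_environment logs only "unknown uid", so the DBUS_SYSTEM_LOG_SECURITY entry carries nothing that ties the attempt to a connection. Consider adding the caller's identity to both log calls, for example an extra `%s` fed by `bus_connection_get_loginfo (connection)`, if that helper is available in this tree. The caller check is also compiled only under `#ifdef DBUS_UNIX`, so other platforms appear to get just the object-path check; a comment such as `/* no caller-uid check on non-Unix builds; only the object-path check above applies */` would make that explicit. The function starts before and continues after this hunk, so the handling after the check is not reviewed here.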
......
......@@ -47,6 +47,7 @@ dbus_bool_t bus_driver_send_service_owner_changed (const char *service_name
DBusError *error);
dbus_bool_t bus_driver_generate_introspect_string (DBusString *xml);
dbus_bool_t bus_driver_check_message_is_for_us (DBusMessage *message,
DBusError *error);
#endif /* BUS_DRIVER_H */
......@@ -29,6 +29,10 @@
#include <dbus/dbus-connection-internal.h>
#include "connection.h"
<<<<<<< HEAD
=======
#include "driver.h"
>>>>>>> c1c801dcb5e6470e9327195c89ee2da6e505127b
#include "services.h"
#include "utils.h"
......@@ -49,6 +53,12 @@ bus_stats_handle_get_stats (DBusConnection *connection,
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
<<<<<<< HEAD
=======
if (!bus_driver_check_message_is_for_us (message, error))
return FALSE;
>>>>>>> c1c801dcb5e6470e9327195c89ee2da6e505127b
context = bus_transaction_get_context (transaction);
connections = bus_context_get_connections (context);
......@@ -131,6 +141,12 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection,
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
<<<<<<< HEAD
=======
if (!bus_driver_check_message_is_for_us (message, error))
return FALSE;
>>>>>>> c1c801dcb5e6470e9327195c89ee2da6e505127b
registry = bus_connection_get_registry (caller_connection);
if (! dbus_message_get_args (message, error,
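Review bot: The new side of bus/stats.c still contains unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> c1c801dcb5e6470e9327195c89ee2da6e505127b`) around the `#include "driver.h"` line and around both new `bus_driver_check_message_is_for_us` calls. As committed these lines are not valid C, so the file should fail to compile wherever they are not preprocessed away. Each HEAD side is empty, so the resolution is to delete the three marker lines in each place and keep the incoming lines. Resolving the other way would drop the object-path check from GetStats and GetConnectionStats with no build error to flag it. Both handler bodies start and end outside the hunks shown.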
......
......@@ -68,6 +68,14 @@
<deny send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.DBus"
send_member="UpdateActivationEnvironment"/>
<deny send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.systemd1.Activator"/>
</policy>
<!-- Only systemd, which runs as root, may report activation failures. -->
<policy user="root">
<allow send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.systemd1.Activator"/>
</policy>
<!-- Config files are placed here that among other things, punch
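Review bot: The new `<policy user="root">` rule allows every member of `org.freedesktop.systemd1.Activator`, while its comment and the NEWS entry speak only of activation failures. Narrowing it with `send_member="ActivationFailure"` would keep the rule as tight as the stated intent. As far as this page shows, the restriction lives only in policy, and the hunk ends at the comment introducing further included config files, which can change what is allowed. A sender check in the daemon's handler, if one is not already present outside this view, would keep the fix effective when local or packaged policy is looser than this default.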
......
......@@ -248,4 +248,8 @@
#define inline __inline
#endif
#ifdef DBUS_WIN
#define FD_SETSIZE @FD_SETSIZE@
#endif
#endif // _DBUS_CONFIG_H
include_directories(${CMAKE_SOURCE_DIR}/../test)
add_definitions(${DBUS_INTERNAL_CLIENT_DEFINITIONS})
......@@ -66,7 +67,6 @@ if(DBUS_WITH_GLIB)
include_directories(
${GLIB2_INCLUDE_DIR}
${GOBJECT_INCLUDE_DIR}
${CMAKE_SOURCE_DIR}/../test
)
set(TEST_LIBRARIES ${DBUS_INTERNAL_LIBRARIES} dbus-testutils ${GLIB2_LIBRARIES} ${GOBJECT_LIBRARIES})
......
......@@ -2,7 +2,7 @@
# Configuration validation subroutine script.
# Copyright 1992-2014 Free Software Foundation, Inc.
timestamp='2014-05-01'
timestamp='2014-09-11'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
......@@ -302,6 +302,7 @@ case $basic_machine in
| pdp10 | pdp11 | pj | pjl \
| powerpc | powerpc64 | powerpc64le | powerpcle \
| pyramid \
| riscv32 | riscv64 \
| rl78 | rx \
| score \
| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
......@@ -828,6 +829,10 @@ case $basic_machine in
basic_machine=powerpc-unknown
os=-morphos
;;
moxiebox)
basic_machine=moxie-unknown
os=-moxiebox
;;
msdos)
basic_machine=i386-pc
os=-msdos
......@@ -1373,7 +1378,7 @@ case $os in
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
| -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-musl* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* \
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
| -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
| -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
......
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for dbus 1.8.12.
#
# Generated by GNU Autoconf 2.69 for dbus 1.8.16.
#
# Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=dbus>.
#
......@@ -591,8 +592,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='dbus'
PACKAGE_TARNAME='dbus'
PACKAGE_VERSION='1.8.12'
PACKAGE_STRING='dbus 1.8.12'
PACKAGE_VERSION='1.8.16'
PACKAGE_STRING='dbus 1.8.16'
PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus'
PACKAGE_URL=''
......@@ -1513,7 +1514,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures dbus 1.8.12 to adapt to many kinds of systems.
\`configure' configures dbus 1.8.16 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
......@@ -1587,7 +1588,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of dbus 1.8.12:";;
short | recursive ) echo "Configuration of dbus 1.8.16:";;
esac
cat <<\_ACEOF
......@@ -1784,7 +1785,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
dbus configure 1.8.12
dbus configure 1.8.16
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -2503,7 +2504,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by dbus $as_me 1.8.12, which was
It was created by dbus $as_me 1.8.16, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
......@@ -3446,7 +3447,7 @@ fi
# Define the identity of the package.
PACKAGE='dbus'
VERSION='1.8.12'
VERSION='1.8.16'
cat >>confdefs.h <<_ACEOF
......@@ -3746,7 +3747,7 @@ LT_CURRENT=11
## increment any time the source changes; set to
## 0 if you increment CURRENT
LT_REVISION=9
LT_REVISION=11
## increment if any interfaces have been added; set to 0
## if any interfaces have been changed or removed. removal has
......@@ -3759,8 +3760,8 @@ LT_AGE=8
DBUS_MAJOR_VERSION=1
DBUS_MINOR_VERSION=8
DBUS_MICRO_VERSION=12
DBUS_VERSION=1.8.12
DBUS_MICRO_VERSION=16
DBUS_VERSION=1.8.16
......@@ -23428,7 +23429,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by dbus $as_me 1.8.12, which was
This file was extended by dbus $as_me 1.8.16, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
......@@ -23494,7 +23495,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
dbus config.status 1.8.12
dbus config.status 1.8.16
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
......
......@@ -3,7 +3,7 @@ AC_PREREQ([2.63])
m4_define([dbus_major_version], [1])
m4_define([dbus_minor_version], [8])
m4_define([dbus_micro_version], [12])
m4_define([dbus_micro_version], [16])
m4_define([dbus_version],
[dbus_major_version.dbus_minor_version.dbus_micro_version])
AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
......@@ -37,7 +37,7 @@ LT_CURRENT=11
## increment any time the source changes; set to
## 0 if you increment CURRENT
LT_REVISION=9
LT_REVISION=11
## increment if any interfaces have been added; set to 0
## if any interfaces have been changed or removed. removal has
......
......@@ -146,7 +146,7 @@ static dbus_pid_t
get_pid_from_extended_tcp_table(int peer_port)
{
dbus_pid_t result;
DWORD errorCode, size, i;
DWORD errorCode, size = 0, i;
MIB_TCPTABLE_OWNER_PID *tcp_table;
if ((errorCode =
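Review bot: `size = 0` is initialised on the same declaration line as `errorCode` and `i`, which stay uninitialised, and nothing says why the zero matters. A short comment, e.g. `/* must be 0: the first GetExtendedTcpTable call only asks for the required size */`, would stop the initialiser being dropped as redundant later. That call pattern is presumed, because the call itself is cut off at the end of the hunk, so confirm it against the full function. Giving `size` its own declaration line would also make the fix easier to spot.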
......
dbus (1.8.16-1) unstable; urgency=high
* New upstream release fixes a local denial of service
when using systemd activation (CVE-2015-0245)
-- Simon McVittie <smcv@debian.org> Wed, 04 Feb 2015 20:14:46 +0000
dbus (1.8.14-2) unstable; urgency=high
* Relax the triggers from interest to interest-noawait (Closes: #771989;
mitigates: #776063; partially reopens: #740139).
This is not strictly correct, because the purpose of the triggers
is to set up the .conf, .service files for system services before those
services satisfy dependencies. However, it mitigates #776063
(apt getting into a stuck state during upgrades), and should in
principle be redundant anyway, because dbus-daemon is meant to use
inotify to keep up with configuration changes. See #771989, #776063
for details.
-- Simon McVittie <smcv@debian.org> Tue, 03 Feb 2015 17:28:12 +0000
dbus (1.8.14-1) unstable; urgency=medium
* New upstream release to harden dbus-daemon against packages that install
unsafe security policy configurations.
-- Simon McVittie <smcv@debian.org> Thu, 01 Jan 2015 13:07:23 +0000
dbus (1.8.12-3) unstable; urgency=medium
* preinst: partially revert change from 1.8.12-2. It seems that the
......
interest /etc/dbus-1/system.d
interest /usr/share/dbus-1/system-services
interest-noawait /etc/dbus-1/system.d
interest-noawait /usr/share/dbus-1/system-services
......@@ -666,8 +666,8 @@ distclean-generic:
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
@DBUS_DOXYGEN_DOCS_ENABLED_FALSE@uninstall-local:
@DBUS_DOXYGEN_DOCS_ENABLED_FALSE@install-data-local:
@DBUS_DOXYGEN_DOCS_ENABLED_FALSE@uninstall-local:
clean: clean-am
clean-am: clean-generic clean-libtool clean-local mostlyclean-am
......
......@@ -457,6 +457,91 @@ test_creds (Fixture *f,
#endif
}
static void
test_canonical_path_uae (Fixture *f,
gconstpointer context)
{
DBusMessage *m = dbus_message_new_method_call (DBUS_SERVICE_DBUS,
DBUS_PATH_DBUS, DBUS_INTERFACE_DBUS, "UpdateActivationEnvironment");
DBusPendingCall *pc;
DBusMessageIter args_iter;
DBusMessageIter arr_iter;
if (m == NULL)
g_error ("OOM");
dbus_message_iter_init_append (m, &args_iter);
/* Append an empty a{ss} (string => string dictionary). */
if (!dbus_message_iter_open_container (&args_iter, DBUS_TYPE_ARRAY,
"{ss}", &arr_iter) ||
!dbus_message_iter_close_container (&args_iter, &arr_iter))
g_error ("OOM");
if (!dbus_connection_send_with_reply (f->left_conn, m, &pc,
DBUS_TIMEOUT_USE_DEFAULT) ||
pc == NULL)
g_error ("OOM");
dbus_message_unref (m);
m = NULL;
if (dbus_pending_call_get_completed (pc))
pending_call_store_reply (pc, &m);
else if (!dbus_pending_call_set_notify (pc, pending_call_store_reply,
&m, NULL))
g_error ("OOM");
while (m == NULL)
test_main_context_iterate (f->ctx, TRUE);
/* it succeeds */
g_assert_cmpint (dbus_message_get_type (m), ==,
DBUS_MESSAGE_TYPE_METHOD_RETURN);
dbus_message_unref (m);
/* Now try with the wrong object path */
m = dbus_message_new_method_call (DBUS_SERVICE_DBUS,
"/com/example/Wrong", DBUS_INTERFACE_DBUS, "UpdateActivationEnvironment");
if (m == NULL)
g_error ("OOM");
dbus_message_iter_init_append (m, &args_iter);
/* Append an empty a{ss} (string => string dictionary). */
if (!dbus_message_iter_open_container (&args_iter, DBUS_TYPE_ARRAY,
"{ss}", &arr_iter) ||
!dbus_message_iter_close_container (&args_iter, &arr_iter))
g_error ("OOM");
if (!dbus_connection_send_with_reply (f->left_conn, m, &pc,
DBUS_TIMEOUT_USE_DEFAULT) ||
pc == NULL)
g_error ("OOM");
dbus_message_unref (m);
m = NULL;
if (dbus_pending_call_get_completed (pc))
pending_call_store_reply (pc, &m);
else if (!dbus_pending_call_set_notify (pc, pending_call_store_reply,
&m, NULL))
g_error ("OOM");
while (m == NULL)
test_main_context_iterate (f->ctx, TRUE);
/* it fails, yielding an error message with one string argument */
g_assert_cmpint (dbus_message_get_type (m), ==, DBUS_MESSAGE_TYPE_ERROR);
g_assert_cmpstr (dbus_message_get_error_name (m), ==,
DBUS_ERROR_ACCESS_DENIED);
g_assert_cmpstr (dbus_message_get_signature (m), ==, "s");
dbus_message_unref (m);
}
static void
teardown (Fixture *f,
gconstpointer context G_GNUC_UNUSED)
......@@ -514,6 +599,8 @@ main (int argc,
g_test_add ("/echo/limited", Fixture, &limited_config,
setup, test_echo, teardown);
g_test_add ("/creds", Fixture, NULL, setup, test_creds, teardown);
g_test_add ("/canonical-path/uae", Fixture, NULL,
setup, test_canonical_path_uae, teardown);
return g_test_run ();
}
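Review bot: test_canonical_path_uae covers the object-path rejection only for UpdateActivationEnvironment, while the same commit adds the identical check to bus_stats_handle_get_stats and bus_stats_handle_get_connection_stats with no test. The send-and-wait sequence is already written out twice here; moving it into a helper that takes the object path, interface and member would let the Stats calls be covered cheaply where that interface is compiled in. Separately, `pc` is reassigned by the second `dbus_connection_send_with_reply` and never passed to `dbus_pending_call_unref` in the visible lines, so both pending calls appear to leak unless `pending_call_store_reply` releases them.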