Commit 9f703780 authored by Simon McVittie's avatar Simon McVittie

Imported Upstream version 1.8.14

parent 61e47df2
D-Bus 1.8.14 (2015-01-05)
==
The “40lb of roofing nails” release.
Security hardening:
• Do not allow calls to UpdateActivationEnvironment from uids other than
the uid of the dbus-daemon. If a system service installs unsafe
security policy rules that allow arbitrary method calls
(such as CVE-2014-8148) then this prevents memory consumption and
possible privilege escalation via UpdateActivationEnvironment.
We believe that in practice, privilege escalation here is avoided
by dbus-daemon-launch-helper sanitizing its environment; but
it seems better to be safe.
• Do not allow calls to UpdateActivationEnvironment or the Stats interface
on object paths other than /org/freedesktop/DBus. Some system services
install unsafe security policy rules that allow arbitrary method calls
to any destination, method and interface with a specified object path;
while less bad than allowing arbitrary method calls, these security
policies are still harmful, since dbus-daemon normally offers the
same API on all object paths and other system services might behave
similarly.
Other fixes:
• Add missing initialization so GetExtendedTcpTable doesn't crash on
Windows Vista SP0 (fd.o #77008, Илья А. Ткаченко)
D-Bus 1.8.12 (2014-11-24) D-Bus 1.8.12 (2014-11-24)
== ==
......
...@@ -878,6 +878,44 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, ...@@ -878,6 +878,44 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
_DBUS_ASSERT_ERROR_IS_CLEAR (error); _DBUS_ASSERT_ERROR_IS_CLEAR (error);
if (!bus_driver_check_message_is_for_us (message, error))
return FALSE;
#ifdef DBUS_UNIX
{
/* UpdateActivationEnvironment is basically a recipe for privilege
* escalation so let's be extra-careful: do not allow the sysadmin
* to shoot themselves in the foot. */
unsigned long uid;
if (!dbus_connection_get_unix_user (connection, &uid))
{
bus_context_log (bus_transaction_get_context (transaction),
DBUS_SYSTEM_LOG_SECURITY,
"rejected attempt to call UpdateActivationEnvironment by "
"unknown uid");
dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
"rejected attempt to call UpdateActivationEnvironment by "
"unknown uid");
return FALSE;
}
/* On the system bus, we could in principle allow uid 0 to call
* UpdateActivationEnvironment; but they should know better anyway,
* and our default system.conf has always forbidden it */
if (!_dbus_unix_user_is_process_owner (uid))
{
bus_context_log (bus_transaction_get_context (transaction),
DBUS_SYSTEM_LOG_SECURITY,
"rejected attempt to call UpdateActivationEnvironment by uid %lu",
uid);
dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
"rejected attempt to call UpdateActivationEnvironment");
return FALSE;
}
}
#endif
activation = bus_connection_get_activation (connection); activation = bus_connection_get_activation (connection);
dbus_message_iter_init (message, &iter); dbus_message_iter_init (message, &iter);
...@@ -1965,6 +2003,38 @@ bus_driver_handle_introspect (DBusConnection *connection, ...@@ -1965,6 +2003,38 @@ bus_driver_handle_introspect (DBusConnection *connection,
return FALSE; return FALSE;
} }
/*
* Set @error and return FALSE if the message is not directed to the
* dbus-daemon by its canonical object path. This is hardening against
* system services with poorly-written security policy files, which
* might allow sending dangerously broad equivalence classes of messages
* such as "anything with this assumed-to-be-safe object path".
*
* dbus-daemon is unusual in that it normally ignores the object path
* of incoming messages; we need to keep that behaviour for the "read"
* read-only method calls like GetConnectionUnixUser for backwards
* compatibility, but it seems safer to be more restrictive for things
* intended to be root-only or privileged-developers-only.
*
* It is possible that there are other system services with the same
* quirk as dbus-daemon.
*/
dbus_bool_t
bus_driver_check_message_is_for_us (DBusMessage *message,
DBusError *error)
{
if (!dbus_message_has_path (message, DBUS_PATH_DBUS))
{
dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
"Method '%s' is only available at the canonical object path '%s'",
dbus_message_get_member (message), DBUS_PATH_DBUS);
return FALSE;
}
return TRUE;
}
dbus_bool_t dbus_bool_t
bus_driver_handle_message (DBusConnection *connection, bus_driver_handle_message (DBusConnection *connection,
BusTransaction *transaction, BusTransaction *transaction,
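Review bot: The caller check added to bus_driver_handle_update_activation_environment is compiled only under `#ifdef DBUS_UNIX`, so on other platforms the method is still guarded only by the object-path test and whatever policy is installed. If that is intentional, a one-line comment at the `#endif` saying so would stop the gap from looking like an oversight. Otherwise a matching branch could compare the caller's SID with the daemon's, as sketched below. The sketch assumes `dbus_connection_get_windows_user` and `_dbus_windows_user_is_process_owner` mirror their Unix counterparts, which should be confirmed on a Windows build. The handler's body starts and ends outside this hunk.

```c
#ifdef DBUS_UNIX
  /* … unchanged: uid lookup and process-owner check … */
#elif defined(DBUS_WIN)
  {
    char *sid = NULL;

    if (!dbus_connection_get_windows_user (connection, &sid) ||
        !_dbus_windows_user_is_process_owner (sid))
      {
        bus_context_log (bus_transaction_get_context (transaction),
                         DBUS_SYSTEM_LOG_SECURITY,
                         "rejected attempt to call UpdateActivationEnvironment");
        dbus_free (sid);
        dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
                        "rejected attempt to call UpdateActivationEnvironment");
        return FALSE;
      }

    dbus_free (sid);
  }
#endif
```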
......
...@@ -46,7 +46,7 @@ dbus_bool_t bus_driver_send_service_owner_changed (const char *service_name ...@@ -46,7 +46,7 @@ dbus_bool_t bus_driver_send_service_owner_changed (const char *service_name
BusTransaction *transaction, BusTransaction *transaction,
DBusError *error); DBusError *error);
dbus_bool_t bus_driver_generate_introspect_string (DBusString *xml); dbus_bool_t bus_driver_generate_introspect_string (DBusString *xml);
dbus_bool_t bus_driver_check_message_is_for_us (DBusMessage *message,
DBusError *error);
#endif /* BUS_DRIVER_H */ #endif /* BUS_DRIVER_H */
...@@ -29,6 +29,7 @@ ...@@ -29,6 +29,7 @@
#include <dbus/dbus-connection-internal.h> #include <dbus/dbus-connection-internal.h>
#include "connection.h" #include "connection.h"
#include "driver.h"
#include "services.h" #include "services.h"
#include "utils.h" #include "utils.h"
...@@ -49,6 +50,9 @@ bus_stats_handle_get_stats (DBusConnection *connection, ...@@ -49,6 +50,9 @@ bus_stats_handle_get_stats (DBusConnection *connection,
_DBUS_ASSERT_ERROR_IS_CLEAR (error); _DBUS_ASSERT_ERROR_IS_CLEAR (error);
if (!bus_driver_check_message_is_for_us (message, error))
return FALSE;
context = bus_transaction_get_context (transaction); context = bus_transaction_get_context (transaction);
connections = bus_context_get_connections (context); connections = bus_context_get_connections (context);
...@@ -131,6 +135,9 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection, ...@@ -131,6 +135,9 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection,
_DBUS_ASSERT_ERROR_IS_CLEAR (error); _DBUS_ASSERT_ERROR_IS_CLEAR (error);
if (!bus_driver_check_message_is_for_us (message, error))
return FALSE;
registry = bus_connection_get_registry (caller_connection); registry = bus_connection_get_registry (caller_connection);
if (! dbus_message_get_args (message, error, if (! dbus_message_get_args (message, error,
......
#! /bin/sh #! /bin/sh
# Guess values for system-dependent variables and create Makefiles. # Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for dbus 1.8.12. # Generated by GNU Autoconf 2.69 for dbus 1.8.14.
# #
# Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=dbus>. # Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=dbus>.
# #
...@@ -591,8 +591,8 @@ MAKEFLAGS= ...@@ -591,8 +591,8 @@ MAKEFLAGS=
# Identity of this package. # Identity of this package.
PACKAGE_NAME='dbus' PACKAGE_NAME='dbus'
PACKAGE_TARNAME='dbus' PACKAGE_TARNAME='dbus'
PACKAGE_VERSION='1.8.12' PACKAGE_VERSION='1.8.14'
PACKAGE_STRING='dbus 1.8.12' PACKAGE_STRING='dbus 1.8.14'
PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus' PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus'
PACKAGE_URL='' PACKAGE_URL=''
...@@ -1513,7 +1513,7 @@ if test "$ac_init_help" = "long"; then ...@@ -1513,7 +1513,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing. # Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh. # This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF cat <<_ACEOF
\`configure' configures dbus 1.8.12 to adapt to many kinds of systems. \`configure' configures dbus 1.8.14 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]... Usage: $0 [OPTION]... [VAR=VALUE]...
...@@ -1587,7 +1587,7 @@ fi ...@@ -1587,7 +1587,7 @@ fi
if test -n "$ac_init_help"; then if test -n "$ac_init_help"; then
case $ac_init_help in case $ac_init_help in
short | recursive ) echo "Configuration of dbus 1.8.12:";; short | recursive ) echo "Configuration of dbus 1.8.14:";;
esac esac
cat <<\_ACEOF cat <<\_ACEOF
...@@ -1784,7 +1784,7 @@ fi ...@@ -1784,7 +1784,7 @@ fi
test -n "$ac_init_help" && exit $ac_status test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then if $ac_init_version; then
cat <<\_ACEOF cat <<\_ACEOF
dbus configure 1.8.12 dbus configure 1.8.14
generated by GNU Autoconf 2.69 generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc. Copyright (C) 2012 Free Software Foundation, Inc.
...@@ -2503,7 +2503,7 @@ cat >config.log <<_ACEOF ...@@ -2503,7 +2503,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake. running configure, to aid debugging if configure makes a mistake.
It was created by dbus $as_me 1.8.12, which was It was created by dbus $as_me 1.8.14, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@ $ $0 $@
...@@ -3446,7 +3446,7 @@ fi ...@@ -3446,7 +3446,7 @@ fi
# Define the identity of the package. # Define the identity of the package.
PACKAGE='dbus' PACKAGE='dbus'
VERSION='1.8.12' VERSION='1.8.14'
cat >>confdefs.h <<_ACEOF cat >>confdefs.h <<_ACEOF
...@@ -3746,7 +3746,7 @@ LT_CURRENT=11 ...@@ -3746,7 +3746,7 @@ LT_CURRENT=11
## increment any time the source changes; set to ## increment any time the source changes; set to
## 0 if you increment CURRENT ## 0 if you increment CURRENT
LT_REVISION=9 LT_REVISION=10
## increment if any interfaces have been added; set to 0 ## increment if any interfaces have been added; set to 0
## if any interfaces have been changed or removed. removal has ## if any interfaces have been changed or removed. removal has
...@@ -3759,8 +3759,8 @@ LT_AGE=8 ...@@ -3759,8 +3759,8 @@ LT_AGE=8
DBUS_MAJOR_VERSION=1 DBUS_MAJOR_VERSION=1
DBUS_MINOR_VERSION=8 DBUS_MINOR_VERSION=8
DBUS_MICRO_VERSION=12 DBUS_MICRO_VERSION=14
DBUS_VERSION=1.8.12 DBUS_VERSION=1.8.14
...@@ -23428,7 +23428,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ...@@ -23428,7 +23428,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their # report actual input values of CONFIG_FILES etc. instead of their
# values after options handling. # values after options handling.
ac_log=" ac_log="
This file was extended by dbus $as_me 1.8.12, which was This file was extended by dbus $as_me 1.8.14, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES CONFIG_FILES = $CONFIG_FILES
...@@ -23494,7 +23494,7 @@ _ACEOF ...@@ -23494,7 +23494,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\ ac_cs_version="\\
dbus config.status 1.8.12 dbus config.status 1.8.14
configured by $0, generated by GNU Autoconf 2.69, configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\" with options \\"\$ac_cs_config\\"
......
...@@ -3,7 +3,7 @@ AC_PREREQ([2.63]) ...@@ -3,7 +3,7 @@ AC_PREREQ([2.63])
m4_define([dbus_major_version], [1]) m4_define([dbus_major_version], [1])
m4_define([dbus_minor_version], [8]) m4_define([dbus_minor_version], [8])
m4_define([dbus_micro_version], [12]) m4_define([dbus_micro_version], [14])
m4_define([dbus_version], m4_define([dbus_version],
[dbus_major_version.dbus_minor_version.dbus_micro_version]) [dbus_major_version.dbus_minor_version.dbus_micro_version])
AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus]) AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
...@@ -37,7 +37,7 @@ LT_CURRENT=11 ...@@ -37,7 +37,7 @@ LT_CURRENT=11
## increment any time the source changes; set to ## increment any time the source changes; set to
## 0 if you increment CURRENT ## 0 if you increment CURRENT
LT_REVISION=9 LT_REVISION=10
## increment if any interfaces have been added; set to 0 ## increment if any interfaces have been added; set to 0
## if any interfaces have been changed or removed. removal has ## if any interfaces have been changed or removed. removal has
......
...@@ -146,7 +146,7 @@ static dbus_pid_t ...@@ -146,7 +146,7 @@ static dbus_pid_t
get_pid_from_extended_tcp_table(int peer_port) get_pid_from_extended_tcp_table(int peer_port)
{ {
dbus_pid_t result; dbus_pid_t result;
DWORD errorCode, size, i; DWORD errorCode, size = 0, i;
MIB_TCPTABLE_OWNER_PID *tcp_table; MIB_TCPTABLE_OWNER_PID *tcp_table;
if ((errorCode = if ((errorCode =
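Review bot: The new `size = 0` initialiser carries no comment saying why it matters, so it looks redundant next to `errorCode` and `i`, which stay uninitialised, and could be dropped in a later cleanup. The release notes tie it to a crash in GetExtendedTcpTable on Windows Vista SP0. A comment on the declaration such as `/* must start at 0: passed to GetExtendedTcpTable as an in/out buffer size */` would record that, assuming the call uses `size` that way. That call begins on the last line of this hunk and continues outside it.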
......
...@@ -666,8 +666,8 @@ distclean-generic: ...@@ -666,8 +666,8 @@ distclean-generic:
maintainer-clean-generic: maintainer-clean-generic:
@echo "This command is intended for maintainers to use" @echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild." @echo "it deletes files that may require special tools to rebuild."
@DBUS_DOXYGEN_DOCS_ENABLED_FALSE@uninstall-local:
@DBUS_DOXYGEN_DOCS_ENABLED_FALSE@install-data-local: @DBUS_DOXYGEN_DOCS_ENABLED_FALSE@install-data-local:
@DBUS_DOXYGEN_DOCS_ENABLED_FALSE@uninstall-local:
clean: clean-am clean: clean-am
clean-am: clean-generic clean-libtool clean-local mostlyclean-am clean-am: clean-generic clean-libtool clean-local mostlyclean-am
......
...@@ -457,6 +457,91 @@ test_creds (Fixture *f, ...@@ -457,6 +457,91 @@ test_creds (Fixture *f,
#endif #endif
} }
static void
test_canonical_path_uae (Fixture *f,
gconstpointer context)
{
DBusMessage *m = dbus_message_new_method_call (DBUS_SERVICE_DBUS,
DBUS_PATH_DBUS, DBUS_INTERFACE_DBUS, "UpdateActivationEnvironment");
DBusPendingCall *pc;
DBusMessageIter args_iter;
DBusMessageIter arr_iter;
if (m == NULL)
g_error ("OOM");
dbus_message_iter_init_append (m, &args_iter);
/* Append an empty a{ss} (string => string dictionary). */
if (!dbus_message_iter_open_container (&args_iter, DBUS_TYPE_ARRAY,
"{ss}", &arr_iter) ||
!dbus_message_iter_close_container (&args_iter, &arr_iter))
g_error ("OOM");
if (!dbus_connection_send_with_reply (f->left_conn, m, &pc,
DBUS_TIMEOUT_USE_DEFAULT) ||
pc == NULL)
g_error ("OOM");
dbus_message_unref (m);
m = NULL;
if (dbus_pending_call_get_completed (pc))
pending_call_store_reply (pc, &m);
else if (!dbus_pending_call_set_notify (pc, pending_call_store_reply,
&m, NULL))
g_error ("OOM");
while (m == NULL)
test_main_context_iterate (f->ctx, TRUE);
/* it succeeds */
g_assert_cmpint (dbus_message_get_type (m), ==,
DBUS_MESSAGE_TYPE_METHOD_RETURN);
dbus_message_unref (m);
/* Now try with the wrong object path */
m = dbus_message_new_method_call (DBUS_SERVICE_DBUS,
"/com/example/Wrong", DBUS_INTERFACE_DBUS, "UpdateActivationEnvironment");
if (m == NULL)
g_error ("OOM");
dbus_message_iter_init_append (m, &args_iter);
/* Append an empty a{ss} (string => string dictionary). */
if (!dbus_message_iter_open_container (&args_iter, DBUS_TYPE_ARRAY,
"{ss}", &arr_iter) ||
!dbus_message_iter_close_container (&args_iter, &arr_iter))
g_error ("OOM");
if (!dbus_connection_send_with_reply (f->left_conn, m, &pc,
DBUS_TIMEOUT_USE_DEFAULT) ||
pc == NULL)
g_error ("OOM");
dbus_message_unref (m);
m = NULL;
if (dbus_pending_call_get_completed (pc))
pending_call_store_reply (pc, &m);
else if (!dbus_pending_call_set_notify (pc, pending_call_store_reply,
&m, NULL))
g_error ("OOM");
while (m == NULL)
test_main_context_iterate (f->ctx, TRUE);
/* it fails, yielding an error message with one string argument */
g_assert_cmpint (dbus_message_get_type (m), ==, DBUS_MESSAGE_TYPE_ERROR);
g_assert_cmpstr (dbus_message_get_error_name (m), ==,
DBUS_ERROR_ACCESS_DENIED);
g_assert_cmpstr (dbus_message_get_signature (m), ==, "s");
dbus_message_unref (m);
}
static void static void
teardown (Fixture *f, teardown (Fixture *f,
gconstpointer context G_GNUC_UNUSED) gconstpointer context G_GNUC_UNUSED)
...@@ -514,6 +599,8 @@ main (int argc, ...@@ -514,6 +599,8 @@ main (int argc,
g_test_add ("/echo/limited", Fixture, &limited_config, g_test_add ("/echo/limited", Fixture, &limited_config,
setup, test_echo, teardown); setup, test_echo, teardown);
g_test_add ("/creds", Fixture, NULL, setup, test_creds, teardown); g_test_add ("/creds", Fixture, NULL, setup, test_creds, teardown);
g_test_add ("/canonical-path/uae", Fixture, NULL,
setup, test_canonical_path_uae, teardown);
return g_test_run (); return g_test_run ();
} }
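Review bot: In test_canonical_path_uae the pending call `pc` returned by dbus_connection_send_with_reply is never released in either half of the test, so each run appears to leak two DBusPendingCall references. This holds unless pending_call_store_reply drops the reference, which is not visible in this hunk. Adding `dbus_pending_call_unref (pc);` after each `while (m == NULL)` loop would balance it. The two halves differ only in the object path and the expected reply, so a small static helper taking the path and returning the reply would remove the duplicated build/send/wait sequence. The hunk adds no wrong-path case for the Stats methods that received the same check in this commit.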