authorSimon McVittie <smcv@debian.org>2014-11-24 13:54:26 +0000
committerSimon McVittie <smcv@debian.org>2014-11-24 13:54:26 +0000
commit5b8714c837fd227da4cd89f6a0cf0e2ffad38169 (patch)
treef0be2f33da3ed06ef2b71911cb9a916ade54e702
parentbdc38fe6532402c9c6b879af3af113e360fb16ca (diff)
Fix regression introduced in 1.6.8-1+deb7u4 (Closes: #769069)debian/1.6.8-1+deb7u5
-rw-r--r--debian/changelog12
-rw-r--r--debian/dbus.README.Debian32
-rw-r--r--debian/patches/0001-Log-to-syslog-when-auth_timeout-drops-an-incomplete-.patch36
-rw-r--r--debian/patches/0002-Revert-config-change-default-auth_timeout-to-5-secon.patch51
-rw-r--r--debian/patches/series3
5 files changed, 131 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog
index dceb9e4b..de42e2ba 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-dbus (1.6.8-1+deb7u5) wheezy; urgency=medium
+dbus (1.6.8-1+deb7u5) wheezy-security; urgency=high
* Fix CVE-2014-7824:
- Start 'dbus-daemon --system' as root under sysvinit (it already
@@ -6,8 +6,14 @@ dbus (1.6.8-1+deb7u5) wheezy; urgency=medium
descriptor limit
- Add patch from upstream to increase dbus-daemon's file descriptor
limit to 65536, completing the incomplete fix for CVE-2014-3636
-
- -- Simon McVittie <smcv@debian.org> Thu, 06 Nov 2014 16:31:34 +0000
+ * Fix regression introduced in 1.6.8-1+deb7u4 (Closes: #769069):
+ - Add patch from upstream to restore auth_timeout to its previous value,
+ since the shorter value causes boot failures on some systems
+ - Add README.Debian to dbus package, documenting how sysadmins with
+ hostile local users, and systems where boot succeeds with the shorter
+ value, can get the shorter value back
+
+ -- Simon McVittie <smcv@debian.org> Mon, 24 Nov 2014 13:49:52 +0000
dbus (1.6.8-1+deb7u4) wheezy-security; urgency=high
diff --git a/debian/dbus.README.Debian b/debian/dbus.README.Debian
new file mode 100644
index 00000000..60b7df4e
--- /dev/null
+++ b/debian/dbus.README.Debian
@@ -0,0 +1,32 @@
+Adjusting limits to mitigate denial of service
+==============================================
+
+'dbus-daemon --system' has several arbitrary limits which are a trade-off
+between working correctly when not under attack, and preventing local
+denial of service attacks. System administrators with particularly hostile
+local users should review these limits and tune them if necessary.
+
+In particular, the fix for CVE-2014-3639 in dbus-1.8.8 makes it difficult
+for local users to prevent connections completely, but they can still
+introduce a delay which increases with larger authentication timeout
+(auth_timeout) values, by opening many parallel connections from
+different processes and never completing the authentication handshake.
+As a result, dbus 1.8.8 also reduced the auth_timeout from 30 seconds
+to 5 seconds to mitigate this delay. However, this change resulted in
+boot failures on some systems because systemd could not authenticate
+sufficiently quickly while the system was busy, and was reverted in 1.8.12.
+
+On fast systems with hostile local users, administrators can reduce this
+delay by returning to the 5 second timeout (or any other value in
+milliseconds), by saving this as /etc/dbus-1/system-local.conf or a file
+matching /etc/dbus-1/system.d/*.conf:
+
+ <busconfig>
+ <limit name="auth_timeout">5000</limit>
+ </busconfig>
+
+If applying this change, please reboot several times and check the
+syslog or Journal for messages containing "Connection has not authenticated
+soon enough, closing it". Seeing that message while not subject to a
+denial-of-service attack indicates that the auth_timeout has been set
+too short.
diff --git a/debian/patches/0001-Log-to-syslog-when-auth_timeout-drops-an-incomplete-.patch b/debian/patches/0001-Log-to-syslog-when-auth_timeout-drops-an-incomplete-.patch
new file mode 100644
index 00000000..b2ae5e6e
--- /dev/null
+++ b/debian/patches/0001-Log-to-syslog-when-auth_timeout-drops-an-incomplete-.patch
@@ -0,0 +1,36 @@
+From 39f4b36ba546818a7dc00bfdcde9b21bb8abcaac Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Date: Tue, 18 Nov 2014 12:01:44 +0000
+Subject: [PATCH 1/2] Log to syslog when auth_timeout drops an incomplete
+ connection
+
+This is a symptom of either a denial of service attack, or a
+serious performance problem. Either way, sysadmins should know.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431
+---
+ bus/connection.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/bus/connection.c b/bus/connection.c
+index f9cc22d..920d454 100644
+--- a/bus/connection.c
++++ b/bus/connection.c
+@@ -860,6 +860,14 @@ bus_connections_expire_incomplete (BusConnections *connections)
+
+ if (elapsed >= (double) auth_timeout)
+ {
++ /* Unfortunately, we can't identify the connection: it doesn't
++ * have a unique name yet, we don't know its uid/pid yet,
++ * and so on. */
++ bus_context_log (connections->context, DBUS_SYSTEM_LOG_INFO,
++ "Connection has not authenticated soon enough, closing it "
++ "(auth_timeout=%dms, elapsed: %.0fms)",
++ auth_timeout, elapsed);
++
+ _dbus_verbose ("Timing out authentication for connection %p\n", connection);
+ dbus_connection_close (connection);
+ }
+--
+2.1.3
+
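Review bot: The new bus_context_log call in the patched hunk of bus/connection.c emits one syslog line per expired connection with no rate limiting, so the very scenario it is meant to surface (a local user holding many parallel unauthenticated connections, as the README describes) also lets that user control the volume written to syslog every auth_timeout interval. That may be acceptable if the system logger applies its own rate limiting, but the trade-off is not recorded in the code; a comment above the call such as `/* Logged once per expired connection: noisy under a local DoS by design, so operators can see it; no rate limiting here. */` would make it explicit for whoever next tunes auth_timeout. The message text matches the string the README tells administrators to grep for, so any later rewording must change both places. bus_connections_expire_incomplete starts before and continues after this hunk.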
diff --git a/debian/patches/0002-Revert-config-change-default-auth_timeout-to-5-secon.patch b/debian/patches/0002-Revert-config-change-default-auth_timeout-to-5-secon.patch
new file mode 100644
index 00000000..77ffe3d3
--- /dev/null
+++ b/debian/patches/0002-Revert-config-change-default-auth_timeout-to-5-secon.patch
@@ -0,0 +1,51 @@
+From d1ab5857287430766837c63643d143ba434160b2 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Date: Tue, 18 Nov 2014 17:34:11 +0000
+Subject: [PATCH 2/2] Revert "config: change default auth_timeout to 5 seconds"
+
+This reverts commit 54d26df52b6a394bea175651d1d7ad2ab3f87dea.
+
+It appears this change may cause intermittent slow or failed boot,
+more commonly on slower/older machines, in at least Mageia and
+possibly also Debian. This would indicate that while the system
+is under load, system services are not completing authentication
+within 5 seconds.
+
+This change was not the main part of fixing CVE-2014-3639, but does
+help to mitigate that attack. As such, increasing this timeout makes
+the denial of service attack described by CVE-2014-3639 somewhat
+more effective: a local user connecting to the system bus repeatedly
+from many parallel processes can cause other users' attempts to
+connect to take longer.
+
+If your machine boots reliably with the shorter timeout, and
+resilience against local denial of service attacks is important
+to you, putting this in /etc/dbus-1/system-local.conf
+or a file matching /etc/dbus-1/system.d/*.conf can restore
+the lower limit:
+
+ <busconfig>
+ <limit name="auth_timeout">5000</limit>
+ </busconfig>
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431
+---
+ bus/config-parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bus/config-parser.c b/bus/config-parser.c
+index 897667e..488cb70 100644
+--- a/bus/config-parser.c
++++ b/bus/config-parser.c
+@@ -427,7 +427,7 @@ bus_config_parser_new (const DBusString *basedir,
+ * and legitimate auth will fail. If interactive auth (ask user for
+ * password) is allowed, then potentially it has to be quite long.
+ */
+- parser->limits.auth_timeout = 5000; /* 5 seconds */
++ parser->limits.auth_timeout = 30000; /* 30 seconds */
+
+ /* Do not allow a fd to stay forever in dbus-daemon
+ * https://bugs.freedesktop.org/show_bug.cgi?id=80559
+--
+2.1.3
+
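Review bot: The restored default in bus/config-parser.c carries only the trailing `/* 30 seconds */`, so a reader of the code sees neither why the value went back up nor that it weakens the mitigation for CVE-2014-3639; that reasoning lives only in this patch's commit message and the README. A short code comment would keep it with the value, e.g. `/* 30 seconds: the 5 s default caused boot failures under load (fdo#86431); shorter values help against the CVE-2014-3639 DoS but must be set per-system via a limit element. */`. The surrounding comment block that starts above the hunk ("and legitimate auth will fail ...") is cut at the hunk boundary, so the new sentence should be checked against it to avoid restating the same point twice. bus_config_parser_new starts and ends outside the hunk.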
diff --git a/debian/patches/series b/debian/patches/series
index 553c25b1..187f56e2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,6 @@ If-loader-contains-two-messages-with-fds-don-t-corru.patch
0010-_dbus_read_socket_with_unix_fds-do-not-accept-extra-.patch
0001-CVE-2014-7824-set-fd-rlimit-to-64k-for-the-system-db.patch
+
+0001-Log-to-syslog-when-auth_timeout-drops-an-incomplete-.patch
+0002-Revert-config-change-default-auth_timeout-to-5-secon.patch