author | Simon McVittie <smcv@debian.org> | 2015-02-05 16:00:29 +0000 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2015-02-05 16:00:29 +0000 |
commit | 5fef4c8cfef683e1905e05325f5127a54bc0cad0 (patch) | |
tree | dd0e09b19bcd125fb00a4da63f67d11c78a45dc0 | |
parent | 5b8714c837fd227da4cd89f6a0cf0e2ffad38169 (diff) | |
Add patch for system.conf to fix a local denial of service when using systemd activation (CVE-2015-0245)debian/1.6.8-1+deb7u6
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/patches/0001-CVE-2015-0245-prevent-forged-ActivationFailure-from-.patch | 43 | ||||
-rw-r--r-- | debian/patches/series | 2 |
3 files changed, 52 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index de42e2ba..6ee2009d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+dbus (1.6.8-1+deb7u6) wheezy-security; urgency=high
+
+ * Add patch for system.conf to fix a local denial of service when
+ using systemd activation (CVE-2015-0245)
+
+ -- Simon McVittie <smcv@debian.org> Thu, 05 Feb 2015 15:58:36 +0000
+
 dbus (1.6.8-1+deb7u5) wheezy-security; urgency=high
 
 * Fix CVE-2014-7824:
diff --git a/debian/patches/0001-CVE-2015-0245-prevent-forged-ActivationFailure-from-.patch b/debian/patches/0001-CVE-2015-0245-prevent-forged-ActivationFailure-from-.patch
new file mode 100644
index 00000000..062d1438
--- /dev/null
+++ b/debian/patches/0001-CVE-2015-0245-prevent-forged-ActivationFailure-from-.patch
@@ -0,0 +1,43 @@
+From f9697e04f1c9871cb54a99f087e97e4bb9e41e06 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Date: Mon, 26 Jan 2015 20:09:56 +0000
+Subject: [PATCH] CVE-2015-0245: prevent forged ActivationFailure from non-root
+ processes
+
+Without either this rule or better checking in dbus-daemon, non-systemd
+processes can make dbus-daemon think systemd failed to activate a system
+service, resulting in an error reply back to the requester.
+
+This is redundant with the fix in the C code (which I consider to be
+the real solution), but is likely to be easier to backport.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88811
+Reviewed-by: Alban Crequy
+Reviewed-by: David King
+Reviewed-by: Philip Withnall
+---
+ bus/system.conf.in | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/bus/system.conf.in b/bus/system.conf.in
+index 92f4cc4..851b9e6 100644
+--- a/bus/system.conf.in
++++ b/bus/system.conf.in
+@@ -68,6 +68,14 @@
+ <deny send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.DBus"
+ send_member="UpdateActivationEnvironment"/>
++ <deny send_destination="org.freedesktop.DBus"
++ send_interface="org.freedesktop.systemd1.Activator"/>
++ </policy>
++
++ <!-- Only systemd, which runs as root, may report activation failures. -->
++ <policy user="root">
++ <allow send_destination="org.freedesktop.DBus"
++ send_interface="org.freedesktop.systemd1.Activator"/>
+ </policy>
+
+ <!-- Config files are placed here that among other things, punch
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 187f56e2..bb19ddd4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -18,3 +18,5 @@ If-loader-contains-two-messages-with-fds-don-t-corru.patch
 0001-Log-to-syslog-when-auth_timeout-drops-an-incomplete-.patch
 0002-Revert-config-change-default-auth_timeout-to-5-secon.patch
+
+0001-CVE-2015-0245-prevent-forged-ActivationFailure-from-.patch |
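Review bot: The new `<deny>`/`<allow>` pair on `org.freedesktop.systemd1.Activator` is the only mitigation this upload carries, even though the patch header itself calls the rule redundant with a fix in the C code that the author considers the real solution, and the diffstat shows no daemon-side patch is added alongside it. A policy-only fix holds just where the installed system.conf is the one shipped here and nothing in the include directory referred to by the trailing context line (`Config files are placed here that among other things, punch`) re-allows that interface for non-root senders; if system.conf is installed as a dpkg conffile under /etc, a locally modified copy may also keep the old policy after the upgrade. Consider backporting the upstream daemon-side check as a second patch, or failing that, recording the limitation in the changelog entry, e.g. `effective only with the shipped system.conf; the daemon-side check is not included`.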