author | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2015-02-09 11:06:32 +0000 |
---|---|---|
committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2015-02-09 11:06:32 +0000 |
commit | a3c1b66b7a784280b0763ee4014c258144ae7876 (patch) | |
tree | c505c8b1633b1f83ae953769741ba1c13b0bd7ae | |
parent | 239fa2081293ed26455e98b73a6c484730b00372 (diff) | |
parent | 03c5e161752fe1ff4925955800ca9c78d09a6e0c (diff) | |
download | dbus-a3c1b66b7a784280b0763ee4014c258144ae7876.tar.gz |
Merge branch '1.8-cve-2015-0245' into cve-2015-0245
Conflicts:
NEWS
bus/system.conf.in
configure.ac
-rw-r--r-- | NEWS | 16 | ||||
-rw-r--r-- | bus/driver.c | 50 | ||||
-rw-r--r-- | bus/system.conf.in | 8 |
3 files changed, 62 insertions, 12 deletions
@@ -1,6 +1,20 @@ D-Bus 1.9.10 (UNRELEASED) == +The “sad cyborgs” release. + +Security fixes: + +• Do not allow non-uid-0 processes to send forged ActivationFailure + messages. On Linux systems with systemd activation, this would + allow a local denial of service: unprivileged processes could + flood the bus with these forged messages, winning the race with + the actual service activation and causing an error reply + to be sent back when service auto-activation was requested. + This does not prevent the real service from being started, + so it only works while the real service is not running. + (CVE-2015-0245, fd.o #88811; Simon McVittie) + Enhancements: • The new Monitoring interface in the dbus-daemon lets dbus-monitor and @@ -22,7 +36,7 @@ Enhancements: or libpcap-compatible framing treating each D-Bus message as a captured packet. (fd.o #46787, Simon) -Fixes: +Other fixes: • Fix some CMake build regressions (fd.o #88964, Ralf Habacker) diff --git a/bus/driver.c b/bus/driver.c index 30764fec..ceebb6f2 100644 --- a/bus/driver.c +++ b/bus/driver.c @@ -41,17 +41,32 @@ #include <string.h> static DBusConnection * +bus_driver_get_owner_of_name (DBusConnection *connection, + const char *name) +{ + BusRegistry *registry; + BusService *serv; + DBusString str; + + registry = bus_connection_get_registry (connection); + _dbus_string_init_const (&str, name); + serv = bus_registry_lookup (registry, &str); + + if (serv == NULL) + return NULL; + + return bus_service_get_primary_owners_connection (serv); +} + +static DBusConnection * bus_driver_get_conn_helper (DBusConnection *connection, DBusMessage *message, const char *what_we_want, const char **name_p, DBusError *error) { - const char *name; - BusRegistry *registry; - BusService *serv; - DBusString str; DBusConnection *conn; + const char *name; if (!dbus_message_get_args (message, error, DBUS_TYPE_STRING, &name, 
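Review bot: bus_driver_get_owner_of_name has no comment stating its return contract, yet the ActivationFailure check in the later `@@ -2238,8 +2248,26 @@` hunk relies on its NULL case for a security decision. It returns NULL when bus_registry_lookup finds no service, and otherwise passes through whatever bus_service_get_primary_owners_connection returns, which the old code asserted to be non-NULL (that assert is removed in the `@@ -73,9 +86,6 @@` hunk). I would add above the function `/* Returns the connection that currently owns @name, or NULL if the name has no owner. */`, and state whether a reference is taken on the returned connection, which is not visible here. The body of bus_driver_get_conn_helper continues past the end of this hunk.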
@@ -61,11 +76,9 @@ bus_driver_get_conn_helper (DBusConnection *connection, _dbus_assert (name != NULL); _dbus_verbose ("asked for %s of connection %s\n", what_we_want, name); - registry = bus_connection_get_registry (connection); - _dbus_string_init_const (&str, name); - serv = bus_registry_lookup (registry, &str); + conn = bus_driver_get_owner_of_name (connection, name); - if (serv == NULL) + if (conn == NULL) { dbus_set_error (error, DBUS_ERROR_NAME_HAS_NO_OWNER, "Could not get %s of name '%s': no such name", @@ -73,9 +86,6 @@ bus_driver_get_conn_helper (DBusConnection *connection, return NULL; } - conn = bus_service_get_primary_owners_connection (serv); - _dbus_assert (conn != NULL); - if (name_p != NULL) *name_p = name; @@ -2238,8 +2248,26 @@ bus_driver_handle_message (DBusConnection *connection, if (dbus_message_is_signal (message, "org.freedesktop.systemd1.Activator", "ActivationFailure")) { BusContext *context; + DBusConnection *systemd; context = bus_connection_get_context (connection); + systemd = bus_driver_get_owner_of_name (connection, + "org.freedesktop.systemd1"); + + if (systemd != connection) + { + const char *attacker; + + attacker = bus_connection_get_name (connection); + bus_context_log (context, DBUS_SYSTEM_LOG_SECURITY, + "Ignoring forged ActivationFailure message from " + "connection %s (%s)", + attacker ? attacker : "(unauthenticated)", + bus_connection_get_loginfo (connection)); + /* ignore it */ + return TRUE; + } + return dbus_activation_systemd_failure(bus_context_get_activation(context), message); } diff --git a/bus/system.conf.in b/bus/system.conf.in index d292451e..ac78c734 100644 --- a/bus/system.conf.in +++ b/bus/system.conf.in 
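Review bot: The rejection branch added in bus_driver_handle_message writes a DBUS_SYSTEM_LOG_SECURITY entry for every rejected message with no throttling, so a sender that reaches this path repeatedly can fill the system log; the NEWS entry describes the original problem as a flood. The deny rule added to bus/system.conf.in appears to stop non-root senders before the driver on the system bus, but that depends on the installed policy, so consider logging the first occurrence per connection and only counting the rest. The check also treats an unowned name (`systemd == NULL`) the same as a forged sender, which is the safe default; a comment such as `/* NULL (name unowned) never equals connection, so this also rejects when systemd is not on the bus */` would make that intent explicit. bus_driver_handle_message starts and ends outside this hunk.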
@@ -73,6 +73,14 @@ send_member="UpdateActivationEnvironment"/> <deny send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.DBus.Debug.Stats"/> + <deny send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.systemd1.Activator"/> + </policy> + + <!-- Only systemd, which runs as root, may report activation failures. --> + <policy user="root"> + <allow send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.systemd1.Activator"/> </policy> <!-- root may monitor the system bus. --> |
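Review bot: The new comment says only systemd may report activation failures, but the `<policy user="root">` rule admits any process running as root; the restriction to systemd itself comes from the name-owner check in bus/driver.c. I would reword the comment so that an administrator editing the policy does not take it as the whole control, for example `<!-- Any root process may send these; dbus-daemon additionally requires the sender to own org.freedesktop.systemd1. -->`. The allow rule also seems to rely on the user policy being applied after the preceding deny so that it overrides it; that ordering is inferred, because the enclosing `<policy>` element opens outside the hunk.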