From: Joshua Lock <joshua.lock@collabora.co.uk>
To: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure
Date: Fri, 26 Jun 2015 15:30:11 +0100 [thread overview]
Message-ID: <1435329011.3376.6.camel@collabora.co.uk> (raw)
In-Reply-To: <0c6156d62bf9efb1b6982987a67049ce25410ee0.1435174534.git.jussi.kukkonen@intel.com>
On Wed, 2015-06-24 at 23:06 +0300, Jussi Kukkonen wrote:
> Fix CVE-2015-0245 by preventing non-root and non-systemd processes
> from fooling the dbus daemon into thinking systemd service activation
> failed.
Thanks Jussi,
This is queued in my fido-next branch[1].
Regards,
Joshua
1. http://cgit.openembedded.org/openembedded-core
-contrib/log/?h=joshuagl/fido-next
> Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
> ---
> meta/recipes-core/dbus/dbus.inc | 1 +
> ...015-0245-prevent-forged-ActivationFailure.patch | 48
> ++++++++++++++++++++++
> 2 files changed, 49 insertions(+)
> create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent
> -forged-ActivationFailure.patch
>
> diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes
> -core/dbus/dbus.inc
> index fb5d017..f1744c8 100644
> --- a/meta/recipes-core/dbus/dbus.inc
> +++ b/meta/recipes-core/dbus/dbus.inc
> @@ -17,6 +17,7 @@ SRC_URI = "
> http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
> file://dbus-1.init \
> file://os-test.patch \
> file://clear-guid_from_server-if
> -send_negotiate_unix_f.patch \
> + file://CVE-2015-0245-prevent-forged
> -ActivationFailure.patch \
> "
>
> inherit useradd autotools pkgconfig gettext update-rc.d
> diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged
> -ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245
> -prevent-forged-ActivationFailure.patch
> new file mode 100644
> index 0000000..59363b3
> --- /dev/null
> +++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged
> -ActivationFailure.patch
> @@ -0,0 +1,48 @@
> +CVE-2015-0245: prevent forged ActivationFailure from non-root
> processes
> +
> +Upstream has fixed this in code but suggests using this as a easily
> +backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811
> +
> +Upstream-Status: Inappropriate
> +Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
> +
> +
> +
> +From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00
> 2001
> +From: Simon McVittie <simon.mcvittie@collabora.co.uk>
> +Date: Mon, 26 Jan 2015 20:09:56 +0000
> +Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure
> from
> + non-root processes
> +
> +Without either this rule or better checking in dbus-daemon, non
> -systemd
> +processes can make dbus-daemon think systemd failed to activate a
> system
> +service, resulting in an error reply back to the requester.
> +
> +This is redundant with the fix in the C code (which I consider to be
> +the real solution), but is likely to be easier to backport.
> +---
> + bus/system.conf.in | 8 ++++++++
> + 1 file changed, 8 insertions(+)
> +
> +diff --git a/bus/system.conf.in b/bus/system.conf.in
> +index 92f4cc4..851b9e6 100644
> +--- a/bus/system.conf.in
> ++++ b/bus/system.conf.in
> +@@ -68,6 +68,14 @@
> + <deny send_destination="org.freedesktop.DBus"
> + send_interface="org.freedesktop.DBus"
> + send_member="UpdateActivationEnvironment"/>
> ++ <deny send_destination="org.freedesktop.DBus"
> ++ send_interface="org.freedesktop.systemd1.Activator"/>
> ++ </policy>
> ++
> ++ <!-- Only systemd, which runs as root, may report activation
> failures. -->
> ++ <policy user="root">
> ++ <allow send_destination="org.freedesktop.DBus"
> ++ send_interface="org.freedesktop.systemd1.Activator"/>
> + </policy>
> +
> + <!-- Config files are placed here that among other things, punch
> +--
> +2.1.4
> +
next prev parent reply other threads:[~2015-06-26 14:30 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-24 20:04 [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 Jussi Kukkonen
2015-06-24 20:06 ` [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure Jussi Kukkonen
2015-06-26 14:30 ` Joshua Lock [this message]
2015-06-28 13:24 ` [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 akuster808
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1435329011.3376.6.camel@collabora.co.uk \
--to=joshua.lock@collabora.co.uk \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox