From patchwork Sat Jun 15 11:57:53 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marius Bakke X-Patchwork-Id: 14328 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id A3E15170B8; Sat, 15 Jun 2019 13:14:11 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM, T_DKIM_INVALID,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTP id 93510170A5 for ; Sat, 15 Jun 2019 13:14:09 +0100 (BST) Received: from localhost ([::1]:60340 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hc7ZP-0000hh-Ro for patchwork@mira.cbaines.net; Sat, 15 Jun 2019 08:14:07 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:58827) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hc7ZM-0000hE-Gc for guix-patches@gnu.org; Sat, 15 Jun 2019 08:14:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hc7ZK-0001ai-Pm for guix-patches@gnu.org; Sat, 15 Jun 2019 08:14:04 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:53131) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1hc7ZK-0001aS-Gw for guix-patches@gnu.org; Sat, 15 Jun 2019 08:14:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1hc7ZK-00047K-CQ for guix-patches@gnu.org; Sat, 15 Jun 2019 08:14:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#36224] [PATCH] gnu: dbus: Fix CVE-2019-12749. Resent-From: Marius Bakke Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sat, 15 Jun 2019 12:14:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 36224 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 36224@debbugs.gnu.org X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.156060078915744 (code B ref -1); Sat, 15 Jun 2019 12:14:02 +0000 Received: (at submit) by debbugs.gnu.org; 15 Jun 2019 12:13:09 +0000 Received: from localhost ([127.0.0.1]:38438 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hc7YL-00045E-Vv for submit@debbugs.gnu.org; Sat, 15 Jun 2019 08:13:09 -0400 Received: from lists.gnu.org ([209.51.188.17]:45046) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hc7YJ-00044t-NC for submit@debbugs.gnu.org; Sat, 15 Jun 2019 08:13:00 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:58409) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hc7YH-0000I9-Qu for guix-patches@gnu.org; Sat, 15 Jun 2019 08:12:59 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hc7Jm-0001Y2-Dp for guix-patches@gnu.org; Sat, 15 Jun 2019 07:58:00 -0400 Received: from out5-smtp.messagingengine.com ([66.111.4.29]:40099) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1hc7Jm-0001U9-2I for guix-patches@gnu.org; Sat, 15 Jun 2019 07:57:58 -0400 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id B2D0921CDA for ; Sat, 15 Jun 2019 07:57:55 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Sat, 15 Jun 2019 07:57:55 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h= from:to:subject:date:message-id:mime-version :content-transfer-encoding; s=fm3; bh=P6iawFFHHYgE/+I7Y/lTvX3clk usSimpyasEzY7hixE=; b=x2sMCru1hFNALawX1TmNNITC2XJdYb/GfHXqHy6tjE zJvtlE/JD+1JNICA9tzBIKfLJ4eHRvJttpwnS7KrrAH1Fj+xGsrcLGWgHFm5R0Eq u1jVtWT4dJoMEBhfyPWtmLm2MriDONJxLTX0ZlUbneHN6D7HMqrMStmwTGN6Z/jb Q/grwiA+wlJdIsVFW38EbcRqiOLruAy6UT1KUsx3O2Gr8kXf0cXReqyTyqya+nbc veJ8+tAfSNCkYNLxB+Vmj19KnTimldh3R5Fo8stms9x4lFdRuHI04zjYY9EV+UD9 wiDP1yMJhFeyPPQtF24g4fZ6KHtWKSV1hDqkNi9a+8aA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:date:from :message-id:mime-version:subject:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=P6iawFFHHYgE/+I7Y /lTvX3clkusSimpyasEzY7hixE=; b=SKhGpS/l5iuXAyp9fDqMq3Ux839OyL0jJ UDf93dbM/YxKsb4HeEGgSZ9aAo2Y3K9ocTJwoSbQkmUs75pop8sYmXyENmdjrm/J sis7XJObEk09Un2pYjoVMGAg7iaykhQzs87o/fqCX2lcPDwezIZUjOQaezyP0wzN 7MEUzqNk/3Z8iCXkn1gBJC9wxPRwawrgfGVB6PK3ZqmnpLgVAksi33Og5jW7Ru92 TsPn++Zj9sY6JJZfTfdIrXBTDuL7pDatokzN8y86rkvPbnGWe+Th2P6gAmafaV9/ P0LmnQ39xqaSYZKDznKTFRnkOVN47AU2FcLhKLg0+UioQ6TZopIwA== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddrudeifedggeeiucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefhvffufffkofgggfestdekredtre dttdenucfhrhhomhepofgrrhhiuhhsuceurghkkhgvuceomhgsrghkkhgvsehfrghsthhm rghilhdrtghomheqnecuffhomhgrihhnpehfrhgvvgguvghskhhtohhprdhorhhgnecukf hppeeivddrudeirddvvdeirddugedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmsggr khhkvgesfhgrshhtmhgrihhlrdgtohhmnecuvehluhhsthgvrhfuihiivgeptd X-ME-Proxy: Received: from localhost (140.226.16.62.customer.cdi.no [62.16.226.140]) by mail.messagingengine.com (Postfix) with ESMTPA id A56AC380084 for ; Sat, 15 Jun 2019 07:57:54 -0400 (EDT) From: Marius Bakke Date: Sat, 15 Jun 2019 13:57:53 +0200 Message-Id: <20190615115753.31197-1-mbakke@fastmail.com> X-Mailer: git-send-email 2.22.0 MIME-Version: 1.0 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.51.188.43 X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" X-getmail-retrieved-from-mailbox: Patches * gnu/packages/patches/dbus-CVE-2019-12749.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/glib.scm (dbus)[replacement]: New field. (dbus/fixed): New variable. --- gnu/local.mk | 1 + gnu/packages/glib.scm | 9 ++ .../patches/dbus-CVE-2019-12749.patch | 116 ++++++++++++++++++ 3 files changed, 126 insertions(+) create mode 100644 gnu/packages/patches/dbus-CVE-2019-12749.patch diff --git a/gnu/local.mk b/gnu/local.mk index 5b6dd31b11..f4331f8a95 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -740,6 +740,7 @@ dist_patch_DATA = \ %D%/packages/patches/cursynth-wave-rand.patch \ %D%/packages/patches/cvs-2017-12836.patch \ %D%/packages/patches/dbus-helper-search-path.patch \ + %D%/packages/patches/dbus-CVE-2019-12749.patch \ %D%/packages/patches/dealii-mpi-deprecations.patch \ %D%/packages/patches/deja-dup-use-ref-keyword-for-iter.patch \ %D%/packages/patches/dfu-programmer-fix-libusb.patch \ diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm index 7af7c86853..d75b963794 100644 --- a/gnu/packages/glib.scm +++ b/gnu/packages/glib.scm @@ -80,6 +80,7 @@ (package (name "dbus") (version "1.12.12") + (replacement dbus/fixed) (source (origin (method url-fetch) (uri (string-append @@ -146,6 +147,14 @@ or through unencrypted TCP/IP suitable for use behind a firewall with shared NFS home directories.") (license license:gpl2+))) ; or Academic Free License 2.1 +(define dbus/fixed + (package + (inherit dbus) + (source (origin + (inherit (package-source dbus)) + (patches (append (search-patches "dbus-CVE-2019-12749.patch") + (origin-patches (package-source dbus)))))))) + (define glib (package (name "glib") diff --git a/gnu/packages/patches/dbus-CVE-2019-12749.patch b/gnu/packages/patches/dbus-CVE-2019-12749.patch new file mode 100644 index 0000000000..12106f4589 --- /dev/null +++ b/gnu/packages/patches/dbus-CVE-2019-12749.patch @@ -0,0 +1,116 @@ +From 47b1a4c41004bf494b87370987b222c934b19016 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Thu, 30 May 2019 12:53:03 +0100 +Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server + owner + +The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership +of a shared home directory by having the server write a secret "cookie" +into a .dbus-keyrings subdirectory of the desired identity's home +directory with 0700 permissions, and having the client prove that it can +read the cookie. This never actually worked for non-malicious clients in +the case where server uid != client uid (unless the server and client +both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional +Unix uid 0) because an unprivileged server would fail to write out the +cookie, and an unprivileged client would be unable to read the resulting +file owned by the server. + +Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings +is owned by the uid of the server (a side-effect of a check added to +harden our use of XDG_RUNTIME_DIR), further ruling out successful use +by a non-malicious client with a uid differing from the server's. + +Joe Vennix of Apple Information Security discovered that the +implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link +attack: a malicious client with write access to its own home directory +could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to +read and write in unintended locations. In the worst case this could +result in the DBusServer reusing a cookie that is known to the +malicious client, and treating that cookie as evidence that a subsequent +client connection came from an attacker-chosen uid, allowing +authentication bypass. + +This is mitigated by the fact that by default, the well-known system +dbus-daemon (since 2003) and the well-known session dbus-daemon (in +stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL +authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1 +at an early stage, before manipulating cookies. As a result, this +vulnerability only applies to: + +* system or session dbus-daemons with non-standard configuration +* third-party dbus-daemon invocations such as at-spi2-core (although + in practice at-spi2-core also only accepts EXTERNAL by default) +* third-party uses of DBusServer such as the one in Upstart + +Avoiding symlink attacks in a portable way is difficult, because APIs +like openat() and Linux /proc/self/fd are not universally available. +However, because DBUS_COOKIE_SHA1 already doesn't work in practice for +a non-matching uid, we can solve this vulnerability in an easier way +without regressions, by rejecting it early (before looking at +~/.dbus-keyrings) whenever the requested identity doesn't match the +identity of the process hosting the DBusServer. + +Signed-off-by: Simon McVittie +Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269 +Closes: CVE-2019-12749 +--- + dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c +index 37d8d4c9..7390a9d5 100644 +--- a/dbus/dbus-auth.c ++++ b/dbus/dbus-auth.c +@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth *auth, + DBusString tmp2; + dbus_bool_t retval = FALSE; + DBusError error = DBUS_ERROR_INIT; ++ DBusCredentials *myself = NULL; + + _dbus_string_set_length (&auth->challenge, 0); + +@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth *auth, + return FALSE; + } + ++ myself = _dbus_credentials_new_from_current_process (); ++ ++ if (myself == NULL) ++ goto out; ++ ++ if (!_dbus_credentials_same_user (myself, auth->desired_identity)) ++ { ++ /* ++ * DBUS_COOKIE_SHA1 is not suitable for authenticating that the ++ * client is anyone other than the user owning the process ++ * containing the DBusServer: we probably aren't allowed to write ++ * to other users' home directories. Even if we can (for example ++ * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we ++ * must not, because the other user controls their home directory, ++ * and could carry out symlink attacks to make us read from or ++ * write to unintended locations. It's difficult to avoid symlink ++ * attacks in a portable way, so we just don't try. This isn't a ++ * regression, because DBUS_COOKIE_SHA1 never worked for other ++ * users anyway. ++ */ ++ _dbus_verbose ("%s: client tried to authenticate as \"%s\", " ++ "but that doesn't match this process", ++ DBUS_AUTH_NAME (auth), ++ _dbus_string_get_const_data (data)); ++ retval = send_rejected (auth); ++ goto out; ++ } ++ + /* we cache the keyring for speed, so here we drop it if it's the + * wrong one. FIXME caching the keyring here is useless since we use + * a different DBusAuth for every connection. +@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth *auth, + _dbus_string_zero (&tmp2); + _dbus_string_free (&tmp2); + ++ if (myself != NULL) ++ _dbus_credentials_unref (myself); ++ + return retval; + } +