orion / rpms / dbus

Forked from rpms/dbus a year ago
Clone

Blame SOURCES/dbus-1.10.24-fix-CVE-2019-12749.patch

229251
From 525c2314c56504fb232f9ec7f25cf7dda4d4a1c4 Mon Sep 17 00:00:00 2001
229251
From: Simon McVittie <smcv@collabora.com>
229251
Date: Thu, 30 May 2019 12:53:03 +0100
229251
Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server
229251
 owner
229251
229251
The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
229251
of a shared home directory by having the server write a secret "cookie"
229251
into a .dbus-keyrings subdirectory of the desired identity's home
229251
directory with 0700 permissions, and having the client prove that it can
229251
read the cookie. This never actually worked for non-malicious clients in
229251
the case where server uid != client uid (unless the server and client
229251
both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
229251
Unix uid 0) because an unprivileged server would fail to write out the
229251
cookie, and an unprivileged client would be unable to read the resulting
229251
file owned by the server.
229251
229251
Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
229251
is owned by the uid of the server (a side-effect of a check added to
229251
harden our use of XDG_RUNTIME_DIR), further ruling out successful use
229251
by a non-malicious client with a uid differing from the server's.
229251
229251
Joe Vennix of Apple Information Security discovered that the
229251
implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
229251
attack: a malicious client with write access to its own home directory
229251
could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
229251
read and write in unintended locations. In the worst case this could
229251
result in the DBusServer reusing a cookie that is known to the
229251
malicious client, and treating that cookie as evidence that a subsequent
229251
client connection came from an attacker-chosen uid, allowing
229251
authentication bypass.
229251
229251
This is mitigated by the fact that by default, the well-known system
229251
dbus-daemon (since 2003) and the well-known session dbus-daemon (in
229251
stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
229251
authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
229251
at an early stage, before manipulating cookies. As a result, this
229251
vulnerability only applies to:
229251
229251
* system or session dbus-daemons with non-standard configuration
229251
* third-party dbus-daemon invocations such as at-spi2-core (although
229251
  in practice at-spi2-core also only accepts EXTERNAL by default)
229251
* third-party uses of DBusServer such as the one in Upstart
229251
229251
Avoiding symlink attacks in a portable way is difficult, because APIs
229251
like openat() and Linux /proc/self/fd are not universally available.
229251
However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
229251
a non-matching uid, we can solve this vulnerability in an easier way
229251
without regressions, by rejecting it early (before looking at
229251
~/.dbus-keyrings) whenever the requested identity doesn't match the
229251
identity of the process hosting the DBusServer.
229251
229251
Signed-off-by: Simon McVittie <smcv@collabora.com>
229251
Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
229251
Closes: CVE-2019-12749
229251
---
229251
 dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++
229251
 1 file changed, 32 insertions(+)
229251
229251
diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
229251
index ea43ce72..c0b7b903 100644
229251
--- a/dbus/dbus-auth.c
229251
+++ b/dbus/dbus-auth.c
229251
@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth         *auth,
229251
   DBusString tmp2;
229251
   dbus_bool_t retval = FALSE;
229251
   DBusError error = DBUS_ERROR_INIT;
229251
+  DBusCredentials *myself = NULL;
229251
 
229251
   _dbus_string_set_length (&auth->challenge, 0);
229251
   
229251
@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth         *auth,
229251
       return FALSE;
229251
     }
229251
 
229251
+  myself = _dbus_credentials_new_from_current_process ();
229251
+
229251
+  if (myself == NULL)
229251
+    goto out;
229251
+
229251
+  if (!_dbus_credentials_same_user (myself, auth->desired_identity))
229251
+    {
229251
+      /*
229251
+       * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
229251
+       * client is anyone other than the user owning the process
229251
+       * containing the DBusServer: we probably aren't allowed to write
229251
+       * to other users' home directories. Even if we can (for example
229251
+       * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
229251
+       * must not, because the other user controls their home directory,
229251
+       * and could carry out symlink attacks to make us read from or
229251
+       * write to unintended locations. It's difficult to avoid symlink
229251
+       * attacks in a portable way, so we just don't try. This isn't a
229251
+       * regression, because DBUS_COOKIE_SHA1 never worked for other
229251
+       * users anyway.
229251
+       */
229251
+      _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
229251
+                     "but that doesn't match this process",
229251
+                     DBUS_AUTH_NAME (auth),
229251
+                     _dbus_string_get_const_data (data));
229251
+      retval = send_rejected (auth);
229251
+      goto out;
229251
+    }
229251
+
229251
   /* we cache the keyring for speed, so here we drop it if it's the
229251
    * wrong one. FIXME caching the keyring here is useless since we use
229251
    * a different DBusAuth for every connection.
229251
@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth         *auth,
229251
   _dbus_string_zero (&tmp2);
229251
   _dbus_string_free (&tmp2);
229251
 
229251
+  if (myself != NULL)
229251
+    _dbus_credentials_unref (myself);
229251
+
229251
   return retval;
229251
 }
229251
 
229251
-- 
229251
2.21.0
229251