[OE-core] [PATCH 20/25] dbus: CVE-2015-0245: prevent forged ActivationFailure
Armin Kuster
akuster808 at gmail.com
Sat Jul 18 15:16:27 UTC 2015
From: Jussi Kukkonen <jussi.kukkonen at intel.com>
Fix CVE-2015-0245 by preventing non-root and non-systemd processes
from fooling the dbus daemon into thinking systemd service activation
failed.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen at intel.com>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
meta/recipes-core/dbus/dbus.inc | 1 +
...015-0245-prevent-forged-ActivationFailure.patch | 48 ++++++++++++++++++++++
2 files changed, 49 insertions(+)
create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
index d38ba7e..971eabf 100644
--- a/meta/recipes-core/dbus/dbus.inc
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -17,6 +17,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
file://dbus-1.init \
file://os-test.patch \
file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+ file://CVE-2015-0245-prevent-forged-ActivationFailure.patch \
"
inherit useradd autotools pkgconfig gettext update-rc.d
diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
new file mode 100644
index 0000000..59363b3
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
@@ -0,0 +1,48 @@
+CVE-2015-0245: prevent forged ActivationFailure from non-root processes
+
+Upstream has fixed this in code but suggests using this as a easily
+backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811
+
+Upstream-Status: Inappropriate
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen at intel.com>
+
+
+
+From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie at collabora.co.uk>
+Date: Mon, 26 Jan 2015 20:09:56 +0000
+Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure from
+ non-root processes
+
+Without either this rule or better checking in dbus-daemon, non-systemd
+processes can make dbus-daemon think systemd failed to activate a system
+service, resulting in an error reply back to the requester.
+
+This is redundant with the fix in the C code (which I consider to be
+the real solution), but is likely to be easier to backport.
+---
+ bus/system.conf.in | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/bus/system.conf.in b/bus/system.conf.in
+index 92f4cc4..851b9e6 100644
+--- a/bus/system.conf.in
++++ b/bus/system.conf.in
+@@ -68,6 +68,14 @@
+ <deny send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.DBus"
+ send_member="UpdateActivationEnvironment"/>
++ <deny send_destination="org.freedesktop.DBus"
++ send_interface="org.freedesktop.systemd1.Activator"/>
++ </policy>
++
++ <!-- Only systemd, which runs as root, may report activation failures. -->
++ <policy user="root">
++ <allow send_destination="org.freedesktop.DBus"
++ send_interface="org.freedesktop.systemd1.Activator"/>
+ </policy>
+
+ <!-- Config files are placed here that among other things, punch
+--
+2.1.4
+
--
1.9.1
More information about the Openembedded-core
mailing list