[OE-core] [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure
Joshua Lock
joshua.lock at collabora.co.uk
Fri Jun 26 14:30:11 UTC 2015
On Wed, 2015-06-24 at 23:06 +0300, Jussi Kukkonen wrote:
> Fix CVE-2015-0245 by preventing non-root and non-systemd processes
> from fooling the dbus daemon into thinking systemd service activation
> failed.
Thanks Jussi,
This is queued in my fido-next branch[1].
Regards,
Joshua
1. http://cgit.openembedded.org/openembedded-core
-contrib/log/?h=joshuagl/fido-next
> Signed-off-by: Jussi Kukkonen <jussi.kukkonen at intel.com>
> ---
> meta/recipes-core/dbus/dbus.inc | 1 +
> ...015-0245-prevent-forged-ActivationFailure.patch | 48
> ++++++++++++++++++++++
> 2 files changed, 49 insertions(+)
> create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent
> -forged-ActivationFailure.patch
>
> diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes
> -core/dbus/dbus.inc
> index fb5d017..f1744c8 100644
> --- a/meta/recipes-core/dbus/dbus.inc
> +++ b/meta/recipes-core/dbus/dbus.inc
> @@ -17,6 +17,7 @@ SRC_URI = "
> http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
> file://dbus-1.init \
> file://os-test.patch \
> file://clear-guid_from_server-if
> -send_negotiate_unix_f.patch \
> + file://CVE-2015-0245-prevent-forged
> -ActivationFailure.patch \
> "
>
> inherit useradd autotools pkgconfig gettext update-rc.d
> diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged
> -ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245
> -prevent-forged-ActivationFailure.patch
> new file mode 100644
> index 0000000..59363b3
> --- /dev/null
> +++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged
> -ActivationFailure.patch
> @@ -0,0 +1,48 @@
> +CVE-2015-0245: prevent forged ActivationFailure from non-root
> processes
> +
> +Upstream has fixed this in code but suggests using this as a easily
> +backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811
> +
> +Upstream-Status: Inappropriate
> +Signed-off-by: Jussi Kukkonen <jussi.kukkonen at intel.com>
> +
> +
> +
> +From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00
> 2001
> +From: Simon McVittie <simon.mcvittie at collabora.co.uk>
> +Date: Mon, 26 Jan 2015 20:09:56 +0000
> +Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure
> from
> + non-root processes
> +
> +Without either this rule or better checking in dbus-daemon, non
> -systemd
> +processes can make dbus-daemon think systemd failed to activate a
> system
> +service, resulting in an error reply back to the requester.
> +
> +This is redundant with the fix in the C code (which I consider to be
> +the real solution), but is likely to be easier to backport.
> +---
> + bus/system.conf.in | 8 ++++++++
> + 1 file changed, 8 insertions(+)
> +
> +diff --git a/bus/system.conf.in b/bus/system.conf.in
> +index 92f4cc4..851b9e6 100644
> +--- a/bus/system.conf.in
> ++++ b/bus/system.conf.in
> +@@ -68,6 +68,14 @@
> + <deny send_destination="org.freedesktop.DBus"
> + send_interface="org.freedesktop.DBus"
> + send_member="UpdateActivationEnvironment"/>
> ++ <deny send_destination="org.freedesktop.DBus"
> ++ send_interface="org.freedesktop.systemd1.Activator"/>
> ++ </policy>
> ++
> ++ <!-- Only systemd, which runs as root, may report activation
> failures. -->
> ++ <policy user="root">
> ++ <allow send_destination="org.freedesktop.DBus"
> ++ send_interface="org.freedesktop.systemd1.Activator"/>
> + </policy>
> +
> + <!-- Config files are placed here that among other things, punch
> +--
> +2.1.4
> +
More information about the Openembedded-core
mailing list