Package: release.debian.org Severity: normal Tags: d-i User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package dbus to fix CVE-2019-12749. I forgot to set high urgency, so you might want to adjust its age-days too. Filtered and full diffs are attached (the former has Autotools noise removed). As usual, I'm happy to revert anything that -release can't accept, because the whole 1.12.x branch exists for the benefit of distros with a bugfix-only policy (but having said that, everything in this particular version is either CVE-2019-12749, tests for it, or release preparation). dbus builds udebs, so this will need an ack from debian-boot (although from comments on #929132 it isn't clear to me whether the udebs are actually used for anything). unblock dbus/1.12.16-1 Breakdown of the diff: > diffstat for dbus-1.12.14 dbus-1.12.16 > > dbus/dbus-auth.c | 32 ++++++++ CVE-2019-12749 > dbus/dbus-auth-script.c | 87 > +++++++++++++++++++++++- > dbus/dbus-sysdeps-util-unix.c | 40 +++++++++++ > dbus/dbus-sysdeps-util-win.c | 25 ++++++ > dbus/dbus-sysdeps.h | 10 ++ > test/Makefile.am | 2 > test/data/auth/cookie-sha1-username.auth-script | 12 +++ > test/data/auth/cookie-sha1.auth-script | 11 +++ Regression tests for CVE-2019-12749 (these are #ifdef'd out and do not affect the dbus binary package, although they do end up in the special debug build in the dbus-tests package) > NEWS | 18 ++++ > configure.ac | 4 - > debian/changelog | 15 ++++ Release preparation > Makefile.in | 4 - > aminclude_static.am | 2 > bus/Makefile.in | 2 > configure | 26 +++---- > dbus/Makefile.in | 2 > test/Makefile.in | 4 - Autotools noise from doing the release Thanks, smcv
filterdiff -p1 -xMakefile.in -x'*/Makefile.in' -xaminclude_static.am -xconfigure < dbus_1.12.16-1.diff > dbus_1.12.16-1-filtered.diff diffstat for dbus-1.12.14 dbus-1.12.16 Makefile.in | 4 - NEWS | 18 ++++ aminclude_static.am | 2 bus/Makefile.in | 2 configure | 26 +++---- configure.ac | 4 - dbus/Makefile.in | 2 dbus/dbus-auth-script.c | 87 +++++++++++++++++++++++- dbus/dbus-auth.c | 32 ++++++++ dbus/dbus-sysdeps-util-unix.c | 40 +++++++++++ dbus/dbus-sysdeps-util-win.c | 25 ++++++ dbus/dbus-sysdeps.h | 10 ++ debian/changelog | 15 ++++ test/Makefile.am | 2 test/Makefile.in | 4 - test/data/auth/cookie-sha1-username.auth-script | 12 +++ test/data/auth/cookie-sha1.auth-script | 11 +++ 17 files changed, 272 insertions(+), 24 deletions(-) diff -Nru dbus-1.12.14/configure.ac dbus-1.12.16/configure.ac --- dbus-1.12.14/configure.ac 2019-05-17 10:38:45.000000000 +0100 +++ dbus-1.12.16/configure.ac 2019-06-09 13:09:13.000000000 +0100 @@ -3,7 +3,7 @@ m4_define([dbus_major_version], [1]) m4_define([dbus_minor_version], [12]) -m4_define([dbus_micro_version], [14]) +m4_define([dbus_micro_version], [16]) m4_define([dbus_version], [dbus_major_version.dbus_minor_version.dbus_micro_version]) AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus]) @@ -42,7 +42,7 @@ ## increment any time the source changes; set to ## 0 if you increment CURRENT -LT_REVISION=10 +LT_REVISION=11 ## increment if any interfaces have been added; set to 0 ## if any interfaces have been changed or removed. removal has diff -Nru dbus-1.12.14/dbus/dbus-auth.c dbus-1.12.16/dbus/dbus-auth.c --- dbus-1.12.14/dbus/dbus-auth.c 2017-10-30 12:26:18.000000000 +0000 +++ dbus-1.12.16/dbus/dbus-auth.c 2019-06-09 13:08:12.000000000 +0100 @@ -529,6 +529,7 @@ DBusString tmp2; dbus_bool_t retval = FALSE; DBusError error = DBUS_ERROR_INIT; + DBusCredentials *myself = NULL; _dbus_string_set_length (&auth->challenge, 0); 
@@ -565,6 +566,34 @@ return FALSE; } + myself = _dbus_credentials_new_from_current_process (); + + if (myself == NULL) + goto out; + + if (!_dbus_credentials_same_user (myself, auth->desired_identity)) + { + /* + * DBUS_COOKIE_SHA1 is not suitable for authenticating that the + * client is anyone other than the user owning the process + * containing the DBusServer: we probably aren't allowed to write + * to other users' home directories. Even if we can (for example + * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we + * must not, because the other user controls their home directory, + * and could carry out symlink attacks to make us read from or + * write to unintended locations. It's difficult to avoid symlink + * attacks in a portable way, so we just don't try. This isn't a + * regression, because DBUS_COOKIE_SHA1 never worked for other + * users anyway. + */ + _dbus_verbose ("%s: client tried to authenticate as \"%s\", " + "but that doesn't match this process", + DBUS_AUTH_NAME (auth), + _dbus_string_get_const_data (data)); + retval = send_rejected (auth); + goto out; + } + /* we cache the keyring for speed, so here we drop it if it's the * wrong one. FIXME caching the keyring here is useless since we use * a different DBusAuth for every connection. @@ -679,6 +708,9 @@ _dbus_string_zero (&tmp2); _dbus_string_free (&tmp2); + if (myself != NULL) + _dbus_credentials_unref (myself); + return retval; } diff -Nru dbus-1.12.14/dbus/dbus-auth-script.c dbus-1.12.16/dbus/dbus-auth-script.c --- dbus-1.12.14/dbus/dbus-auth-script.c 2017-10-30 12:26:18.000000000 +0000 +++ dbus-1.12.16/dbus/dbus-auth-script.c 2019-06-09 13:08:49.000000000 +0100 @@ -34,6 +34,8 @@ #include "dbus-credentials.h" #include "dbus-internals.h" +#include "test/test-utils.h" + /** * @defgroup DBusAuthScript code for running unit test scripts for DBusAuth * @ingroup DBusInternals 
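Review bot: In the rejection branch added at -565 in dbus/dbus-auth.c, `_dbus_verbose` prints the identity string sent by the still-unauthenticated client verbatim, so any control characters in it reach the debug log unescaped; consider logging only that the identities differ, or escaping the value first. The format string also ends without a newline, which will run the next debug message onto this line if `_dbus_verbose` does not append one itself; `"but that doesn't match this process\n",` would avoid that. The enclosing function starts and ends outside this hunk, and the same hunk appears again in the full diff further down.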
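Review bot: The added `#include "test/test-utils.h"` in dbus/dbus-auth-script.c looks unnecessary as far as this diff shows, because the two helpers the file starts calling, `_dbus_test_append_different_uid` and `_dbus_test_append_different_username`, are declared in dbus/dbus-sysdeps.h by this same patch. If nothing else from that header is used, dropping the include keeps code under dbus/ from depending on a header under test/. If it is needed, a short comment naming what it provides would help. Whether dbus-sysdeps.h is already included in this file is not visible in the hunk.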
@@ -518,9 +520,43 @@ /* Replace USERID_HEX with our username in hex */ { int where; - - if (_dbus_string_find (&to_send, 0, - "USERID_HEX", &where)) + + if (_dbus_string_find (&to_send, 0, "WRONG_USERID_HEX", &where)) + { + /* This must be checked for before USERID_HEX, because + * that's a substring. */ + DBusString uid; + + if (!_dbus_string_init (&uid)) + { + _dbus_warn ("no memory for uid"); + _dbus_string_free (&to_send); + goto out; + } + + if (!_dbus_test_append_different_uid (&uid)) + { + _dbus_warn ("no memory for uid"); + _dbus_string_free (&to_send); + _dbus_string_free (&uid); + goto out; + } + + _dbus_string_delete (&to_send, where, + (int) strlen ("WRONG_USERID_HEX")); + + if (!_dbus_string_hex_encode (&uid, 0, &to_send, where)) + { + _dbus_warn ("no memory to subst WRONG_USERID_HEX"); + _dbus_string_free (&to_send); + _dbus_string_free (&uid); + goto out; + } + + _dbus_string_free (&uid); + } + else if (_dbus_string_find (&to_send, 0, + "USERID_HEX", &where)) { DBusString username; 
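Review bot: The second `_dbus_warn ("no memory for uid")` in the WRONG_USERID_HEX branch is printed for any failure of `_dbus_test_append_different_uid`, but the Windows implementation added by this patch also returns FALSE when `_dbus_getsid` fails, which is not an out-of-memory condition. A message such as `_dbus_warn ("could not get a different uid");` would keep a failing test run from being misdiagnosed. The comment kept at the top of the block, `/* Replace USERID_HEX with our username in hex */`, now also covers the WRONG_USERID_HEX case and could say so. The block this hunk edits continues outside the hunk, and the same hunk is repeated in the full diff further down.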
@@ -553,6 +589,51 @@ _dbus_string_free (&username); } else if (_dbus_string_find (&to_send, 0, + "WRONG_USERNAME_HEX", &where)) + { + /* This must be checked for before USERNAME_HEX, because + * that's a substring. */ +#ifdef DBUS_UNIX + DBusString username; + + if (!_dbus_string_init (&username)) + { + _dbus_warn ("no memory for username"); + _dbus_string_free (&to_send); + goto out; + } + + if (!_dbus_test_append_different_username (&username)) + { + _dbus_warn ("no memory for username"); + _dbus_string_free (&to_send); + _dbus_string_free (&username); + goto out; + } + + _dbus_string_delete (&to_send, where, + (int) strlen ("WRONG_USERNAME_HEX")); + + if (!_dbus_string_hex_encode (&username, 0, + &to_send, where)) + { + _dbus_warn ("no memory to subst WRONG_USERNAME_HEX"); + _dbus_string_free (&to_send); + _dbus_string_free (&username); + goto out; + } + + _dbus_string_free (&username); +#else + /* No authentication mechanism uses the login name on + * Windows, so there's no point in it appearing in an + * auth script that is not UNIX_ONLY. */ + _dbus_warn ("WRONG_USERNAME_HEX cannot be used on Windows"); + _dbus_string_free (&to_send); + goto out; +#endif + } + else if (_dbus_string_find (&to_send, 0, "USERNAME_HEX", &where)) { DBusString username; diff -Nru dbus-1.12.14/dbus/dbus-sysdeps.h dbus-1.12.16/dbus/dbus-sysdeps.h --- dbus-1.12.14/dbus/dbus-sysdeps.h 2019-05-13 11:50:32.000000000 +0100 +++ dbus-1.12.16/dbus/dbus-sysdeps.h 2019-06-09 13:08:49.000000000 +0100 
@@ -703,6 +703,16 @@ DBusError *error); void _dbus_rlimit_free (DBusRLimit *lim); +#ifdef DBUS_ENABLE_EMBEDDED_TESTS +_DBUS_GNUC_WARN_UNUSED_RESULT +dbus_bool_t _dbus_test_append_different_uid (DBusString *uid); + +#ifdef DBUS_UNIX +_DBUS_GNUC_WARN_UNUSED_RESULT +dbus_bool_t _dbus_test_append_different_username (DBusString *username); +#endif +#endif /* DBUS_ENABLE_EMBEDDED_TESTS */ + /** @} */ DBUS_END_DECLS diff -Nru dbus-1.12.14/dbus/dbus-sysdeps-util-unix.c dbus-1.12.16/dbus/dbus-sysdeps-util-unix.c --- dbus-1.12.14/dbus/dbus-sysdeps-util-unix.c 2019-05-13 11:50:32.000000000 +0100 +++ dbus-1.12.16/dbus/dbus-sysdeps-util-unix.c 2019-06-09 13:08:49.000000000 +0100 
@@ -1524,3 +1524,43 @@ return _dbus_string_append (str, DBUS_SESSION_CONFIG_FILE); } + +#ifdef DBUS_ENABLE_EMBEDDED_TESTS + +/* + * Set uid to a machine-readable authentication identity (numeric Unix + * uid or ConvertSidToStringSid-style Windows SID) that is likely to exist, + * and differs from the identity of the current process. + * + * @param uid Populated with a machine-readable authentication identity + * on success + * @returns #FALSE if no memory + */ +dbus_bool_t +_dbus_test_append_different_uid (DBusString *uid) +{ + if (geteuid () == 0) + return _dbus_string_append (uid, "65534"); + else + return _dbus_string_append (uid, "0"); +} + +/* + * Set uid to a human-readable authentication identity (login name) + * that is likely to exist, and differs from the identity of the current + * process. This function currently only exists on Unix platforms. + * + * @param uid Populated with a machine-readable authentication identity + * on success + * @returns #FALSE if no memory + */ +dbus_bool_t +_dbus_test_append_different_username (DBusString *username) +{ + if (geteuid () == 0) + return _dbus_string_append (username, "nobody"); + else + return _dbus_string_append (username, "root"); +} + +#endif diff -Nru dbus-1.12.14/dbus/dbus-sysdeps-util-win.c dbus-1.12.16/dbus/dbus-sysdeps-util-win.c --- dbus-1.12.14/dbus/dbus-sysdeps-util-win.c 2019-05-13 11:50:32.000000000 +0100 +++ dbus-1.12.16/dbus/dbus-sysdeps-util-win.c 2019-06-09 13:08:49.000000000 +0100 
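Review bot: The comment on `_dbus_test_append_different_username` was copied from the uid helper without being adjusted: it opens with "Set uid to" and documents `@param uid` as a machine-readable identity, while the parameter is `username` and receives a login name. I would change that line to `@param username Populated with a human-readable authentication identity (login name) on success`, and write "Append" rather than "Set" in both comments, since both functions call `_dbus_string_append`. The fixed values `"65534"`, `"nobody"` and `"root"` are described only as likely to exist, so a sentence on what the regression test is expected to do when they are absent on the build machine would be useful. The same hunk is repeated in the full diff further down.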
@@ -1653,3 +1653,28 @@ return _dbus_get_config_file_name(str, "session.conf"); } + +#ifdef DBUS_ENABLE_EMBEDDED_TESTS + +#define ANONYMOUS_SID "S-1-5-7" +#define LOCAL_SYSTEM_SID "S-1-5-18" + +dbus_bool_t +_dbus_test_append_different_uid (DBusString *uid) +{ + char *sid = NULL; + dbus_bool_t ret; + + if (!_dbus_getsid (&sid, _dbus_getpid ())) + return FALSE; + + if (strcmp (sid, ANONYMOUS_SID) == 0) + ret = _dbus_string_append (uid, LOCAL_SYSTEM_SID); + else + ret = _dbus_string_append (uid, ANONYMOUS_SID); + + LocalFree (sid); + return ret; +} + +#endif diff -Nru dbus-1.12.14/debian/changelog dbus-1.12.16/debian/changelog --- dbus-1.12.14/debian/changelog 2019-05-18 17:37:08.000000000 +0100 +++ dbus-1.12.16/debian/changelog 2019-06-09 21:34:34.000000000 +0100 @@ -1,3 +1,18 @@ +dbus (1.12.16-1) unstable; urgency=medium + + * New upstream stable release + - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1 + authentication for identities that differ from the user running the + DBusServer. Previously, a local attacker could manipulate symbolic + links in their own home directory to bypass authentication and + connect to a DBusServer with elevated privileges. The standard + system and session dbus-daemons in their default configuration were + immune to this attack because they did not allow DBUS_COOKIE_SHA1, + but third-party users of DBusServer such as Upstart could be + vulnerable. + + -- Simon McVittie <s...@debian.org> Sun, 09 Jun 2019 21:34:34 +0100 + dbus (1.12.14-1) unstable; urgency=medium * New upstream release diff -Nru dbus-1.12.14/NEWS dbus-1.12.16/NEWS --- dbus-1.12.14/NEWS 2019-05-17 10:40:49.000000000 +0100 +++ dbus-1.12.16/NEWS 2019-06-09 13:09:13.000000000 +0100 
@@ -1,3 +1,21 @@ +dbus 1.12.16 (2019-06-11) +========================= + +The “tree cat” release. + +Security fixes: + +• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1 + authentication for identities that differ from the user running the + DBusServer. Previously, a local attacker could manipulate symbolic + links in their own home directory to bypass authentication and connect + to a DBusServer with elevated privileges. The standard system and + session dbus-daemons in their default configuration were immune to this + attack because they did not allow DBUS_COOKIE_SHA1, but third-party + users of DBusServer such as Upstart could be vulnerable. + Thanks to Joe Vennix of Apple Information Security. + (dbus#269, Simon McVittie) + dbus 1.12.14 (2019-05-17) ========================= diff -Nru dbus-1.12.14/test/data/auth/cookie-sha1.auth-script dbus-1.12.16/test/data/auth/cookie-sha1.auth-script --- dbus-1.12.14/test/data/auth/cookie-sha1.auth-script 1970-01-01 01:00:00.000000000 +0100 +++ dbus-1.12.16/test/data/auth/cookie-sha1.auth-script 2019-06-09 13:16:35.000000000 +0100 @@ -0,0 +1,11 @@ +SERVER +SEND 'AUTH DBUS_COOKIE_SHA1 WRONG_USERID_HEX' +EXPECT_COMMAND REJECTED +EXPECT_STATE WAITING_FOR_INPUT +EXPECT_HAVE_NO_CREDENTIALS +SEND 'AUTH DBUS_COOKIE_SHA1 USERID_HEX' +EXPECT_COMMAND DATA +EXPECT_STATE WAITING_FOR_INPUT +EXPECT_HAVE_NO_CREDENTIALS +# We don't actually complete DBUS_COOKIE_SHA1 authentication, because +# it's non-trivial. diff -Nru dbus-1.12.14/test/data/auth/cookie-sha1-username.auth-script dbus-1.12.16/test/data/auth/cookie-sha1-username.auth-script --- dbus-1.12.14/test/data/auth/cookie-sha1-username.auth-script 1970-01-01 01:00:00.000000000 +0100 +++ dbus-1.12.16/test/data/auth/cookie-sha1-username.auth-script 2019-06-09 13:16:35.000000000 +0100 
@@ -0,0 +1,12 @@ +UNIX_ONLY +SERVER +SEND 'AUTH DBUS_COOKIE_SHA1 WRONG_USERNAME_HEX' +EXPECT_COMMAND REJECTED +EXPECT_STATE WAITING_FOR_INPUT +EXPECT_HAVE_NO_CREDENTIALS +SEND 'AUTH DBUS_COOKIE_SHA1 USERNAME_HEX' +EXPECT_COMMAND DATA +EXPECT_STATE WAITING_FOR_INPUT +EXPECT_HAVE_NO_CREDENTIALS +# We don't actually complete DBUS_COOKIE_SHA1 authentication, because +# it's non-trivial. diff -Nru dbus-1.12.14/test/Makefile.am dbus-1.12.16/test/Makefile.am --- dbus-1.12.14/test/Makefile.am 2019-05-13 10:33:56.000000000 +0100 +++ dbus-1.12.16/test/Makefile.am 2019-06-09 13:08:49.000000000 +0100 @@ -471,6 +471,8 @@ data/auth/anonymous-server-successful.auth-script \ data/auth/cancel.auth-script \ data/auth/client-out-of-mechanisms.auth-script \ + data/auth/cookie-sha1-username.auth-script \ + data/auth/cookie-sha1.auth-script \ data/auth/external-failed.auth-script \ data/auth/external-root.auth-script \ data/auth/external-silly.auth-script \
diffstat for dbus-1.12.14 dbus-1.12.16 Makefile.in | 4 - NEWS | 18 ++++ aminclude_static.am | 2 bus/Makefile.in | 2 configure | 26 +++---- configure.ac | 4 - dbus/Makefile.in | 2 dbus/dbus-auth-script.c | 87 +++++++++++++++++++++++- dbus/dbus-auth.c | 32 ++++++++ dbus/dbus-sysdeps-util-unix.c | 40 +++++++++++ dbus/dbus-sysdeps-util-win.c | 25 ++++++ dbus/dbus-sysdeps.h | 10 ++ debian/changelog | 15 ++++ test/Makefile.am | 2 test/Makefile.in | 4 - test/data/auth/cookie-sha1-username.auth-script | 12 +++ test/data/auth/cookie-sha1.auth-script | 11 +++ 17 files changed, 272 insertions(+), 24 deletions(-) diff -Nru dbus-1.12.14/aminclude_static.am dbus-1.12.16/aminclude_static.am --- dbus-1.12.14/aminclude_static.am 2019-05-17 10:41:19.000000000 +0100 +++ dbus-1.12.16/aminclude_static.am 2019-06-09 13:09:33.000000000 +0100 @@ -1,6 +1,6 @@ # aminclude_static.am generated automatically by Autoconf -# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019 +# from AX_AM_MACROS_STATIC on Sun Jun 9 13:09:33 BST 2019 # Code coverage diff -Nru dbus-1.12.14/bus/Makefile.in dbus-1.12.16/bus/Makefile.in --- dbus-1.12.14/bus/Makefile.in 2019-05-17 10:41:19.000000000 +0100 +++ dbus-1.12.16/bus/Makefile.in 2019-06-09 13:09:33.000000000 +0100 @@ -15,7 +15,7 @@ @SET_MAKE@ # aminclude_static.am generated automatically by Autoconf -# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019 +# from AX_AM_MACROS_STATIC on Sun Jun 9 13:09:33 BST 2019 VPATH = @srcdir@ diff -Nru dbus-1.12.14/configure dbus-1.12.16/configure --- dbus-1.12.14/configure 2019-05-17 10:41:20.000000000 +0100 +++ dbus-1.12.16/configure 2019-06-09 13:09:33.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for dbus 1.12.14. +# Generated by GNU Autoconf 2.69 for dbus 1.12.16. # # Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=dbus>. # 
@@ -591,8 +591,8 @@ # Identity of this package. PACKAGE_NAME='dbus' PACKAGE_TARNAME='dbus' -PACKAGE_VERSION='1.12.14' -PACKAGE_STRING='dbus 1.12.14' +PACKAGE_VERSION='1.12.16' +PACKAGE_STRING='dbus 1.12.16' PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus' PACKAGE_URL='' @@ -1579,7 +1579,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures dbus 1.12.14 to adapt to many kinds of systems. +\`configure' configures dbus 1.12.16 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1654,7 +1654,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of dbus 1.12.14:";; + short | recursive ) echo "Configuration of dbus 1.12.16:";; esac cat <<\_ACEOF @@ -1881,7 +1881,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -dbus configure 1.12.14 +dbus configure 1.12.16 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2657,7 +2657,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by dbus $as_me 1.12.14, which was +It was created by dbus $as_me 1.12.16, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3603,7 +3603,7 @@ # Define the identity of the package. PACKAGE='dbus' - VERSION='1.12.14' + VERSION='1.12.16' cat >>confdefs.h <<_ACEOF @@ -3903,7 +3903,7 @@ ## increment any time the source changes; set to ## 0 if you increment CURRENT -LT_REVISION=10 +LT_REVISION=11 ## increment if any interfaces have been added; set to 0 ## if any interfaces have been changed or removed. removal has @@ -3918,8 +3918,8 @@ DBUS_MAJOR_VERSION=1 DBUS_MINOR_VERSION=12 -DBUS_MICRO_VERSION=14 -DBUS_VERSION=1.12.14 +DBUS_MICRO_VERSION=16 +DBUS_VERSION=1.12.16 
@@ -29013,7 +29013,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by dbus $as_me 1.12.14, which was +This file was extended by dbus $as_me 1.12.16, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -29079,7 +29079,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -dbus config.status 1.12.14 +dbus config.status 1.12.16 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru dbus-1.12.14/configure.ac dbus-1.12.16/configure.ac --- dbus-1.12.14/configure.ac 2019-05-17 10:38:45.000000000 +0100 +++ dbus-1.12.16/configure.ac 2019-06-09 13:09:13.000000000 +0100 @@ -3,7 +3,7 @@ m4_define([dbus_major_version], [1]) m4_define([dbus_minor_version], [12]) -m4_define([dbus_micro_version], [14]) +m4_define([dbus_micro_version], [16]) m4_define([dbus_version], [dbus_major_version.dbus_minor_version.dbus_micro_version]) AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus]) @@ -42,7 +42,7 @@ ## increment any time the source changes; set to ## 0 if you increment CURRENT -LT_REVISION=10 +LT_REVISION=11 ## increment if any interfaces have been added; set to 0 ## if any interfaces have been changed or removed. removal has diff -Nru dbus-1.12.14/dbus/dbus-auth.c dbus-1.12.16/dbus/dbus-auth.c --- dbus-1.12.14/dbus/dbus-auth.c 2017-10-30 12:26:18.000000000 +0000 +++ dbus-1.12.16/dbus/dbus-auth.c 2019-06-09 13:08:12.000000000 +0100 @@ -529,6 +529,7 @@ DBusString tmp2; dbus_bool_t retval = FALSE; DBusError error = DBUS_ERROR_INIT; + DBusCredentials *myself = NULL; _dbus_string_set_length (&auth->challenge, 0); 
@@ -565,6 +566,34 @@ return FALSE; } + myself = _dbus_credentials_new_from_current_process (); + + if (myself == NULL) + goto out; + + if (!_dbus_credentials_same_user (myself, auth->desired_identity)) + { + /* + * DBUS_COOKIE_SHA1 is not suitable for authenticating that the + * client is anyone other than the user owning the process + * containing the DBusServer: we probably aren't allowed to write + * to other users' home directories. Even if we can (for example + * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we + * must not, because the other user controls their home directory, + * and could carry out symlink attacks to make us read from or + * write to unintended locations. It's difficult to avoid symlink + * attacks in a portable way, so we just don't try. This isn't a + * regression, because DBUS_COOKIE_SHA1 never worked for other + * users anyway. + */ + _dbus_verbose ("%s: client tried to authenticate as \"%s\", " + "but that doesn't match this process", + DBUS_AUTH_NAME (auth), + _dbus_string_get_const_data (data)); + retval = send_rejected (auth); + goto out; + } + /* we cache the keyring for speed, so here we drop it if it's the * wrong one. FIXME caching the keyring here is useless since we use * a different DBusAuth for every connection. @@ -679,6 +708,9 @@ _dbus_string_zero (&tmp2); _dbus_string_free (&tmp2); + if (myself != NULL) + _dbus_credentials_unref (myself); + return retval; } diff -Nru dbus-1.12.14/dbus/dbus-auth-script.c dbus-1.12.16/dbus/dbus-auth-script.c --- dbus-1.12.14/dbus/dbus-auth-script.c 2017-10-30 12:26:18.000000000 +0000 +++ dbus-1.12.16/dbus/dbus-auth-script.c 2019-06-09 13:08:49.000000000 +0100 @@ -34,6 +34,8 @@ #include "dbus-credentials.h" #include "dbus-internals.h" +#include "test/test-utils.h" + /** * @defgroup DBusAuthScript code for running unit test scripts for DBusAuth * @ingroup DBusInternals 
@@ -518,9 +520,43 @@ /* Replace USERID_HEX with our username in hex */ { int where; - - if (_dbus_string_find (&to_send, 0, - "USERID_HEX", &where)) + + if (_dbus_string_find (&to_send, 0, "WRONG_USERID_HEX", &where)) + { + /* This must be checked for before USERID_HEX, because + * that's a substring. */ + DBusString uid; + + if (!_dbus_string_init (&uid)) + { + _dbus_warn ("no memory for uid"); + _dbus_string_free (&to_send); + goto out; + } + + if (!_dbus_test_append_different_uid (&uid)) + { + _dbus_warn ("no memory for uid"); + _dbus_string_free (&to_send); + _dbus_string_free (&uid); + goto out; + } + + _dbus_string_delete (&to_send, where, + (int) strlen ("WRONG_USERID_HEX")); + + if (!_dbus_string_hex_encode (&uid, 0, &to_send, where)) + { + _dbus_warn ("no memory to subst WRONG_USERID_HEX"); + _dbus_string_free (&to_send); + _dbus_string_free (&uid); + goto out; + } + + _dbus_string_free (&uid); + } + else if (_dbus_string_find (&to_send, 0, + "USERID_HEX", &where)) { DBusString username; 
@@ -553,6 +589,51 @@ _dbus_string_free (&username); } else if (_dbus_string_find (&to_send, 0, + "WRONG_USERNAME_HEX", &where)) + { + /* This must be checked for before USERNAME_HEX, because + * that's a substring. */ +#ifdef DBUS_UNIX + DBusString username; + + if (!_dbus_string_init (&username)) + { + _dbus_warn ("no memory for username"); + _dbus_string_free (&to_send); + goto out; + } + + if (!_dbus_test_append_different_username (&username)) + { + _dbus_warn ("no memory for username"); + _dbus_string_free (&to_send); + _dbus_string_free (&username); + goto out; + } + + _dbus_string_delete (&to_send, where, + (int) strlen ("WRONG_USERNAME_HEX")); + + if (!_dbus_string_hex_encode (&username, 0, + &to_send, where)) + { + _dbus_warn ("no memory to subst WRONG_USERNAME_HEX"); + _dbus_string_free (&to_send); + _dbus_string_free (&username); + goto out; + } + + _dbus_string_free (&username); +#else + /* No authentication mechanism uses the login name on + * Windows, so there's no point in it appearing in an + * auth script that is not UNIX_ONLY. */ + _dbus_warn ("WRONG_USERNAME_HEX cannot be used on Windows"); + _dbus_string_free (&to_send); + goto out; +#endif + } + else if (_dbus_string_find (&to_send, 0, "USERNAME_HEX", &where)) { DBusString username; diff -Nru dbus-1.12.14/dbus/dbus-sysdeps.h dbus-1.12.16/dbus/dbus-sysdeps.h --- dbus-1.12.14/dbus/dbus-sysdeps.h 2019-05-13 11:50:32.000000000 +0100 +++ dbus-1.12.16/dbus/dbus-sysdeps.h 2019-06-09 13:08:49.000000000 +0100 
@@ -703,6 +703,16 @@ DBusError *error); void _dbus_rlimit_free (DBusRLimit *lim); +#ifdef DBUS_ENABLE_EMBEDDED_TESTS +_DBUS_GNUC_WARN_UNUSED_RESULT +dbus_bool_t _dbus_test_append_different_uid (DBusString *uid); + +#ifdef DBUS_UNIX +_DBUS_GNUC_WARN_UNUSED_RESULT +dbus_bool_t _dbus_test_append_different_username (DBusString *username); +#endif +#endif /* DBUS_ENABLE_EMBEDDED_TESTS */ + /** @} */ DBUS_END_DECLS diff -Nru dbus-1.12.14/dbus/dbus-sysdeps-util-unix.c dbus-1.12.16/dbus/dbus-sysdeps-util-unix.c --- dbus-1.12.14/dbus/dbus-sysdeps-util-unix.c 2019-05-13 11:50:32.000000000 +0100 +++ dbus-1.12.16/dbus/dbus-sysdeps-util-unix.c 2019-06-09 13:08:49.000000000 +0100 
@@ -1524,3 +1524,43 @@ return _dbus_string_append (str, DBUS_SESSION_CONFIG_FILE); } + +#ifdef DBUS_ENABLE_EMBEDDED_TESTS + +/* + * Set uid to a machine-readable authentication identity (numeric Unix + * uid or ConvertSidToStringSid-style Windows SID) that is likely to exist, + * and differs from the identity of the current process. + * + * @param uid Populated with a machine-readable authentication identity + * on success + * @returns #FALSE if no memory + */ +dbus_bool_t +_dbus_test_append_different_uid (DBusString *uid) +{ + if (geteuid () == 0) + return _dbus_string_append (uid, "65534"); + else + return _dbus_string_append (uid, "0"); +} + +/* + * Set uid to a human-readable authentication identity (login name) + * that is likely to exist, and differs from the identity of the current + * process. This function currently only exists on Unix platforms. + * + * @param uid Populated with a machine-readable authentication identity + * on success + * @returns #FALSE if no memory + */ +dbus_bool_t +_dbus_test_append_different_username (DBusString *username) +{ + if (geteuid () == 0) + return _dbus_string_append (username, "nobody"); + else + return _dbus_string_append (username, "root"); +} + +#endif diff -Nru dbus-1.12.14/dbus/dbus-sysdeps-util-win.c dbus-1.12.16/dbus/dbus-sysdeps-util-win.c --- dbus-1.12.14/dbus/dbus-sysdeps-util-win.c 2019-05-13 11:50:32.000000000 +0100 +++ dbus-1.12.16/dbus/dbus-sysdeps-util-win.c 2019-06-09 13:08:49.000000000 +0100 
@@ -1653,3 +1653,28 @@ return _dbus_get_config_file_name(str, "session.conf"); } + +#ifdef DBUS_ENABLE_EMBEDDED_TESTS + +#define ANONYMOUS_SID "S-1-5-7" +#define LOCAL_SYSTEM_SID "S-1-5-18" + +dbus_bool_t +_dbus_test_append_different_uid (DBusString *uid) +{ + char *sid = NULL; + dbus_bool_t ret; + + if (!_dbus_getsid (&sid, _dbus_getpid ())) + return FALSE; + + if (strcmp (sid, ANONYMOUS_SID) == 0) + ret = _dbus_string_append (uid, LOCAL_SYSTEM_SID); + else + ret = _dbus_string_append (uid, ANONYMOUS_SID); + + LocalFree (sid); + return ret; +} + +#endif diff -Nru dbus-1.12.14/dbus/Makefile.in dbus-1.12.16/dbus/Makefile.in --- dbus-1.12.14/dbus/Makefile.in 2019-05-17 10:41:19.000000000 +0100 +++ dbus-1.12.16/dbus/Makefile.in 2019-06-09 13:09:34.000000000 +0100 @@ -15,7 +15,7 @@ @SET_MAKE@ # aminclude_static.am generated automatically by Autoconf -# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019 +# from AX_AM_MACROS_STATIC on Sun Jun 9 13:09:33 BST 2019 diff -Nru dbus-1.12.14/debian/changelog dbus-1.12.16/debian/changelog --- dbus-1.12.14/debian/changelog 2019-05-18 17:37:08.000000000 +0100 +++ dbus-1.12.16/debian/changelog 2019-06-09 21:34:34.000000000 +0100 
@@ -1,3 +1,18 @@ +dbus (1.12.16-1) unstable; urgency=medium + + * New upstream stable release + - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1 + authentication for identities that differ from the user running the + DBusServer. Previously, a local attacker could manipulate symbolic + links in their own home directory to bypass authentication and + connect to a DBusServer with elevated privileges. The standard + system and session dbus-daemons in their default configuration were + immune to this attack because they did not allow DBUS_COOKIE_SHA1, + but third-party users of DBusServer such as Upstart could be + vulnerable. + + -- Simon McVittie <s...@debian.org> Sun, 09 Jun 2019 21:34:34 +0100 + dbus (1.12.14-1) unstable; urgency=medium * New upstream release diff -Nru dbus-1.12.14/Makefile.in dbus-1.12.16/Makefile.in --- dbus-1.12.14/Makefile.in 2019-05-17 10:41:19.000000000 +0100 +++ dbus-1.12.16/Makefile.in 2019-06-09 13:09:33.000000000 +0100 @@ -15,7 +15,7 @@ @SET_MAKE@ # aminclude_static.am generated automatically by Autoconf -# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019 +# from AX_AM_MACROS_STATIC on Sun Jun 9 13:09:33 BST 2019 VPATH = @srcdir@ am__is_gnu_make = { \ @@ -225,7 +225,7 @@ $(top_srcdir)/cmake/DBus1Config.pkgconfig.in \ $(top_srcdir)/cmake/DBus1ConfigVersion.cmake.in AUTHORS \ COPYING ChangeLog INSTALL NEWS README build-aux/compile \ - build-aux/config.guess build-aux/config.sub \ + build-aux/config.guess build-aux/config.sub build-aux/depcomp \ build-aux/install-sh build-aux/ltmain.sh build-aux/missing DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) diff -Nru dbus-1.12.14/NEWS dbus-1.12.16/NEWS --- dbus-1.12.14/NEWS 2019-05-17 10:40:49.000000000 +0100 +++ dbus-1.12.16/NEWS 2019-06-09 13:09:13.000000000 +0100 
@@ -1,3 +1,21 @@ +dbus 1.12.16 (2019-06-11) +========================= + +The “tree cat” release. + +Security fixes: + +• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1 + authentication for identities that differ from the user running the + DBusServer. Previously, a local attacker could manipulate symbolic + links in their own home directory to bypass authentication and connect + to a DBusServer with elevated privileges. The standard system and + session dbus-daemons in their default configuration were immune to this + attack because they did not allow DBUS_COOKIE_SHA1, but third-party + users of DBusServer such as Upstart could be vulnerable. + Thanks to Joe Vennix of Apple Information Security. + (dbus#269, Simon McVittie) + dbus 1.12.14 (2019-05-17) ========================= diff -Nru dbus-1.12.14/test/data/auth/cookie-sha1.auth-script dbus-1.12.16/test/data/auth/cookie-sha1.auth-script --- dbus-1.12.14/test/data/auth/cookie-sha1.auth-script 1970-01-01 01:00:00.000000000 +0100 +++ dbus-1.12.16/test/data/auth/cookie-sha1.auth-script 2019-06-09 13:16:35.000000000 +0100 @@ -0,0 +1,11 @@ +SERVER +SEND 'AUTH DBUS_COOKIE_SHA1 WRONG_USERID_HEX' +EXPECT_COMMAND REJECTED +EXPECT_STATE WAITING_FOR_INPUT +EXPECT_HAVE_NO_CREDENTIALS +SEND 'AUTH DBUS_COOKIE_SHA1 USERID_HEX' +EXPECT_COMMAND DATA +EXPECT_STATE WAITING_FOR_INPUT +EXPECT_HAVE_NO_CREDENTIALS +# We don't actually complete DBUS_COOKIE_SHA1 authentication, because +# it's non-trivial. diff -Nru dbus-1.12.14/test/data/auth/cookie-sha1-username.auth-script dbus-1.12.16/test/data/auth/cookie-sha1-username.auth-script --- dbus-1.12.14/test/data/auth/cookie-sha1-username.auth-script 1970-01-01 01:00:00.000000000 +0100 +++ dbus-1.12.16/test/data/auth/cookie-sha1-username.auth-script 2019-06-09 13:16:35.000000000 +0100 
@@ -0,0 +1,12 @@ +UNIX_ONLY +SERVER +SEND 'AUTH DBUS_COOKIE_SHA1 WRONG_USERNAME_HEX' +EXPECT_COMMAND REJECTED +EXPECT_STATE WAITING_FOR_INPUT +EXPECT_HAVE_NO_CREDENTIALS +SEND 'AUTH DBUS_COOKIE_SHA1 USERNAME_HEX' +EXPECT_COMMAND DATA +EXPECT_STATE WAITING_FOR_INPUT +EXPECT_HAVE_NO_CREDENTIALS +# We don't actually complete DBUS_COOKIE_SHA1 authentication, because +# it's non-trivial. diff -Nru dbus-1.12.14/test/Makefile.am dbus-1.12.16/test/Makefile.am --- dbus-1.12.14/test/Makefile.am 2019-05-13 10:33:56.000000000 +0100 +++ dbus-1.12.16/test/Makefile.am 2019-06-09 13:08:49.000000000 +0100 @@ -471,6 +471,8 @@ data/auth/anonymous-server-successful.auth-script \ data/auth/cancel.auth-script \ data/auth/client-out-of-mechanisms.auth-script \ + data/auth/cookie-sha1-username.auth-script \ + data/auth/cookie-sha1.auth-script \ data/auth/external-failed.auth-script \ data/auth/external-root.auth-script \ data/auth/external-silly.auth-script \ diff -Nru dbus-1.12.14/test/Makefile.in dbus-1.12.16/test/Makefile.in --- dbus-1.12.14/test/Makefile.in 2019-05-17 10:41:20.000000000 +0100 +++ dbus-1.12.16/test/Makefile.in 2019-06-09 13:09:34.000000000 +0100 @@ -15,7 +15,7 @@ @SET_MAKE@ # aminclude_static.am generated automatically by Autoconf -# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019 +# from AX_AM_MACROS_STATIC on Sun Jun 9 13:09:33 BST 2019 @@ -1267,6 +1267,8 @@ data/auth/anonymous-server-successful.auth-script \ data/auth/cancel.auth-script \ data/auth/client-out-of-mechanisms.auth-script \ + data/auth/cookie-sha1-username.auth-script \ + data/auth/cookie-sha1.auth-script \ data/auth/external-failed.auth-script \ data/auth/external-root.auth-script \ data/auth/external-silly.auth-script \