On Wed, 2015-06-24 at 23:06 +0300, Jussi Kukkonen wrote:
> Fix CVE-2015-0245 by preventing non-root and non-systemd processes
> from fooling the dbus daemon into thinking systemd service activation
> failed.

Thanks Jussi,

This is queued in my fido-next branch[1].

Regards,

Joshua

1. http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next

> Signed-off-by: Jussi Kukkonen <[email protected]> > --- > meta/recipes-core/dbus/dbus.inc | 1 + > ...015-0245-prevent-forged-ActivationFailure.patch | 48 > ++++++++++++++++++++++ > 2 files changed, 49 insertions(+) > create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent > -forged-ActivationFailure.patch > > diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes > -core/dbus/dbus.inc > index fb5d017..f1744c8 100644 > --- a/meta/recipes-core/dbus/dbus.inc > +++ b/meta/recipes-core/dbus/dbus.inc > @@ -17,6 +17,7 @@ SRC_URI = " > http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \ > file://dbus-1.init \ > file://os-test.patch \ > file://clear-guid_from_server-if > -send_negotiate_unix_f.patch \ > + file://CVE-2015-0245-prevent-forged > -ActivationFailure.patch \ > " > > inherit useradd autotools pkgconfig gettext update-rc.d > diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged > -ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245 > -prevent-forged-ActivationFailure.patch > new file mode 100644 > index 0000000..59363b3 > --- /dev/null > +++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged > -ActivationFailure.patch
> @@ -0,0 +1,48 @@ > +CVE-2015-0245: prevent forged ActivationFailure from non-root > processes > + > +Upstream has fixed this in code but suggests using this as a easily > +backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811 > + > +Upstream-Status: Inappropriate > +Signed-off-by: Jussi Kukkonen <[email protected]> > + > + > + > +From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00 > 2001 > +From: Simon McVittie <[email protected]> > +Date: Mon, 26 Jan 2015 20:09:56 +0000 > +Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure > from > + non-root processes > + > +Without either this rule or better checking in dbus-daemon, non > -systemd > +processes can make dbus-daemon think systemd failed to activate a > system > +service, resulting in an error reply back to the requester. > + > +This is redundant with the fix in the C code (which I consider to be > +the real solution), but is likely to be easier to backport. > +--- > + bus/system.conf.in | 8 ++++++++ > + 1 file changed, 8 insertions(+) > + > +diff --git a/bus/system.conf.in b/bus/system.conf.in > +index 92f4cc4..851b9e6 100644 > +--- a/bus/system.conf.in > ++++ b/bus/system.conf.in > +@@ -68,6 +68,14 @@ > + <deny send_destination="org.freedesktop.DBus" > + send_interface="org.freedesktop.DBus" > + send_member="UpdateActivationEnvironment"/> > ++ <deny send_destination="org.freedesktop.DBus" > ++ send_interface="org.freedesktop.systemd1.Activator"/> > ++ </policy> > ++ > ++ <!-- Only systemd, which runs as root, may report activation > failures. --> > ++ <policy user="root"> > ++ <allow send_destination="org.freedesktop.DBus" > ++ send_interface="org.freedesktop.systemd1.Activator"/> > + </policy> > + > + <!-- Config files are placed here that among other things, punch > +-- > +2.1.4 > +
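
Review bot: The allow rule added under <policy user="root"> in the bus/system.conf.in hunk keys on the sender's uid only, so the comment "Only systemd, which runs as root, may report activation failures" overstates what the rule enforces: any connection owned by root can still send org.freedesktop.systemd1.Activator messages to org.freedesktop.DBus. The embedded commit message calls the C-code check the real solution, and this is [PATCH 1/3] touching only bus/system.conf.in, so please say in the patch header that only the policy rule is carried here and that the dbus-daemon check is not part of this backport. Separately, the header marks a patch that carries an upstream From/Date/Subject and commit id as "Upstream-Status: Inappropriate"; "Upstream-Status: Backport" would describe it more accurately.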
