[Dx-packages] [Bug 2024182] Re: GHSL-2023-139: use-after-free in user.c
** Tags added: patch
--
You received this bug notification because you are a member of DX
Packages, which is subscribed to accountsservice in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/2024182
Title:
GHSL-2023-139: use-after-free in user.c
Status in accountsservice package in Ubuntu:
In Progress
Status in accountsservice source package in Focal:
Fix Released
Status in accountsservice source package in Jammy:
Fix Released
Status in accountsservice source package in Kinetic:
Fix Released
Status in accountsservice source package in Lunar:
Fix Released
Status in accountsservice source package in Mantic:
In Progress
Bug description:
# GitHub Security Lab (GHSL) Vulnerability Report, accountsservice:
`GHSL-2023-139`
The [GitHub Security Lab](https://securitylab.github.com) team has
identified a potential security vulnerability in
[accountsservice](https://code.launchpad.net/ubuntu/+source/accountsservice).
We are committed to working with you to help resolve this issue. In
this report you will find everything you need to effectively
coordinate a resolution of this issue with the GHSL team.
If at any point you have concerns or questions about this process,
please do not hesitate to reach out to us at `security...@github.com`
(please include `GHSL-2023-139` as a reference).
If you are _NOT_ the correct point of contact for this report, please
let us know!
## Summary
An unprivileged local attacker can trigger a use-after-free
vulnerability in accountsservice by sending a D-Bus message to the
accounts-daemon process.
## Product
accountsservice
## Tested Version
[22.08.8-1ubuntu7](https://launchpad.net/ubuntu/+source/accountsservice/22.08.8-1ubuntu7)
The bug is easier to observe on Ubuntu 23.04 than on Ubuntu 22.04 LTS,
but it is present on both.
## Details
### Use-after-free when `throw_error` is called (`GHSL-2023-139`)
After receiving a D-Bus [method
call](https://dbus.freedesktop.org/doc/dbus-
specification.html#message-protocol-types), a D-Bus server is expected
to send either a `METHOD_RETURN` or a `ERROR` message back to the
client, _but not both_. This is done incorrectly in several places in
accountsservice. For example, in
[`user_change_language_authorized_cb`](https://git.launchpad.net/ubuntu/+source/accountsservice/tree/debian/patches/0010-set-
language.patch?h=import/22.08.8-1ubuntu7#n427):
```c
static void
user_change_language_authorized_cb (Daemon*daemon,
User *user,
GDBusMethodInvocation *context,
gpointer data)
{
const gchar *language = data;
if (!user_HOME_available (user)) {
/* SetLanguage was probably called from a login greeter,
and HOME not mounted and/or not decrypted.
Hence don't save anything, or else accountsservice
and ~/.pam_environment would become out of sync. */
throw_error (context, ERROR_FAILED, "not access to HOME yet
so language not saved"); <= 1
goto out;
}
out:
accounts_user_complete_set_language (ACCOUNTS_USER (user), context);
<= 2
}
```
If `user_HOME_available` returns an error, then `throw_error` is
called at 1 to send an `ERROR` message, but a regular `METHOD_RETURN`
is also sent at 2. This is incorrect D-Bus protocol, but the more
serious problem is that it causes a use-after-free because both
`throw_error` and `accounts_user_complete_set_language` decrease the
reference count on `context`. In other words, `context` is freed by
`throw_error` and a UAF occurs in
`accounts_user_complete_set_language`.
An attacker can trigger the bug above by causing `user_HOME_available`
to fail, which they can do by deleting all the files from their home
directory. But there are other incorrect uses of `throw_error` in
`user.c` which are less inconvenient to trigger. For example, this
command triggers a call to `throw_error` in `user_update_environment`
due to the invalid characters in the string.
```bash
dbus-send --system --print-reply --dest=org.freedesktop.Accounts
/org/freedesktop/Accounts/User`id -u` org.freedesktop.Accounts.User.SetLanguage
string:'**'
```
On Ubuntu 23.04, the above command causes `accounts-daemon` to crash
with a `SIGSEGV`. But on Ubuntu 22.04 LTS it doesn't cause any visible
harm. The difference is due to a recent [change in
GLib's](https://gitlab.gnome.org/GNOME/glib/-/commit/69e9ba80e2f4d2061a1a68d72bae1c32c1e4f8fa)
memory allocation: older versions of GLib used the "slice" allocator,
but newer version uses the system allocator. The system allocator
trashes the memory when it's freed in a way that causes the use-after-
[Dx-packages] [Bug 2024182] Re: GHSL-2023-139: use-after-free in user.c
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of DX
Packages, which is subscribed to accountsservice in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/2024182
Title:
GHSL-2023-139: use-after-free in user.c
Status in accountsservice package in Ubuntu:
In Progress
Status in accountsservice source package in Focal:
Fix Released
Status in accountsservice source package in Jammy:
Fix Released
Status in accountsservice source package in Kinetic:
Fix Released
Status in accountsservice source package in Lunar:
Fix Released
Status in accountsservice source package in Mantic:
In Progress
Bug description:
# GitHub Security Lab (GHSL) Vulnerability Report, accountsservice:
`GHSL-2023-139`
The [GitHub Security Lab](https://securitylab.github.com) team has
identified a potential security vulnerability in
[accountsservice](https://code.launchpad.net/ubuntu/+source/accountsservice).
We are committed to working with you to help resolve this issue. In
this report you will find everything you need to effectively
coordinate a resolution of this issue with the GHSL team.
If at any point you have concerns or questions about this process,
please do not hesitate to reach out to us at `security...@github.com`
(please include `GHSL-2023-139` as a reference).
If you are _NOT_ the correct point of contact for this report, please
let us know!
## Summary
An unprivileged local attacker can trigger a use-after-free
vulnerability in accountsservice by sending a D-Bus message to the
accounts-daemon process.
## Product
accountsservice
## Tested Version
[22.08.8-1ubuntu7](https://launchpad.net/ubuntu/+source/accountsservice/22.08.8-1ubuntu7)
The bug is easier to observe on Ubuntu 23.04 than on Ubuntu 22.04 LTS,
but it is present on both.
## Details
### Use-after-free when `throw_error` is called (`GHSL-2023-139`)
After receiving a D-Bus [method
call](https://dbus.freedesktop.org/doc/dbus-
specification.html#message-protocol-types), a D-Bus server is expected
to send either a `METHOD_RETURN` or a `ERROR` message back to the
client, _but not both_. This is done incorrectly in several places in
accountsservice. For example, in
[`user_change_language_authorized_cb`](https://git.launchpad.net/ubuntu/+source/accountsservice/tree/debian/patches/0010-set-
language.patch?h=import/22.08.8-1ubuntu7#n427):
```c
static void
user_change_language_authorized_cb (Daemon*daemon,
User *user,
GDBusMethodInvocation *context,
gpointer data)
{
const gchar *language = data;
if (!user_HOME_available (user)) {
/* SetLanguage was probably called from a login greeter,
and HOME not mounted and/or not decrypted.
Hence don't save anything, or else accountsservice
and ~/.pam_environment would become out of sync. */
throw_error (context, ERROR_FAILED, "not access to HOME yet
so language not saved"); <= 1
goto out;
}
out:
accounts_user_complete_set_language (ACCOUNTS_USER (user), context);
<= 2
}
```
If `user_HOME_available` returns an error, then `throw_error` is
called at 1 to send an `ERROR` message, but a regular `METHOD_RETURN`
is also sent at 2. This is incorrect D-Bus protocol, but the more
serious problem is that it causes a use-after-free because both
`throw_error` and `accounts_user_complete_set_language` decrease the
reference count on `context`. In other words, `context` is freed by
`throw_error` and a UAF occurs in
`accounts_user_complete_set_language`.
An attacker can trigger the bug above by causing `user_HOME_available`
to fail, which they can do by deleting all the files from their home
directory. But there are other incorrect uses of `throw_error` in
`user.c` which are less inconvenient to trigger. For example, this
command triggers a call to `throw_error` in `user_update_environment`
due to the invalid characters in the string.
```bash
dbus-send --system --print-reply --dest=org.freedesktop.Accounts
/org/freedesktop/Accounts/User`id -u` org.freedesktop.Accounts.User.SetLanguage
string:'**'
```
On Ubuntu 23.04, the above command causes `accounts-daemon` to crash
with a `SIGSEGV`. But on Ubuntu 22.04 LTS it doesn't cause any visible
harm. The difference is due to a recent [change in
GLib's](https://gitlab.gnome.org/GNOME/glib/-/commit/69e9ba80e2f4d2061a1a68d72bae1c32c1e4f8fa)
memory allocation: older versions of GLib used the "slice" allocator,
but newer version uses the system allocator. The system allocator
trashes the memory when it's
[Dx-packages] [Bug 2024560] Re: Check if 0010-set-language needs to be update for the new languages property
It's probably because you still have that colon separated list in your keyfile in /var/lib/AccountsService/users after having played with version 23.13.9-1ubuntu1. * Go to Settings -> Region & Language (it will complain there too) * Change the language to French, which alters the applicable keyfile entry to "Languages=fr;" Does that fix it? ** Changed in: accountsservice (Ubuntu) Status: Confirmed => Incomplete -- You received this bug notification because you are a member of DX Packages, which is subscribed to accountsservice in Ubuntu. Matching subscriptions: dx-packages https://bugs.launchpad.net/bugs/2024560 Title: Check if 0010-set-language needs to be update for the new languages property Status in accountsservice package in Ubuntu: Incomplete Bug description: Upstream did changes to add a languages properties https://gitlab.freedesktop.org/accountsservice/accountsservice/-/commit/881e0ea7 I've rebased 0010-set-language to apply correctly but we should review if we need to adapt the patch to apply a similar logic to the new languages property that it's doing for old language one To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/2024560/+subscriptions -- Mailing list: https://launchpad.net/~dx-packages Post to : dx-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~dx-packages More help : https://help.launchpad.net/ListHelp
[Dx-packages] [Bug 2024560] Re: Check if 0010-set-language needs to be update for the new languages property
I'm reopening because I think there is still work to be done there, opening the users panel in setting leads to those warnings 10:11:00.4223 **[19511]: WARNING: Couldn't get locale for language: fr_FR:en 10:11:00.4224 GnomeDesktop[19511]:CRITICAL: gnome_get_language_from_locale: assertion '*locale != '\0'' failed ii accountsservice23.13.9-2ubuntu1 amd64query and manipulate user account information ** Changed in: accountsservice (Ubuntu) Status: Fix Released => Confirmed -- You received this bug notification because you are a member of DX Packages, which is subscribed to accountsservice in Ubuntu. Matching subscriptions: dx-packages https://bugs.launchpad.net/bugs/2024560 Title: Check if 0010-set-language needs to be update for the new languages property Status in accountsservice package in Ubuntu: Confirmed Bug description: Upstream did changes to add a languages properties https://gitlab.freedesktop.org/accountsservice/accountsservice/-/commit/881e0ea7 I've rebased 0010-set-language to apply correctly but we should review if we need to adapt the patch to apply a similar logic to the new languages property that it's doing for old language one To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/2024560/+subscriptions -- Mailing list: https://launchpad.net/~dx-packages Post to : dx-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~dx-packages More help : https://help.launchpad.net/ListHelp
[Dx-packages] [Bug 2015962] Re: indicator-messages-service crashed with SIGSEGV in g_type_check_instance() from g_signal_handlers_disconnect_matched() from act_user_manager_finalize() from g_object_un
This bug was fixed in the package accountsservice - 23.13.9-2ubuntu1 --- accountsservice (23.13.9-2ubuntu1) mantic; urgency=medium * Includes some extra upstream bugfixes accountsservice (23.13.9-2) unstable; urgency=medium * debian/patches/git_user_manager.patch: - Disconnect from manager signals when freeing a request and resolve indicator-messages crashing on logout (lp: #2015962) * debian/patches/git_default_gdm.patch: - default to gdm if there display-manager.service isn't a known target, which is the case for our gdm called gdm3, fixes the service crashing when trying to toggle autologin (lp: #2024870) -- Sebastien Bacher Mon, 26 Jun 2023 16:25:07 +0200 ** Changed in: accountsservice (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of DX Packages, which is subscribed to accountsservice in Ubuntu. Matching subscriptions: dx-packages https://bugs.launchpad.net/bugs/2015962 Title: indicator-messages-service crashed with SIGSEGV in g_type_check_instance() from g_signal_handlers_disconnect_matched() from act_user_manager_finalize() from g_object_unref() from im_accounts_service_dispose() Status in accountsservice: Fix Released Status in accountsservice package in Ubuntu: Fix Released Status in ayatana-indicator-messages package in Ubuntu: In Progress Status in indicator-messages package in Ubuntu: Fix Released Bug description: The Ubuntu Error Tracker has been receiving reports about a problem regarding indicator-messages. This problem was most recently seen with package version 13.10.1+18.10.20180918-0ubuntu3, the problem page at https://errors.ubuntu.com/problem/94c77bb11d79da78a8cb610adb9252f41d2ab4a4 contains more details, including versions of packages affected, stacktrace or traceback, and individual crash reports. If you do not have access to the Ubuntu Error Tracker and are a software developer, you can request it at http://forms.canonical.com/reports/. To manage notifications about this bug go to: https://bugs.launchpad.net/accountsservice/+bug/2015962/+subscriptions -- Mailing list: https://launchpad.net/~dx-packages Post to : dx-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~dx-packages More help : https://help.launchpad.net/ListHelp
[Dx-packages] [Bug 2024560] Re: Check if 0010-set-language needs to be update for the new languages property
This bug was fixed in the package accountsservice - 23.13.9-2ubuntu1 --- accountsservice (23.13.9-2ubuntu1) mantic; urgency=medium * Includes some extra upstream bugfixes accountsservice (23.13.9-2) unstable; urgency=medium * debian/patches/git_user_manager.patch: - Disconnect from manager signals when freeing a request and resolve indicator-messages crashing on logout (lp: #2015962) * debian/patches/git_default_gdm.patch: - default to gdm if there display-manager.service isn't a known target, which is the case for our gdm called gdm3, fixes the service crashing when trying to toggle autologin (lp: #2024870) -- Sebastien Bacher Mon, 26 Jun 2023 16:25:07 +0200 ** Changed in: accountsservice (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of DX Packages, which is subscribed to accountsservice in Ubuntu. Matching subscriptions: dx-packages https://bugs.launchpad.net/bugs/2024560 Title: Check if 0010-set-language needs to be update for the new languages property Status in accountsservice package in Ubuntu: Fix Released Bug description: Upstream did changes to add a languages properties https://gitlab.freedesktop.org/accountsservice/accountsservice/-/commit/881e0ea7 I've rebased 0010-set-language to apply correctly but we should review if we need to adapt the patch to apply a similar logic to the new languages property that it's doing for old language one To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/2024560/+subscriptions -- Mailing list: https://launchpad.net/~dx-packages Post to : dx-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~dx-packages More help : https://help.launchpad.net/ListHelp
[Dx-packages] [Bug 2024870] Re: accountsservice segfault when toggling autologin
This bug was fixed in the package accountsservice - 23.13.9-2ubuntu1 --- accountsservice (23.13.9-2ubuntu1) mantic; urgency=medium * Includes some extra upstream bugfixes accountsservice (23.13.9-2) unstable; urgency=medium * debian/patches/git_user_manager.patch: - Disconnect from manager signals when freeing a request and resolve indicator-messages crashing on logout (lp: #2015962) * debian/patches/git_default_gdm.patch: - default to gdm if there display-manager.service isn't a known target, which is the case for our gdm called gdm3, fixes the service crashing when trying to toggle autologin (lp: #2024870) -- Sebastien Bacher Mon, 26 Jun 2023 16:25:07 +0200 ** Changed in: accountsservice (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of DX Packages, which is subscribed to accountsservice in Ubuntu. Matching subscriptions: dx-packages https://bugs.launchpad.net/bugs/2024870 Title: accountsservice segfault when toggling autologin Status in accountsservice package in Ubuntu: Fix Released Bug description: Error encountered after first boot ubuntu-gnome-desktop installed on LiveServer Daily 23.10 attempting to set AutoLogin in Settings>User. ProblemType: Crash DistroRelease: Ubuntu 23.10 Package: accountsservice 23.13.9-1ubuntu1 Uname: Linux 6.3.0-7-generic x86_64 Architecture: amd64 Date: Thu Jun 22 21:28:14 2023 ExecutablePath: /usr/libexec/accounts-daemon ExecutableTimestamp: 1687359023 ProcCmdline: /usr/libexec/accounts-daemon ProcCwd: / ProcEnviron: LANG=en_US.UTF-8 PATH=(custom, no user) Signal: 11 SourcePackage: accountsservice UserGroups: N/A To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/2024870/+subscriptions -- Mailing list: https://launchpad.net/~dx-packages Post to : dx-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~dx-packages More help : https://help.launchpad.net/ListHelp
[Dx-packages] [Bug 2025210] [NEW] make failed with new version glib
Public bug reported: $ make /Library/Developer/CommandLineTools/usr/bin/make all-recursive Making all in libindicator ( cd . && /opt/homebrew/bin/glib-mkenums --template /Users/daobingli/workspace/foss/libindicator-12.10.1/libindicator/indicator-object-enum-types.c.template \ indicator.h indicator-desktop-shortcuts.h indicator-image-helper.h indicator-object.h indicator-service.h indicator-service-manager.h ) > tmp-indicator-object-enum-types.c \ && (cmp -s tmp-indicator-object-enum-types.c indicator-object-enum-types.c || cp tmp-indicator-object-enum-types.c indicator-object-enum-types.c ) \ && rm -f tmp-indicator-object-enum-types.c /Library/Developer/CommandLineTools/usr/bin/make all-am CC libindicator3_la-indicator-object.lo indicator-object.c:129:2: error: 'g_type_class_add_private' is deprecated [-Werror,-Wdeprecated-declarations] g_type_class_add_private (klass, sizeof (IndicatorObjectPrivate)); ^ /opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/gobject/gtype.h:1382:1: note: 'g_type_class_add_private' has been explicitly marked deprecated here GOBJECT_DEPRECATED_IN_2_58 ^ /opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/gobject/gobject-visibility.h:581:36: note: expanded from macro 'GOBJECT_DEPRECATED_IN_2_58' #define GOBJECT_DEPRECATED_IN_2_58 GOBJECT_DEPRECATED ^ /opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/gobject/gobject-visibility.h:30:28: note: expanded from macro 'GOBJECT_DEPRECATED' #define GOBJECT_DEPRECATED G_DEPRECATED _GOBJECT_EXTERN ^ /opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/glib/gmacros.h:1262:37: note: expanded from macro 'G_DEPRECATED' #define G_DEPRECATED __attribute__((__deprecated__)) ^ indicator-object.c:305:34: warning: Deprecated pre-processor symbol: replace with "G_ADD_PRIVATE" [-W#pragma-messages] IndicatorObjectPrivate * priv = G_TYPE_INSTANCE_GET_PRIVATE (self, INDICATOR_OBJECT_TYPE, IndicatorObjectPrivate); ^ /opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/gobject/gtype.h:686:145: note: expanded from macro 'G_TYPE_INSTANCE_GET_PRIVATE' #define G_TYPE_INSTANCE_GET_PRIVATE(instance, g_type, c_type) ((c_type*) g_type_instance_get_private ((GTypeInstance*) (instance), (g_type))) GOBJECT_DEPRECATED_MACRO_IN_2_58_FOR(G_ADD_PRIVATE) ^ /opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/gobject/gobject-visibility.h:584:49: note: expanded from macro 'GOBJECT_DEPRECATED_MACRO_IN_2_58_FOR' #define GOBJECT_DEPRECATED_MACRO_IN_2_58_FOR(f) GLIB_DEPRECATED_MACRO_FOR (f) ^ /opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/glib/gmacros.h:1299:3: note: expanded from macro 'GLIB_DEPRECATED_MACRO_FOR' _GLIB_GNUC_DO_PRAGMA(GCC warning G_STRINGIFY (Deprecated pre-processor symbol: replace with #f)) ^ /opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/glib/gmacros.h:1296:33: note: expanded from macro '_GLIB_GNUC_DO_PRAGMA' #define _GLIB_GNUC_DO_PRAGMA(x) _Pragma(G_STRINGIFY (x)) ^ :17:6: note: expanded from here GCC warning "Deprecated pre-processor symbol: replace with \"G_ADD_PRIVATE\"" ^ 1 warning and 1 error generated. make[3]: *** [libindicator3_la-indicator-object.lo] Error 1 make[2]: *** [all] Error 2 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 ** Affects: libindicator (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of DX Packages, which is subscribed to libindicator in Ubuntu. https://bugs.launchpad.net/bugs/2025210 Title: make failed with new version glib Status in libindicator package in Ubuntu: New Bug description: $ make /Library/Developer/CommandLineTools/usr/bin/make all-recursive Making all in libindicator ( cd . && /opt/homebrew/bin/glib-mkenums --template /Users/daobingli/workspace/foss/libindicator-12.10.1/libindicator/indicator-object-enum-types.c.template \ indicator.h indicator-desktop-shortcuts.h indicator-image-helper.h indicator-object.h indicator-service.h indicator-service-manager.h ) > tmp-indicator-object-enum-types.c \ && (cmp -s tmp-indicator-object-enum-types.c indicator-object-enum-types.c || cp tmp-indicator-object-enum-types.c indicator-object-enum-types.c ) \ && rm -f tmp-indicator-object-enum-types.c /Library/Developer/CommandLineTools/usr/bin/make all-am CC libindicator3_la-indicator-object.lo indicator-object.c:129:2: error: 'g_type_class_add_private' is deprecated [-Werror,-Wdeprecated-declarations]
