[Dx-packages] [Bug 2024182] Re: GHSL-2023-139: use-after-free in user.c
** Tags added: patch

--
You received this bug notification because you are a member of DX Packages, which is subscribed to accountsservice in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/2024182

Title: GHSL-2023-139: use-after-free in user.c

Status in accountsservice package in Ubuntu: In Progress
Status in accountsservice source package in Focal: Fix Released
Status in accountsservice source package in Jammy: Fix Released
Status in accountsservice source package in Kinetic: Fix Released
Status in accountsservice source package in Lunar: Fix Released
Status in accountsservice source package in Mantic: In Progress

Bug description:

# GitHub Security Lab (GHSL) Vulnerability Report, accountsservice: `GHSL-2023-139`

The [GitHub Security Lab](https://securitylab.github.com) team has identified a potential security vulnerability in [accountsservice](https://code.launchpad.net/ubuntu/+source/accountsservice).

We are committed to working with you to help resolve this issue. In this report you will find everything you need to effectively coordinate a resolution of this issue with the GHSL team.

If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at `security...@github.com` (please include `GHSL-2023-139` as a reference).

If you are _NOT_ the correct point of contact for this report, please let us know!

## Summary

An unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to the accounts-daemon process.

## Product

accountsservice

## Tested Version

[22.08.8-1ubuntu7](https://launchpad.net/ubuntu/+source/accountsservice/22.08.8-1ubuntu7)

The bug is easier to observe on Ubuntu 23.04 than on Ubuntu 22.04 LTS, but it is present on both.

## Details

### Use-after-free when `throw_error` is called (`GHSL-2023-139`)

After receiving a D-Bus [method call](https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-types), a D-Bus server is expected to send either a `METHOD_RETURN` or an `ERROR` message back to the client, _but not both_. This is done incorrectly in several places in accountsservice. For example, in [`user_change_language_authorized_cb`](https://git.launchpad.net/ubuntu/+source/accountsservice/tree/debian/patches/0010-set-language.patch?h=import/22.08.8-1ubuntu7#n427):

```c
static void
user_change_language_authorized_cb (Daemon                *daemon,
                                    User                  *user,
                                    GDBusMethodInvocation *context,
                                    gpointer               data)
{
        const gchar *language = data;

        if (!user_HOME_available (user)) {
                /* SetLanguage was probably called from a login greeter,
                   and HOME not mounted and/or not decrypted.
                   Hence don't save anything, or else accountsservice
                   and ~/.pam_environment would become out of sync. */
                throw_error (context,
                             ERROR_FAILED,
                             "not access to HOME yet so language not saved");  /* <= 1 */
                goto out;
        }

out:
        accounts_user_complete_set_language (ACCOUNTS_USER (user), context);  /* <= 2 */
}
```

If `user_HOME_available` returns an error, then `throw_error` is called at 1 to send an `ERROR` message, but a regular `METHOD_RETURN` is also sent at 2. This is incorrect D-Bus protocol, but the more serious problem is that it causes a use-after-free because both `throw_error` and `accounts_user_complete_set_language` decrease the reference count on `context`. In other words, `context` is freed by `throw_error` and a UAF occurs in `accounts_user_complete_set_language`.

An attacker can trigger the bug above by causing `user_HOME_available` to fail, which they can do by deleting all the files from their home directory. But there are other incorrect uses of `throw_error` in `user.c` which are less inconvenient to trigger.
For example, this command triggers a call to `throw_error` in `user_update_environment` due to the invalid characters in the string.

```bash
dbus-send --system --print-reply --dest=org.freedesktop.Accounts /org/freedesktop/Accounts/User`id -u` org.freedesktop.Accounts.User.SetLanguage string:'**'
```

On Ubuntu 23.04, the above command causes `accounts-daemon` to crash with a `SIGSEGV`. But on Ubuntu 22.04 LTS it doesn't cause any visible harm. The difference is due to a recent [change in GLib's](https://gitlab.gnome.org/GNOME/glib/-/commit/69e9ba80e2f4d2061a1a68d72bae1c32c1e4f8fa) memory allocation: older versions of GLib used the "slice" allocator, but newer versions use the system allocator. The system allocator trashes the memory when it's freed in a way that causes the use-after-
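
The double-reply control flow described in the report above, modelled as an added example that is not part of the original report or of the accountsservice source. `Invocation`, `reply_error` and `reply_return` are constructed stand-ins for `GDBusMethodInvocation`, `throw_error` and `accounts_user_complete_set_language`, and `handler_single_reply` is one assumed hardened shape, not the patch that was shipped.

```c
#include <stdio.h>

/* Constructed stand-in for GDBusMethodInvocation: the handler owns exactly
 * one reference, and every reply sent through it releases one. */
typedef struct {
    int refs;          /* references the handler still owns */
    int replies_sent;  /* ERROR plus METHOD_RETURN messages emitted */
    int over_release;  /* set when a reply is attempted with no reference left */
} Invocation;

static void consume_reference(Invocation *inv)
{
    inv->replies_sent++;
    if (inv->refs == 0) {
        /* In the daemon this is where freed memory would be touched;
         * the model only records the event. */
        inv->over_release = 1;
        return;
    }
    inv->refs--;
}

/* Models throw_error(): sends ERROR and releases the reference. */
static void reply_error(Invocation *inv) { consume_reference(inv); }

/* Models accounts_user_complete_set_language(): sends METHOD_RETURN and
 * releases the reference. */
static void reply_return(Invocation *inv) { consume_reference(inv); }

/* Control flow of the reported handler: the error path jumps to a label
 * that also sends the success reply. */
static void handler_reported(Invocation *inv, int home_available)
{
    if (!home_available) {
        reply_error(inv);
        goto out;
    }
out:
    reply_return(inv);
}

/* Assumed hardened shape: every path sends exactly one reply. */
static void handler_single_reply(Invocation *inv, int home_available)
{
    if (!home_available) {
        reply_error(inv);
        return;
    }
    reply_return(inv);
}

typedef void (*Handler)(Invocation *, int);

/* Runs a handler on a fresh one-reference invocation and returns its state. */
static Invocation run_handler(Handler handler, int home_available)
{
    Invocation inv = { 1, 0, 0 };
    handler(&inv, home_available);
    return inv;
}

int main(void)
{
    Invocation bad = run_handler(handler_reported, 0);
    Invocation good = run_handler(handler_single_reply, 0);
    printf("reported:     replies=%d over_release=%d\n", bad.replies_sent, bad.over_release);
    printf("single reply: replies=%d over_release=%d\n", good.replies_sent, good.over_release);
    return 0;
}
```

The same invariant (one reply, one release per invocation) is what a review of the other `throw_error` call sites in `user.c` would check for.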
[Dx-packages] [Bug 2024182] Re: GHSL-2023-139: use-after-free in user.c
** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/2024182
[Dx-packages] [Bug 2024560] Re: Check if 0010-set-language needs to be update for the new languages property
It's probably because you still have that colon separated list in your keyfile in /var/lib/AccountsService/users after having played with version 23.13.9-1ubuntu1.

* Go to Settings -> Region & Language (it will complain there too)
* Change the language to French, which alters the applicable keyfile entry to "Languages=fr;"

Does that fix it?

** Changed in: accountsservice (Ubuntu)
       Status: Confirmed => Incomplete

https://bugs.launchpad.net/bugs/2024560

Title: Check if 0010-set-language needs to be update for the new languages property

Status in accountsservice package in Ubuntu: Incomplete

Bug description:
Upstream did changes to add a languages properties
https://gitlab.freedesktop.org/accountsservice/accountsservice/-/commit/881e0ea7

I've rebased 0010-set-language to apply correctly but we should review if we need to adapt the patch to apply a similar logic to the new languages property that it's doing for old language one

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/2024560/+subscriptions

--
Mailing list: https://launchpad.net/~dx-packages
Post to     : dx-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dx-packages
More help   : https://help.launchpad.net/ListHelp
[Dx-packages] [Bug 2024560] Re: Check if 0010-set-language needs to be update for the new languages property
I'm reopening because I think there is still work to be done there, opening the users panel in setting leads to those warnings

10:11:00.4223 **[19511]: WARNING: Couldn't get locale for language: fr_FR:en
10:11:00.4224 GnomeDesktop[19511]:CRITICAL: gnome_get_language_from_locale: assertion '*locale != '\0'' failed

ii  accountsservice  23.13.9-2ubuntu1  amd64  query and manipulate user account information

** Changed in: accountsservice (Ubuntu)
       Status: Fix Released => Confirmed

https://bugs.launchpad.net/bugs/2024560

Title: Check if 0010-set-language needs to be update for the new languages property

Status in accountsservice package in Ubuntu: Confirmed
[Dx-packages] [Bug 2015962] Re: indicator-messages-service crashed with SIGSEGV in g_type_check_instance() from g_signal_handlers_disconnect_matched() from act_user_manager_finalize() from g_object_un
This bug was fixed in the package accountsservice - 23.13.9-2ubuntu1

---
accountsservice (23.13.9-2ubuntu1) mantic; urgency=medium

  * Includes some extra upstream bugfixes

accountsservice (23.13.9-2) unstable; urgency=medium

  * debian/patches/git_user_manager.patch:
    - Disconnect from manager signals when freeing a request and resolve
      indicator-messages crashing on logout (lp: #2015962)
  * debian/patches/git_default_gdm.patch:
    - default to gdm if there display-manager.service isn't a known target,
      which is the case for our gdm called gdm3, fixes the service crashing
      when trying to toggle autologin (lp: #2024870)

 -- Sebastien Bacher Mon, 26 Jun 2023 16:25:07 +0200

** Changed in: accountsservice (Ubuntu)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/2015962

Title: indicator-messages-service crashed with SIGSEGV in g_type_check_instance() from g_signal_handlers_disconnect_matched() from act_user_manager_finalize() from g_object_unref() from im_accounts_service_dispose()

Status in accountsservice: Fix Released
Status in accountsservice package in Ubuntu: Fix Released
Status in ayatana-indicator-messages package in Ubuntu: In Progress
Status in indicator-messages package in Ubuntu: Fix Released

Bug description:
The Ubuntu Error Tracker has been receiving reports about a problem regarding indicator-messages. This problem was most recently seen with package version 13.10.1+18.10.20180918-0ubuntu3, the problem page at https://errors.ubuntu.com/problem/94c77bb11d79da78a8cb610adb9252f41d2ab4a4 contains more details, including versions of packages affected, stacktrace or traceback, and individual crash reports.
If you do not have access to the Ubuntu Error Tracker and are a software developer, you can request it at http://forms.canonical.com/reports/.
[Dx-packages] [Bug 2024560] Re: Check if 0010-set-language needs to be update for the new languages property
This bug was fixed in the package accountsservice - 23.13.9-2ubuntu1

** Changed in: accountsservice (Ubuntu)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/2024560

Title: Check if 0010-set-language needs to be update for the new languages property

Status in accountsservice package in Ubuntu: Fix Released
[Dx-packages] [Bug 2024870] Re: accountsservice segfault when toggling autologin
This bug was fixed in the package accountsservice - 23.13.9-2ubuntu1

** Changed in: accountsservice (Ubuntu)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/2024870

Title: accountsservice segfault when toggling autologin

Status in accountsservice package in Ubuntu: Fix Released

Bug description:
Error encountered after first boot ubuntu-gnome-desktop installed on LiveServer Daily 23.10 attempting to set AutoLogin in Settings>User.

ProblemType: Crash
DistroRelease: Ubuntu 23.10
Package: accountsservice 23.13.9-1ubuntu1
Uname: Linux 6.3.0-7-generic x86_64
Architecture: amd64
Date: Thu Jun 22 21:28:14 2023
ExecutablePath: /usr/libexec/accounts-daemon
ExecutableTimestamp: 1687359023
ProcCmdline: /usr/libexec/accounts-daemon
ProcCwd: /
ProcEnviron:
 LANG=en_US.UTF-8
 PATH=(custom, no user)
Signal: 11
SourcePackage: accountsservice
UserGroups: N/A
[Dx-packages] [Bug 2025210] [NEW] make failed with new version glib
Public bug reported:

$ make
/Library/Developer/CommandLineTools/usr/bin/make all-recursive
Making all in libindicator
( cd . && /opt/homebrew/bin/glib-mkenums --template /Users/daobingli/workspace/foss/libindicator-12.10.1/libindicator/indicator-object-enum-types.c.template \
 indicator.h indicator-desktop-shortcuts.h indicator-image-helper.h indicator-object.h indicator-service.h indicator-service-manager.h ) > tmp-indicator-object-enum-types.c \
 && (cmp -s tmp-indicator-object-enum-types.c indicator-object-enum-types.c || cp tmp-indicator-object-enum-types.c indicator-object-enum-types.c ) \
 && rm -f tmp-indicator-object-enum-types.c
/Library/Developer/CommandLineTools/usr/bin/make all-am
  CC libindicator3_la-indicator-object.lo
indicator-object.c:129:2: error: 'g_type_class_add_private' is deprecated [-Werror,-Wdeprecated-declarations]
        g_type_class_add_private (klass, sizeof (IndicatorObjectPrivate));
        ^
/opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/gobject/gtype.h:1382:1: note: 'g_type_class_add_private' has been explicitly marked deprecated here
GOBJECT_DEPRECATED_IN_2_58
^
/opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/gobject/gobject-visibility.h:581:36: note: expanded from macro 'GOBJECT_DEPRECATED_IN_2_58'
#define GOBJECT_DEPRECATED_IN_2_58 GOBJECT_DEPRECATED
                                   ^
/opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/gobject/gobject-visibility.h:30:28: note: expanded from macro 'GOBJECT_DEPRECATED'
#define GOBJECT_DEPRECATED G_DEPRECATED _GOBJECT_EXTERN
                           ^
/opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/glib/gmacros.h:1262:37: note: expanded from macro 'G_DEPRECATED'
#define G_DEPRECATED __attribute__((__deprecated__))
                                    ^
indicator-object.c:305:34: warning: Deprecated pre-processor symbol: replace with "G_ADD_PRIVATE" [-W#pragma-messages]
        IndicatorObjectPrivate * priv = G_TYPE_INSTANCE_GET_PRIVATE (self, INDICATOR_OBJECT_TYPE, IndicatorObjectPrivate);
                                        ^
/opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/gobject/gtype.h:686:145: note: expanded from macro 'G_TYPE_INSTANCE_GET_PRIVATE'
#define G_TYPE_INSTANCE_GET_PRIVATE(instance, g_type, c_type) ((c_type*) g_type_instance_get_private ((GTypeInstance*) (instance), (g_type))) GOBJECT_DEPRECATED_MACRO_IN_2_58_FOR(G_ADD_PRIVATE)
                                                                                                                                              ^
/opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/gobject/gobject-visibility.h:584:49: note: expanded from macro 'GOBJECT_DEPRECATED_MACRO_IN_2_58_FOR'
#define GOBJECT_DEPRECATED_MACRO_IN_2_58_FOR(f) GLIB_DEPRECATED_MACRO_FOR (f)
                                                ^
/opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/glib/gmacros.h:1299:3: note: expanded from macro 'GLIB_DEPRECATED_MACRO_FOR'
  _GLIB_GNUC_DO_PRAGMA(GCC warning G_STRINGIFY (Deprecated pre-processor symbol: replace with #f))
  ^
/opt/homebrew/Cellar/glib/2.76.3/include/glib-2.0/glib/gmacros.h:1296:33: note: expanded from macro '_GLIB_GNUC_DO_PRAGMA'
#define _GLIB_GNUC_DO_PRAGMA(x) _Pragma(G_STRINGIFY (x))
                                ^
:17:6: note: expanded from here
 GCC warning "Deprecated pre-processor symbol: replace with \"G_ADD_PRIVATE\""
     ^
1 warning and 1 error generated.
make[3]: *** [libindicator3_la-indicator-object.lo] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

** Affects: libindicator (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2025210

Title: make failed with new version glib

Status in libindicator package in Ubuntu: New