Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package gvfs to fix a missing authorization check on a private D-Bus socket (no CVE ID yet). This also adds some security hardening that was applied upstream at the same time (restricting D-Bus authentication mechanisms on the private socket to only accept EXTERNAL, which is the simplest and most robust mechanism available). unblock gvfs/1.38.1-5
diffstat for gvfs-1.38.1 gvfs-1.38.1 changelog | 13 + patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch | 89 ++++++++++ patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch | 51 +++++ patches/ref-jobs-in-thread.patch | 8 patches/series | 2 5 files changed, 159 insertions(+), 4 deletions(-)
diff -Nru gvfs-1.38.1/debian/changelog gvfs-1.38.1/debian/changelog
--- gvfs-1.38.1/debian/changelog 2019-06-05 08:34:17.000000000 +0100
+++ gvfs-1.38.1/debian/changelog 2019-06-11 12:28:34.000000000 +0100
@@ -1,3 +1,16 @@
+gvfs (1.38.1-5) unstable; urgency=high
+
+ * Team upload
+ * d/p/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch:
+ Add missing authentication, preventing a local attacker from connecting
+ to an abstract socket address learned from netstat(8) and issuing
+ arbitrary D-Bus method calls
+ * d/p/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch:
+ Harden private D-Bus connection by rejecting the more complicated
+ DBUS_COOKIE_SHA1 authentication mechanism and only accepting EXTERNAL.
+
+ -- Simon McVittie <s...@debian.org> Tue, 11 Jun 2019 12:28:34 +0100
+
 gvfs (1.38.1-4) unstable; urgency=high
 
 * Team upload
diff -Nru gvfs-1.38.1/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch gvfs-1.38.1/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch
--- gvfs-1.38.1/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch 1970-01-01 01:00:00.000000000 +0100
+++ gvfs-1.38.1/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch 2019-06-11 12:28:34.000000000 +0100
@@ -0,0 +1,89 @@
+From: Simon McVittie <s...@collabora.com>
+Date: Wed, 5 Jun 2019 13:33:38 +0100
+Subject: gvfsdaemon: Check that the connecting client is the same user
+
+Otherwise, an attacker who learns the abstract socket address from
+netstat(8) or similar could connect to it and issue D-Bus method
+calls.
+
+Signed-off-by: Simon McVittie <s...@collabora.com>
+Applied-upstream: 1.38.3, commit:e3808a1b4042761055b1d975333a8243d67b8bfe
+---
+ daemon/gvfsdaemon.c | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
+index 406d4f8..be148a7 100644
+--- a/daemon/gvfsdaemon.c
++++ b/daemon/gvfsdaemon.c
+@@ -79,6 +79,7 @@ struct _GVfsDaemon
+
+ gint mount_counter;
+
++ GDBusAuthObserver *auth_observer;
+ GDBusConnection *conn;
+ GVfsDBusDaemon *daemon_skeleton;
+ GVfsDBusMountable *mountable_skeleton;
+@@ -171,6 +172,8 @@ g_vfs_daemon_finalize (GObject *object)
+ }
+ if (daemon->conn != NULL)
+ g_object_unref (daemon->conn);
++ if (daemon->auth_observer != NULL)
++ g_object_unref (daemon->auth_observer);
+
+ g_hash_table_destroy (daemon->registered_paths);
+ g_hash_table_destroy (daemon->client_connections);
+@@ -236,6 +239,35 @@ name_vanished_handler (GDBusConnection *connection,
+ daemon->lost_main_daemon = TRUE;
+ }
+
++/*
++ * Authentication observer signal handler that authorizes connections
++ * from the same uid as this process. This matches the behaviour of a
++ * libdbus DBusServer/DBusConnection when no DBusAllowUnixUserFunction
++ * has been set, but is not the default in GDBus.
++ */
++static gboolean
++authorize_authenticated_peer_cb (GDBusAuthObserver *observer,
++ G_GNUC_UNUSED GIOStream *stream,
++ GCredentials *credentials,
++ G_GNUC_UNUSED gpointer user_data)
++{
++ gboolean authorized = FALSE;
++
++ if (credentials != NULL)
++ {
++ GCredentials *own_credentials;
++
++ own_credentials = g_credentials_new ();
++
++ if (g_credentials_is_same_user (credentials, own_credentials, NULL))
++ authorized = TRUE;
++
++ g_object_unref (own_credentials);
++ }
++
++ return authorized;
++}
++
+ static void
+ g_vfs_daemon_init (GVfsDaemon *daemon)
+ {
+@@ -265,6 +297,8 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
+
+ daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
+ g_assert (daemon->conn != NULL);
++ daemon->auth_observer = g_dbus_auth_observer_new ();
++ g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
+
+ daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
+ g_signal_connect (daemon->daemon_skeleton, "handle-get-connection", G_CALLBACK (handle_get_connection), daemon);
+@@ -876,7 +910,7 @@ handle_get_connection (GVfsDBusDaemon *object,
+ server = g_dbus_server_new_sync (address1,
+ G_DBUS_SERVER_FLAGS_NONE,
+ guid,
+- NULL, /* GDBusAuthObserver */
++ daemon->auth_observer,
+ NULL, /* GCancellable */
+ &error);
+ g_free (guid);
diff -Nru gvfs-1.38.1/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch gvfs-1.38.1/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch
--- gvfs-1.38.1/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch 1970-01-01 01:00:00.000000000 +0100
+++ gvfs-1.38.1/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch 2019-06-11 12:28:34.000000000 +0100
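Review bot: In `authorize_authenticated_peer_cb` the last argument to `g_credentials_is_same_user` is `NULL`, so a failure to compare credentials cannot be told apart from a peer running as another uid, and neither outcome is logged. Both paths fail closed, which is the right default, but a refused connection on this private socket is useful evidence when investigating local probing. I would pass a `GError **` and report the refusal at debug level, e.g. `if (!g_credentials_is_same_user (credentials, own_credentials, &error)) g_debug ("Rejecting D-Bus peer: %s", error ? error->message : "different uid");` followed by `g_clear_error (&error);`. The comment could also state that `NULL` credentials are rejected. The body of `handle_get_connection` continues outside the last inner hunk, so whether any other `g_dbus_server_new_sync` call still passes a `NULL` observer cannot be confirmed from here.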
@@ -0,0 +1,51 @@
+From: Simon McVittie <s...@collabora.com>
+Date: Wed, 5 Jun 2019 13:36:52 +0100
+Subject: gvfsdaemon: Only accept EXTERNAL authentication
+
+EXTERNAL is the mechanism recommended in the D-Bus Specification for
+all platforms where it is supported (including Linux, *BSD, Solaris
+and Hurd), and is the only mechanism allowed by the session or system
+dbus-daemon in their default configurations. It is considerably simpler
+than DBUS_COOKIE_SHA1 and relies on fewer assumptions.
+
+Signed-off-by: Simon McVittie <s...@collabora.com>
+Applied-upstream: 1.38.3, commit:756edf6692aa245faedc9573bf88bfe78af3ead3
+---
+ daemon/gvfsdaemon.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
+index be148a7..0946f41 100644
+--- a/daemon/gvfsdaemon.c
++++ b/daemon/gvfsdaemon.c
+@@ -239,6 +239,22 @@ name_vanished_handler (GDBusConnection *connection,
+ daemon->lost_main_daemon = TRUE;
+ }
+
++/*
++ * Authentication observer signal handler that rejects all authentication
++ * mechanisms except for EXTERNAL (credentials-passing), which is the
++ * recommended authentication mechanism for AF_UNIX sockets.
++ */
++static gboolean
++allow_mechanism_cb (GDBusAuthObserver *observer,
++ const gchar *mechanism,
++ G_GNUC_UNUSED gpointer user_data)
++{
++ if (g_strcmp0 (mechanism, "EXTERNAL") == 0)
++ return TRUE;
++
++ return FALSE;
++}
++
+ /*
+ * Authentication observer signal handler that authorizes connections
+ * from the same uid as this process. This matches the behaviour of a
+@@ -298,6 +314,7 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
+ daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
+ g_assert (daemon->conn != NULL);
+ daemon->auth_observer = g_dbus_auth_observer_new ();
++ g_signal_connect (daemon->auth_observer, "allow-mechanism", G_CALLBACK (allow_mechanism_cb), NULL);
+ g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
+
+ daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
diff -Nru gvfs-1.38.1/debian/patches/ref-jobs-in-thread.patch gvfs-1.38.1/debian/patches/ref-jobs-in-thread.patch
--- gvfs-1.38.1/debian/patches/ref-jobs-in-thread.patch 2019-06-05 08:34:17.000000000 +0100
+++ gvfs-1.38.1/debian/patches/ref-jobs-in-thread.patch 2019-06-11 12:28:34.000000000 +0100
@@ -39,10 +39,10 @@ } diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c -index 406d4f8..61e5904 100644 +index 0946f41..e35d7f7 100644 --- a/daemon/gvfsdaemon.c +++ b/daemon/gvfsdaemon.c -@@ -206,6 +206,7 @@ job_handler_callback (gpointer data, +@@ -209,6 +209,7 @@ job_handler_callback (gpointer data, GVfsJob *job = G_VFS_JOB (data); g_vfs_job_run (job); @@ -50,7 +50,7 @@ } static void -@@ -597,7 +598,8 @@ g_vfs_daemon_queue_job (GVfsDaemon *daemon, +@@ -648,7 +649,8 @@ g_vfs_daemon_queue_job (GVfsDaemon *daemon, if (!g_vfs_job_try (job)) { /* Couldn't finish / run async, queue worker thread */ @@ -60,7 +60,7 @@ } } -@@ -1118,7 +1120,8 @@ void +@@ -1169,7 +1171,8 @@ void g_vfs_daemon_run_job_in_thread (GVfsDaemon *daemon, GVfsJob *job) {
diff -Nru gvfs-1.38.1/debian/patches/series gvfs-1.38.1/debian/patches/series
--- gvfs-1.38.1/debian/patches/series 2019-06-05 08:34:17.000000000 +0100
+++ gvfs-1.38.1/debian/patches/series 2019-06-11 12:28:34.000000000 +0100
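Review bot: The comment above `allow_mechanism_cb` does not say what happens to a `NULL` or unrecognised mechanism name; `g_strcmp0` is NULL-safe, so both reach `return FALSE` and the callback fails closed, which deserves one sentence such as `Any other mechanism name, including NULL, is rejected.` As a point of style the body reduces to `return g_strcmp0 (mechanism, "EXTERNAL") == 0;`, and `observer` is unused in both callbacks but lacks the `G_GNUC_UNUSED` that `user_data` carries. Because EXTERNAL depends on credentials passing and `authorize_authenticated_peer_cb` rejects `NULL` credentials, a platform without credentials passing would presumably refuse every client on this socket; the comment could record that this is the intended outcome.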
@@ -10,6 +10,8 @@
 admin-Allow-changing-file-owner.patch
 admin-Use-fsuid-to-ensure-correct-file-ownership.patch
 admin-Ensure-correct-ownership-when-moving-to-file-uri.patch
+gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch
+gvfsdaemon-Only-accept-EXTERNAL-authentication.patch
 02_polkit_sudo_group.patch
 metadata-nuke-junk-data.patch
 dont-crash-on-null-job.patch