[Touch-packages] [Bug 2024182] Re: GHSL-2023-139: use-after-free in user.c

2023-06-29 Thread Launchpad Bug Tracker
This bug was fixed in the package accountsservice - 23.13.9-2ubuntu2

---
accountsservice (23.13.9-2ubuntu2) mantic; urgency=medium

  * SECURITY UPDATE: use-after-free in user.c (LP: #2024182)
    - debian/patches/0010-set-language.patch: updated to properly return
      from functions after throw_error() has been called.
    - CVE-2023-3297

 -- Marc Deslauriers   Wed, 28 Jun 2023 11:10:09 -0400

** Changed in: accountsservice (Ubuntu Mantic)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to accountsservice in Ubuntu.
https://bugs.launchpad.net/bugs/2024182

Title:
  GHSL-2023-139: use-after-free in user.c

Status in accountsservice package in Ubuntu:
  Fix Released
Status in accountsservice source package in Focal:
  Fix Released
Status in accountsservice source package in Jammy:
  Fix Released
Status in accountsservice source package in Kinetic:
  Fix Released
Status in accountsservice source package in Lunar:
  Fix Released
Status in accountsservice source package in Mantic:
  Fix Released

Bug description:
  # GitHub Security Lab (GHSL) Vulnerability Report, accountsservice:
  `GHSL-2023-139`

  The [GitHub Security Lab](https://securitylab.github.com) team has
  identified a potential security vulnerability in
  [accountsservice](https://code.launchpad.net/ubuntu/+source/accountsservice).

  We are committed to working with you to help resolve this issue. In
  this report you will find everything you need to effectively
  coordinate a resolution of this issue with the GHSL team.

  If at any point you have concerns or questions about this process,
  please do not hesitate to reach out to us at `security...@github.com`
  (please include `GHSL-2023-139` as a reference).

  If you are _NOT_ the correct point of contact for this report, please
  let us know!

  ## Summary

  An unprivileged local attacker can trigger a use-after-free
  vulnerability in accountsservice by sending a D-Bus message to the
  accounts-daemon process.

  ## Product

  accountsservice

  ## Tested Version

  [22.08.8-1ubuntu7](https://launchpad.net/ubuntu/+source/accountsservice/22.08.8-1ubuntu7)

  The bug is easier to observe on Ubuntu 23.04 than on Ubuntu 22.04 LTS,
  but it is present on both.

  ## Details

  ### Use-after-free when `throw_error` is called (`GHSL-2023-139`)

  After receiving a D-Bus [method call](https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-types),
  a D-Bus server is expected to send either a `METHOD_RETURN` or an `ERROR`
  message back to the client, _but not both_. This is done incorrectly in
  several places in accountsservice. For example, in
  [`user_change_language_authorized_cb`](https://git.launchpad.net/ubuntu/+source/accountsservice/tree/debian/patches/0010-set-language.patch?h=import/22.08.8-1ubuntu7#n427):

  ```c
  static void
  user_change_language_authorized_cb (Daemon                *daemon,
                                      User                  *user,
                                      GDBusMethodInvocation *context,
                                      gpointer               data)
  {
          const gchar *language = data;

          if (!user_HOME_available (user)) {
                  /* SetLanguage was probably called from a login greeter,
                     and HOME not mounted and/or not decrypted.
                     Hence don't save anything, or else accountsservice
                     and ~/.pam_environment would become out of sync. */
                  throw_error (context, ERROR_FAILED, "not access to HOME yet so language not saved");  /* <= 1 */
                  goto out;
          }

  out:
          accounts_user_complete_set_language (ACCOUNTS_USER (user), context);  /* <= 2 */
  }
  ```

  If `user_HOME_available` returns an error, then `throw_error` is
  called at 1 to send an `ERROR` message, but a regular `METHOD_RETURN`
  is also sent at 2. This is incorrect D-Bus protocol, but the more
  serious problem is that it causes a use-after-free because both
  `throw_error` and `accounts_user_complete_set_language` decrease the
  reference count on `context`. In other words, `context` is freed by
  `throw_error` and a UAF occurs in
  `accounts_user_complete_set_language`.

  An attacker can trigger the bug above by causing `user_HOME_available`
  to fail, which they can do by deleting all the files from their home
  directory. But there are other incorrect uses of `throw_error` in
  `user.c` which are less inconvenient to trigger. For example, this
  command triggers a call to `throw_error` in `user_update_environment`
  due to the invalid characters in the string.

  ```bash
  dbus-send --system --print-reply --dest=org.freedesktop.Accounts \
      /org/freedesktop/Accounts/User`id -u` \
      org.freedesktop.Accounts.User.SetLanguage string:'**'
  ```

  On Ubuntu 23.04, the above command causes `accounts-daemon` to crash
  with a `SIGSEGV`. But on Ubuntu 22.04 LTS it doesn't cause any visible
  harm. The difference is due to a recent [change in GLib's](https://gitlab.gnome.org/GNOME/glib/-/commit/69e9ba80e2f4d2061a1a68d72bae1c32c1e4f8fa)
  memory allocation: older versions of GLib used the "slice" allocator,
  but newer versions use the system allocator. The system allocator
  trashes the memory when it's freed in a way that causes the use-after-free
  to trigger a
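
The ownership rule the report relies on, as an added illustration (this is example code written for this page, not code from the GHSL report or from accountsservice, and it does not use GLib): a small C model in which every reply function consumes the caller's reference to the invocation, which is the documented behaviour of `g_dbus_method_invocation_return_error()` and of the `*_complete_*()` functions generated by gdbus-codegen. The names `method_invocation`, `invocation_reply`, `throw_error_model`, `complete_set_language_model`, `reply_outcome` and `run_handler` are constructed for the example. It runs the vulnerable fall-through shape from the report next to the early-return shape the changelog entry describes, and counts how many replies each sends and how many times it touches an invocation that has already been released.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of a GDBusMethodInvocation, constructed for this example (not
 * GLib): it only tracks ownership and reply count, which is all the bug turns on. */
typedef struct {
        bool released;   /* true once the owning reference has been dropped */
        int  replies;    /* METHOD_RETURN or ERROR messages actually sent */
        int  uaf_hits;   /* reply attempts made after the object was released */
} method_invocation;

/* Every reply path takes ownership of the invocation: sending the reply drops
 * the last reference, as the report says of throw_error() and
 * accounts_user_complete_set_language(). */
static bool invocation_reply (method_invocation *inv, const char *kind)
{
        (void) kind;
        if (inv->released) {
                inv->uaf_hits++;  /* the real code dereferences freed memory here */
                return false;
        }
        inv->replies++;
        inv->released = true;
        return true;
}

/* Stand-ins (assumed names) for the two accountsservice reply helpers. */
static bool throw_error_model (method_invocation *context, const char *message)
{
        (void) message;
        return invocation_reply (context, "ERROR");
}

static bool complete_set_language_model (method_invocation *context)
{
        return invocation_reply (context, "METHOD_RETURN");
}

/* Vulnerable shape from the report: the error path jumps to `out`, where the
 * success reply is sent on an invocation that throw_error already released. */
static void set_language_vulnerable (method_invocation *context, bool home_available)
{
        if (!home_available) {
                throw_error_model (context, "not access to HOME yet so language not saved");
                goto out;
        }
        /* ... language is saved here ... */
out:
        complete_set_language_model (context);
}

/* Fixed shape matching the changelog entry: return right after throw_error, so
 * each method call gets exactly one reply and the reference is dropped once. */
static void set_language_fixed (method_invocation *context, bool home_available)
{
        if (!home_available) {
                throw_error_model (context, "not access to HOME yet so language not saved");
                return;
        }
        /* ... language is saved here ... */
        complete_set_language_model (context);
}

typedef struct { int replies; int uaf_hits; } reply_outcome;

/* Run a handler on a fresh invocation and report how it treated the object. */
static reply_outcome run_handler (void (*handler) (method_invocation *, bool), bool home_available)
{
        method_invocation inv;
        reply_outcome o;

        memset (&inv, 0, sizeof inv);
        handler (&inv, home_available);
        o.replies = inv.replies;
        o.uaf_hits = inv.uaf_hits;
        return o;
}

int main (void)
{
        reply_outcome bad = run_handler (set_language_vulnerable, false);
        reply_outcome good = run_handler (set_language_fixed, false);

        printf ("vulnerable handler: %d reply, %d use-after-release\n", bad.replies, bad.uaf_hits);
        printf ("fixed handler:      %d reply, %d use-after-release\n", good.replies, good.uaf_hits);
        return 0;
}
```

Both handlers put exactly one message on the bus, which is why the bug is invisible at the protocol level on Ubuntu 22.04; the vulnerable one additionally touches the invocation after the reference is gone, and only the allocator decides whether that shows up as a crash. The review check this suggests is mechanical: in every handler, each call that replies to the invocation must be the last thing on its path (a `return` straight after it), and a build of the daemon under AddressSanitizer with GLib's slice allocator bypassed (`G_SLICE=always-malloc` on older GLib) reports the second use as a heap-use-after-free independently of which allocator the distribution ships.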

[Touch-packages] [Bug 2024182] Re: GHSL-2023-139: use-after-free in user.c

2023-06-28 Thread Ubuntu Foundations Team Bug Bot
** Tags added: patch


Title:
  GHSL-2023-139: use-after-free in user.c

Status in accountsservice package in Ubuntu:
  In Progress
Status in accountsservice source package in Focal:
  Fix Released
Status in accountsservice source package in Jammy:
  Fix Released
Status in accountsservice source package in Kinetic:
  Fix Released
Status in accountsservice source package in Lunar:
  Fix Released
Status in accountsservice source package in Mantic:
  In Progress

[Touch-packages] [Bug 2024182] Re: GHSL-2023-139: use-after-free in user.c

2023-06-28 Thread Marc Deslauriers
** Information type changed from Private Security to Public Security


Title:
  GHSL-2023-139: use-after-free in user.c

Status in accountsservice package in Ubuntu:
  In Progress
Status in accountsservice source package in Focal:
  Fix Released
Status in accountsservice source package in Jammy:
  Fix Released
Status in accountsservice source package in Kinetic:
  Fix Released
Status in accountsservice source package in Lunar:
  Fix Released
Status in accountsservice source package in Mantic:
  In Progress
