From 22925147a16c5770a500c2c61c267382599a7205 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 29 2020 07:05:17 +0000 Subject: import dbus-1.10.24-15.el7 --- diff --git a/SOURCES/dbus-1.10.24-fix-CVE-2019-12749.patch b/SOURCES/dbus-1.10.24-fix-CVE-2019-12749.patch new file mode 100644 index 0000000..84e1686 --- /dev/null +++ b/SOURCES/dbus-1.10.24-fix-CVE-2019-12749.patch @@ -0,0 +1,119 @@ +From 525c2314c56504fb232f9ec7f25cf7dda4d4a1c4 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Thu, 30 May 2019 12:53:03 +0100 +Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server + owner + +The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership +of a shared home directory by having the server write a secret "cookie" +into a .dbus-keyrings subdirectory of the desired identity's home +directory with 0700 permissions, and having the client prove that it can +read the cookie. This never actually worked for non-malicious clients in +the case where server uid != client uid (unless the server and client +both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional +Unix uid 0) because an unprivileged server would fail to write out the +cookie, and an unprivileged client would be unable to read the resulting +file owned by the server. + +Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings +is owned by the uid of the server (a side-effect of a check added to +harden our use of XDG_RUNTIME_DIR), further ruling out successful use +by a non-malicious client with a uid differing from the server's. + +Joe Vennix of Apple Information Security discovered that the +implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link +attack: a malicious client with write access to its own home directory +could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to +read and write in unintended locations. In the worst case this could +result in the DBusServer reusing a cookie that is known to the +malicious client, and treating that cookie as evidence that a subsequent +client connection came from an attacker-chosen uid, allowing +authentication bypass. + +This is mitigated by the fact that by default, the well-known system +dbus-daemon (since 2003) and the well-known session dbus-daemon (in +stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL +authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1 +at an early stage, before manipulating cookies. As a result, this +vulnerability only applies to: + +* system or session dbus-daemons with non-standard configuration +* third-party dbus-daemon invocations such as at-spi2-core (although + in practice at-spi2-core also only accepts EXTERNAL by default) +* third-party uses of DBusServer such as the one in Upstart + +Avoiding symlink attacks in a portable way is difficult, because APIs +like openat() and Linux /proc/self/fd are not universally available. +However, because DBUS_COOKIE_SHA1 already doesn't work in practice for +a non-matching uid, we can solve this vulnerability in an easier way +without regressions, by rejecting it early (before looking at +~/.dbus-keyrings) whenever the requested identity doesn't match the +identity of the process hosting the DBusServer. + +Signed-off-by: Simon McVittie +Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269 +Closes: CVE-2019-12749 +--- + dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c +index ea43ce72..c0b7b903 100644 +--- a/dbus/dbus-auth.c ++++ b/dbus/dbus-auth.c +@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth *auth, + DBusString tmp2; + dbus_bool_t retval = FALSE; + DBusError error = DBUS_ERROR_INIT; ++ DBusCredentials *myself = NULL; + + _dbus_string_set_length (&auth->challenge, 0); + +@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth *auth, + return FALSE; + } + ++ myself = _dbus_credentials_new_from_current_process (); ++ ++ if (myself == NULL) ++ goto out; ++ ++ if (!_dbus_credentials_same_user (myself, auth->desired_identity)) ++ { ++ /* ++ * DBUS_COOKIE_SHA1 is not suitable for authenticating that the ++ * client is anyone other than the user owning the process ++ * containing the DBusServer: we probably aren't allowed to write ++ * to other users' home directories. Even if we can (for example ++ * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we ++ * must not, because the other user controls their home directory, ++ * and could carry out symlink attacks to make us read from or ++ * write to unintended locations. It's difficult to avoid symlink ++ * attacks in a portable way, so we just don't try. This isn't a ++ * regression, because DBUS_COOKIE_SHA1 never worked for other ++ * users anyway. ++ */ ++ _dbus_verbose ("%s: client tried to authenticate as \"%s\", " ++ "but that doesn't match this process", ++ DBUS_AUTH_NAME (auth), ++ _dbus_string_get_const_data (data)); ++ retval = send_rejected (auth); ++ goto out; ++ } ++ + /* we cache the keyring for speed, so here we drop it if it's the + * wrong one. FIXME caching the keyring here is useless since we use + * a different DBusAuth for every connection. +@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth *auth, + _dbus_string_zero (&tmp2); + _dbus_string_free (&tmp2); + ++ if (myself != NULL) ++ _dbus_credentials_unref (myself); ++ + return retval; + } + +-- +2.21.0 + diff --git a/SPECS/dbus.spec b/SPECS/dbus.spec index 06f620e..fcedd94 100644 --- a/SPECS/dbus.spec +++ b/SPECS/dbus.spec @@ -18,7 +18,7 @@ Name: dbus Epoch: 1 Version: 1.10.24 -Release: 14%{?dist} +Release: 15%{?dist} Summary: D-BUS message bus Group: System Environment/Libraries @@ -44,8 +44,10 @@ Patch4: dbus-1.10.24-dbus-send-man-page-typo.patch Patch5: 0001-bus-raise-fd-limits-before-dropping-privs.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1470310 Patch6: dbus-1.10.24-dbus-launch-chdir.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1851991 -Patch7: dbus-1.10.24-fix-CVE-2020-12049.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1725571 +Patch7: dbus-1.10.24-fix-CVE-2019-12749.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1851992 +Patch8: dbus-1.10.24-fix-CVE-2020-12049.patch BuildRequires: libtool BuildRequires: expat-devel >= %{expat_version} @@ -148,6 +150,7 @@ in this separate package so server systems need not install X. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 %build # Avoid rpath. @@ -384,8 +387,11 @@ popd %{_includedir}/* %changelog -* Tue Jun 30 2020 David King - 1:1.10.24-14 -- Fix CVE-2020-12049 (#1851991) +* Tue Jun 30 2020 David King - 1:1.10.24-15 +- Fix CVE-2020-12049 (#1851992) + +* Tue Jul 09 2019 David King - 1:1.10.24-14 +- Fix CVE-2019-12749 (#1725571) * Tue Dec 11 2018 David King - 1:1.10.24-13 - Add a symlink for dbus-daemon-launch-helper (#1568856)