Bug#930371: unblock: dbus/1.12.16-1
Package: release.debian.org
Severity: normal
Tags: d-i
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package dbus to fix CVE-2019-12749. I forgot to set high
urgency, so you might want to adjust its age-days too.
Filtered and full diffs are attached (the former has Autotools noise
removed). As usual, I'm happy to revert anything that -release can't
accept, because the whole 1.12.x branch exists for the benefit of
distros with a bugfix-only policy (but having said that, everything
in this particular version is either CVE-2019-12749, tests for it,
or release preparation).
dbus builds udebs, so this will need an ack from debian-boot (although
from comments on #929132 it isn't clear to me whether the udebs are
actually used for anything).
unblock dbus/1.12.16-1
Breakdown of the diff:
> diffstat for dbus-1.12.14 dbus-1.12.16
>
> dbus/dbus-auth.c | 32 ++++++++
CVE-2019-12749
> dbus/dbus-auth-script.c | 87 +++++++++++++++++++++++-
> dbus/dbus-sysdeps-util-unix.c | 40 +++++++++++
> dbus/dbus-sysdeps-util-win.c | 25 ++++++
> dbus/dbus-sysdeps.h | 10 ++
> test/Makefile.am | 2
> test/data/auth/cookie-sha1-username.auth-script | 12 +++
> test/data/auth/cookie-sha1.auth-script | 11 +++
Regression tests for CVE-2019-12749 (these are #ifdef'd out and do
not affect the dbus binary package, although they do end up in the
special debug build in the dbus-tests package)
> NEWS | 18 ++++
> configure.ac | 4 -
> debian/changelog | 15 ++++
Release preparation
> Makefile.in | 4 -
> aminclude_static.am | 2
> bus/Makefile.in | 2
> configure | 26 +++----
> dbus/Makefile.in | 2
> test/Makefile.in | 4 -
Autotools noise from doing the release
Thanks,
smcv
filterdiff -p1 -xMakefile.in -x'*/Makefile.in' -xaminclude_static.am -xconfigure < dbus_1.12.16-1.diff > dbus_1.12.16-1-filtered.diff
diffstat for dbus-1.12.14 dbus-1.12.16
Makefile.in | 4 -
NEWS | 18 ++++
aminclude_static.am | 2
bus/Makefile.in | 2
configure | 26 +++----
configure.ac | 4 -
dbus/Makefile.in | 2
dbus/dbus-auth-script.c | 87 +++++++++++++++++++++++-
dbus/dbus-auth.c | 32 ++++++++
dbus/dbus-sysdeps-util-unix.c | 40 +++++++++++
dbus/dbus-sysdeps-util-win.c | 25 ++++++
dbus/dbus-sysdeps.h | 10 ++
debian/changelog | 15 ++++
test/Makefile.am | 2
test/Makefile.in | 4 -
test/data/auth/cookie-sha1-username.auth-script | 12 +++
test/data/auth/cookie-sha1.auth-script | 11 +++
17 files changed, 272 insertions(+), 24 deletions(-)
diff -Nru dbus-1.12.14/configure.ac dbus-1.12.16/configure.ac
--- dbus-1.12.14/configure.ac 2019-05-17 10:38:45.000000000 +0100
+++ dbus-1.12.16/configure.ac 2019-06-09 13:09:13.000000000 +0100
@@ -3,7 +3,7 @@
m4_define([dbus_major_version], [1])
m4_define([dbus_minor_version], [12])
-m4_define([dbus_micro_version], [14])
+m4_define([dbus_micro_version], [16])
m4_define([dbus_version],
[dbus_major_version.dbus_minor_version.dbus_micro_version])
AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -42,7 +42,7 @@
## increment any time the source changes; set to
## 0 if you increment CURRENT
-LT_REVISION=10
+LT_REVISION=11
## increment if any interfaces have been added; set to 0
## if any interfaces have been changed or removed. removal has
diff -Nru dbus-1.12.14/dbus/dbus-auth.c dbus-1.12.16/dbus/dbus-auth.c
--- dbus-1.12.14/dbus/dbus-auth.c 2017-10-30 12:26:18.000000000 +0000
+++ dbus-1.12.16/dbus/dbus-auth.c 2019-06-09 13:08:12.000000000 +0100
@@ -529,6 +529,7 @@
DBusString tmp2;
dbus_bool_t retval = FALSE;
DBusError error = DBUS_ERROR_INIT;
+ DBusCredentials *myself = NULL;
_dbus_string_set_length (&auth->challenge, 0);
@@ -565,6 +566,34 @@
return FALSE;
}
+ myself = _dbus_credentials_new_from_current_process ();
+
+ if (myself == NULL)
+ goto out;
+
+ if (!_dbus_credentials_same_user (myself, auth->desired_identity))
+ {
+ /*
+ * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
+ * client is anyone other than the user owning the process
+ * containing the DBusServer: we probably aren't allowed to write
+ * to other users' home directories. Even if we can (for example
+ * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
+ * must not, because the other user controls their home directory,
+ * and could carry out symlink attacks to make us read from or
+ * write to unintended locations. It's difficult to avoid symlink
+ * attacks in a portable way, so we just don't try. This isn't a
+ * regression, because DBUS_COOKIE_SHA1 never worked for other
+ * users anyway.
+ */
+ _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
+ "but that doesn't match this process",
+ DBUS_AUTH_NAME (auth),
+ _dbus_string_get_const_data (data));
+ retval = send_rejected (auth);
+ goto out;
+ }
+
/* we cache the keyring for speed, so here we drop it if it's the
* wrong one. FIXME caching the keyring here is useless since we use
* a different DBusAuth for every connection.
@@ -679,6 +708,9 @@
_dbus_string_zero (&tmp2);
_dbus_string_free (&tmp2);
+ if (myself != NULL)
+ _dbus_credentials_unref (myself);
+
return retval;
}
diff -Nru dbus-1.12.14/dbus/dbus-auth-script.c dbus-1.12.16/dbus/dbus-auth-script.c
--- dbus-1.12.14/dbus/dbus-auth-script.c 2017-10-30 12:26:18.000000000 +0000
+++ dbus-1.12.16/dbus/dbus-auth-script.c 2019-06-09 13:08:49.000000000 +0100
@@ -34,6 +34,8 @@
#include "dbus-credentials.h"
#include "dbus-internals.h"
+#include "test/test-utils.h"
+
/**
* @defgroup DBusAuthScript code for running unit test scripts for DBusAuth
* @ingroup DBusInternals
@@ -518,9 +520,43 @@
/* Replace USERID_HEX with our username in hex */
{
int where;
-
- if (_dbus_string_find (&to_send, 0,
- "USERID_HEX", &where))
+
+ if (_dbus_string_find (&to_send, 0, "WRONG_USERID_HEX", &where))
+ {
+ /* This must be checked for before USERID_HEX, because
+ * that's a substring. */
+ DBusString uid;
+
+ if (!_dbus_string_init (&uid))
+ {
+ _dbus_warn ("no memory for uid");
+ _dbus_string_free (&to_send);
+ goto out;
+ }
+
+ if (!_dbus_test_append_different_uid (&uid))
+ {
+ _dbus_warn ("no memory for uid");
+ _dbus_string_free (&to_send);
+ _dbus_string_free (&uid);
+ goto out;
+ }
+
+ _dbus_string_delete (&to_send, where,
+ (int) strlen ("WRONG_USERID_HEX"));
+
+ if (!_dbus_string_hex_encode (&uid, 0, &to_send, where))
+ {
+ _dbus_warn ("no memory to subst WRONG_USERID_HEX");
+ _dbus_string_free (&to_send);
+ _dbus_string_free (&uid);
+ goto out;
+ }
+
+ _dbus_string_free (&uid);
+ }
+ else if (_dbus_string_find (&to_send, 0,
+ "USERID_HEX", &where))
{
DBusString username;
@@ -553,6 +589,51 @@
_dbus_string_free (&username);
}
else if (_dbus_string_find (&to_send, 0,
+ "WRONG_USERNAME_HEX", &where))
+ {
+ /* This must be checked for before USERNAME_HEX, because
+ * that's a substring. */
+#ifdef DBUS_UNIX
+ DBusString username;
+
+ if (!_dbus_string_init (&username))
+ {
+ _dbus_warn ("no memory for username");
+ _dbus_string_free (&to_send);
+ goto out;
+ }
+
+ if (!_dbus_test_append_different_username (&username))
+ {
+ _dbus_warn ("no memory for username");
+ _dbus_string_free (&to_send);
+ _dbus_string_free (&username);
+ goto out;
+ }
+
+ _dbus_string_delete (&to_send, where,
+ (int) strlen ("WRONG_USERNAME_HEX"));
+
+ if (!_dbus_string_hex_encode (&username, 0,
+ &to_send, where))
+ {
+ _dbus_warn ("no memory to subst WRONG_USERNAME_HEX");
+ _dbus_string_free (&to_send);
+ _dbus_string_free (&username);
+ goto out;
+ }
+
+ _dbus_string_free (&username);
+#else
+ /* No authentication mechanism uses the login name on
+ * Windows, so there's no point in it appearing in an
+ * auth script that is not UNIX_ONLY. */
+ _dbus_warn ("WRONG_USERNAME_HEX cannot be used on Windows");
+ _dbus_string_free (&to_send);
+ goto out;
+#endif
+ }
+ else if (_dbus_string_find (&to_send, 0,
"USERNAME_HEX", &where))
{
DBusString username;
diff -Nru dbus-1.12.14/dbus/dbus-sysdeps.h dbus-1.12.16/dbus/dbus-sysdeps.h
--- dbus-1.12.14/dbus/dbus-sysdeps.h 2019-05-13 11:50:32.000000000 +0100
+++ dbus-1.12.16/dbus/dbus-sysdeps.h 2019-06-09 13:08:49.000000000 +0100
@@ -703,6 +703,16 @@
DBusError *error);
void _dbus_rlimit_free (DBusRLimit *lim);
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+_DBUS_GNUC_WARN_UNUSED_RESULT
+dbus_bool_t _dbus_test_append_different_uid (DBusString *uid);
+
+#ifdef DBUS_UNIX
+_DBUS_GNUC_WARN_UNUSED_RESULT
+dbus_bool_t _dbus_test_append_different_username (DBusString *username);
+#endif
+#endif /* DBUS_ENABLE_EMBEDDED_TESTS */
+
/** @} */
DBUS_END_DECLS
diff -Nru dbus-1.12.14/dbus/dbus-sysdeps-util-unix.c dbus-1.12.16/dbus/dbus-sysdeps-util-unix.c
--- dbus-1.12.14/dbus/dbus-sysdeps-util-unix.c 2019-05-13 11:50:32.000000000 +0100
+++ dbus-1.12.16/dbus/dbus-sysdeps-util-unix.c 2019-06-09 13:08:49.000000000 +0100
@@ -1524,3 +1524,43 @@
return _dbus_string_append (str, DBUS_SESSION_CONFIG_FILE);
}
+
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+
+/*
+ * Set uid to a machine-readable authentication identity (numeric Unix
+ * uid or ConvertSidToStringSid-style Windows SID) that is likely to exist,
+ * and differs from the identity of the current process.
+ *
+ * @param uid Populated with a machine-readable authentication identity
+ * on success
+ * @returns #FALSE if no memory
+ */
+dbus_bool_t
+_dbus_test_append_different_uid (DBusString *uid)
+{
+ if (geteuid () == 0)
+ return _dbus_string_append (uid, "65534");
+ else
+ return _dbus_string_append (uid, "0");
+}
+
+/*
+ * Set uid to a human-readable authentication identity (login name)
+ * that is likely to exist, and differs from the identity of the current
+ * process. This function currently only exists on Unix platforms.
+ *
+ * @param uid Populated with a machine-readable authentication identity
+ * on success
+ * @returns #FALSE if no memory
+ */
+dbus_bool_t
+_dbus_test_append_different_username (DBusString *username)
+{
+ if (geteuid () == 0)
+ return _dbus_string_append (username, "nobody");
+ else
+ return _dbus_string_append (username, "root");
+}
+
+#endif
diff -Nru dbus-1.12.14/dbus/dbus-sysdeps-util-win.c dbus-1.12.16/dbus/dbus-sysdeps-util-win.c
--- dbus-1.12.14/dbus/dbus-sysdeps-util-win.c 2019-05-13 11:50:32.000000000 +0100
+++ dbus-1.12.16/dbus/dbus-sysdeps-util-win.c 2019-06-09 13:08:49.000000000 +0100
@@ -1653,3 +1653,28 @@
return _dbus_get_config_file_name(str, "session.conf");
}
+
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+
+#define ANONYMOUS_SID "S-1-5-7"
+#define LOCAL_SYSTEM_SID "S-1-5-18"
+
+dbus_bool_t
+_dbus_test_append_different_uid (DBusString *uid)
+{
+ char *sid = NULL;
+ dbus_bool_t ret;
+
+ if (!_dbus_getsid (&sid, _dbus_getpid ()))
+ return FALSE;
+
+ if (strcmp (sid, ANONYMOUS_SID) == 0)
+ ret = _dbus_string_append (uid, LOCAL_SYSTEM_SID);
+ else
+ ret = _dbus_string_append (uid, ANONYMOUS_SID);
+
+ LocalFree (sid);
+ return ret;
+}
+
+#endif
diff -Nru dbus-1.12.14/debian/changelog dbus-1.12.16/debian/changelog
--- dbus-1.12.14/debian/changelog 2019-05-18 17:37:08.000000000 +0100
+++ dbus-1.12.16/debian/changelog 2019-06-09 21:34:34.000000000 +0100
@@ -1,3 +1,18 @@
+dbus (1.12.16-1) unstable; urgency=medium
+
+ * New upstream stable release
+ - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
+ authentication for identities that differ from the user running the
+ DBusServer. Previously, a local attacker could manipulate symbolic
+ links in their own home directory to bypass authentication and
+ connect to a DBusServer with elevated privileges. The standard
+ system and session dbus-daemons in their default configuration were
+ immune to this attack because they did not allow DBUS_COOKIE_SHA1,
+ but third-party users of DBusServer such as Upstart could be
+ vulnerable.
+
+ -- Simon McVittie <smcv@debian.org> Sun, 09 Jun 2019 21:34:34 +0100
+
dbus (1.12.14-1) unstable; urgency=medium
* New upstream release
diff -Nru dbus-1.12.14/NEWS dbus-1.12.16/NEWS
--- dbus-1.12.14/NEWS 2019-05-17 10:40:49.000000000 +0100
+++ dbus-1.12.16/NEWS 2019-06-09 13:09:13.000000000 +0100
@@ -1,3 +1,21 @@
+dbus 1.12.16 (2019-06-11)
+=========================
+
+The “tree cat” release.
+
+Security fixes:
+
+• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
+ authentication for identities that differ from the user running the
+ DBusServer. Previously, a local attacker could manipulate symbolic
+ links in their own home directory to bypass authentication and connect
+ to a DBusServer with elevated privileges. The standard system and
+ session dbus-daemons in their default configuration were immune to this
+ attack because they did not allow DBUS_COOKIE_SHA1, but third-party
+ users of DBusServer such as Upstart could be vulnerable.
+ Thanks to Joe Vennix of Apple Information Security.
+ (dbus#269, Simon McVittie)
+
dbus 1.12.14 (2019-05-17)
=========================
diff -Nru dbus-1.12.14/test/data/auth/cookie-sha1.auth-script dbus-1.12.16/test/data/auth/cookie-sha1.auth-script
--- dbus-1.12.14/test/data/auth/cookie-sha1.auth-script 1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.12.16/test/data/auth/cookie-sha1.auth-script 2019-06-09 13:16:35.000000000 +0100
@@ -0,0 +1,11 @@
+SERVER
+SEND 'AUTH DBUS_COOKIE_SHA1 WRONG_USERID_HEX'
+EXPECT_COMMAND REJECTED
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+SEND 'AUTH DBUS_COOKIE_SHA1 USERID_HEX'
+EXPECT_COMMAND DATA
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+# We don't actually complete DBUS_COOKIE_SHA1 authentication, because
+# it's non-trivial.
diff -Nru dbus-1.12.14/test/data/auth/cookie-sha1-username.auth-script dbus-1.12.16/test/data/auth/cookie-sha1-username.auth-script
--- dbus-1.12.14/test/data/auth/cookie-sha1-username.auth-script 1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.12.16/test/data/auth/cookie-sha1-username.auth-script 2019-06-09 13:16:35.000000000 +0100
@@ -0,0 +1,12 @@
+UNIX_ONLY
+SERVER
+SEND 'AUTH DBUS_COOKIE_SHA1 WRONG_USERNAME_HEX'
+EXPECT_COMMAND REJECTED
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+SEND 'AUTH DBUS_COOKIE_SHA1 USERNAME_HEX'
+EXPECT_COMMAND DATA
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+# We don't actually complete DBUS_COOKIE_SHA1 authentication, because
+# it's non-trivial.
diff -Nru dbus-1.12.14/test/Makefile.am dbus-1.12.16/test/Makefile.am
--- dbus-1.12.14/test/Makefile.am 2019-05-13 10:33:56.000000000 +0100
+++ dbus-1.12.16/test/Makefile.am 2019-06-09 13:08:49.000000000 +0100
@@ -471,6 +471,8 @@
data/auth/anonymous-server-successful.auth-script \
data/auth/cancel.auth-script \
data/auth/client-out-of-mechanisms.auth-script \
+ data/auth/cookie-sha1-username.auth-script \
+ data/auth/cookie-sha1.auth-script \
data/auth/external-failed.auth-script \
data/auth/external-root.auth-script \
data/auth/external-silly.auth-script \
diffstat for dbus-1.12.14 dbus-1.12.16
Makefile.in | 4 -
NEWS | 18 ++++
aminclude_static.am | 2
bus/Makefile.in | 2
configure | 26 +++----
configure.ac | 4 -
dbus/Makefile.in | 2
dbus/dbus-auth-script.c | 87 +++++++++++++++++++++++-
dbus/dbus-auth.c | 32 ++++++++
dbus/dbus-sysdeps-util-unix.c | 40 +++++++++++
dbus/dbus-sysdeps-util-win.c | 25 ++++++
dbus/dbus-sysdeps.h | 10 ++
debian/changelog | 15 ++++
test/Makefile.am | 2
test/Makefile.in | 4 -
test/data/auth/cookie-sha1-username.auth-script | 12 +++
test/data/auth/cookie-sha1.auth-script | 11 +++
17 files changed, 272 insertions(+), 24 deletions(-)
diff -Nru dbus-1.12.14/aminclude_static.am dbus-1.12.16/aminclude_static.am
--- dbus-1.12.14/aminclude_static.am 2019-05-17 10:41:19.000000000 +0100
+++ dbus-1.12.16/aminclude_static.am 2019-06-09 13:09:33.000000000 +0100
@@ -1,6 +1,6 @@
# aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019
+# from AX_AM_MACROS_STATIC on Sun Jun 9 13:09:33 BST 2019
# Code coverage
diff -Nru dbus-1.12.14/bus/Makefile.in dbus-1.12.16/bus/Makefile.in
--- dbus-1.12.14/bus/Makefile.in 2019-05-17 10:41:19.000000000 +0100
+++ dbus-1.12.16/bus/Makefile.in 2019-06-09 13:09:33.000000000 +0100
@@ -15,7 +15,7 @@
@SET_MAKE@
# aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019
+# from AX_AM_MACROS_STATIC on Sun Jun 9 13:09:33 BST 2019
VPATH = @srcdir@
diff -Nru dbus-1.12.14/configure dbus-1.12.16/configure
--- dbus-1.12.14/configure 2019-05-17 10:41:20.000000000 +0100
+++ dbus-1.12.16/configure 2019-06-09 13:09:33.000000000 +0100
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for dbus 1.12.14.
+# Generated by GNU Autoconf 2.69 for dbus 1.12.16.
#
# Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=dbus>.
#
@@ -591,8 +591,8 @@
# Identity of this package.
PACKAGE_NAME='dbus'
PACKAGE_TARNAME='dbus'
-PACKAGE_VERSION='1.12.14'
-PACKAGE_STRING='dbus 1.12.14'
+PACKAGE_VERSION='1.12.16'
+PACKAGE_STRING='dbus 1.12.16'
PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus'
PACKAGE_URL=''
@@ -1579,7 +1579,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures dbus 1.12.14 to adapt to many kinds of systems.
+\`configure' configures dbus 1.12.16 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1654,7 +1654,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of dbus 1.12.14:";;
+ short | recursive ) echo "Configuration of dbus 1.12.16:";;
esac
cat <<\_ACEOF
@@ -1881,7 +1881,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-dbus configure 1.12.14
+dbus configure 1.12.16
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2657,7 +2657,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by dbus $as_me 1.12.14, which was
+It was created by dbus $as_me 1.12.16, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -3603,7 +3603,7 @@
# Define the identity of the package.
PACKAGE='dbus'
- VERSION='1.12.14'
+ VERSION='1.12.16'
cat >>confdefs.h <<_ACEOF
@@ -3903,7 +3903,7 @@
## increment any time the source changes; set to
## 0 if you increment CURRENT
-LT_REVISION=10
+LT_REVISION=11
## increment if any interfaces have been added; set to 0
## if any interfaces have been changed or removed. removal has
@@ -3918,8 +3918,8 @@
DBUS_MAJOR_VERSION=1
DBUS_MINOR_VERSION=12
-DBUS_MICRO_VERSION=14
-DBUS_VERSION=1.12.14
+DBUS_MICRO_VERSION=16
+DBUS_VERSION=1.12.16
@@ -29013,7 +29013,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by dbus $as_me 1.12.14, which was
+This file was extended by dbus $as_me 1.12.16, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -29079,7 +29079,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-dbus config.status 1.12.14
+dbus config.status 1.12.16
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -Nru dbus-1.12.14/configure.ac dbus-1.12.16/configure.ac
--- dbus-1.12.14/configure.ac 2019-05-17 10:38:45.000000000 +0100
+++ dbus-1.12.16/configure.ac 2019-06-09 13:09:13.000000000 +0100
@@ -3,7 +3,7 @@
m4_define([dbus_major_version], [1])
m4_define([dbus_minor_version], [12])
-m4_define([dbus_micro_version], [14])
+m4_define([dbus_micro_version], [16])
m4_define([dbus_version],
[dbus_major_version.dbus_minor_version.dbus_micro_version])
AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -42,7 +42,7 @@
## increment any time the source changes; set to
## 0 if you increment CURRENT
-LT_REVISION=10
+LT_REVISION=11
## increment if any interfaces have been added; set to 0
## if any interfaces have been changed or removed. removal has
diff -Nru dbus-1.12.14/dbus/dbus-auth.c dbus-1.12.16/dbus/dbus-auth.c
--- dbus-1.12.14/dbus/dbus-auth.c 2017-10-30 12:26:18.000000000 +0000
+++ dbus-1.12.16/dbus/dbus-auth.c 2019-06-09 13:08:12.000000000 +0100
@@ -529,6 +529,7 @@
DBusString tmp2;
dbus_bool_t retval = FALSE;
DBusError error = DBUS_ERROR_INIT;
+ DBusCredentials *myself = NULL;
_dbus_string_set_length (&auth->challenge, 0);
@@ -565,6 +566,34 @@
return FALSE;
}
+ myself = _dbus_credentials_new_from_current_process ();
+
+ if (myself == NULL)
+ goto out;
+
+ if (!_dbus_credentials_same_user (myself, auth->desired_identity))
+ {
+ /*
+ * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
+ * client is anyone other than the user owning the process
+ * containing the DBusServer: we probably aren't allowed to write
+ * to other users' home directories. Even if we can (for example
+ * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
+ * must not, because the other user controls their home directory,
+ * and could carry out symlink attacks to make us read from or
+ * write to unintended locations. It's difficult to avoid symlink
+ * attacks in a portable way, so we just don't try. This isn't a
+ * regression, because DBUS_COOKIE_SHA1 never worked for other
+ * users anyway.
+ */
+ _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
+ "but that doesn't match this process",
+ DBUS_AUTH_NAME (auth),
+ _dbus_string_get_const_data (data));
+ retval = send_rejected (auth);
+ goto out;
+ }
+
/* we cache the keyring for speed, so here we drop it if it's the
* wrong one. FIXME caching the keyring here is useless since we use
* a different DBusAuth for every connection.
@@ -679,6 +708,9 @@
_dbus_string_zero (&tmp2);
_dbus_string_free (&tmp2);
+ if (myself != NULL)
+ _dbus_credentials_unref (myself);
+
return retval;
}
diff -Nru dbus-1.12.14/dbus/dbus-auth-script.c dbus-1.12.16/dbus/dbus-auth-script.c
--- dbus-1.12.14/dbus/dbus-auth-script.c 2017-10-30 12:26:18.000000000 +0000
+++ dbus-1.12.16/dbus/dbus-auth-script.c 2019-06-09 13:08:49.000000000 +0100
@@ -34,6 +34,8 @@
#include "dbus-credentials.h"
#include "dbus-internals.h"
+#include "test/test-utils.h"
+
/**
* @defgroup DBusAuthScript code for running unit test scripts for DBusAuth
* @ingroup DBusInternals
@@ -518,9 +520,43 @@
/* Replace USERID_HEX with our username in hex */
{
int where;
-
- if (_dbus_string_find (&to_send, 0,
- "USERID_HEX", &where))
+
+ if (_dbus_string_find (&to_send, 0, "WRONG_USERID_HEX", &where))
+ {
+ /* This must be checked for before USERID_HEX, because
+ * that's a substring. */
+ DBusString uid;
+
+ if (!_dbus_string_init (&uid))
+ {
+ _dbus_warn ("no memory for uid");
+ _dbus_string_free (&to_send);
+ goto out;
+ }
+
+ if (!_dbus_test_append_different_uid (&uid))
+ {
+ _dbus_warn ("no memory for uid");
+ _dbus_string_free (&to_send);
+ _dbus_string_free (&uid);
+ goto out;
+ }
+
+ _dbus_string_delete (&to_send, where,
+ (int) strlen ("WRONG_USERID_HEX"));
+
+ if (!_dbus_string_hex_encode (&uid, 0, &to_send, where))
+ {
+ _dbus_warn ("no memory to subst WRONG_USERID_HEX");
+ _dbus_string_free (&to_send);
+ _dbus_string_free (&uid);
+ goto out;
+ }
+
+ _dbus_string_free (&uid);
+ }
+ else if (_dbus_string_find (&to_send, 0,
+ "USERID_HEX", &where))
{
DBusString username;
@@ -553,6 +589,51 @@
_dbus_string_free (&username);
}
else if (_dbus_string_find (&to_send, 0,
+ "WRONG_USERNAME_HEX", &where))
+ {
+ /* This must be checked for before USERNAME_HEX, because
+ * that's a substring. */
+#ifdef DBUS_UNIX
+ DBusString username;
+
+ if (!_dbus_string_init (&username))
+ {
+ _dbus_warn ("no memory for username");
+ _dbus_string_free (&to_send);
+ goto out;
+ }
+
+ if (!_dbus_test_append_different_username (&username))
+ {
+ _dbus_warn ("no memory for username");
+ _dbus_string_free (&to_send);
+ _dbus_string_free (&username);
+ goto out;
+ }
+
+ _dbus_string_delete (&to_send, where,
+ (int) strlen ("WRONG_USERNAME_HEX"));
+
+ if (!_dbus_string_hex_encode (&username, 0,
+ &to_send, where))
+ {
+ _dbus_warn ("no memory to subst WRONG_USERNAME_HEX");
+ _dbus_string_free (&to_send);
+ _dbus_string_free (&username);
+ goto out;
+ }
+
+ _dbus_string_free (&username);
+#else
+ /* No authentication mechanism uses the login name on
+ * Windows, so there's no point in it appearing in an
+ * auth script that is not UNIX_ONLY. */
+ _dbus_warn ("WRONG_USERNAME_HEX cannot be used on Windows");
+ _dbus_string_free (&to_send);
+ goto out;
+#endif
+ }
+ else if (_dbus_string_find (&to_send, 0,
"USERNAME_HEX", &where))
{
DBusString username;
diff -Nru dbus-1.12.14/dbus/dbus-sysdeps.h dbus-1.12.16/dbus/dbus-sysdeps.h
--- dbus-1.12.14/dbus/dbus-sysdeps.h 2019-05-13 11:50:32.000000000 +0100
+++ dbus-1.12.16/dbus/dbus-sysdeps.h 2019-06-09 13:08:49.000000000 +0100
@@ -703,6 +703,16 @@
DBusError *error);
void _dbus_rlimit_free (DBusRLimit *lim);
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+_DBUS_GNUC_WARN_UNUSED_RESULT
+dbus_bool_t _dbus_test_append_different_uid (DBusString *uid);
+
+#ifdef DBUS_UNIX
+_DBUS_GNUC_WARN_UNUSED_RESULT
+dbus_bool_t _dbus_test_append_different_username (DBusString *username);
+#endif
+#endif /* DBUS_ENABLE_EMBEDDED_TESTS */
+
/** @} */
DBUS_END_DECLS
diff -Nru dbus-1.12.14/dbus/dbus-sysdeps-util-unix.c dbus-1.12.16/dbus/dbus-sysdeps-util-unix.c
--- dbus-1.12.14/dbus/dbus-sysdeps-util-unix.c 2019-05-13 11:50:32.000000000 +0100
+++ dbus-1.12.16/dbus/dbus-sysdeps-util-unix.c 2019-06-09 13:08:49.000000000 +0100
@@ -1524,3 +1524,43 @@
return _dbus_string_append (str, DBUS_SESSION_CONFIG_FILE);
}
+
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+
+/*
+ * Set uid to a machine-readable authentication identity (numeric Unix
+ * uid or ConvertSidToStringSid-style Windows SID) that is likely to exist,
+ * and differs from the identity of the current process.
+ *
+ * @param uid Populated with a machine-readable authentication identity
+ * on success
+ * @returns #FALSE if no memory
+ */
+dbus_bool_t
+_dbus_test_append_different_uid (DBusString *uid)
+{
+ if (geteuid () == 0)
+ return _dbus_string_append (uid, "65534");
+ else
+ return _dbus_string_append (uid, "0");
+}
+
+/*
+ * Set uid to a human-readable authentication identity (login name)
+ * that is likely to exist, and differs from the identity of the current
+ * process. This function currently only exists on Unix platforms.
+ *
+ * @param uid Populated with a machine-readable authentication identity
+ * on success
+ * @returns #FALSE if no memory
+ */
+dbus_bool_t
+_dbus_test_append_different_username (DBusString *username)
+{
+ if (geteuid () == 0)
+ return _dbus_string_append (username, "nobody");
+ else
+ return _dbus_string_append (username, "root");
+}
+
+#endif
diff -Nru dbus-1.12.14/dbus/dbus-sysdeps-util-win.c dbus-1.12.16/dbus/dbus-sysdeps-util-win.c
--- dbus-1.12.14/dbus/dbus-sysdeps-util-win.c 2019-05-13 11:50:32.000000000 +0100
+++ dbus-1.12.16/dbus/dbus-sysdeps-util-win.c 2019-06-09 13:08:49.000000000 +0100
@@ -1653,3 +1653,28 @@
return _dbus_get_config_file_name(str, "session.conf");
}
+
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+
+#define ANONYMOUS_SID "S-1-5-7"
+#define LOCAL_SYSTEM_SID "S-1-5-18"
+
+dbus_bool_t
+_dbus_test_append_different_uid (DBusString *uid)
+{
+ char *sid = NULL;
+ dbus_bool_t ret;
+
+ if (!_dbus_getsid (&sid, _dbus_getpid ()))
+ return FALSE;
+
+ if (strcmp (sid, ANONYMOUS_SID) == 0)
+ ret = _dbus_string_append (uid, LOCAL_SYSTEM_SID);
+ else
+ ret = _dbus_string_append (uid, ANONYMOUS_SID);
+
+ LocalFree (sid);
+ return ret;
+}
+
+#endif
diff -Nru dbus-1.12.14/dbus/Makefile.in dbus-1.12.16/dbus/Makefile.in
--- dbus-1.12.14/dbus/Makefile.in 2019-05-17 10:41:19.000000000 +0100
+++ dbus-1.12.16/dbus/Makefile.in 2019-06-09 13:09:34.000000000 +0100
@@ -15,7 +15,7 @@
@SET_MAKE@
# aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019
+# from AX_AM_MACROS_STATIC on Sun Jun 9 13:09:33 BST 2019
diff -Nru dbus-1.12.14/debian/changelog dbus-1.12.16/debian/changelog
--- dbus-1.12.14/debian/changelog 2019-05-18 17:37:08.000000000 +0100
+++ dbus-1.12.16/debian/changelog 2019-06-09 21:34:34.000000000 +0100
@@ -1,3 +1,18 @@
+dbus (1.12.16-1) unstable; urgency=medium
+
+ * New upstream stable release
+ - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
+ authentication for identities that differ from the user running the
+ DBusServer. Previously, a local attacker could manipulate symbolic
+ links in their own home directory to bypass authentication and
+ connect to a DBusServer with elevated privileges. The standard
+ system and session dbus-daemons in their default configuration were
+ immune to this attack because they did not allow DBUS_COOKIE_SHA1,
+ but third-party users of DBusServer such as Upstart could be
+ vulnerable.
+
+ -- Simon McVittie <smcv@debian.org> Sun, 09 Jun 2019 21:34:34 +0100
+
dbus (1.12.14-1) unstable; urgency=medium
* New upstream release
diff -Nru dbus-1.12.14/Makefile.in dbus-1.12.16/Makefile.in
--- dbus-1.12.14/Makefile.in 2019-05-17 10:41:19.000000000 +0100
+++ dbus-1.12.16/Makefile.in 2019-06-09 13:09:33.000000000 +0100
@@ -15,7 +15,7 @@
@SET_MAKE@
# aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019
+# from AX_AM_MACROS_STATIC on Sun Jun 9 13:09:33 BST 2019
VPATH = @srcdir@
am__is_gnu_make = { \
@@ -225,7 +225,7 @@
$(top_srcdir)/cmake/DBus1Config.pkgconfig.in \
$(top_srcdir)/cmake/DBus1ConfigVersion.cmake.in AUTHORS \
COPYING ChangeLog INSTALL NEWS README build-aux/compile \
- build-aux/config.guess build-aux/config.sub \
+ build-aux/config.guess build-aux/config.sub build-aux/depcomp \
build-aux/install-sh build-aux/ltmain.sh build-aux/missing
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
diff -Nru dbus-1.12.14/NEWS dbus-1.12.16/NEWS
--- dbus-1.12.14/NEWS 2019-05-17 10:40:49.000000000 +0100
+++ dbus-1.12.16/NEWS 2019-06-09 13:09:13.000000000 +0100
@@ -1,3 +1,21 @@
+dbus 1.12.16 (2019-06-11)
+=========================
+
+The “tree cat” release.
+
+Security fixes:
+
+• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
+ authentication for identities that differ from the user running the
+ DBusServer. Previously, a local attacker could manipulate symbolic
+ links in their own home directory to bypass authentication and connect
+ to a DBusServer with elevated privileges. The standard system and
+ session dbus-daemons in their default configuration were immune to this
+ attack because they did not allow DBUS_COOKIE_SHA1, but third-party
+ users of DBusServer such as Upstart could be vulnerable.
+ Thanks to Joe Vennix of Apple Information Security.
+ (dbus#269, Simon McVittie)
+
dbus 1.12.14 (2019-05-17)
=========================
diff -Nru dbus-1.12.14/test/data/auth/cookie-sha1.auth-script dbus-1.12.16/test/data/auth/cookie-sha1.auth-script
--- dbus-1.12.14/test/data/auth/cookie-sha1.auth-script 1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.12.16/test/data/auth/cookie-sha1.auth-script 2019-06-09 13:16:35.000000000 +0100
@@ -0,0 +1,11 @@
+SERVER
+SEND 'AUTH DBUS_COOKIE_SHA1 WRONG_USERID_HEX'
+EXPECT_COMMAND REJECTED
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+SEND 'AUTH DBUS_COOKIE_SHA1 USERID_HEX'
+EXPECT_COMMAND DATA
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+# We don't actually complete DBUS_COOKIE_SHA1 authentication, because
+# it's non-trivial.
diff -Nru dbus-1.12.14/test/data/auth/cookie-sha1-username.auth-script dbus-1.12.16/test/data/auth/cookie-sha1-username.auth-script
--- dbus-1.12.14/test/data/auth/cookie-sha1-username.auth-script 1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.12.16/test/data/auth/cookie-sha1-username.auth-script 2019-06-09 13:16:35.000000000 +0100
@@ -0,0 +1,12 @@
+UNIX_ONLY
+SERVER
+SEND 'AUTH DBUS_COOKIE_SHA1 WRONG_USERNAME_HEX'
+EXPECT_COMMAND REJECTED
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+SEND 'AUTH DBUS_COOKIE_SHA1 USERNAME_HEX'
+EXPECT_COMMAND DATA
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+# We don't actually complete DBUS_COOKIE_SHA1 authentication, because
+# it's non-trivial.
diff -Nru dbus-1.12.14/test/Makefile.am dbus-1.12.16/test/Makefile.am
--- dbus-1.12.14/test/Makefile.am 2019-05-13 10:33:56.000000000 +0100
+++ dbus-1.12.16/test/Makefile.am 2019-06-09 13:08:49.000000000 +0100
@@ -471,6 +471,8 @@
data/auth/anonymous-server-successful.auth-script \
data/auth/cancel.auth-script \
data/auth/client-out-of-mechanisms.auth-script \
+ data/auth/cookie-sha1-username.auth-script \
+ data/auth/cookie-sha1.auth-script \
data/auth/external-failed.auth-script \
data/auth/external-root.auth-script \
data/auth/external-silly.auth-script \
diff -Nru dbus-1.12.14/test/Makefile.in dbus-1.12.16/test/Makefile.in
--- dbus-1.12.14/test/Makefile.in 2019-05-17 10:41:20.000000000 +0100
+++ dbus-1.12.16/test/Makefile.in 2019-06-09 13:09:34.000000000 +0100
@@ -15,7 +15,7 @@
@SET_MAKE@
# aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019
+# from AX_AM_MACROS_STATIC on Sun Jun 9 13:09:33 BST 2019
@@ -1267,6 +1267,8 @@
data/auth/anonymous-server-successful.auth-script \
data/auth/cancel.auth-script \
data/auth/client-out-of-mechanisms.auth-script \
+ data/auth/cookie-sha1-username.auth-script \
+ data/auth/cookie-sha1.auth-script \
data/auth/external-failed.auth-script \
data/auth/external-root.auth-script \
data/auth/external-silly.auth-script \
Reply to: