
[lintian] 04/06: dbus: add a new tag for excessively broad match rules



This is an automated email from the git hooks/post-receive script.

nthykier pushed a commit to branch master
in repository lintian.

commit 8241b2fd3d8383b5e609374dbf56b646e9754a21
Author: Simon McVittie <smcv@debian.org>
Date:   Wed Jan 28 13:44:18 2015 +0000

    dbus: add a new tag for excessively broad match rules
    
    This check has already found CVE-2014-8148 and the recently
    unembargoed CVE-2014-8156, which I believe are the only ones
    in current Debian. Hopefully having this as a Lintian check
    will protect us from this class of vulnerability.
---
 checks/dbus.desc         | 31 +++++++++++++++++++++++++++++++
 checks/dbus.pm           | 18 ++++++++++++++++++
 t/tests/dbus-policy/tags |  2 ++
 3 files changed, 51 insertions(+)

diff --git a/checks/dbus.desc b/checks/dbus.desc
index 19befb5..c08e3ee 100644
--- a/checks/dbus.desc
+++ b/checks/dbus.desc
@@ -68,6 +68,37 @@ Info: The package contains D-Bus policy configuration that uses
 Ref: https://bugs.freedesktop.org/show_bug.cgi?id=18961,http://lists.freedesktop.org/archives/dbus/2008-February/009401.html
 Experimental: yes
 
+Tag: dbus-policy-excessively-broad
+Severity: serious
+Certainty: possible
+Info: The package contains D-Bus policy configuration that
+ matches broad classes of messages. This will cause strange side-effects,
+ is almost certainly unintended, and is a probable security flaw.
+ .
+ For instance,
+ .
+   &lt;policy user="daemon"&gt;
+     &lt;allow send_type="method_call"/&gt;
+     &lt;allow send_destination="com.example.Bees"/&gt;
+   &lt;/policy&gt;
+ .
+ in any system bus policy file would allow the <tt>daemon</tt> user to send
+ any method call to any service, including method calls which are meant to
+ be restricted to root-only for security, such as
+ <tt>org.freedesktop.systemd1.Manager.StartTransientUnit</tt>. (In addition,
+ it allows that user to send any message to the <tt>com.example.Bees</tt>
+ service.)
+ .
+ The intended policy for that particular example was probably more like
+ .
+   &lt;policy user="daemon"&gt;
+     &lt;allow send_type="method_call" send_destination="com.example.Bees"/&gt;
+   &lt;/policy&gt;
+ .
+ which correctly allows method calls to that particular service only.
+Ref: http://www.openwall.com/lists/oss-security/2015/01/27/25
+Experimental: yes
+
 Tag: dbus-session-service-wrong-name
 Severity: wishlist
 Certainty: certain
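Review bot: the Info text says the policy "matches broad classes of messages" but never tells the maintainer which rules trigger the tag. State the criterion that checks/dbus.pm implements: an <allow> rule with no send_destination whose only restrictions are send_type, send_path, send_member, or send_interface="org.freedesktop.DBus.Properties", the last being flagged because Properties is treated as a meta-interface rather than an effective limitation. Without that sentence, a maintainer whose rule is limited to the Properties interface cannot see from the description why it is reported, and the worked example (which shows only send_type) suggests the tag is narrower than it is.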
diff --git a/checks/dbus.pm b/checks/dbus.pm
index 18c976b..e56d753 100644
--- a/checks/dbus.pm
+++ b/checks/dbus.pm
@@ -61,6 +61,8 @@ sub run {
     return;
 }
 
+my $PROPERTIES = 'org.freedesktop.DBus.Properties';
+
 sub _check_policy {
     my ($file) = @_;
 
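Review bot: `my $PROPERTIES = 'org.freedesktop.DBus.Properties';` is declared mid-file, between run() and _check_policy(); moving it up with the module's other file-scoped declarations (or expressing it with `use constant`) keeps the module's constants together and makes clear it is a fixed interface name rather than per-run state.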
@@ -100,6 +102,22 @@ sub _check_policy {
                 # because root can do anything anyway
             } else {
                 tag('dbus-policy-without-send-destination', $file, $rule);
+
+                if (   $rule =~ m{send_interface=}
+                    && $rule !~ m{send_interface=['"]\Q${PROPERTIES}\E['"]}) {
+                    # That's undesirable, because it opens up communication
+                    # with arbitrary services and can undo DoS mitigation
+                    # efforts; but at least it's specific to an interface
+                    # other than o.fd.DBus.Properties, so all that should
+                    # happen is that the service sends back an error message.
+                    #
+                    # Properties doesn't count as an effective limitation,
+                    # because it's a sort of meta-interface.
+                } elsif ($rule =~ m{<allow}) {
+                    # Looks like CVE-2014-8148 or similar. This is really bad;
+                    # emit an additional tag.
+                    tag('dbus-policy-excessively-broad', $file, $rule);
+                }
             }
         }
 
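Review bot: the `if` branch that opens the new block is empty apart from comments, so the tag decision reads as the fall-through of a condition that does nothing. Consider computing the narrowing condition once, e.g. `my $has_specific_interface = $rule =~ m{send_interface=} && $rule !~ m{send_interface=['"]\Q${PROPERTIES}\E['"]};` and then `if (!$has_specific_interface && $rule =~ m{<allow}) { tag('dbus-policy-excessively-broad', $file, $rule); }`, keeping the explanatory comments above it. The comment should also say explicitly that a rule restricted only to `send_interface="org.freedesktop.DBus.Properties"` is deliberately reported as excessively broad, since that is the outcome a reader of this code is most likely to question.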
diff --git a/t/tests/dbus-policy/tags b/t/tests/dbus-policy/tags
index 2d1d32e..8b40f8a 100644
--- a/t/tests/dbus-policy/tags
+++ b/t/tests/dbus-policy/tags
@@ -1,5 +1,7 @@
 X: dbus-policy: dbus-policy-at-console etc/dbus-1/system.d/at-console.conf <policy at_console="true"><allow send_destination="com.example.Other"/>
 X: dbus-policy: dbus-policy-at-console etc/dbus-1/system.d/at-console.conf <policy at_console="true"><allow send_destination="com.example.Service"/>
+X: dbus-policy: dbus-policy-excessively-broad etc/dbus-1/system.d/send-destination.conf <policy context="default"><allow send_member="AreYouReallySureThisMethodIsAlwaysOK"/>
+X: dbus-policy: dbus-policy-excessively-broad etc/dbus-1/system.d/send-destination.conf <policy context="default"><allow send_path="/com/example/Here"/>
 X: dbus-policy: dbus-policy-without-send-destination etc/dbus-1/system.d/send-destination.conf <policy context="default"><allow send_interface="org.freedesktop.DBus.ObjectManager"/>
 X: dbus-policy: dbus-policy-without-send-destination etc/dbus-1/system.d/send-destination.conf <policy context="default"><allow send_member="AreYouReallySureThisMethodIsAlwaysOK"/>
 X: dbus-policy: dbus-policy-without-send-destination etc/dbus-1/system.d/send-destination.conf <policy context="default"><allow send_path="/com/example/Here"/>
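Review bot: the expected tags exercise send_member and send_path only; the two other triggers introduced in checks/dbus.pm are not covered. Add to the test policy a bare `<allow send_type="method_call"/>` rule (the example used in the new tag description) and an `<allow send_interface="org.freedesktop.DBus.Properties"/>` rule, so the Properties special case, which is the one most likely to regress if the regex is touched, has a test asserting that dbus-policy-excessively-broad is emitted alongside dbus-policy-without-send-destination.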

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git

