[lintian] 04/06: dbus: add a new tag for excessively broad match rules
This is an automated email from the git hooks/post-receive script.
nthykier pushed a commit to branch master
in repository lintian.
commit 8241b2fd3d8383b5e609374dbf56b646e9754a21
Author: Simon McVittie <smcv@debian.org>
Date: Wed Jan 28 13:44:18 2015 +0000
dbus: add a new tag for excessively broad match rules
This check has already found CVE-2014-8148 and the recently
unembargoed CVE-2014-8156, which I believe are the only ones
in current Debian. Hopefully having this as a Lintian check
will protect us from this class of vulnerability.
---
checks/dbus.desc | 31 +++++++++++++++++++++++++++++++
checks/dbus.pm | 18 ++++++++++++++++++
t/tests/dbus-policy/tags | 2 ++
3 files changed, 51 insertions(+)
diff --git a/checks/dbus.desc b/checks/dbus.desc
index 19befb5..c08e3ee 100644
--- a/checks/dbus.desc
+++ b/checks/dbus.desc
@@ -68,6 +68,37 @@ Info: The package contains D-Bus policy configuration that uses
Ref: https://bugs.freedesktop.org/show_bug.cgi?id=18961,http://lists.freedesktop.org/archives/dbus/2008-February/009401.html
Experimental: yes
+Tag: dbus-policy-excessively-broad
+Severity: serious
+Certainty: possible
+Info: The package contains D-Bus policy configuration that
+ matches broad classes of messages. This will cause strange side-effects,
+ is almost certainly unintended, and is a probable security flaw.
+ .
+ For instance,
+ .
+ <policy user="daemon">
+ <allow send_type="method_call"/>
+ <allow send_destination="com.example.Bees"/>
+ </policy>
+ .
+ in any system bus policy file would allow the <tt>daemon</tt> user to send
+ any method call to any service, including method calls which are meant to
+ be restricted to root-only for security, such as
+ <tt>org.freedesktop.systemd1.Manager.StartTransientUnit</tt>. (In addition,
+ it allows that user to send any message to the <tt>com.example.Bees</tt>
+ service.)
+ .
+ The intended policy for that particular example was probably more like
+ .
+ <policy user="daemon">
+ <allow send_type="method_call" send_destination="com.example.Bees"/>
+ </policy>
+ .
+ which correctly allows method calls to that particular service only.
+Ref: http://www.openwall.com/lists/oss-security/2015/01/27/25
+Experimental: yes
+
Tag: dbus-session-service-wrong-name
Severity: wishlist
Certainty: certain
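Review bot: the literal `<policy user="daemon">` and `<allow .../>` lines in the new Info text will be consumed as markup rather than displayed, because the Info field is rendered as HTML (the same paragraph uses `<tt>` for inline code a few lines later); escape the angle brackets in both example blocks, e.g. `&lt;policy user="daemon"&gt;` and `&lt;allow send_type="method_call"/&gt;`, so the example survives in lintian-info and HTML output. It would also help maintainers if the text stated the trigger precisely: an `<allow>` rule with no send_destination and either no send_interface or only `org.freedesktop.DBus.Properties`, which is what the code in checks/dbus.pm implements, so readers know which attributes count as narrowing the rule.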
diff --git a/checks/dbus.pm b/checks/dbus.pm
index 18c976b..e56d753 100644
--- a/checks/dbus.pm
+++ b/checks/dbus.pm
@@ -61,6 +61,8 @@ sub run {
return;
}
+my $PROPERTIES = 'org.freedesktop.DBus.Properties';
+
sub _check_policy {
my ($file) = @_;
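Review bot: `$PROPERTIES` is a file-scope lexical introduced between `run` and `_check_policy`, where it is easy to overlook when reading the file; move it up with the other top-level declarations and, since the value never changes, declare it as a constant rather than a plain `my`.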
@@ -100,6 +102,22 @@ sub _check_policy {
# because root can do anything anyway
} else {
tag('dbus-policy-without-send-destination', $file, $rule);
+
+ if ( $rule =~ m{send_interface=}
+ && $rule !~ m{send_interface=['"]\Q${PROPERTIES}\E['"]}) {
+ # That's undesirable, because it opens up communication
+ # with arbitrary services and can undo DoS mitigation
+ # efforts; but at least it's specific to an interface
+ # other than o.fd.DBus.Properties, so all that should
+ # happen is that the service sends back an error message.
+ #
+ # Properties doesn't count as an effective limitation,
+ # because it's a sort of meta-interface.
+ } elsif ($rule =~ m{<allow}) {
+ # Looks like CVE-2014-8148 or similar. This is really bad;
+ # emit an additional tag.
+ tag('dbus-policy-excessively-broad', $file, $rule);
+ }
}
}
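Review bot: the new `if` branch in `_check_policy` is empty apart from comments, so a reader has to invert the condition mentally to see when the tag fires; fold it into one test, e.g. `if ($rule =~ m{<allow} && ($rule !~ m{send_interface=} || $rule =~ m{send_interface=['"]\Q$PROPERTIES\E['"]}))`, with the explanation of why Properties does not count kept as a comment above it. Also, both regexes require `=` to follow `send_interface` with no whitespace, although XML permits `send_interface = "..."`; such a rule would miss the first branch and be reported as excessively broad, so `send_interface\s*=\s*` avoids that false positive.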
diff --git a/t/tests/dbus-policy/tags b/t/tests/dbus-policy/tags
index 2d1d32e..8b40f8a 100644
--- a/t/tests/dbus-policy/tags
+++ b/t/tests/dbus-policy/tags
@@ -1,5 +1,7 @@
X: dbus-policy: dbus-policy-at-console etc/dbus-1/system.d/at-console.conf <policy at_console="true"><allow send_destination="com.example.Other"/>
X: dbus-policy: dbus-policy-at-console etc/dbus-1/system.d/at-console.conf <policy at_console="true"><allow send_destination="com.example.Service"/>
+X: dbus-policy: dbus-policy-excessively-broad etc/dbus-1/system.d/send-destination.conf <policy context="default"><allow send_member="AreYouReallySureThisMethodIsAlwaysOK"/>
+X: dbus-policy: dbus-policy-excessively-broad etc/dbus-1/system.d/send-destination.conf <policy context="default"><allow send_path="/com/example/Here"/>
X: dbus-policy: dbus-policy-without-send-destination etc/dbus-1/system.d/send-destination.conf <policy context="default"><allow send_interface="org.freedesktop.DBus.ObjectManager"/>
X: dbus-policy: dbus-policy-without-send-destination etc/dbus-1/system.d/send-destination.conf <policy context="default"><allow send_member="AreYouReallySureThisMethodIsAlwaysOK"/>
X: dbus-policy: dbus-policy-without-send-destination etc/dbus-1/system.d/send-destination.conf <policy context="default"><allow send_path="/com/example/Here"/>
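Review bot: the expected tags cover the send_member and send_path cases and show that a rule limited to `org.freedesktop.DBus.ObjectManager` is not reported as excessively broad, but nothing exercises the `\Q$PROPERTIES\E` exclusion; add a fixture rule with `send_interface="org.freedesktop.DBus.Properties"` (expected to yield both dbus-policy-without-send-destination and dbus-policy-excessively-broad) and one with the `send_type="method_call"` rule used in the dbus.desc example, so the Properties branch and the description's own example are under test.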