--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: dbus/1.6.8-1 or tpu: dbus/1.6.0-2
- From: Simon McVittie <smcv@debian.org>
- Date: Sat, 29 Sep 2012 15:28:15 +0100
- Message-id: <20120929142802.GA4736@reptile.pseudorandom.co.uk>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please either unblock dbus/1.6.8-1 for CVE-2012-3524, or if the changes
in that version are considered too broad, allow an upload of dbus/1.6.0-2
to t-p-u. I attach both debdiffs for your consideration.
This avoids local privilege escalation, potentially to root, when setuid
applications use libdbus without first sanitizing their caller-supplied
environment via a whitelist (CVE-2012-3524, #689070).
D-Bus upstream consensus is that it is an application bug to use any
non-trivial library in a setuid application without first clearing the
caller-supplied environment; but having said that, hardening libdbus
against applications with this bug seems wise.
Note on versions: D-Bus 1.6.x is a stable branch. dbus/1.6.2-1 was uploaded
before the freeze, but had a regression which meant it never migrated; I
fixed that regression shortly after the freeze, in dbus/1.6.2-2. The diff
from wheezy to 1.6.8 has been filtered to exclude generated Autotools
files and generated HTML in the upstream tarball (both are re-generated during
Debian builds anyway).
S
diffstat for dbus-1.6.0 dbus-1.6.8
NEWS | 65 ++++++++++++++++++++++++++++++++++++
bus/activation-helper.c | 28 ++-------------
configure.ac | 46 +++++++++++++++++++-------
dbus-1-uninstalled.pc.in | 2 -
dbus-1.pc.in | 2 -
dbus/dbus-keyring.c | 7 +++
dbus/dbus-pending-call.c | 8 +++-
dbus/dbus-sysdeps-pthread.c | 5 ++
dbus/dbus-sysdeps-unix.c | 74 ++++++++++++++++++++++++++++++++++++++++++
dbus/dbus-sysdeps-util-unix.c | 7 ++-
dbus/dbus-sysdeps-win.c | 6 +++
dbus/dbus-sysdeps.c | 5 ++
dbus/dbus-sysdeps.h | 1
dbus/dbus-transport.c | 1
debian/changelog | 42 +++++++++++++++++++++++
debian/dbus-Xsession | 14 -------
doc/dbus-launch.1 | 62 +++++++++++++++++++++++++----------
test/Makefile.am | 3 +
tools/Makefile.am | 10 +++--
tools/dbus-launch-win.c | 7 ++-
tools/dbus-launch.c | 58 ++++++++++++++++++++++++++++++--
21 files changed, 369 insertions(+), 84 deletions(-)
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/bus/activation-helper.c dbus-1.6.8/bus/activation-helper.c
--- dbus-1.6.0/bus/activation-helper.c 2012-06-05 12:17:45.000000000 +0100
+++ dbus-1.6.8/bus/activation-helper.c 2012-09-28 20:17:25.000000000 +0100
@@ -140,21 +140,12 @@
return desktop_file;
}
-/* Cleares the environment, except for DBUS_VERBOSE and DBUS_STARTER_x */
+/* Clears the environment, except for DBUS_STARTER_x,
+ * which we hardcode to the system bus.
+ */
static dbus_bool_t
clear_environment (DBusError *error)
{
- const char *starter_env = NULL;
-#ifdef DBUS_ENABLE_VERBOSE_MODE
- const char *debug_env = NULL;
-
- /* are we debugging */
- debug_env = _dbus_getenv ("DBUS_VERBOSE");
-#endif
-
- /* we save the starter */
- starter_env = _dbus_getenv ("DBUS_STARTER_ADDRESS");
-
#ifndef ACTIVATION_LAUNCHER_TEST
/* totally clear the environment */
if (!_dbus_clearenv ())
@@ -165,17 +156,8 @@
}
#endif
-#ifdef DBUS_ENABLE_VERBOSE_MODE
- /* restore the debugging environment setting if set */
- if (debug_env)
- _dbus_setenv ("DBUS_VERBOSE", debug_env);
-#endif
-
- /* restore the starter */
- if (starter_env)
- _dbus_setenv ("DBUS_STARTER_ADDRESS", starter_env);
-
- /* set the type, which must be system if we got this far */
+ /* Ensure the bus is set to system */
+ _dbus_setenv ("DBUS_STARTER_ADDRESS", DBUS_SYSTEM_BUS_DEFAULT_ADDRESS);
_dbus_setenv ("DBUS_STARTER_BUS_TYPE", "system");
return TRUE;
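Review bot: The two `_dbus_setenv` calls at the end of `clear_environment` discard their return value, so if either one fails the helper still returns TRUE and continues with an environment missing the hardcoded `DBUS_STARTER_ADDRESS` or `DBUS_STARTER_BUS_TYPE`. `_dbus_setenv` is declared as returning `dbus_bool_t` and this function already receives a `DBusError *`, so the failure can be reported, e.g. `if (!_dbus_setenv ("DBUS_STARTER_ADDRESS", DBUS_SYSTEM_BUS_DEFAULT_ADDRESS)) { _DBUS_SET_OOM (error); return FALSE; }`, and likewise for the bus type. That assumes allocation failure is the only realistic cause, which should be confirmed against `_dbus_setenv`. The function's opening lines are in the previous hunk and its closing brace is outside this one.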
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/configure.ac dbus-1.6.8/configure.ac
--- dbus-1.6.0/configure.ac 2012-06-05 13:08:07.000000000 +0100
+++ dbus-1.6.8/configure.ac 2012-09-28 20:41:40.000000000 +0100
@@ -3,7 +3,7 @@
m4_define([dbus_major_version], [1])
m4_define([dbus_minor_version], [6])
-m4_define([dbus_micro_version], [0])
+m4_define([dbus_micro_version], [8])
m4_define([dbus_version],
[dbus_major_version.dbus_minor_version.dbus_micro_version])
AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -19,8 +19,9 @@
AC_SUBST(GETTEXT_PACKAGE)
AC_DEFINE_UNQUOTED(GETTEXT_PACKAGE,"$GETTEXT_PACKAGE",[The name of the gettext domain])
- ## must come before we use the $USE_MAINTAINER_MODE variable later
-AM_MAINTAINER_MODE
+# By default, rebuild autotools files on demand; only use ./missing if the
+# user says --disable-maintainer-mode (some distributions like to do this)
+AM_MAINTAINER_MODE([enable])
m4_ifdef([AM_SILENT_RULES],[AM_SILENT_RULES([yes])])
@@ -36,7 +37,7 @@
## increment any time the source changes; set to
## 0 if you increment CURRENT
-LT_REVISION=1
+LT_REVISION=2
## increment if any interfaces have been added; set to 0
## if any interfaces have been changed or removed. removal has
@@ -123,9 +124,26 @@
AM_CONDITIONAL(DBUS_UNIX, test "$dbus_unix" = yes)
AM_CONDITIONAL(DBUS_CYGWIN, test "$dbus_cygwin" = yes)
+# this must come first: other options use this to set their defaults
+AC_ARG_ENABLE([developer],
+ [AS_HELP_STRING([--enable-developer],
+ [set defaults to be appropriate for a D-Bus developer instead of a distribution/end-user])],
+ [],
+ [enable_developer=no])
+
+DBUS_STATIC_BUILD_CPPFLAGS=
+if test "x$enable_shared" = xno; then
+ # On Windows, linking against the static library requires special effort
+ # to turn off DLL import/export processing. We normally link some things
+ # against the dynamic library, but if we're not building that, we'll
+ # have to link everything statically.
+ DBUS_STATIC_BUILD_CPPFLAGS=-DDBUS_STATIC_BUILD
+fi
+AC_SUBST([DBUS_STATIC_BUILD_CPPFLAGS])
+
AC_ARG_ENABLE(ansi, AS_HELP_STRING([--enable-ansi],[enable -ansi -pedantic gcc flags]),enable_ansi=$enableval,enable_ansi=no)
-AC_ARG_ENABLE(verbose-mode, AS_HELP_STRING([--enable-verbose-mode],[support verbose debug mode]),enable_verbose_mode=$enableval,enable_verbose_mode=$USE_MAINTAINER_MODE)
-AC_ARG_ENABLE(asserts, AS_HELP_STRING([--enable-asserts],[include assertion checks]),enable_asserts=$enableval,enable_asserts=$USE_MAINTAINER_MODE)
+AC_ARG_ENABLE(verbose-mode, AS_HELP_STRING([--enable-verbose-mode],[support verbose debug mode]),enable_verbose_mode=$enableval,enable_verbose_mode=$enable_developer)
+AC_ARG_ENABLE(asserts, AS_HELP_STRING([--enable-asserts],[include assertion checks]),enable_asserts=$enableval,enable_asserts=$enable_developer)
AC_ARG_ENABLE(checks, AS_HELP_STRING([--enable-checks],[include sanity checks on public API]),enable_checks=$enableval,enable_checks=yes)
AC_ARG_ENABLE(xml-docs, AS_HELP_STRING([--enable-xml-docs],[build XML documentation (requires xmlto)]),enable_xml_docs=$enableval,enable_xml_docs=auto)
AC_ARG_ENABLE(doxygen-docs, AS_HELP_STRING([--enable-doxygen-docs],[build DOXYGEN documentation (requires Doxygen)]),enable_doxygen_docs=$enableval,enable_doxygen_docs=auto)
@@ -156,7 +174,7 @@
AC_ARG_ENABLE([embedded-tests],
AS_HELP_STRING([--enable-embedded-tests],
[enable unit test code in the library and binaries]),
- [], [enable_embedded_tests=$USE_MAINTAINER_MODE])
+ [], [enable_embedded_tests=$enable_developer])
AC_ARG_ENABLE([modular-tests],
AS_HELP_STRING([--enable-modular-tests],
[enable modular regression tests (requires GLib)]),
@@ -578,7 +596,7 @@
AC_SEARCH_LIBS(socket,[socket network])
AC_CHECK_FUNC(gethostbyname,,[AC_CHECK_LIB(nsl,gethostbyname)])
-AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull)
+AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull issetugid getresuid)
AC_CHECK_HEADERS([syslog.h])
if test "x$ac_cv_header_syslog_h" = "xyes"; then
@@ -748,7 +766,8 @@
AC_CHECK_HEADERS(sys/syslimits.h)
dnl Make it easy to check if we have MSG_NOSIGNAL without actually having to include sys/socket.h
-AC_CHECK_DECLS([MSG_NOSIGNAL], [], [], [[ #include <sys/socket.h> ]])
+AC_CHECK_DECLS([MSG_NOSIGNAL], [], [], [[ #include <sys/types.h>
+#include <sys/socket.h> ]])
dnl check for flavours of varargs macros (test from GLib)
AC_MSG_CHECKING(for ISO C99 varargs macros in C)
@@ -1202,6 +1221,7 @@
# Check for SCM_RIGHTS
AC_MSG_CHECKING([for SCM_RIGHTS])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
static int x = SCM_RIGHTS;
@@ -1298,9 +1318,9 @@
TP_COMPILER_WARNINGS([WARNING_CFLAGS],
dnl Use -Werror by default if:
dnl - we're not on Windows (too many warnings), and
- dnl - we're in maintainer mode (a D-Bus developer, not a distro or end-user)
+ dnl - we're in developer mode (a D-Bus developer, not a distro or end-user)
dnl Override with --enable-Werror or --disable-Werror
- [test x$dbus_win != xyes -a x$dbus_cygwin != xyes -a x$USE_MAINTAINER_MODE = xyes],
+ [test x$dbus_win != xyes -a x$dbus_cygwin != xyes -a x$enable_developer = xyes],
dnl Enable these warnings if possible:
[all \
@@ -1361,6 +1381,8 @@
solaris*)
# Solaris' C library apparently needs these runes to be threadsafe...
CFLAGS="$CFLAGS -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT"
+ # ... this opt-in to get sockaddr_in6 and sockaddr_storage...
+ CFLAGS="$CFLAGS -D__EXTENSIONS__"
# ... and this opt-in to get file descriptor passing support
CFLAGS="$CFLAGS -D_XOPEN_SOURCE=500"
;;
@@ -1744,7 +1766,7 @@
man2html: ${MAN2HTML:-not found}"
echo "
- Maintainer mode: ${USE_MAINTAINER_MODE}
+ Rebuilding generated files: ${USE_MAINTAINER_MODE}
gcc coverage profiling: ${enable_compiler_coverage}
Building embedded tests: ${enable_embedded_tests}
Building modular tests: ${enable_modular_tests}
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/dbus/dbus-keyring.c dbus-1.6.8/dbus/dbus-keyring.c
--- dbus-1.6.0/dbus/dbus-keyring.c 2012-04-25 19:18:54.000000000 +0100
+++ dbus-1.6.8/dbus/dbus-keyring.c 2012-09-28 20:31:47.000000000 +0100
@@ -717,6 +717,13 @@
DBusCredentials *our_credentials;
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
+
+ if (_dbus_check_setuid ())
+ {
+ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
+ "Unable to create DBus keyring when setuid");
+ return NULL;
+ }
keyring = NULL;
error_set = FALSE;
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/dbus/dbus-pending-call.c dbus-1.6.8/dbus/dbus-pending-call.c
--- dbus-1.6.0/dbus/dbus-pending-call.c 2012-06-05 12:17:45.000000000 +0100
+++ dbus-1.6.8/dbus/dbus-pending-call.c 2012-09-28 20:17:25.000000000 +0100
@@ -631,6 +631,8 @@
void *user_data,
DBusFreeFunction free_user_data)
{
+ dbus_bool_t ret = FALSE;
+
_dbus_return_val_if_fail (pending != NULL, FALSE);
CONNECTION_LOCK (pending->connection);
@@ -638,13 +640,15 @@
/* could invoke application code! */
if (!_dbus_pending_call_set_data_unlocked (pending, notify_user_data_slot,
user_data, free_user_data))
- return FALSE;
+ goto out;
pending->function = function;
+ ret = TRUE;
+out:
CONNECTION_UNLOCK (pending->connection);
- return TRUE;
+ return ret;
}
/**
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/dbus/dbus-sysdeps.c dbus-1.6.8/dbus/dbus-sysdeps.c
--- dbus-1.6.0/dbus/dbus-sysdeps.c 2012-06-05 12:17:45.000000000 +0100
+++ dbus-1.6.8/dbus/dbus-sysdeps.c 2012-09-28 20:31:05.000000000 +0100
@@ -182,6 +182,11 @@
const char*
_dbus_getenv (const char *varname)
{
+ /* Don't respect any environment variables if the current process is
+ * setuid. This is the equivalent of glibc's __secure_getenv().
+ */
+ if (_dbus_check_setuid ())
+ return NULL;
return getenv (varname);
}
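Review bot: The comment on the new check in `_dbus_getenv` calls it the equivalent of glibc's `__secure_getenv()`, which overstates its coverage. The changelog entry for 1.6.8 in this same upload says the release checks only setuid/setgid and not filesystem capabilities, so a binary that gains privilege through file capabilities would still read the caller's environment here. I would reword it along the lines of `/* Ignore the environment when running setuid/setgid. Unlike glibc's __secure_getenv(), this does not detect privilege gained via filesystem capabilities. */`. The doc comment above the function (outside this hunk) should also state that NULL is returned for every variable in a setuid process, since callers cannot tell that apart from an unset variable.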
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/dbus/dbus-sysdeps.h dbus-1.6.8/dbus/dbus-sysdeps.h
--- dbus-1.6.0/dbus/dbus-sysdeps.h 2012-06-05 12:17:45.000000000 +0100
+++ dbus-1.6.8/dbus/dbus-sysdeps.h 2012-09-28 20:17:25.000000000 +0100
@@ -87,6 +87,7 @@
void _dbus_abort (void) _DBUS_GNUC_NORETURN;
+dbus_bool_t _dbus_check_setuid (void);
const char* _dbus_getenv (const char *varname);
dbus_bool_t _dbus_setenv (const char *varname,
const char *value);
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/dbus/dbus-sysdeps-pthread.c dbus-1.6.8/dbus/dbus-sysdeps-pthread.c
--- dbus-1.6.0/dbus/dbus-sysdeps-pthread.c 2012-06-05 12:17:45.000000000 +0100
+++ dbus-1.6.8/dbus/dbus-sysdeps-pthread.c 2012-09-28 20:17:25.000000000 +0100
@@ -275,6 +275,11 @@
dbus_bool_t
_dbus_threads_init_platform_specific (void)
{
+ /* These have static variables, and we need to handle both the case
+ * where dbus_threads_init() has been called and when it hasn't;
+ * so initialize them before any threads are allowed to enter.
+ */
check_monotonic_clock ();
+ (void) _dbus_check_setuid ();
return dbus_threads_init (NULL);
}
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/dbus/dbus-sysdeps-unix.c dbus-1.6.8/dbus/dbus-sysdeps-unix.c
--- dbus-1.6.0/dbus/dbus-sysdeps-unix.c 2012-06-05 12:17:45.000000000 +0100
+++ dbus-1.6.8/dbus/dbus-sysdeps-unix.c 2012-09-28 20:31:47.000000000 +0100
@@ -3434,6 +3434,13 @@
DBusString uuid;
dbus_bool_t retval;
+ if (_dbus_check_setuid ())
+ {
+ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
+ "Unable to autolaunch when setuid");
+ return FALSE;
+ }
+
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
retval = FALSE;
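Review bot: In this hunk the `_dbus_check_setuid ()` block sits before `_DBUS_ASSERT_ERROR_IS_CLEAR (error);`, whereas the dbus-keyring.c hunk and the next hunk in this file put it after the assertion. If a caller passes an already-set error, this path reaches `dbus_set_error_const` before the assertion has a chance to catch the misuse. Moving the `if (_dbus_check_setuid ())` block below the `_DBUS_ASSERT_ERROR_IS_CLEAR (error);` line would make the sites consistent. The enclosing function starts and ends outside the hunk.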
@@ -3551,6 +3558,13 @@
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
+ if (_dbus_check_setuid ())
+ {
+ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
+ "Unable to find launchd socket when setuid");
+ return FALSE;
+ }
+
i = 0;
argv[i] = "launchctl";
++i;
@@ -3591,6 +3605,13 @@
dbus_bool_t valid_socket;
DBusString socket_path;
+ if (_dbus_check_setuid ())
+ {
+ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
+ "Unable to find launchd socket when setuid");
+ return FALSE;
+ }
+
if (!_dbus_string_init (&socket_path))
{
_DBUS_SET_OOM (error);
@@ -4086,4 +4107,57 @@
close (i);
}
+/**
+ * **NOTE**: If you modify this function, please also consider making
+ * the corresponding change in GLib. See
+ * glib/gutils.c:g_check_setuid().
+ *
+ * Returns TRUE if the current process was executed as setuid (or an
+ * equivalent __libc_enable_secure is available). See:
+ * http://osdir.com/ml/linux.lfs.hardened/2007-04/msg00032.html
+ */
+dbus_bool_t
+_dbus_check_setuid (void)
+{
+ /* TODO: get __libc_enable_secure exported from glibc.
+ * See http://www.openwall.com/lists/owl-dev/2012/08/14/1
+ */
+#if 0 && defined(HAVE_LIBC_ENABLE_SECURE)
+ {
+ /* See glibc/include/unistd.h */
+ extern int __libc_enable_secure;
+ return __libc_enable_secure;
+ }
+#elif defined(HAVE_ISSETUGID)
+ /* BSD: http://www.freebsd.org/cgi/man.cgi?query=issetugid&sektion=2 */
+ return issetugid ();
+#else
+ uid_t ruid, euid, suid; /* Real, effective and saved user ID's */
+ gid_t rgid, egid, sgid; /* Real, effective and saved group ID's */
+
+ static dbus_bool_t check_setuid_initialised;
+ static dbus_bool_t is_setuid;
+
+ if (_DBUS_UNLIKELY (!check_setuid_initialised))
+ {
+#ifdef HAVE_GETRESUID
+ if (getresuid (&ruid, &euid, &suid) != 0 ||
+ getresgid (&rgid, &egid, &sgid) != 0)
+#endif /* HAVE_GETRESUID */
+ {
+ suid = ruid = getuid ();
+ sgid = rgid = getgid ();
+ euid = geteuid ();
+ egid = getegid ();
+ }
+
+ check_setuid_initialised = TRUE;
+ is_setuid = (ruid != euid || ruid != suid ||
+ rgid != egid || rgid != sgid);
+
+ }
+ return is_setuid;
+#endif
+}
+
/* tests in dbus-sysdeps-util.c */
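Review bot: In the fallback branch of `_dbus_check_setuid`, `check_setuid_initialised = TRUE;` is stored before `is_setuid` is computed, and neither static is synchronised. A second thread entering between the two stores would see the flag set and return the zero-initialised `is_setuid`, i.e. FALSE, which is the unsafe answer for this check. The call added to `_dbus_threads_init_platform_specific` only helps when it runs before other threads use libdbus. Assigning the result first, `is_setuid = (ruid != euid || ruid != suid || rgid != egid || rgid != sgid);` followed by `check_setuid_initialised = TRUE;`, narrows the window but is no substitute for real synchronisation. Separately, `getresgid` is called under `HAVE_GETRESUID`, while the configure.ac hunk probes only `issetugid` and `getresuid`.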
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/dbus/dbus-sysdeps-util-unix.c dbus-1.6.8/dbus/dbus-sysdeps-util-unix.c
--- dbus-1.6.0/dbus/dbus-sysdeps-util-unix.c 2012-06-05 12:17:45.000000000 +0100
+++ dbus-1.6.8/dbus/dbus-sysdeps-util-unix.c 2012-09-28 20:17:25.000000000 +0100
@@ -424,7 +424,7 @@
void
_dbus_init_system_log (void)
{
-#ifdef HAVE_DECL_LOG_PERROR
+#if HAVE_DECL_LOG_PERROR
openlog ("dbus", LOG_PID | LOG_PERROR, LOG_DAEMON);
#else
openlog ("dbus", LOG_PID, LOG_DAEMON);
@@ -540,7 +540,7 @@
DBusError *error)
{
- DBusString f;
+ DBusString u, f;
dbus_bool_t result;
result = FALSE;
@@ -556,8 +556,9 @@
goto out;
}
+ _dbus_string_init_const (&u, username);
- if (!_dbus_string_append (&f, username))
+ if (!_dbus_concat_dir_and_file (&f, &u))
{
_DBUS_SET_OOM (error);
goto out;
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/dbus/dbus-sysdeps-win.c dbus-1.6.8/dbus/dbus-sysdeps-win.c
--- dbus-1.6.0/dbus/dbus-sysdeps-win.c 2012-06-05 12:17:45.000000000 +0100
+++ dbus-1.6.8/dbus/dbus-sysdeps-win.c 2012-09-28 20:17:25.000000000 +0100
@@ -3632,6 +3632,12 @@
return FALSE;
}
+dbus_bool_t
+_dbus_check_setuid (void)
+{
+ return FALSE;
+}
+
/** @} end of sysdeps-win */
/* tests in dbus-sysdeps-util.c */
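Review bot: The Windows `_dbus_check_setuid` stub returns FALSE with no comment, while the Unix implementation carries a full doc block. A reader auditing the CVE-2012-3524 hardening cannot tell from this file whether FALSE is deliberate or a placeholder. I would add a short comment such as `/* Windows has no setuid/setgid executables, so libdbus never treats the environment as untrusted here. */`, or a TODO if elevated-token cases are meant to be handled later.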
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/dbus/dbus-transport.c dbus-1.6.8/dbus/dbus-transport.c
--- dbus-1.6.0/dbus/dbus-transport.c 2012-06-05 12:17:45.000000000 +0100
+++ dbus-1.6.8/dbus/dbus-transport.c 2012-09-28 20:17:25.000000000 +0100
@@ -253,7 +253,6 @@
int len, i;
_dbus_assert (address != NULL);
- _dbus_assert (*address != '\0');
if (!dbus_parse_address (address, &entries, &len, error))
return NULL; /* not a valid address */
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/dbus-1.pc.in dbus-1.6.8/dbus-1.pc.in
--- dbus-1.6.0/dbus-1.pc.in 2012-06-05 12:17:45.000000000 +0100
+++ dbus-1.6.8/dbus-1.pc.in 2012-09-28 20:17:25.000000000 +0100
@@ -14,4 +14,4 @@
Version: @VERSION@
Libs: -L${libdir} -ldbus-1
Libs.private: @LIBDBUS_LIBS@
-Cflags: -I${includedir}/dbus-1.0 -I${libdir}/dbus-1.0/include
+Cflags: -I${includedir}/dbus-1.0 -I${libdir}/dbus-1.0/include @DBUS_STATIC_BUILD_CPPFLAGS@
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/dbus-1-uninstalled.pc.in dbus-1.6.8/dbus-1-uninstalled.pc.in
--- dbus-1.6.0/dbus-1-uninstalled.pc.in 2012-06-05 12:17:45.000000000 +0100
+++ dbus-1.6.8/dbus-1-uninstalled.pc.in 2012-09-28 20:17:25.000000000 +0100
@@ -14,4 +14,4 @@
Version: @VERSION@
Libs: ${abs_top_builddir}/dbus/libdbus-1.la
Libs.private: @LIBDBUS_LIBS@
-Cflags: -I${abs_top_srcdir}
+Cflags: -I${abs_top_srcdir} @DBUS_STATIC_BUILD_CPPFLAGS@
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/debian/changelog dbus-1.6.8/debian/changelog
--- dbus-1.6.0/debian/changelog 2012-06-05 14:23:50.000000000 +0100
+++ dbus-1.6.8/debian/changelog 2012-09-29 13:26:00.000000000 +0100
@@ -1,3 +1,45 @@
+dbus (1.6.8-1) unstable; urgency=low
+
+ * Merge from experimental
+ * New upstream stable release 1.6.6
+ - CVE-2012-3524: mitigates arbitrary code execution in setuid or otherwise
+ privileged binaries that use libdbus without first sanitizing the
+ environment variables inherited from their less-privileged caller
+ (Closes: #689070)
+ * New upstream stable release 1.6.8
+ - Revert part of 1.6.6 (do not check filesystem capabilities, only
+ setuid/setgid), fixing regressions in certain configurations of
+ gnome-keyring
+
+ -- Simon McVittie <smcv@debian.org> Sat, 29 Sep 2012 13:25:50 +0100
+
+dbus (1.6.4-1) experimental; urgency=low
+
+ * gbp.conf: switch to experimental branch
+ * New upstream stable release
+ - remove incorrect assertion and have correct default for developer mode
+ (Closes: #680027, differently)
+
+ -- Simon McVittie <smcv@debian.org> Wed, 18 Jul 2012 18:42:52 +0100
+
+dbus (1.6.2-2) unstable; urgency=low
+
+ * Disable "developer mode", which was intended to be off-by-default,
+ but was incorrectly on-by-default in 1.6.2, causing an incorrect
+ assertion to be hit when starting fcitx before dbus-launch.
+ (Closes: #680027)
+
+ -- Simon McVittie <smcv@debian.org> Tue, 03 Jul 2012 19:33:42 +0100
+
+dbus (1.6.2-1) unstable; urgency=low
+
+ * New upstream stable release
+ - dbus-launch --exit-with-session no longer monitors its stdin if
+ run under X11 (Closes: #453755)
+ * Remove the workaround for #453755 from dbus-Xsession
+
+ -- Simon McVittie <smcv@debian.org> Wed, 27 Jun 2012 18:22:20 +0100
+
dbus (1.6.0-1) unstable; urgency=low
* Merge from "experimental" (1.5.12 was accidentally uploaded to unstable)
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/debian/dbus-Xsession dbus-1.6.8/debian/dbus-Xsession
--- dbus-1.6.0/debian/dbus-Xsession 2012-06-05 14:23:50.000000000 +0100
+++ dbus-1.6.8/debian/dbus-Xsession 2012-09-29 13:26:00.000000000 +0100
@@ -13,19 +13,5 @@
fi
if [ -n "$STARTDBUS" ]; then
- # dbus-launch misbehaves when stdin is a console:
- # - http://bugs.debian.org/453755
- # - https://bugs.freedesktop.org/show_bug.cgi?id=39197
- #
- # While we sort out with upstream what the right solution is,
- # work around it by ensuring that stdin is not a console (this is a no-op
- # on xdm and gdm, but not on startx, slim, nodm).
- #
- # It isn't really D-Bus' place to do this - we're changing the environment
- # of everything executed from Xsession.d, not just dbus-launch - but having
- # X apps whose stdin is the console makes very little sense, so arguably
- # startx, slim, nodm etc. should be doing this themselves.
- exec < /dev/null
-
STARTUP="$DBUSLAUNCH --exit-with-session $STARTUP"
fi
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/doc/dbus-launch.1 dbus-1.6.8/doc/dbus-launch.1
--- dbus-1.6.0/doc/dbus-launch.1 2012-06-05 12:17:45.000000000 +0100
+++ dbus-1.6.8/doc/dbus-launch.1 2012-09-28 20:17:25.000000000 +0100
@@ -51,30 +51,45 @@
See http://www.freedesktop.org/software/dbus/ for more information
about D\-Bus. See also the man page for \fIdbus\-daemon\fP.
-.PP
-Here is an example of how to use \fIdbus\-launch\fP with an
-sh\-compatible shell to start the per\-session bus daemon:
-.nf
+.SH EXAMPLES
+
+Distributions running
+.B dbus\-launch
+as part of a standard X session should run
+.B "dbus\-launch \-\-exit\-with\-session"
+after the X server has started and become available, as a wrapper around
+the "main" X client (typically a session manager or window manager), as in
+these examples:
+
+.RS
+.B "dbus\-launch \-\-exit\-with\-session gnome\-session"
+
+.B "dbus\-launch \-\-exit\-with\-session openbox"
+
+.B "dbus\-launch \-\-exit\-with\-session ~/.xsession"
+.RE
+
+If your distribution does not do this, you can achieve similar results
+by running your session or window manager in the same way in a script
+run by your X session, such as
+.BR ~/.xsession ,
+.B ~/.xinitrc
+or
+.BR ~/.Xclients .
+
+To start a D-Bus session within a text-mode session, you can run
+dbus-launch in the background. For instance, in a sh-compatible shell:
+.nf
## test for an existing bus daemon, just to be safe
if test \-z "$DBUS_SESSION_BUS_ADDRESS" ; then
## if not found, launch a new one
- eval `dbus\-launch \-\-sh\-syntax \-\-exit\-with\-session`
+ eval `dbus\-launch \-\-sh\-syntax`
echo "D\-Bus per\-session daemon address is: $DBUS_SESSION_BUS_ADDRESS"
fi
-
-.fi
-You might run something like that in your login scripts.
-
-.PP
-Another way to use \fIdbus\-launch\fP is to run your main session
-program, like so:
-.nf
-
-dbus\-launch gnome\-session
-
.fi
-The above would likely be appropriate for ~/.xsession or ~/.Xclients.
+Note that in this case, dbus-launch will exit, and dbus-daemon will not be
+terminated automatically on logout.
.SH AUTOMATIC LAUNCHING
@@ -175,6 +190,19 @@
.I "\-\-version"
Print the version of dbus\-launch
+.SH NOTES
+
+If you run
+.B "dbus\-launch myapp"
+(with any other options), dbus\-daemon will
+.I not
+exit when
+.B myapp
+terminates: this is because
+.B myapp
+is assumed to be part of a larger session, rather than a session in its
+own right.
+
.SH AUTHOR
See http://www.freedesktop.org/software/dbus/doc/AUTHORS
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/NEWS dbus-1.6.8/NEWS
--- dbus-1.6.0/NEWS 2012-06-05 13:07:15.000000000 +0100
+++ dbus-1.6.8/NEWS 2012-09-28 20:44:13.000000000 +0100
@@ -1,3 +1,68 @@
+D-Bus 1.6.8 (2012-09-28)
+==
+
+The "Fix one thing, break another" release.
+
+• Follow up to CVE-2012-3524: The additional hardening
+ work to use __secure_getenv() as a followup to bug #52202
+ broke certain configurations of gnome-keyring. Given
+ the difficulty of making this work without extensive
+ changes to gnome-keyring, use of __secure_getenv() is
+ deferred.
+
+D-Bus 1.6.6 (2012-09-28)
+==
+
+The "Clear the environment in your setuid binaries, please" release.
+
+• CVE-2012-3524: Don't access environment variables (fd.o #52202)
+ Thanks to work and input from Colin Walters, Simon McVittie,
+ Geoffrey Thomas, and others.
+• Unix-specific:
+ · Fix compilation on Solaris (fd.o #53286, Jonathan Perkin)
+ · Work around interdependent headers on OpenBSD by including sys/types.h
+ before each use of sys/socket.h (fd.o #54418, Brad Smith)
+
+D-Bus 1.6.4 (2012-07-18)
+==
+
+• Detect that users are "at the console" correctly when configured with
+ a non-default path such as --enable-console-auth-dir=/run/console
+ (fd.o #51521, Dave Reisner)
+
+• Remove an incorrect assertion from DBusTransport (fd.o #51657,
+ Simon McVittie)
+
+• Make --enable-developer default to "no" (regression in 1.6.2;
+ fd.o #51657, Simon McVittie)
+
+• Windows-specific:
+ · Launch dbus-daemon correctly if its path contains a space
+ (fd.o #49450, Wolfgang Baron)
+
+D-Bus 1.6.2 (2012-06-27)
+==
+
+The "Ice Cabbage" release.
+
+• Change how we create /var/lib/dbus so it works under Automake >= 1.11.4
+ (fd.o #51406, Simon McVittie)
+
+• Don't return from dbus_pending_call_set_notify with a lock held on OOM
+ (fd.o #51032, Simon McVittie)
+
+• Disconnect "developer mode" (assertions, verbose mode etc.) from
+ Automake maintainer mode. D-Bus developers should now configure with
+ --enable-developer. Automake maintainer mode is now on by default;
+ distributions can disable it with --disable-maintainer-mode.
+ (fd.o #34671, Simon McVittie)
+
+• Automatically define DBUS_STATIC_BUILD in static-only Autotools builds,
+ fixing linking when targeting Windows (fd.o #33973; william, Simon McVittie)
+
+• Unix-specific:
+ · Check for libpthread under CMake on Unix (fd.o #47237, Simon McVittie)
+
D-Bus 1.6.0 (2012-06-05)
==
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/test/Makefile.am dbus-1.6.8/test/Makefile.am
--- dbus-1.6.0/test/Makefile.am 2012-06-05 13:26:39.000000000 +0100
+++ dbus-1.6.8/test/Makefile.am 2012-09-28 20:17:25.000000000 +0100
@@ -4,8 +4,10 @@
SUBDIRS= . name-test
DIST_SUBDIRS=name-test
+# CPPFLAGS for binaries that are normally dynamic
AM_CPPFLAGS = \
-I$(top_srcdir) \
+ $(DBUS_STATIC_BUILD_CPPFLAGS) \
$(GLIB_CFLAGS) \
$(DBUS_GLIB_CFLAGS) \
$(NULL)
@@ -13,6 +15,7 @@
# improve backtraces from test stuff
AM_LDFLAGS = @R_DYNAMIC_LDFLAG@
+# CPPFLAGS for binaries that are always static
static_cppflags = \
$(AM_CPPFLAGS) \
-DDBUS_STATIC_BUILD \
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/tools/dbus-launch.c dbus-1.6.8/tools/dbus-launch.c
--- dbus-1.6.0/tools/dbus-launch.c 2012-03-27 12:08:13.000000000 +0100
+++ dbus-1.6.8/tools/dbus-launch.c 2012-09-28 20:17:26.000000000 +0100
@@ -43,6 +43,47 @@
extern Display *xdisplay;
#endif
+/* PROCESSES
+ *
+ * If you are in a shell and run "dbus-launch myapp", here is what happens:
+ *
+ * shell [*]
+ * \- main() --exec--> myapp[*]
+ * \- "intermediate parent"
+ * \- bus-runner --exec--> dbus-daemon --fork
+ * \- babysitter[*] \- final dbus-daemon[*]
+ *
+ * Processes marked [*] survive the initial flurry of activity.
+ *
+ * If you run "dbus-launch --sh-syntax" then the diagram is the same, except
+ * that main() prints variables and exits 0 instead of exec'ing myapp.
+ *
+ * PIPES
+ *
+ * dbus-daemon --print-pid -> bus_pid_to_launcher_pipe -> main
+ * dbus-daemon --print-address -> bus_address_to_launcher_pipe -> main
+ * main -> bus_pid_to_babysitter_pipe -> babysitter
+ *
+ * The intermediate parent looks pretty useless at first glance. Its purpose
+ * is to avoid the bus-runner becoming a zombie: when the intermediate parent
+ * terminates, the bus-runner and babysitter are reparented to init, which
+ * reaps them if they have finished. We can't rely on main() to reap arbitrary
+ * children because it might exec myapp, after which it can't be relied on to
+ * reap its children. We *can* rely on main() to reap the intermediate parent,
+ * because that happens before it execs myapp.
+ *
+ * It's unclear why dbus-daemon needs to fork, but we explicitly tell it to
+ * for some reason, then wait for it. If we left it undefined, a forking
+ * dbus-daemon would get the parent process reparented to init and reaped
+ * when the intermediate parent terminated, and a non-forking dbus-daemon
+ * would get reparented to init and carry on there.
+ *
+ * myapp is exec'd by the process that initially ran main() so that it's
+ * the shell's child, so the shell knows how to do job control and stuff.
+ * This is desirable for the "dbus-launch an application" use-case, less so
+ * for the "dbus-launch a test suite in an isolated session" use-case.
+ */
+
static char* machine_uuid = NULL;
const char*
@@ -451,11 +492,20 @@
else
tty_fd = -1;
- if (tty_fd >= 0)
- verbose ("stdin isatty(), monitoring it\n");
+ if (x_fd >= 0)
+ {
+ verbose ("session lifetime is defined by X, not monitoring stdin\n");
+ tty_fd = -1;
+ }
+ else if (tty_fd >= 0)
+ {
+ verbose ("stdin isatty(), monitoring it\n");
+ }
else
- verbose ("stdin was not a TTY, not monitoring it\n");
-
+ {
+ verbose ("stdin was not a TTY, not monitoring it\n");
+ }
+
if (tty_fd < 0 && x_fd < 0)
{
fprintf (stderr, "No terminal on standard input and no X display; cannot attach message bus to session lifetime\n");
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/tools/dbus-launch-win.c dbus-1.6.8/tools/dbus-launch-win.c
--- dbus-1.6.0/tools/dbus-launch-win.c 2012-02-10 17:35:38.000000000 +0000
+++ dbus-1.6.8/tools/dbus-launch-win.c 2012-09-28 20:17:26.000000000 +0100
@@ -130,9 +130,10 @@
fprintf (stderr, "%ls %ls\n", dbusDaemonPath, command);
#else
command[0] = L'\0';
- /* Windows CE has a different interpretation of cmdline: Start with argv[1]. */
- wcscpy_s (command, sizeof (command), dbusDaemonPath);
- wcscat_s (command, sizeof (command), L" --session");
+ /* Windows cmdline starts with path, which can contain spaces. */
+ wcscpy_s (command, sizeof (command), L"\"");
+ wcscat_s (command, sizeof (command), dbusDaemonPath);
+ wcscat_s (command, sizeof (command), L"\" --session");
if (verbose)
fprintf (stderr, "%ls\n", command);
#endif
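Review bot: The size argument of the three `wcscpy_s`/`wcscat_s` calls is `sizeof (command)`, a byte count, but these functions take the destination capacity in wide characters. If `command` is a `wchar_t` array (its declaration is outside the hunk, but `command[0] = L'\0'` suggests so), the bound is too large by a factor of `sizeof (wchar_t)`, so a long `dbusDaemonPath` would not be stopped at the end of the buffer. Each call should pass the element count, e.g. `wcscat_s (command, sizeof (command) / sizeof (command[0]), dbusDaemonPath);`. The pattern predates this change, but the added quotes lengthen the string, so this is a good place to correct it. The enclosing function starts and ends outside the hunk.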
diff -Nru --exclude Makefile.in --exclude aclocal.m4 --exclude CMakeLists.txt --exclude compile --exclude config.h.in --exclude configure --exclude depcomp --exclude dbus-faq.html --exclude dbus-specification.html --exclude dbus-test-plan.html --exclude ltmain.sh --exclude libtool.m4 dbus-1.6.0/tools/Makefile.am dbus-1.6.8/tools/Makefile.am
--- dbus-1.6.0/tools/Makefile.am 2012-06-05 12:17:45.000000000 +0100
+++ dbus-1.6.8/tools/Makefile.am 2012-09-28 20:17:25.000000000 +0100
@@ -2,6 +2,7 @@
AM_CPPFLAGS = \
-I$(top_srcdir) \
+ $(DBUS_STATIC_BUILD_CPPFLAGS) \
$(DBUS_X_CFLAGS) \
-DDBUS_COMPILATION \
-DDBUS_MACHINE_UUID_FILE=\""$(localstatedir)/lib/dbus/machine-id"\" \
@@ -71,6 +72,9 @@
CLEANFILES = \
run-with-tmp-session-bus.conf
-#create the /var/lib/data directory for dbus-uuidgen
-localstatelibdir = $(localstatedir)/lib/dbus
-localstatelib_DATA =
+# create the /var/lib/dbus directory for dbus-uuidgen
+install-data-local:
+ $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/dbus
+
+installcheck-local:
+ test -d $(DESTDIR)$(localstatedir)/lib/dbus
diffstat for dbus-1.6.0 dbus-1.6.0
changelog | 12
patches/0001-CVE-2012-3524-Don-t-access-environment-variables-or-.patch | 234 ++++++++++
patches/0003-hardening-Ensure-_dbus_check_setuid-is-initialized-t.patch | 32 +
patches/0005-hardening-Remove-activation-helper-handling-for-DBUS.patch | 52 ++
patches/0006-activation-helper-Ensure-DBUS_STARTER_ADDRESS-is-set.patch | 63 ++
patches/series | 4
6 files changed, 397 insertions(+)
diff -Nru dbus-1.6.0/debian/changelog dbus-1.6.0/debian/changelog
--- dbus-1.6.0/debian/changelog 2012-06-05 14:23:50.000000000 +0100
+++ dbus-1.6.0/debian/changelog 2012-09-29 13:47:46.000000000 +0100
@@ -1,3 +1,15 @@
+dbus (1.6.0-2) testing-proposed-updates; urgency=low
+
+ * CVE-2012-3524: apply patches from upstream 1.6.6 to avoid arbitrary
+ code execution in setuid/setgid binaries that incorrectly use libdbus
+ without first sanitizing the environment variables inherited from
+ their less-privileged caller (Closes: #689070).
+ - As per upstream 1.6.8, do not check filesystem capabilities for now,
+ only setuid/setgid, fixing regressions in certain configurations of
+ gnome-keyring
+
+ -- Simon McVittie <smcv@debian.org> Sat, 29 Sep 2012 13:33:07 +0100
+
dbus (1.6.0-1) unstable; urgency=low
* Merge from "experimental" (1.5.12 was accidentally uploaded to unstable)
diff -Nru dbus-1.6.0/debian/patches/0001-CVE-2012-3524-Don-t-access-environment-variables-or-.patch dbus-1.6.0/debian/patches/0001-CVE-2012-3524-Don-t-access-environment-variables-or-.patch
--- dbus-1.6.0/debian/patches/0001-CVE-2012-3524-Don-t-access-environment-variables-or-.patch 1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.6.0/debian/patches/0001-CVE-2012-3524-Don-t-access-environment-variables-or-.patch 2012-09-29 13:47:46.000000000 +0100
@@ -0,0 +1,234 @@
+From a52319bc294d05445fd8aa8f4a7f759c34558b5d Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Wed, 22 Aug 2012 10:03:34 -0400
+Subject: [PATCH 1/6] CVE-2012-3524: Don't access environment variables or run
+ dbus-launch when setuid
+
+This matches a corresponding change in GLib. See
+glib/gutils.c:g_check_setuid().
+
+Some programs attempt to use libdbus when setuid; notably the X.org
+server is shipped in such a configuration. libdbus never had an
+explicit policy about its use in setuid programs.
+
+I'm not sure whether we should advertise such support. However, given
+that there are real-world programs that do this currently, we can make
+them safer with not too much effort.
+
+Better to fix a problem caused by an interaction between two
+components in *both* places if possible.
+
+How to determine whether or not we're running in a privilege-escalated
+path is operating system specific. Note that GTK+'s code to check
+euid versus uid worked historically on Unix, more modern systems have
+filesystem capabilities and SELinux domain transitions, neither of
+which are captured by the uid comparison.
+
+On Linux/glibc, the way this works is that the kernel sets an
+AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on
+startup. If found, then glibc sets a public-but-undocumented
+__libc_enable_secure variable which we can use. Unfortunately, while
+it *previously* worked to check this variable, a combination of newer
+binutils and RPM break it:
+http://www.openwall.com/lists/owl-dev/2012/08/14/1
+
+So for now on Linux/glibc, we fall back to the historical Unix version
+until we get glibc fixed.
+
+On some BSD variants, there is a issetugid() function. On other Unix
+variants, we fall back to what GTK+ has been doing.
+
+Reported-by: Sebastian Krahmer <krahmer@suse.de>
+Signed-off-by: Colin Walters <walters@verbum.org>
+---
+ configure.ac | 2 +-
+ dbus/dbus-keyring.c | 7 +++++
+ dbus/dbus-sysdeps-unix.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++
+ dbus/dbus-sysdeps-win.c | 6 ++++
+ dbus/dbus-sysdeps.c | 5 ++++
+ dbus/dbus-sysdeps.h | 1 +
+ 6 files changed, 94 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 2e34f56..df90985 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -596,7 +596,7 @@ AC_DEFINE_UNQUOTED([DBUS_USE_SYNC], [$have_sync], [Use the gcc __sync extension]
+ AC_SEARCH_LIBS(socket,[socket network])
+ AC_CHECK_FUNC(gethostbyname,,[AC_CHECK_LIB(nsl,gethostbyname)])
+
+-AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull)
++AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull issetugid getresuid)
+
+ AC_CHECK_HEADERS([syslog.h])
+ if test "x$ac_cv_header_syslog_h" = "xyes"; then
+diff --git a/dbus/dbus-keyring.c b/dbus/dbus-keyring.c
+index 23b9df5..3b9ce31 100644
+--- a/dbus/dbus-keyring.c
++++ b/dbus/dbus-keyring.c
+@@ -717,6 +717,13 @@ _dbus_keyring_new_for_credentials (DBusCredentials *credentials,
+ DBusCredentials *our_credentials;
+
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
++
++ if (_dbus_check_setuid ())
++ {
++ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
++ "Unable to create DBus keyring when setuid");
++ return NULL;
++ }
+
+ keyring = NULL;
+ error_set = FALSE;
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+index cef8bd3..b4ecc96 100644
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -3434,6 +3434,13 @@ _dbus_get_autolaunch_address (const char *scope,
+ DBusString uuid;
+ dbus_bool_t retval;
+
++ if (_dbus_check_setuid ())
++ {
++ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
++ "Unable to autolaunch when setuid");
++ return FALSE;
++ }
++
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+ retval = FALSE;
+
+@@ -3551,6 +3558,13 @@ _dbus_lookup_launchd_socket (DBusString *socket_path,
+
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+
++ if (_dbus_check_setuid ())
++ {
++ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
++ "Unable to find launchd socket when setuid");
++ return FALSE;
++ }
++
+ i = 0;
+ argv[i] = "launchctl";
+ ++i;
+@@ -3591,6 +3605,13 @@ _dbus_lookup_session_address_launchd (DBusString *address, DBusError *error)
+ dbus_bool_t valid_socket;
+ DBusString socket_path;
+
++ if (_dbus_check_setuid ())
++ {
++ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
++ "Unable to find launchd socket when setuid");
++ return FALSE;
++ }
++
+ if (!_dbus_string_init (&socket_path))
+ {
+ _DBUS_SET_OOM (error);
+@@ -4086,4 +4107,57 @@ _dbus_close_all (void)
+ close (i);
+ }
+
++/**
++ * **NOTE**: If you modify this function, please also consider making
++ * the corresponding change in GLib. See
++ * glib/gutils.c:g_check_setuid().
++ *
++ * Returns TRUE if the current process was executed as setuid (or an
++ * equivalent __libc_enable_secure is available). See:
++ * http://osdir.com/ml/linux.lfs.hardened/2007-04/msg00032.html
++ */
++dbus_bool_t
++_dbus_check_setuid (void)
++{
++ /* TODO: get __libc_enable_secure exported from glibc.
++ * See http://www.openwall.com/lists/owl-dev/2012/08/14/1
++ */
++#if 0 && defined(HAVE_LIBC_ENABLE_SECURE)
++ {
++ /* See glibc/include/unistd.h */
++ extern int __libc_enable_secure;
++ return __libc_enable_secure;
++ }
++#elif defined(HAVE_ISSETUGID)
++ /* BSD: http://www.freebsd.org/cgi/man.cgi?query=issetugid&sektion=2 */
++ return issetugid ();
++#else
++ uid_t ruid, euid, suid; /* Real, effective and saved user ID's */
++ gid_t rgid, egid, sgid; /* Real, effective and saved group ID's */
++
++ static dbus_bool_t check_setuid_initialised;
++ static dbus_bool_t is_setuid;
++
++ if (_DBUS_UNLIKELY (!check_setuid_initialised))
++ {
++#ifdef HAVE_GETRESUID
++ if (getresuid (&ruid, &euid, &suid) != 0 ||
++ getresgid (&rgid, &egid, &sgid) != 0)
++#endif /* HAVE_GETRESUID */
++ {
++ suid = ruid = getuid ();
++ sgid = rgid = getgid ();
++ euid = geteuid ();
++ egid = getegid ();
++ }
++
++ check_setuid_initialised = TRUE;
++ is_setuid = (ruid != euid || ruid != suid ||
++ rgid != egid || rgid != sgid);
++
++ }
++ return is_setuid;
++#endif
++}
++
+ /* tests in dbus-sysdeps-util.c */
+diff --git a/dbus/dbus-sysdeps-win.c b/dbus/dbus-sysdeps-win.c
+index 397520a..bc4951b 100644
+--- a/dbus/dbus-sysdeps-win.c
++++ b/dbus/dbus-sysdeps-win.c
+@@ -3632,6 +3632,12 @@ _dbus_path_is_absolute (const DBusString *filename)
+ return FALSE;
+ }
+
++dbus_bool_t
++_dbus_check_setuid (void)
++{
++ return FALSE;
++}
++
+ /** @} end of sysdeps-win */
+ /* tests in dbus-sysdeps-util.c */
+
+diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c
+index 861bfec..04fb8d7 100644
+--- a/dbus/dbus-sysdeps.c
++++ b/dbus/dbus-sysdeps.c
+@@ -182,6 +182,11 @@ _dbus_setenv (const char *varname,
+ const char*
+ _dbus_getenv (const char *varname)
+ {
++ /* Don't respect any environment variables if the current process is
++ * setuid. This is the equivalent of glibc's __secure_getenv().
++ */
++ if (_dbus_check_setuid ())
++ return NULL;
+ return getenv (varname);
+ }
+
+diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
+index 4052cda..eee9160 100644
+--- a/dbus/dbus-sysdeps.h
++++ b/dbus/dbus-sysdeps.h
+@@ -87,6 +87,7 @@ typedef struct DBusPipe DBusPipe;
+
+ void _dbus_abort (void) _DBUS_GNUC_NORETURN;
+
++dbus_bool_t _dbus_check_setuid (void);
+ const char* _dbus_getenv (const char *varname);
+ dbus_bool_t _dbus_setenv (const char *varname,
+ const char *value);
+--
+1.7.10.4
+
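Review bot: The uid/gid fallback in `_dbus_check_setuid()` (dbus-sysdeps-unix.c) compares the real, effective and saved IDs once and caches the answer, so the result only describes the process at the moment of the first call. A privileged program that has already made its IDs equal before it first touches libdbus would be cached as not setuid, although its environment still comes from the less-privileged caller. The doc comment should state this limit, e.g. `* The uid/gid fallback only detects a mismatch at the time of the first call; programs that change their IDs earlier must sanitize the environment themselves.` Separately, `_dbus_get_autolaunch_address` runs the new check before `_DBUS_ASSERT_ERROR_IS_CLEAR (error)`, while the keyring and launchd hunks run it after; using one order everywhere would make the guards easier to audit.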
diff -Nru dbus-1.6.0/debian/patches/0003-hardening-Ensure-_dbus_check_setuid-is-initialized-t.patch dbus-1.6.0/debian/patches/0003-hardening-Ensure-_dbus_check_setuid-is-initialized-t.patch
--- dbus-1.6.0/debian/patches/0003-hardening-Ensure-_dbus_check_setuid-is-initialized-t.patch 1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.6.0/debian/patches/0003-hardening-Ensure-_dbus_check_setuid-is-initialized-t.patch 2012-09-29 13:47:46.000000000 +0100
@@ -0,0 +1,32 @@
+From c27c5004132e597a8f386be6f9e4235519096398 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Thu, 27 Sep 2012 21:35:22 -0400
+Subject: [PATCH 3/6] hardening: Ensure _dbus_check_setuid() is initialized
+ threadsafe manner
+
+This is a highly theoretical concern, but we might as well.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=52202
+---
+ dbus/dbus-sysdeps-pthread.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/dbus/dbus-sysdeps-pthread.c b/dbus/dbus-sysdeps-pthread.c
+index c9ec9e5..c60457b 100644
+--- a/dbus/dbus-sysdeps-pthread.c
++++ b/dbus/dbus-sysdeps-pthread.c
+@@ -275,6 +275,11 @@ check_monotonic_clock (void)
+ dbus_bool_t
+ _dbus_threads_init_platform_specific (void)
+ {
++ /* These have static variables, and we need to handle both the case
++ * where dbus_threads_init() has been called and when it hasn't;
++ * so initialize them before any threads are allowed to enter.
++ */
+ check_monotonic_clock ();
++ (void) _dbus_check_setuid ();
+ return dbus_threads_init (NULL);
+ }
+--
+1.7.10.4
+
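Review bot: The added `(void) _dbus_check_setuid ();` warms the cache only for processes that reach `_dbus_threads_init_platform_specific()` before a second thread calls into libdbus, and nothing in the hunk shows that this is guaranteed. In the uid/gid fallback added by patch 0001, `check_setuid_initialised = TRUE;` is stored before `is_setuid` is assigned. A thread racing the first call could therefore read `is_setuid` while it is still FALSE and treat a setuid process as unprivileged. Assigning `is_setuid` first and setting the flag last would, at least in program order, reduce the unsynchronised path to a harmless repeated computation. The new comment could also name the two functions it means, since "These" becomes ambiguous as soon as another call is added.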
diff -Nru dbus-1.6.0/debian/patches/0005-hardening-Remove-activation-helper-handling-for-DBUS.patch dbus-1.6.0/debian/patches/0005-hardening-Remove-activation-helper-handling-for-DBUS.patch
--- dbus-1.6.0/debian/patches/0005-hardening-Remove-activation-helper-handling-for-DBUS.patch 1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.6.0/debian/patches/0005-hardening-Remove-activation-helper-handling-for-DBUS.patch 2012-09-29 13:47:46.000000000 +0100
@@ -0,0 +1,52 @@
+From 9a0c289be67735870d208e2dca2b679da0c31c41 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Fri, 28 Sep 2012 12:01:56 -0400
+Subject: [PATCH 5/6] hardening: Remove activation helper handling for
+ DBUS_VERBOSE
+
+It's not really useful.
+
+See https://bugs.freedesktop.org/show_bug.cgi?id=52202#c17
+---
+ bus/activation-helper.c | 14 +-------------
+ 1 file changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/bus/activation-helper.c b/bus/activation-helper.c
+index ab9d601..7864e0f 100644
+--- a/bus/activation-helper.c
++++ b/bus/activation-helper.c
+@@ -140,17 +140,11 @@ out_all:
+ return desktop_file;
+ }
+
+-/* Cleares the environment, except for DBUS_VERBOSE and DBUS_STARTER_x */
++/* Clears the environment, except for DBUS_STARTER_x */
+ static dbus_bool_t
+ clear_environment (DBusError *error)
+ {
+ const char *starter_env = NULL;
+-#ifdef DBUS_ENABLE_VERBOSE_MODE
+- const char *debug_env = NULL;
+-
+- /* are we debugging */
+- debug_env = _dbus_getenv ("DBUS_VERBOSE");
+-#endif
+
+ /* we save the starter */
+ starter_env = _dbus_getenv ("DBUS_STARTER_ADDRESS");
+@@ -165,12 +159,6 @@ clear_environment (DBusError *error)
+ }
+ #endif
+
+-#ifdef DBUS_ENABLE_VERBOSE_MODE
+- /* restore the debugging environment setting if set */
+- if (debug_env)
+- _dbus_setenv ("DBUS_VERBOSE", debug_env);
+-#endif
+-
+ /* restore the starter */
+ if (starter_env)
+ _dbus_setenv ("DBUS_STARTER_ADDRESS", starter_env);
+--
+1.7.10.4
+
diff -Nru dbus-1.6.0/debian/patches/0006-activation-helper-Ensure-DBUS_STARTER_ADDRESS-is-set.patch dbus-1.6.0/debian/patches/0006-activation-helper-Ensure-DBUS_STARTER_ADDRESS-is-set.patch
--- dbus-1.6.0/debian/patches/0006-activation-helper-Ensure-DBUS_STARTER_ADDRESS-is-set.patch 1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.6.0/debian/patches/0006-activation-helper-Ensure-DBUS_STARTER_ADDRESS-is-set.patch 2012-09-29 13:47:46.000000000 +0100
@@ -0,0 +1,63 @@
+From fc4547fe089136f119b49dd067a3cb876d487893 Mon Sep 17 00:00:00 2001
+From: Geoffrey Thomas <gthomas@mokafive.com>
+Date: Thu, 27 Sep 2012 22:02:06 -0700
+Subject: [PATCH 6/6] activation-helper: Ensure DBUS_STARTER_ADDRESS is set
+ correctly
+
+The fix for CVE-2012-3524 filters out all environment variables if
+libdbus is used from a setuid program, to prevent various spoofing
+attacks.
+
+Unfortunately, the activation helper is a setuid program linking
+libdbus, and this creates a regression for launched programs using
+DBUS_STARTER_ADDRESS, since it will no longer exist.
+
+Fix this by hardcoding the starter address to the default system bus
+address.
+
+Signed-off-by: Geoffrey Thomas <gthomas@mokafive.com>
+Signed-off-by: Colin Walters <walters@verbum.org>
+---
+ bus/activation-helper.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+diff --git a/bus/activation-helper.c b/bus/activation-helper.c
+index 7864e0f..cbc00d2 100644
+--- a/bus/activation-helper.c
++++ b/bus/activation-helper.c
+@@ -140,15 +140,12 @@ out_all:
+ return desktop_file;
+ }
+
+-/* Clears the environment, except for DBUS_STARTER_x */
++/* Clears the environment, except for DBUS_STARTER_x,
++ * which we hardcode to the system bus.
++ */
+ static dbus_bool_t
+ clear_environment (DBusError *error)
+ {
+- const char *starter_env = NULL;
+-
+- /* we save the starter */
+- starter_env = _dbus_getenv ("DBUS_STARTER_ADDRESS");
+-
+ #ifndef ACTIVATION_LAUNCHER_TEST
+ /* totally clear the environment */
+ if (!_dbus_clearenv ())
+@@ -159,11 +156,8 @@ clear_environment (DBusError *error)
+ }
+ #endif
+
+- /* restore the starter */
+- if (starter_env)
+- _dbus_setenv ("DBUS_STARTER_ADDRESS", starter_env);
+-
+- /* set the type, which must be system if we got this far */
++ /* Ensure the bus is set to system */
++ _dbus_setenv ("DBUS_STARTER_ADDRESS", DBUS_SYSTEM_BUS_DEFAULT_ADDRESS);
+ _dbus_setenv ("DBUS_STARTER_BUS_TYPE", "system");
+
+ return TRUE;
+--
+1.7.10.4
+
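Review bot: Both `_dbus_setenv` calls at the end of `clear_environment` ignore their result and the function still returns TRUE, so a failed call (most likely out of memory) would let the setuid helper start the service without `DBUS_STARTER_ADDRESS` or `DBUS_STARTER_BUS_TYPE`. `_dbus_setenv` is declared as returning `dbus_bool_t` in dbus-sysdeps.h, and the function already receives `error` for reporting. I would test both calls and on failure do `_DBUS_SET_OOM (error); return FALSE;`. Before this change a missing starter address was tolerated (`if (starter_env)`), but the helper is now the only source of the value, so failing closed is the consistent choice. The closing brace of the function lies outside the hunk.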
diff -Nru dbus-1.6.0/debian/patches/series dbus-1.6.0/debian/patches/series
--- dbus-1.6.0/debian/patches/series 2012-06-05 14:23:50.000000000 +0100
+++ dbus-1.6.0/debian/patches/series 2012-09-29 13:47:46.000000000 +0100
@@ -1 +1,5 @@
01_no-fatal-warnings.patch
+0001-CVE-2012-3524-Don-t-access-environment-variables-or-.patch
+0003-hardening-Ensure-_dbus_check_setuid-is-initialized-t.patch
+0005-hardening-Remove-activation-helper-handling-for-DBUS.patch
+0006-activation-helper-Ensure-DBUS_STARTER_ADDRESS-is-set.patch
--- End Message ---