
Bug#930364: unblock: gvfs/1.38.1-5



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package gvfs to fix a missing authorization check on a
private D-Bus socket (no CVE ID yet).

This also adds some security hardening that was applied upstream at the
same time (restricting D-Bus authentication mechanisms on the private
socket to only accept EXTERNAL, which is the simplest and most robust
mechanism available).

unblock gvfs/1.38.1-5


diffstat for gvfs-1.38.1 gvfs-1.38.1

 changelog                                                               |   13 +
 patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch |   89 ++++++++++
 patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch            |   51 +++++
 patches/ref-jobs-in-thread.patch                                        |    8 
 patches/series                                                          |    2 
 5 files changed, 159 insertions(+), 4 deletions(-)

diff -Nru gvfs-1.38.1/debian/changelog gvfs-1.38.1/debian/changelog
--- gvfs-1.38.1/debian/changelog	2019-06-05 08:34:17.000000000 +0100
+++ gvfs-1.38.1/debian/changelog	2019-06-11 12:28:34.000000000 +0100
@@ -1,3 +1,16 @@
+gvfs (1.38.1-5) unstable; urgency=high
+
+  * Team upload
+  * d/p/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch:
+    Add missing authentication, preventing a local attacker from connecting
+    to an abstract socket address learned from netstat(8) and issuing
+    arbitrary D-Bus method calls
+  * d/p/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch:
+    Harden private D-Bus connection by rejecting the more complicated
+    DBUS_COOKIE_SHA1 authentication mechanism and only accepting EXTERNAL.
+
+ -- Simon McVittie <smcv@debian.org>  Tue, 11 Jun 2019 12:28:34 +0100
+
 gvfs (1.38.1-4) unstable; urgency=high
 
   * Team upload
diff -Nru gvfs-1.38.1/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch gvfs-1.38.1/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch
--- gvfs-1.38.1/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch	1970-01-01 01:00:00.000000000 +0100
+++ gvfs-1.38.1/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch	2019-06-11 12:28:34.000000000 +0100
@@ -0,0 +1,89 @@
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 5 Jun 2019 13:33:38 +0100
+Subject: gvfsdaemon: Check that the connecting client is the same user
+
+Otherwise, an attacker who learns the abstract socket address from
+netstat(8) or similar could connect to it and issue D-Bus method
+calls.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Applied-upstream: 1.38.3, commit:e3808a1b4042761055b1d975333a8243d67b8bfe
+---
+ daemon/gvfsdaemon.c | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
+index 406d4f8..be148a7 100644
+--- a/daemon/gvfsdaemon.c
++++ b/daemon/gvfsdaemon.c
+@@ -79,6 +79,7 @@ struct _GVfsDaemon
+   
+   gint mount_counter;
+   
++  GDBusAuthObserver *auth_observer;
+   GDBusConnection *conn;
+   GVfsDBusDaemon *daemon_skeleton;
+   GVfsDBusMountable *mountable_skeleton;
+@@ -171,6 +172,8 @@ g_vfs_daemon_finalize (GObject *object)
+     }
+   if (daemon->conn != NULL)
+     g_object_unref (daemon->conn);
++  if (daemon->auth_observer != NULL)
++    g_object_unref (daemon->auth_observer);
+   
+   g_hash_table_destroy (daemon->registered_paths);
+   g_hash_table_destroy (daemon->client_connections);
+@@ -236,6 +239,35 @@ name_vanished_handler (GDBusConnection *connection,
+   daemon->lost_main_daemon = TRUE;
+ }
+ 
++/*
++ * Authentication observer signal handler that authorizes connections
++ * from the same uid as this process. This matches the behaviour of a
++ * libdbus DBusServer/DBusConnection when no DBusAllowUnixUserFunction
++ * has been set, but is not the default in GDBus.
++ */
++static gboolean
++authorize_authenticated_peer_cb (GDBusAuthObserver *observer,
++                                 G_GNUC_UNUSED GIOStream *stream,
++                                 GCredentials *credentials,
++                                 G_GNUC_UNUSED gpointer user_data)
++{
++  gboolean authorized = FALSE;
++
++  if (credentials != NULL)
++    {
++      GCredentials *own_credentials;
++
++      own_credentials = g_credentials_new ();
++
++      if (g_credentials_is_same_user (credentials, own_credentials, NULL))
++        authorized = TRUE;
++
++      g_object_unref (own_credentials);
++    }
++
++  return authorized;
++}
++
+ static void
+ g_vfs_daemon_init (GVfsDaemon *daemon)
+ {
+@@ -265,6 +297,8 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
+ 
+   daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
+   g_assert (daemon->conn != NULL);
++  daemon->auth_observer = g_dbus_auth_observer_new ();
++  g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
+ 
+   daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
+   g_signal_connect (daemon->daemon_skeleton, "handle-get-connection", G_CALLBACK (handle_get_connection), daemon);
+@@ -876,7 +910,7 @@ handle_get_connection (GVfsDBusDaemon *object,
+   server = g_dbus_server_new_sync (address1,
+                                    G_DBUS_SERVER_FLAGS_NONE,
+                                    guid,
+-                                   NULL, /* GDBusAuthObserver */
++                                   daemon->auth_observer,
+                                    NULL, /* GCancellable */
+                                    &error);
+   g_free (guid);
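Review bot: In authorize_authenticated_peer_cb, every rejection is silent: the `NULL` passed as the GError argument of `g_credentials_is_same_user()` makes a failed comparison indistinguishable from a uid mismatch, and nothing is logged in either case. The callback fails closed, which is the right default, but an operator then has no trace of a refused connection on the private socket. Consider adding `if (!authorized) g_debug ("rejected private D-Bus peer: different uid or no credentials");` just before `return authorized;`, kept at debug level so another local user cannot flood the log. Whether `handle_get_connection` is the only place this daemon creates a GDBusServer is not visible from this hunk and is worth confirming, since the check only covers servers that are given `daemon->auth_observer`.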
diff -Nru gvfs-1.38.1/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch gvfs-1.38.1/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch
--- gvfs-1.38.1/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch	1970-01-01 01:00:00.000000000 +0100
+++ gvfs-1.38.1/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch	2019-06-11 12:28:34.000000000 +0100
@@ -0,0 +1,51 @@
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 5 Jun 2019 13:36:52 +0100
+Subject: gvfsdaemon: Only accept EXTERNAL authentication
+
+EXTERNAL is the mechanism recommended in the D-Bus Specification for
+all platforms where it is supported (including Linux, *BSD, Solaris
+and Hurd), and is the only mechanism allowed by the session or system
+dbus-daemon in their default configurations. It is considerably simpler
+than DBUS_COOKIE_SHA1 and relies on fewer assumptions.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Applied-upstream: 1.38.3, commit:756edf6692aa245faedc9573bf88bfe78af3ead3
+---
+ daemon/gvfsdaemon.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
+index be148a7..0946f41 100644
+--- a/daemon/gvfsdaemon.c
++++ b/daemon/gvfsdaemon.c
+@@ -239,6 +239,22 @@ name_vanished_handler (GDBusConnection *connection,
+   daemon->lost_main_daemon = TRUE;
+ }
+ 
++/*
++ * Authentication observer signal handler that rejects all authentication
++ * mechanisms except for EXTERNAL (credentials-passing), which is the
++ * recommended authentication mechanism for AF_UNIX sockets.
++ */
++static gboolean
++allow_mechanism_cb (GDBusAuthObserver *observer,
++                    const gchar *mechanism,
++                    G_GNUC_UNUSED gpointer user_data)
++{
++  if (g_strcmp0 (mechanism, "EXTERNAL") == 0)
++    return TRUE;
++
++  return FALSE;
++}
++
+ /*
+  * Authentication observer signal handler that authorizes connections
+  * from the same uid as this process. This matches the behaviour of a
+@@ -298,6 +314,7 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
+   daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
+   g_assert (daemon->conn != NULL);
+   daemon->auth_observer = g_dbus_auth_observer_new ();
++  g_signal_connect (daemon->auth_observer, "allow-mechanism", G_CALLBACK (allow_mechanism_cb), NULL);
+   g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
+ 
+   daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
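Review bot: The comment above allow_mechanism_cb does not say that the callback fails closed. `g_strcmp0()` is NULL-safe, so a NULL `mechanism` is rejected along with every name other than "EXTERNAL"; stating that would stop a later cleanup from swapping in plain `strcmp()`. I would add a line such as `A NULL or unknown mechanism is rejected.` to the comment. The body could also be the single statement `return g_strcmp0 (mechanism, "EXTERNAL") == 0;`. On a platform without credentials-passing this presumably leaves clients with no usable mechanism, which the comment could mention as intended.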
diff -Nru gvfs-1.38.1/debian/patches/ref-jobs-in-thread.patch gvfs-1.38.1/debian/patches/ref-jobs-in-thread.patch
--- gvfs-1.38.1/debian/patches/ref-jobs-in-thread.patch	2019-06-05 08:34:17.000000000 +0100
+++ gvfs-1.38.1/debian/patches/ref-jobs-in-thread.patch	2019-06-11 12:28:34.000000000 +0100
@@ -39,10 +39,10 @@
  }
  
 diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
-index 406d4f8..61e5904 100644
+index 0946f41..e35d7f7 100644
 --- a/daemon/gvfsdaemon.c
 +++ b/daemon/gvfsdaemon.c
-@@ -206,6 +206,7 @@ job_handler_callback (gpointer       data,
+@@ -209,6 +209,7 @@ job_handler_callback (gpointer       data,
    GVfsJob *job = G_VFS_JOB (data);
  
    g_vfs_job_run (job);
@@ -50,7 +50,7 @@
  }
  
  static void
-@@ -597,7 +598,8 @@ g_vfs_daemon_queue_job (GVfsDaemon *daemon,
+@@ -648,7 +649,8 @@ g_vfs_daemon_queue_job (GVfsDaemon *daemon,
    if (!g_vfs_job_try (job))
      {
        /* Couldn't finish / run async, queue worker thread */
@@ -60,7 +60,7 @@
      }
  }
  
-@@ -1118,7 +1120,8 @@ void
+@@ -1169,7 +1171,8 @@ void
  g_vfs_daemon_run_job_in_thread (GVfsDaemon *daemon,
  				GVfsJob    *job)
  {
diff -Nru gvfs-1.38.1/debian/patches/series gvfs-1.38.1/debian/patches/series
--- gvfs-1.38.1/debian/patches/series	2019-06-05 08:34:17.000000000 +0100
+++ gvfs-1.38.1/debian/patches/series	2019-06-11 12:28:34.000000000 +0100
@@ -10,6 +10,8 @@
 admin-Allow-changing-file-owner.patch
 admin-Use-fsuid-to-ensure-correct-file-ownership.patch
 admin-Ensure-correct-ownership-when-moving-to-file-uri.patch
+gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch
+gvfsdaemon-Only-accept-EXTERNAL-authentication.patch
 02_polkit_sudo_group.patch
 metadata-nuke-junk-data.patch
 dont-crash-on-null-job.patch
