
Bug#930364: marked as done (unblock: gvfs/1.38.1-5)



Your message dated Wed, 12 Jun 2019 14:15:57 +0000
with message-id <E1hb42f-000140-SW@respighi.debian.org>
and subject line unblock gvfs
has caused the Debian Bug report #930364,
regarding unblock: gvfs/1.38.1-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
930364: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930364
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package gvfs to fix a missing authorization check on a
private D-Bus socket (no CVE ID yet).

This also adds some security hardening that was applied upstream at the
same time (restricting D-Bus authentication mechanisms on the private
socket to only accept EXTERNAL, which is the simplest and most robust
mechanism available).

unblock gvfs/1.38.1-5


diffstat for gvfs-1.38.1 gvfs-1.38.1

 changelog                                                               |   13 +
 patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch |   89 ++++++++++
 patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch            |   51 +++++
 patches/ref-jobs-in-thread.patch                                        |    8 
 patches/series                                                          |    2 
 5 files changed, 159 insertions(+), 4 deletions(-)

diff -Nru gvfs-1.38.1/debian/changelog gvfs-1.38.1/debian/changelog
--- gvfs-1.38.1/debian/changelog	2019-06-05 08:34:17.000000000 +0100
+++ gvfs-1.38.1/debian/changelog	2019-06-11 12:28:34.000000000 +0100
@@ -1,3 +1,16 @@
+gvfs (1.38.1-5) unstable; urgency=high
+
+  * Team upload
+  * d/p/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch:
+    Add missing authentication, preventing a local attacker from connecting
+    to an abstract socket address learned from netstat(8) and issuing
+    arbitrary D-Bus method calls
+  * d/p/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch:
+    Harden private D-Bus connection by rejecting the more complicated
+    DBUS_COOKIE_SHA1 authentication mechanism and only accepting EXTERNAL.
+
+ -- Simon McVittie <smcv@debian.org>  Tue, 11 Jun 2019 12:28:34 +0100
+
 gvfs (1.38.1-4) unstable; urgency=high
 
   * Team upload
diff -Nru gvfs-1.38.1/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch gvfs-1.38.1/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch
--- gvfs-1.38.1/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch	1970-01-01 01:00:00.000000000 +0100
+++ gvfs-1.38.1/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch	2019-06-11 12:28:34.000000000 +0100
@@ -0,0 +1,89 @@
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 5 Jun 2019 13:33:38 +0100
+Subject: gvfsdaemon: Check that the connecting client is the same user
+
+Otherwise, an attacker who learns the abstract socket address from
+netstat(8) or similar could connect to it and issue D-Bus method
+calls.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Applied-upstream: 1.38.3, commit:e3808a1b4042761055b1d975333a8243d67b8bfe
+---
+ daemon/gvfsdaemon.c | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
+index 406d4f8..be148a7 100644
+--- a/daemon/gvfsdaemon.c
++++ b/daemon/gvfsdaemon.c
+@@ -79,6 +79,7 @@ struct _GVfsDaemon
+   
+   gint mount_counter;
+   
++  GDBusAuthObserver *auth_observer;
+   GDBusConnection *conn;
+   GVfsDBusDaemon *daemon_skeleton;
+   GVfsDBusMountable *mountable_skeleton;
+@@ -171,6 +172,8 @@ g_vfs_daemon_finalize (GObject *object)
+     }
+   if (daemon->conn != NULL)
+     g_object_unref (daemon->conn);
++  if (daemon->auth_observer != NULL)
++    g_object_unref (daemon->auth_observer);
+   
+   g_hash_table_destroy (daemon->registered_paths);
+   g_hash_table_destroy (daemon->client_connections);
+@@ -236,6 +239,35 @@ name_vanished_handler (GDBusConnection *connection,
+   daemon->lost_main_daemon = TRUE;
+ }
+ 
++/*
++ * Authentication observer signal handler that authorizes connections
++ * from the same uid as this process. This matches the behaviour of a
++ * libdbus DBusServer/DBusConnection when no DBusAllowUnixUserFunction
++ * has been set, but is not the default in GDBus.
++ */
++static gboolean
++authorize_authenticated_peer_cb (GDBusAuthObserver *observer,
++                                 G_GNUC_UNUSED GIOStream *stream,
++                                 GCredentials *credentials,
++                                 G_GNUC_UNUSED gpointer user_data)
++{
++  gboolean authorized = FALSE;
++
++  if (credentials != NULL)
++    {
++      GCredentials *own_credentials;
++
++      own_credentials = g_credentials_new ();
++
++      if (g_credentials_is_same_user (credentials, own_credentials, NULL))
++        authorized = TRUE;
++
++      g_object_unref (own_credentials);
++    }
++
++  return authorized;
++}
++
+ static void
+ g_vfs_daemon_init (GVfsDaemon *daemon)
+ {
+@@ -265,6 +297,8 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
+ 
+   daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
+   g_assert (daemon->conn != NULL);
++  daemon->auth_observer = g_dbus_auth_observer_new ();
++  g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
+ 
+   daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
+   g_signal_connect (daemon->daemon_skeleton, "handle-get-connection", G_CALLBACK (handle_get_connection), daemon);
+@@ -876,7 +910,7 @@ handle_get_connection (GVfsDBusDaemon *object,
+   server = g_dbus_server_new_sync (address1,
+                                    G_DBUS_SERVER_FLAGS_NONE,
+                                    guid,
+-                                   NULL, /* GDBusAuthObserver */
++                                   daemon->auth_observer,
+                                    NULL, /* GCancellable */
+                                    &error);
+   g_free (guid);
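Review bot: authorize_authenticated_peer_cb rejects silently, because `g_credentials_is_same_user (credentials, own_credentials, NULL)` discards the GError, so a peer running as another uid and a failed credentials comparison both return FALSE with nothing logged. Failing closed is the right default, but a refused connection on this private socket is an event an administrator would want to see. Pass a `GError *error` instead of NULL and, on the unauthorized path, emit something like `g_warning ("Rejecting private D-Bus peer: %s", error != NULL ? error->message : "not the same user");` followed by `g_clear_error (&error);` (at debug level if log flooding is a concern). The observer is only handed to the g_dbus_server_new_sync() call in handle_get_connection; that function and g_vfs_daemon_init both continue outside their hunks, so any other server created in this file should be checked for a remaining NULL observer.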
diff -Nru gvfs-1.38.1/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch gvfs-1.38.1/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch
--- gvfs-1.38.1/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch	1970-01-01 01:00:00.000000000 +0100
+++ gvfs-1.38.1/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch	2019-06-11 12:28:34.000000000 +0100
@@ -0,0 +1,51 @@
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 5 Jun 2019 13:36:52 +0100
+Subject: gvfsdaemon: Only accept EXTERNAL authentication
+
+EXTERNAL is the mechanism recommended in the D-Bus Specification for
+all platforms where it is supported (including Linux, *BSD, Solaris
+and Hurd), and is the only mechanism allowed by the session or system
+dbus-daemon in their default configurations. It is considerably simpler
+than DBUS_COOKIE_SHA1 and relies on fewer assumptions.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Applied-upstream: 1.38.3, commit:756edf6692aa245faedc9573bf88bfe78af3ead3
+---
+ daemon/gvfsdaemon.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
+index be148a7..0946f41 100644
+--- a/daemon/gvfsdaemon.c
++++ b/daemon/gvfsdaemon.c
+@@ -239,6 +239,22 @@ name_vanished_handler (GDBusConnection *connection,
+   daemon->lost_main_daemon = TRUE;
+ }
+ 
++/*
++ * Authentication observer signal handler that rejects all authentication
++ * mechanisms except for EXTERNAL (credentials-passing), which is the
++ * recommended authentication mechanism for AF_UNIX sockets.
++ */
++static gboolean
++allow_mechanism_cb (GDBusAuthObserver *observer,
++                    const gchar *mechanism,
++                    G_GNUC_UNUSED gpointer user_data)
++{
++  if (g_strcmp0 (mechanism, "EXTERNAL") == 0)
++    return TRUE;
++
++  return FALSE;
++}
++
+ /*
+  * Authentication observer signal handler that authorizes connections
+  * from the same uid as this process. This matches the behaviour of a
+@@ -298,6 +314,7 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
+   daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
+   g_assert (daemon->conn != NULL);
+   daemon->auth_observer = g_dbus_auth_observer_new ();
++  g_signal_connect (daemon->auth_observer, "allow-mechanism", G_CALLBACK (allow_mechanism_cb), NULL);
+   g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
+ 
+   daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
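Review bot: In allow_mechanism_cb the `observer` parameter is never used but, unlike `user_data`, is not marked `G_GNUC_UNUSED`; writing `G_GNUC_UNUSED GDBusAuthObserver *observer` keeps the signature consistent, and the same applies to authorize_authenticated_peer_cb from the previous patch. The body can also be reduced to `return g_strcmp0 (mechanism, "EXTERNAL") == 0;`. The comment above the function would be more useful if it also said that g_strcmp0() is NULL-safe, so a NULL mechanism is refused, and that a client offering only another mechanism (such as the DBUS_COOKIE_SHA1 named in the changelog) is turned away at this stage, before the same-user check runs. g_vfs_daemon_init continues outside the hunk.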
diff -Nru gvfs-1.38.1/debian/patches/ref-jobs-in-thread.patch gvfs-1.38.1/debian/patches/ref-jobs-in-thread.patch
--- gvfs-1.38.1/debian/patches/ref-jobs-in-thread.patch	2019-06-05 08:34:17.000000000 +0100
+++ gvfs-1.38.1/debian/patches/ref-jobs-in-thread.patch	2019-06-11 12:28:34.000000000 +0100
@@ -39,10 +39,10 @@
  }
  
 diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
-index 406d4f8..61e5904 100644
+index 0946f41..e35d7f7 100644
 --- a/daemon/gvfsdaemon.c
 +++ b/daemon/gvfsdaemon.c
-@@ -206,6 +206,7 @@ job_handler_callback (gpointer       data,
+@@ -209,6 +209,7 @@ job_handler_callback (gpointer       data,
    GVfsJob *job = G_VFS_JOB (data);
  
    g_vfs_job_run (job);
@@ -50,7 +50,7 @@
  }
  
  static void
-@@ -597,7 +598,8 @@ g_vfs_daemon_queue_job (GVfsDaemon *daemon,
+@@ -648,7 +649,8 @@ g_vfs_daemon_queue_job (GVfsDaemon *daemon,
    if (!g_vfs_job_try (job))
      {
        /* Couldn't finish / run async, queue worker thread */
@@ -60,7 +60,7 @@
      }
  }
  
-@@ -1118,7 +1120,8 @@ void
+@@ -1169,7 +1171,8 @@ void
  g_vfs_daemon_run_job_in_thread (GVfsDaemon *daemon,
  				GVfsJob    *job)
  {
diff -Nru gvfs-1.38.1/debian/patches/series gvfs-1.38.1/debian/patches/series
--- gvfs-1.38.1/debian/patches/series	2019-06-05 08:34:17.000000000 +0100
+++ gvfs-1.38.1/debian/patches/series	2019-06-11 12:28:34.000000000 +0100
@@ -10,6 +10,8 @@
 admin-Allow-changing-file-owner.patch
 admin-Use-fsuid-to-ensure-correct-file-ownership.patch
 admin-Ensure-correct-ownership-when-moving-to-file-uri.patch
+gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch
+gvfsdaemon-Only-accept-EXTERNAL-authentication.patch
 02_polkit_sudo_group.patch
 metadata-nuke-junk-data.patch
 dont-crash-on-null-job.patch

--- End Message ---
--- Begin Message ---
Unblocked gvfs.

--- End Message ---
