
Bug#930371: marked as done (unblock: dbus/1.12.16-1)



Your message dated Sat, 15 Jun 2019 10:25:18 +0200
with message-id <3e2879ef-9654-6948-7b39-bcfe1b144523@debian.org>
and subject line Re: Bug#930371: unblock: dbus/1.12.16-1
has caused the Debian Bug report #930371,
regarding unblock: dbus/1.12.16-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
930371: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930371
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: d-i
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package dbus to fix CVE-2019-12749. I forgot to set high
urgency, so you might want to adjust its age-days too.

Filtered and full diffs are attached (the former has Autotools noise
removed). As usual, I'm happy to revert anything that -release can't
accept, because the whole 1.12.x branch exists for the benefit of
distros with a bugfix-only policy (but having said that, everything
in this particular version is either CVE-2019-12749, tests for it,
or release preparation).

dbus builds udebs, so this will need an ack from debian-boot (although
from comments on #929132 it isn't clear to me whether the udebs are
actually used for anything).

unblock dbus/1.12.16-1

Breakdown of the diff:

> diffstat for dbus-1.12.14 dbus-1.12.16
>
>  dbus/dbus-auth.c                                |   32 ++++++++

CVE-2019-12749

>  dbus/dbus-auth-script.c                         |   87 +++++++++++++++++++++++-
>  dbus/dbus-sysdeps-util-unix.c                   |   40 +++++++++++
>  dbus/dbus-sysdeps-util-win.c                    |   25 ++++++
>  dbus/dbus-sysdeps.h                             |   10 ++
>  test/Makefile.am                                |    2 
>  test/data/auth/cookie-sha1-username.auth-script |   12 +++
>  test/data/auth/cookie-sha1.auth-script          |   11 +++

Regression tests for CVE-2019-12749 (these are #ifdef'd out and do
not affect the dbus binary package, although they do end up in the
special debug build in the dbus-tests package)

>  NEWS                                            |   18 ++++
>  configure.ac                                    |    4 -
>  debian/changelog                                |   15 ++++

Release preparation

>  Makefile.in                                     |    4 -
>  aminclude_static.am                             |    2 
>  bus/Makefile.in                                 |    2 
>  configure                                       |   26 +++----
>  dbus/Makefile.in                                |    2 
>  test/Makefile.in                                |    4 -

Autotools noise from doing the release

Thanks,
    smcv
filterdiff -p1 -xMakefile.in -x'*/Makefile.in' -xaminclude_static.am -xconfigure < dbus_1.12.16-1.diff > dbus_1.12.16-1-filtered.diff

diffstat for dbus-1.12.14 dbus-1.12.16

 Makefile.in                                     |    4 -
 NEWS                                            |   18 ++++
 aminclude_static.am                             |    2 
 bus/Makefile.in                                 |    2 
 configure                                       |   26 +++----
 configure.ac                                    |    4 -
 dbus/Makefile.in                                |    2 
 dbus/dbus-auth-script.c                         |   87 +++++++++++++++++++++++-
 dbus/dbus-auth.c                                |   32 ++++++++
 dbus/dbus-sysdeps-util-unix.c                   |   40 +++++++++++
 dbus/dbus-sysdeps-util-win.c                    |   25 ++++++
 dbus/dbus-sysdeps.h                             |   10 ++
 debian/changelog                                |   15 ++++
 test/Makefile.am                                |    2 
 test/Makefile.in                                |    4 -
 test/data/auth/cookie-sha1-username.auth-script |   12 +++
 test/data/auth/cookie-sha1.auth-script          |   11 +++
 17 files changed, 272 insertions(+), 24 deletions(-)

diff -Nru dbus-1.12.14/configure.ac dbus-1.12.16/configure.ac
--- dbus-1.12.14/configure.ac	2019-05-17 10:38:45.000000000 +0100
+++ dbus-1.12.16/configure.ac	2019-06-09 13:09:13.000000000 +0100
@@ -3,7 +3,7 @@
 
 m4_define([dbus_major_version], [1])
 m4_define([dbus_minor_version], [12])
-m4_define([dbus_micro_version], [14])
+m4_define([dbus_micro_version], [16])
 m4_define([dbus_version],
           [dbus_major_version.dbus_minor_version.dbus_micro_version])
 AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -42,7 +42,7 @@
 
 ## increment any time the source changes; set to
 ##  0 if you increment CURRENT
-LT_REVISION=10
+LT_REVISION=11
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has
diff -Nru dbus-1.12.14/dbus/dbus-auth.c dbus-1.12.16/dbus/dbus-auth.c
--- dbus-1.12.14/dbus/dbus-auth.c	2017-10-30 12:26:18.000000000 +0000
+++ dbus-1.12.16/dbus/dbus-auth.c	2019-06-09 13:08:12.000000000 +0100
@@ -529,6 +529,7 @@
   DBusString tmp2;
   dbus_bool_t retval = FALSE;
   DBusError error = DBUS_ERROR_INIT;
+  DBusCredentials *myself = NULL;
 
   _dbus_string_set_length (&auth->challenge, 0);
   
@@ -565,6 +566,34 @@
       return FALSE;
     }
 
+  myself = _dbus_credentials_new_from_current_process ();
+
+  if (myself == NULL)
+    goto out;
+
+  if (!_dbus_credentials_same_user (myself, auth->desired_identity))
+    {
+      /*
+       * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
+       * client is anyone other than the user owning the process
+       * containing the DBusServer: we probably aren't allowed to write
+       * to other users' home directories. Even if we can (for example
+       * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
+       * must not, because the other user controls their home directory,
+       * and could carry out symlink attacks to make us read from or
+       * write to unintended locations. It's difficult to avoid symlink
+       * attacks in a portable way, so we just don't try. This isn't a
+       * regression, because DBUS_COOKIE_SHA1 never worked for other
+       * users anyway.
+       */
+      _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
+                     "but that doesn't match this process",
+                     DBUS_AUTH_NAME (auth),
+                     _dbus_string_get_const_data (data));
+      retval = send_rejected (auth);
+      goto out;
+    }
+
   /* we cache the keyring for speed, so here we drop it if it's the
    * wrong one. FIXME caching the keyring here is useless since we use
    * a different DBusAuth for every connection.
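Review bot: the mismatch branch after `_dbus_credentials_same_user (myself, auth->desired_identity)` reports the rejection only through `_dbus_verbose`, which is debug-only output, so a service embedding DBusServer gets no record in a normal build that a client asked for DBUS_COOKIE_SHA1 as another user; the message also formats the client-supplied `data` string with `%s`. Since this is the enforcement point for CVE-2019-12749, consider stating the same-user restriction wherever DBUS_COOKIE_SHA1 is documented, not only in this code comment, so that third-party DBusServer users know that cross-user requests now always get REJECTED. The `goto out` paths are consistent with `myself` being initialised to NULL and unreferenced at the end of the function.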
@@ -679,6 +708,9 @@
   _dbus_string_zero (&tmp2);
   _dbus_string_free (&tmp2);
 
+  if (myself != NULL)
+    _dbus_credentials_unref (myself);
+
   return retval;
 }
 
diff -Nru dbus-1.12.14/dbus/dbus-auth-script.c dbus-1.12.16/dbus/dbus-auth-script.c
--- dbus-1.12.14/dbus/dbus-auth-script.c	2017-10-30 12:26:18.000000000 +0000
+++ dbus-1.12.16/dbus/dbus-auth-script.c	2019-06-09 13:08:49.000000000 +0100
@@ -34,6 +34,8 @@
 #include "dbus-credentials.h"
 #include "dbus-internals.h"
 
+#include "test/test-utils.h"
+
 /**
  * @defgroup DBusAuthScript code for running unit test scripts for DBusAuth
  * @ingroup  DBusInternals
@@ -518,9 +520,43 @@
           /* Replace USERID_HEX with our username in hex */
           {
             int where;
-            
-            if (_dbus_string_find (&to_send, 0,
-                                   "USERID_HEX", &where))
+
+            if (_dbus_string_find (&to_send, 0, "WRONG_USERID_HEX", &where))
+              {
+                /* This must be checked for before USERID_HEX, because
+                 * that's a substring. */
+                DBusString uid;
+
+                if (!_dbus_string_init (&uid))
+                  {
+                    _dbus_warn ("no memory for uid");
+                    _dbus_string_free (&to_send);
+                    goto out;
+                  }
+
+                if (!_dbus_test_append_different_uid (&uid))
+                  {
+                    _dbus_warn ("no memory for uid");
+                    _dbus_string_free (&to_send);
+                    _dbus_string_free (&uid);
+                    goto out;
+                  }
+
+                _dbus_string_delete (&to_send, where,
+                                     (int) strlen ("WRONG_USERID_HEX"));
+
+                if (!_dbus_string_hex_encode (&uid, 0, &to_send, where))
+                  {
+                    _dbus_warn ("no memory to subst WRONG_USERID_HEX");
+                    _dbus_string_free (&to_send);
+                    _dbus_string_free (&uid);
+                    goto out;
+                  }
+
+                _dbus_string_free (&uid);
+              }
+            else if (_dbus_string_find (&to_send, 0,
+                                        "USERID_HEX", &where))
               {
                 DBusString username;
 
@@ -553,6 +589,51 @@
                 _dbus_string_free (&username);
               }
             else if (_dbus_string_find (&to_send, 0,
+                                        "WRONG_USERNAME_HEX", &where))
+              {
+                /* This must be checked for before USERNAME_HEX, because
+                 * that's a substring. */
+#ifdef DBUS_UNIX
+                DBusString username;
+
+                if (!_dbus_string_init (&username))
+                  {
+                    _dbus_warn ("no memory for username");
+                    _dbus_string_free (&to_send);
+                    goto out;
+                  }
+
+                if (!_dbus_test_append_different_username (&username))
+                  {
+                    _dbus_warn ("no memory for username");
+                    _dbus_string_free (&to_send);
+                    _dbus_string_free (&username);
+                    goto out;
+                  }
+
+                _dbus_string_delete (&to_send, where,
+                                     (int) strlen ("WRONG_USERNAME_HEX"));
+
+                if (!_dbus_string_hex_encode (&username, 0,
+                                              &to_send, where))
+                  {
+                    _dbus_warn ("no memory to subst WRONG_USERNAME_HEX");
+                    _dbus_string_free (&to_send);
+                    _dbus_string_free (&username);
+                    goto out;
+                  }
+
+                _dbus_string_free (&username);
+#else
+                /* No authentication mechanism uses the login name on
+                 * Windows, so there's no point in it appearing in an
+                 * auth script that is not UNIX_ONLY. */
+                _dbus_warn ("WRONG_USERNAME_HEX cannot be used on Windows");
+                _dbus_string_free (&to_send);
+                goto out;
+#endif
+              }
+            else if (_dbus_string_find (&to_send, 0,
                                         "USERNAME_HEX", &where))
               {
                 DBusString username;
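Review bot: the `WRONG_USERNAME_HEX` branch repeats the init / append / delete / hex-encode sequence of the `WRONG_USERID_HEX` branch, with three hand-written error paths that each have to free the right set of strings. A small helper taking the placeholder name and the function that produces the replacement would remove the duplication and make it harder to miss a `_dbus_string_free` in a later edit. The warning "no memory for username" is also used for both the `_dbus_string_init` failure and the `_dbus_test_append_different_username` failure, so the log does not say which step failed.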
diff -Nru dbus-1.12.14/dbus/dbus-sysdeps.h dbus-1.12.16/dbus/dbus-sysdeps.h
--- dbus-1.12.14/dbus/dbus-sysdeps.h	2019-05-13 11:50:32.000000000 +0100
+++ dbus-1.12.16/dbus/dbus-sysdeps.h	2019-06-09 13:08:49.000000000 +0100
@@ -703,6 +703,16 @@
                                                             DBusError    *error);
 void            _dbus_rlimit_free                          (DBusRLimit   *lim);
 
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+_DBUS_GNUC_WARN_UNUSED_RESULT
+dbus_bool_t _dbus_test_append_different_uid (DBusString *uid);
+
+#ifdef DBUS_UNIX
+_DBUS_GNUC_WARN_UNUSED_RESULT
+dbus_bool_t _dbus_test_append_different_username (DBusString *username);
+#endif
+#endif  /* DBUS_ENABLE_EMBEDDED_TESTS */
+
 /** @} */
 
 DBUS_END_DECLS
diff -Nru dbus-1.12.14/dbus/dbus-sysdeps-util-unix.c dbus-1.12.16/dbus/dbus-sysdeps-util-unix.c
--- dbus-1.12.14/dbus/dbus-sysdeps-util-unix.c	2019-05-13 11:50:32.000000000 +0100
+++ dbus-1.12.16/dbus/dbus-sysdeps-util-unix.c	2019-06-09 13:08:49.000000000 +0100
@@ -1524,3 +1524,43 @@
 
   return _dbus_string_append (str, DBUS_SESSION_CONFIG_FILE);
 }
+
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+
+/*
+ * Set uid to a machine-readable authentication identity (numeric Unix
+ * uid or ConvertSidToStringSid-style Windows SID) that is likely to exist,
+ * and differs from the identity of the current process.
+ *
+ * @param uid Populated with a machine-readable authentication identity
+ *    on success
+ * @returns #FALSE if no memory
+ */
+dbus_bool_t
+_dbus_test_append_different_uid (DBusString *uid)
+{
+  if (geteuid () == 0)
+    return _dbus_string_append (uid, "65534");
+  else
+    return _dbus_string_append (uid, "0");
+}
+
+/*
+ * Set uid to a human-readable authentication identity (login name)
+ * that is likely to exist, and differs from the identity of the current
+ * process. This function currently only exists on Unix platforms.
+ *
+ * @param uid Populated with a machine-readable authentication identity
+ *    on success
+ * @returns #FALSE if no memory
+ */
+dbus_bool_t
+_dbus_test_append_different_username (DBusString *username)
+{
+  if (geteuid () == 0)
+    return _dbus_string_append (username, "nobody");
+  else
+    return _dbus_string_append (username, "root");
+}
+
+#endif
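Review bot: the doc comment above `_dbus_test_append_different_username` was copied from the uid variant without being fully updated: it opens with "Set uid to" and documents `@param uid` as a "machine-readable authentication identity", while the parameter is named `username` and holds a login name. Please rename the `@param` and correct its description. Both helpers also assume that uid 65534 and the names `nobody` and `root` exist on the test machine; the comments only say "likely to exist", so it would help to state what the auth scripts are expected to do on a system where they do not.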
diff -Nru dbus-1.12.14/dbus/dbus-sysdeps-util-win.c dbus-1.12.16/dbus/dbus-sysdeps-util-win.c
--- dbus-1.12.14/dbus/dbus-sysdeps-util-win.c	2019-05-13 11:50:32.000000000 +0100
+++ dbus-1.12.16/dbus/dbus-sysdeps-util-win.c	2019-06-09 13:08:49.000000000 +0100
@@ -1653,3 +1653,28 @@
 
   return _dbus_get_config_file_name(str, "session.conf");
 }
+
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+
+#define ANONYMOUS_SID "S-1-5-7"
+#define LOCAL_SYSTEM_SID "S-1-5-18"
+
+dbus_bool_t
+_dbus_test_append_different_uid (DBusString *uid)
+{
+  char *sid = NULL;
+  dbus_bool_t ret;
+
+  if (!_dbus_getsid (&sid, _dbus_getpid ()))
+    return FALSE;
+
+  if (strcmp (sid, ANONYMOUS_SID) == 0)
+    ret = _dbus_string_append (uid, LOCAL_SYSTEM_SID);
+  else
+    ret = _dbus_string_append (uid, ANONYMOUS_SID);
+
+  LocalFree (sid);
+  return ret;
+}
+
+#endif
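Review bot: `_dbus_test_append_different_uid` returns FALSE here when `_dbus_getsid` fails, but the contract documented on the Unix implementation is "@returns #FALSE if no memory", and the caller in dbus-auth-script.c reports every failure as "no memory for uid". Either document the extra failure mode or have the caller print a more general message, so that a SID lookup failure is not misdiagnosed as memory exhaustion. The Windows implementation also has no doc comment of its own.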
diff -Nru dbus-1.12.14/debian/changelog dbus-1.12.16/debian/changelog
--- dbus-1.12.14/debian/changelog	2019-05-18 17:37:08.000000000 +0100
+++ dbus-1.12.16/debian/changelog	2019-06-09 21:34:34.000000000 +0100
@@ -1,3 +1,18 @@
+dbus (1.12.16-1) unstable; urgency=medium
+
+  * New upstream stable release
+    - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
+      authentication for identities that differ from the user running the
+      DBusServer. Previously, a local attacker could manipulate symbolic
+      links in their own home directory to bypass authentication and
+      connect to a DBusServer with elevated privileges. The standard
+      system and session dbus-daemons in their default configuration were
+      immune to this attack because they did not allow DBUS_COOKIE_SHA1,
+      but third-party users of DBusServer such as Upstart could be
+      vulnerable.
+
+ -- Simon McVittie <smcv@debian.org>  Sun, 09 Jun 2019 21:34:34 +0100
+
 dbus (1.12.14-1) unstable; urgency=medium
 
   * New upstream release
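Review bot: the new `dbus (1.12.16-1)` entry is uploaded with `urgency=medium` although its only functional change is the CVE-2019-12749 fix, and the covering mail says high urgency was intended. With the upload already made, the age-days adjustment requested in the mail is the remaining way to get the fix into testing quickly; for future security uploads, set `urgency=high` in the changelog header so that migration does not depend on a manual override.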
diff -Nru dbus-1.12.14/NEWS dbus-1.12.16/NEWS
--- dbus-1.12.14/NEWS	2019-05-17 10:40:49.000000000 +0100
+++ dbus-1.12.16/NEWS	2019-06-09 13:09:13.000000000 +0100
@@ -1,3 +1,21 @@
+dbus 1.12.16 (2019-06-11)
+=========================
+
+The “tree cat” release.
+
+Security fixes:
+
+• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
+  authentication for identities that differ from the user running the
+  DBusServer. Previously, a local attacker could manipulate symbolic
+  links in their own home directory to bypass authentication and connect
+  to a DBusServer with elevated privileges. The standard system and
+  session dbus-daemons in their default configuration were immune to this
+  attack because they did not allow DBUS_COOKIE_SHA1, but third-party
+  users of DBusServer such as Upstart could be vulnerable.
+  Thanks to Joe Vennix of Apple Information Security.
+  (dbus#269, Simon McVittie)
+
 dbus 1.12.14 (2019-05-17)
 =========================
 
diff -Nru dbus-1.12.14/test/data/auth/cookie-sha1.auth-script dbus-1.12.16/test/data/auth/cookie-sha1.auth-script
--- dbus-1.12.14/test/data/auth/cookie-sha1.auth-script	1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.12.16/test/data/auth/cookie-sha1.auth-script	2019-06-09 13:16:35.000000000 +0100
@@ -0,0 +1,11 @@
+SERVER
+SEND 'AUTH DBUS_COOKIE_SHA1 WRONG_USERID_HEX'
+EXPECT_COMMAND REJECTED
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+SEND 'AUTH DBUS_COOKIE_SHA1 USERID_HEX'
+EXPECT_COMMAND DATA
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+# We don't actually complete DBUS_COOKIE_SHA1 authentication, because
+# it's non-trivial.
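Review bot: what `WRONG_USERID_HEX` expands to depends on who runs the tests: per `_dbus_test_append_different_uid` it is uid 0 in an unprivileged test run and 65534 only when the tests run as root. The case the fix is about, a privileged DBusServer asked to authenticate a different, unprivileged user, is therefore only exercised in a root test run. A comment in the script saying so, or a note that the suite should also be run as root, would make that coverage gap visible.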
diff -Nru dbus-1.12.14/test/data/auth/cookie-sha1-username.auth-script dbus-1.12.16/test/data/auth/cookie-sha1-username.auth-script
--- dbus-1.12.14/test/data/auth/cookie-sha1-username.auth-script	1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.12.16/test/data/auth/cookie-sha1-username.auth-script	2019-06-09 13:16:35.000000000 +0100
@@ -0,0 +1,12 @@
+UNIX_ONLY
+SERVER
+SEND 'AUTH DBUS_COOKIE_SHA1 WRONG_USERNAME_HEX'
+EXPECT_COMMAND REJECTED
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+SEND 'AUTH DBUS_COOKIE_SHA1 USERNAME_HEX'
+EXPECT_COMMAND DATA
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+# We don't actually complete DBUS_COOKIE_SHA1 authentication, because
+# it's non-trivial.
diff -Nru dbus-1.12.14/test/Makefile.am dbus-1.12.16/test/Makefile.am
--- dbus-1.12.14/test/Makefile.am	2019-05-13 10:33:56.000000000 +0100
+++ dbus-1.12.16/test/Makefile.am	2019-06-09 13:08:49.000000000 +0100
@@ -471,6 +471,8 @@
 	data/auth/anonymous-server-successful.auth-script \
 	data/auth/cancel.auth-script \
 	data/auth/client-out-of-mechanisms.auth-script \
+	data/auth/cookie-sha1-username.auth-script \
+	data/auth/cookie-sha1.auth-script \
 	data/auth/external-failed.auth-script \
 	data/auth/external-root.auth-script \
 	data/auth/external-silly.auth-script \
diffstat for dbus-1.12.14 dbus-1.12.16

 Makefile.in                                     |    4 -
 NEWS                                            |   18 ++++
 aminclude_static.am                             |    2 
 bus/Makefile.in                                 |    2 
 configure                                       |   26 +++----
 configure.ac                                    |    4 -
 dbus/Makefile.in                                |    2 
 dbus/dbus-auth-script.c                         |   87 +++++++++++++++++++++++-
 dbus/dbus-auth.c                                |   32 ++++++++
 dbus/dbus-sysdeps-util-unix.c                   |   40 +++++++++++
 dbus/dbus-sysdeps-util-win.c                    |   25 ++++++
 dbus/dbus-sysdeps.h                             |   10 ++
 debian/changelog                                |   15 ++++
 test/Makefile.am                                |    2 
 test/Makefile.in                                |    4 -
 test/data/auth/cookie-sha1-username.auth-script |   12 +++
 test/data/auth/cookie-sha1.auth-script          |   11 +++
 17 files changed, 272 insertions(+), 24 deletions(-)

diff -Nru dbus-1.12.14/aminclude_static.am dbus-1.12.16/aminclude_static.am
--- dbus-1.12.14/aminclude_static.am	2019-05-17 10:41:19.000000000 +0100
+++ dbus-1.12.16/aminclude_static.am	2019-06-09 13:09:33.000000000 +0100
@@ -1,6 +1,6 @@
 
 # aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019
+# from AX_AM_MACROS_STATIC on Sun Jun  9 13:09:33 BST 2019
 
 
 # Code coverage
diff -Nru dbus-1.12.14/bus/Makefile.in dbus-1.12.16/bus/Makefile.in
--- dbus-1.12.14/bus/Makefile.in	2019-05-17 10:41:19.000000000 +0100
+++ dbus-1.12.16/bus/Makefile.in	2019-06-09 13:09:33.000000000 +0100
@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 # aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019
+# from AX_AM_MACROS_STATIC on Sun Jun  9 13:09:33 BST 2019
 
 
 VPATH = @srcdir@
diff -Nru dbus-1.12.14/configure dbus-1.12.16/configure
--- dbus-1.12.14/configure	2019-05-17 10:41:20.000000000 +0100
+++ dbus-1.12.16/configure	2019-06-09 13:09:33.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for dbus 1.12.14.
+# Generated by GNU Autoconf 2.69 for dbus 1.12.16.
 #
 # Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=dbus>.
 #
@@ -591,8 +591,8 @@
 # Identity of this package.
 PACKAGE_NAME='dbus'
 PACKAGE_TARNAME='dbus'
-PACKAGE_VERSION='1.12.14'
-PACKAGE_STRING='dbus 1.12.14'
+PACKAGE_VERSION='1.12.16'
+PACKAGE_STRING='dbus 1.12.16'
 PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus'
 PACKAGE_URL=''
 
@@ -1579,7 +1579,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures dbus 1.12.14 to adapt to many kinds of systems.
+\`configure' configures dbus 1.12.16 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1654,7 +1654,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of dbus 1.12.14:";;
+     short | recursive ) echo "Configuration of dbus 1.12.16:";;
    esac
   cat <<\_ACEOF
 
@@ -1881,7 +1881,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-dbus configure 1.12.14
+dbus configure 1.12.16
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2657,7 +2657,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by dbus $as_me 1.12.14, which was
+It was created by dbus $as_me 1.12.16, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3603,7 +3603,7 @@
 
 # Define the identity of the package.
  PACKAGE='dbus'
- VERSION='1.12.14'
+ VERSION='1.12.16'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -3903,7 +3903,7 @@
 
 ## increment any time the source changes; set to
 ##  0 if you increment CURRENT
-LT_REVISION=10
+LT_REVISION=11
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has
@@ -3918,8 +3918,8 @@
 
 DBUS_MAJOR_VERSION=1
 DBUS_MINOR_VERSION=12
-DBUS_MICRO_VERSION=14
-DBUS_VERSION=1.12.14
+DBUS_MICRO_VERSION=16
+DBUS_VERSION=1.12.16
 
 
 
@@ -29013,7 +29013,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by dbus $as_me 1.12.14, which was
+This file was extended by dbus $as_me 1.12.16, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -29079,7 +29079,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-dbus config.status 1.12.14
+dbus config.status 1.12.16
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru dbus-1.12.14/configure.ac dbus-1.12.16/configure.ac
--- dbus-1.12.14/configure.ac	2019-05-17 10:38:45.000000000 +0100
+++ dbus-1.12.16/configure.ac	2019-06-09 13:09:13.000000000 +0100
@@ -3,7 +3,7 @@
 
 m4_define([dbus_major_version], [1])
 m4_define([dbus_minor_version], [12])
-m4_define([dbus_micro_version], [14])
+m4_define([dbus_micro_version], [16])
 m4_define([dbus_version],
           [dbus_major_version.dbus_minor_version.dbus_micro_version])
 AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -42,7 +42,7 @@
 
 ## increment any time the source changes; set to
 ##  0 if you increment CURRENT
-LT_REVISION=10
+LT_REVISION=11
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has
diff -Nru dbus-1.12.14/dbus/dbus-auth.c dbus-1.12.16/dbus/dbus-auth.c
--- dbus-1.12.14/dbus/dbus-auth.c	2017-10-30 12:26:18.000000000 +0000
+++ dbus-1.12.16/dbus/dbus-auth.c	2019-06-09 13:08:12.000000000 +0100
@@ -529,6 +529,7 @@
   DBusString tmp2;
   dbus_bool_t retval = FALSE;
   DBusError error = DBUS_ERROR_INIT;
+  DBusCredentials *myself = NULL;
 
   _dbus_string_set_length (&auth->challenge, 0);
   
@@ -565,6 +566,34 @@
       return FALSE;
     }
 
+  myself = _dbus_credentials_new_from_current_process ();
+
+  if (myself == NULL)
+    goto out;
+
+  if (!_dbus_credentials_same_user (myself, auth->desired_identity))
+    {
+      /*
+       * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
+       * client is anyone other than the user owning the process
+       * containing the DBusServer: we probably aren't allowed to write
+       * to other users' home directories. Even if we can (for example
+       * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
+       * must not, because the other user controls their home directory,
+       * and could carry out symlink attacks to make us read from or
+       * write to unintended locations. It's difficult to avoid symlink
+       * attacks in a portable way, so we just don't try. This isn't a
+       * regression, because DBUS_COOKIE_SHA1 never worked for other
+       * users anyway.
+       */
+      _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
+                     "but that doesn't match this process",
+                     DBUS_AUTH_NAME (auth),
+                     _dbus_string_get_const_data (data));
+      retval = send_rejected (auth);
+      goto out;
+    }
+
   /* we cache the keyring for speed, so here we drop it if it's the
    * wrong one. FIXME caching the keyring here is useless since we use
    * a different DBusAuth for every connection.
@@ -679,6 +708,9 @@
   _dbus_string_zero (&tmp2);
   _dbus_string_free (&tmp2);
 
+  if (myself != NULL)
+    _dbus_credentials_unref (myself);
+
   return retval;
 }
 
diff -Nru dbus-1.12.14/dbus/dbus-auth-script.c dbus-1.12.16/dbus/dbus-auth-script.c
--- dbus-1.12.14/dbus/dbus-auth-script.c	2017-10-30 12:26:18.000000000 +0000
+++ dbus-1.12.16/dbus/dbus-auth-script.c	2019-06-09 13:08:49.000000000 +0100
@@ -34,6 +34,8 @@
 #include "dbus-credentials.h"
 #include "dbus-internals.h"
 
+#include "test/test-utils.h"
+
 /**
  * @defgroup DBusAuthScript code for running unit test scripts for DBusAuth
  * @ingroup  DBusInternals
@@ -518,9 +520,43 @@
           /* Replace USERID_HEX with our username in hex */
           {
             int where;
-            
-            if (_dbus_string_find (&to_send, 0,
-                                   "USERID_HEX", &where))
+
+            if (_dbus_string_find (&to_send, 0, "WRONG_USERID_HEX", &where))
+              {
+                /* This must be checked for before USERID_HEX, because
+                 * that's a substring. */
+                DBusString uid;
+
+                if (!_dbus_string_init (&uid))
+                  {
+                    _dbus_warn ("no memory for uid");
+                    _dbus_string_free (&to_send);
+                    goto out;
+                  }
+
+                if (!_dbus_test_append_different_uid (&uid))
+                  {
+                    _dbus_warn ("no memory for uid");
+                    _dbus_string_free (&to_send);
+                    _dbus_string_free (&uid);
+                    goto out;
+                  }
+
+                _dbus_string_delete (&to_send, where,
+                                     (int) strlen ("WRONG_USERID_HEX"));
+
+                if (!_dbus_string_hex_encode (&uid, 0, &to_send, where))
+                  {
+                    _dbus_warn ("no memory to subst WRONG_USERID_HEX");
+                    _dbus_string_free (&to_send);
+                    _dbus_string_free (&uid);
+                    goto out;
+                  }
+
+                _dbus_string_free (&uid);
+              }
+            else if (_dbus_string_find (&to_send, 0,
+                                        "USERID_HEX", &where))
               {
                 DBusString username;
 
@@ -553,6 +589,51 @@
                 _dbus_string_free (&username);
               }
             else if (_dbus_string_find (&to_send, 0,
+                                        "WRONG_USERNAME_HEX", &where))
+              {
+                /* This must be checked for before USERNAME_HEX, because
+                 * that's a substring. */
+#ifdef DBUS_UNIX
+                DBusString username;
+
+                if (!_dbus_string_init (&username))
+                  {
+                    _dbus_warn ("no memory for username");
+                    _dbus_string_free (&to_send);
+                    goto out;
+                  }
+
+                if (!_dbus_test_append_different_username (&username))
+                  {
+                    _dbus_warn ("no memory for username");
+                    _dbus_string_free (&to_send);
+                    _dbus_string_free (&username);
+                    goto out;
+                  }
+
+                _dbus_string_delete (&to_send, where,
+                                     (int) strlen ("WRONG_USERNAME_HEX"));
+
+                if (!_dbus_string_hex_encode (&username, 0,
+                                              &to_send, where))
+                  {
+                    _dbus_warn ("no memory to subst WRONG_USERNAME_HEX");
+                    _dbus_string_free (&to_send);
+                    _dbus_string_free (&username);
+                    goto out;
+                  }
+
+                _dbus_string_free (&username);
+#else
+                /* No authentication mechanism uses the login name on
+                 * Windows, so there's no point in it appearing in an
+                 * auth script that is not UNIX_ONLY. */
+                _dbus_warn ("WRONG_USERNAME_HEX cannot be used on Windows");
+                _dbus_string_free (&to_send);
+                goto out;
+#endif
+              }
+            else if (_dbus_string_find (&to_send, 0,
                                         "USERNAME_HEX", &where))
               {
                 DBusString username;
diff -Nru dbus-1.12.14/dbus/dbus-sysdeps.h dbus-1.12.16/dbus/dbus-sysdeps.h
--- dbus-1.12.14/dbus/dbus-sysdeps.h	2019-05-13 11:50:32.000000000 +0100
+++ dbus-1.12.16/dbus/dbus-sysdeps.h	2019-06-09 13:08:49.000000000 +0100
@@ -703,6 +703,16 @@
                                                             DBusError    *error);
 void            _dbus_rlimit_free                          (DBusRLimit   *lim);
 
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+_DBUS_GNUC_WARN_UNUSED_RESULT
+dbus_bool_t _dbus_test_append_different_uid (DBusString *uid);
+
+#ifdef DBUS_UNIX
+_DBUS_GNUC_WARN_UNUSED_RESULT
+dbus_bool_t _dbus_test_append_different_username (DBusString *username);
+#endif
+#endif  /* DBUS_ENABLE_EMBEDDED_TESTS */
+
 /** @} */
 
 DBUS_END_DECLS
diff -Nru dbus-1.12.14/dbus/dbus-sysdeps-util-unix.c dbus-1.12.16/dbus/dbus-sysdeps-util-unix.c
--- dbus-1.12.14/dbus/dbus-sysdeps-util-unix.c	2019-05-13 11:50:32.000000000 +0100
+++ dbus-1.12.16/dbus/dbus-sysdeps-util-unix.c	2019-06-09 13:08:49.000000000 +0100
@@ -1524,3 +1524,43 @@
 
   return _dbus_string_append (str, DBUS_SESSION_CONFIG_FILE);
 }
+
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+
+/*
+ * Set uid to a machine-readable authentication identity (numeric Unix
+ * uid or ConvertSidToStringSid-style Windows SID) that is likely to exist,
+ * and differs from the identity of the current process.
+ *
+ * @param uid Populated with a machine-readable authentication identity
+ *    on success
+ * @returns #FALSE if no memory
+ */
+dbus_bool_t
+_dbus_test_append_different_uid (DBusString *uid)
+{
+  if (geteuid () == 0)
+    return _dbus_string_append (uid, "65534");
+  else
+    return _dbus_string_append (uid, "0");
+}
+
+/*
+ * Set uid to a human-readable authentication identity (login name)
+ * that is likely to exist, and differs from the identity of the current
+ * process. This function currently only exists on Unix platforms.
+ *
+ * @param uid Populated with a machine-readable authentication identity
+ *    on success
+ * @returns #FALSE if no memory
+ */
+dbus_bool_t
+_dbus_test_append_different_username (DBusString *username)
+{
+  if (geteuid () == 0)
+    return _dbus_string_append (username, "nobody");
+  else
+    return _dbus_string_append (username, "root");
+}
+
+#endif
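Review bot: The doc comment above `_dbus_test_append_different_username` is a copy of the one for the uid helper and no longer matches the function: it says "Set uid to" and documents `@param uid` as "a machine-readable authentication identity", but the parameter is `username` and the value is a login name. Please change it to `@param username` and "human-readable". Separately, "65534", "nobody" and "root" are hardcoded on the assumption that they exist; the comment says "likely to exist", so it would be worth stating there what the auth-script tests are expected to do on a system where the assumption fails. The first comment also mentions Windows SIDs although this file is the Unix implementation.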
diff -Nru dbus-1.12.14/dbus/dbus-sysdeps-util-win.c dbus-1.12.16/dbus/dbus-sysdeps-util-win.c
--- dbus-1.12.14/dbus/dbus-sysdeps-util-win.c	2019-05-13 11:50:32.000000000 +0100
+++ dbus-1.12.16/dbus/dbus-sysdeps-util-win.c	2019-06-09 13:08:49.000000000 +0100
@@ -1653,3 +1653,28 @@
 
   return _dbus_get_config_file_name(str, "session.conf");
 }
+
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
+
+#define ANONYMOUS_SID "S-1-5-7"
+#define LOCAL_SYSTEM_SID "S-1-5-18"
+
+dbus_bool_t
+_dbus_test_append_different_uid (DBusString *uid)
+{
+  char *sid = NULL;
+  dbus_bool_t ret;
+
+  if (!_dbus_getsid (&sid, _dbus_getpid ()))
+    return FALSE;
+
+  if (strcmp (sid, ANONYMOUS_SID) == 0)
+    ret = _dbus_string_append (uid, LOCAL_SYSTEM_SID);
+  else
+    ret = _dbus_string_append (uid, ANONYMOUS_SID);
+
+  LocalFree (sid);
+  return ret;
+}
+
+#endif
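Review bot: The Windows `_dbus_test_append_different_uid` returns FALSE when `_dbus_getsid` fails, but the contract documented on the Unix implementation is "@returns #FALSE if no memory", so a caller cannot tell a SID lookup failure from an allocation failure. Either document the extra failure mode here (this copy has no doc comment at all) or emit a `_dbus_warn` before `return FALSE` so that a failing test points at the real cause. The `LocalFree (sid)` on the success path is correctly reached for both branches of the `strcmp`.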
diff -Nru dbus-1.12.14/dbus/Makefile.in dbus-1.12.16/dbus/Makefile.in
--- dbus-1.12.14/dbus/Makefile.in	2019-05-17 10:41:19.000000000 +0100
+++ dbus-1.12.16/dbus/Makefile.in	2019-06-09 13:09:34.000000000 +0100
@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 # aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019
+# from AX_AM_MACROS_STATIC on Sun Jun  9 13:09:33 BST 2019
 
 
 
diff -Nru dbus-1.12.14/debian/changelog dbus-1.12.16/debian/changelog
--- dbus-1.12.14/debian/changelog	2019-05-18 17:37:08.000000000 +0100
+++ dbus-1.12.16/debian/changelog	2019-06-09 21:34:34.000000000 +0100
@@ -1,3 +1,18 @@
+dbus (1.12.16-1) unstable; urgency=medium
+
+  * New upstream stable release
+    - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
+      authentication for identities that differ from the user running the
+      DBusServer. Previously, a local attacker could manipulate symbolic
+      links in their own home directory to bypass authentication and
+      connect to a DBusServer with elevated privileges. The standard
+      system and session dbus-daemons in their default configuration were
+      immune to this attack because they did not allow DBUS_COOKIE_SHA1,
+      but third-party users of DBusServer such as Upstart could be
+      vulnerable.
+
+ -- Simon McVittie <smcv@debian.org>  Sun, 09 Jun 2019 21:34:34 +0100
+
 dbus (1.12.14-1) unstable; urgency=medium
 
   * New upstream release
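Review bot: The new entry's header line uses `urgency=medium` although the body describes a security fix (CVE-2019-12749, a local authentication bypass). For an upload whose only functional change is a CVE fix, `urgency=high` would be the expected value, so that migration is not delayed by the default age requirement. The entry would also be easier to cross-reference if it closed or mentioned the corresponding Debian bug number, if one exists.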
diff -Nru dbus-1.12.14/Makefile.in dbus-1.12.16/Makefile.in
--- dbus-1.12.14/Makefile.in	2019-05-17 10:41:19.000000000 +0100
+++ dbus-1.12.16/Makefile.in	2019-06-09 13:09:33.000000000 +0100
@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 # aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019
+# from AX_AM_MACROS_STATIC on Sun Jun  9 13:09:33 BST 2019
 
 VPATH = @srcdir@
 am__is_gnu_make = { \
@@ -225,7 +225,7 @@
 	$(top_srcdir)/cmake/DBus1Config.pkgconfig.in \
 	$(top_srcdir)/cmake/DBus1ConfigVersion.cmake.in AUTHORS \
 	COPYING ChangeLog INSTALL NEWS README build-aux/compile \
-	build-aux/config.guess build-aux/config.sub \
+	build-aux/config.guess build-aux/config.sub build-aux/depcomp \
 	build-aux/install-sh build-aux/ltmain.sh build-aux/missing
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
diff -Nru dbus-1.12.14/NEWS dbus-1.12.16/NEWS
--- dbus-1.12.14/NEWS	2019-05-17 10:40:49.000000000 +0100
+++ dbus-1.12.16/NEWS	2019-06-09 13:09:13.000000000 +0100
@@ -1,3 +1,21 @@
+dbus 1.12.16 (2019-06-11)
+=========================
+
+The “tree cat” release.
+
+Security fixes:
+
+• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
+  authentication for identities that differ from the user running the
+  DBusServer. Previously, a local attacker could manipulate symbolic
+  links in their own home directory to bypass authentication and connect
+  to a DBusServer with elevated privileges. The standard system and
+  session dbus-daemons in their default configuration were immune to this
+  attack because they did not allow DBUS_COOKIE_SHA1, but third-party
+  users of DBusServer such as Upstart could be vulnerable.
+  Thanks to Joe Vennix of Apple Information Security.
+  (dbus#269, Simon McVittie)
+
 dbus 1.12.14 (2019-05-17)
 =========================
 
diff -Nru dbus-1.12.14/test/data/auth/cookie-sha1.auth-script dbus-1.12.16/test/data/auth/cookie-sha1.auth-script
--- dbus-1.12.14/test/data/auth/cookie-sha1.auth-script	1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.12.16/test/data/auth/cookie-sha1.auth-script	2019-06-09 13:16:35.000000000 +0100
@@ -0,0 +1,11 @@
+SERVER
+SEND 'AUTH DBUS_COOKIE_SHA1 WRONG_USERID_HEX'
+EXPECT_COMMAND REJECTED
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+SEND 'AUTH DBUS_COOKIE_SHA1 USERID_HEX'
+EXPECT_COMMAND DATA
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+# We don't actually complete DBUS_COOKIE_SHA1 authentication, because
+# it's non-trivial.
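Review bot: The positive half of this script stops at `EXPECT_COMMAND DATA`, so it only shows that the server still starts a DBUS_COOKIE_SHA1 exchange for its own identity, not that a full handshake succeeds after the fix; the trailing comment admits this. That is acceptable for a regression test of the rejection path, but the comment should say explicitly that the script's purpose is the `WRONG_USERID_HEX` rejection, so nobody later mistakes it for end-to-end coverage of the mechanism. It would also strengthen the negative case to check the server's state again after the second `SEND`, confirming that an earlier rejected attempt leaves no residue in the auth state (the `EXPECT_HAVE_NO_CREDENTIALS` after `DATA` already goes part of the way).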
diff -Nru dbus-1.12.14/test/data/auth/cookie-sha1-username.auth-script dbus-1.12.16/test/data/auth/cookie-sha1-username.auth-script
--- dbus-1.12.14/test/data/auth/cookie-sha1-username.auth-script	1970-01-01 01:00:00.000000000 +0100
+++ dbus-1.12.16/test/data/auth/cookie-sha1-username.auth-script	2019-06-09 13:16:35.000000000 +0100
@@ -0,0 +1,12 @@
+UNIX_ONLY
+SERVER
+SEND 'AUTH DBUS_COOKIE_SHA1 WRONG_USERNAME_HEX'
+EXPECT_COMMAND REJECTED
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+SEND 'AUTH DBUS_COOKIE_SHA1 USERNAME_HEX'
+EXPECT_COMMAND DATA
+EXPECT_STATE WAITING_FOR_INPUT
+EXPECT_HAVE_NO_CREDENTIALS
+# We don't actually complete DBUS_COOKIE_SHA1 authentication, because
+# it's non-trivial.
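Review bot: The `UNIX_ONLY` line at the top of this script is required, not optional, because `WRONG_USERNAME_HEX` deliberately fails on Windows in dbus-auth-script.c ("WRONG_USERNAME_HEX cannot be used on Windows"); a one-line comment here saying so would stop someone from removing it to widen coverage. Apart from that and the token names, the script is identical to cookie-sha1.auth-script, so any later change to the expected states needs to be made in both files.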
diff -Nru dbus-1.12.14/test/Makefile.am dbus-1.12.16/test/Makefile.am
--- dbus-1.12.14/test/Makefile.am	2019-05-13 10:33:56.000000000 +0100
+++ dbus-1.12.16/test/Makefile.am	2019-06-09 13:08:49.000000000 +0100
@@ -471,6 +471,8 @@
 	data/auth/anonymous-server-successful.auth-script \
 	data/auth/cancel.auth-script \
 	data/auth/client-out-of-mechanisms.auth-script \
+	data/auth/cookie-sha1-username.auth-script \
+	data/auth/cookie-sha1.auth-script \
 	data/auth/external-failed.auth-script \
 	data/auth/external-root.auth-script \
 	data/auth/external-silly.auth-script \
diff -Nru dbus-1.12.14/test/Makefile.in dbus-1.12.16/test/Makefile.in
--- dbus-1.12.14/test/Makefile.in	2019-05-17 10:41:20.000000000 +0100
+++ dbus-1.12.16/test/Makefile.in	2019-06-09 13:09:34.000000000 +0100
@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 # aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Fri May 17 10:41:19 BST 2019
+# from AX_AM_MACROS_STATIC on Sun Jun  9 13:09:33 BST 2019
 
 
 
@@ -1267,6 +1267,8 @@
 	data/auth/anonymous-server-successful.auth-script \
 	data/auth/cancel.auth-script \
 	data/auth/client-out-of-mechanisms.auth-script \
+	data/auth/cookie-sha1-username.auth-script \
+	data/auth/cookie-sha1.auth-script \
 	data/auth/external-failed.auth-script \
 	data/auth/external-root.auth-script \
 	data/auth/external-silly.auth-script \

--- End Message ---
--- Begin Message ---
Hi,

On 13-06-2019 11:13, Paul Gevers wrote:
>> dbus builds udebs, so this will need an ack from debian-boot (although
>> from comments on #929132 it isn't clear to me whether the udebs are
>> actually used for anything).
> 
> As it isn't fully clear to me either, I'll wait for d-i anyways.

Fully unblocked, thanks.

Paul

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
