
Bug#1000707: bullseye-pu: package keepalived/1:2.1.5-0.2



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

[ Reason ]
Keepalived ships a DBus policy allowing anyone to access and write any
properties. We want to restrict this policy to only impact the
properties owned by Keepalived.

[ Impact ]
Any user can read any DBus property and write any writable property.

[ Tests ]
Tested manually with:

    dbus-send --print-reply --system --dest=org.freedesktop.nm_dispatcher \
        / org.freedesktop.DBus.Properties.Set \
        string:com.example.Nope string:Nope variant:string:foo

Thanks to Simon McVittie for his help on this.

[ Risks ]
Very low. I think most people don't enable DBus support, so we are
unlikely to break anything.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Restrict allowed properties to org.keepalived.Vrrp1 destination.

[ Other info ]
- Real impact seems small as most properties are already readable and
  are not writable.
- Security team is OK to use a point release to fix this.

9b4813899b1b

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCAAwFiEErvI0h2bzccaJpzYAlaQv6DU1JfkFAmGiR6sSHGJlcm5hdEBk
ZWJpYW4ub3JnAAoJEJWkL+g1NSX5S/gP/ipz9T9W02SEl2QOVw3falS9pQx4JUaV
NYbwqbd+nocTjRTjk093QbtpfsGIxldwOBNy5cdZhEBQr+v4P+sj6zzBnP5s75mG
foWBRviSQhD3XvwS9kZ5+4yhULdhv9iiSJE22nDmIRCOQ/zYvxeoaMxbjSoEetvE
4CzSNtVXP3uPmC+/FmdmdyoYxtbZTgnSkBv5bNNHtpMt9bl3jjRlLTx9vp1gbkzg
nJUulyvv63wIm6pAiKbjrvW0gwutKlvlfNchlREgS4k8kAvuT/nUsZnsoMYw6m/B
B8aR8z2HRTUYI/PmIqOG+UXvnL5M69SR5EB3bTGJfhgPhjDVG/M5yIdbBBBYHRdH
4/F42o5krlMPHSc96LRhaX8E1H5xcIGh3rwRq7EvP9i5C5O6Ox9cSRj+9kindvkR
hBbjtdqXu4idmf9+unSk/NN+I2T+lOLKWeqhF00Wu8TtD9+JIEJbLnqcBoXc9QC7
d6qG3fuqKPyqrplliYgMEWb/GzQXvFnwx+JleBwFZ0nXXl5lGOLzOAVliYDowkZv
a0w3qmdC0o46QfLzilGBPbFRLuoGCJ1ptQO9p/cK3esYEkxwicxgkhsAoSFqaWLT
tvSt2KC9nC6FmuBpLrhUwK63zZOanHFwuTkVqsP+vQu+uHnDpnxaT4kvo78ckdhX
e3DXALjBZLhd
=uiHe
-----END PGP SIGNATURE-----
From 9b4813899b1bd0ba9b719f458d794534e9989d22 Mon Sep 17 00:00:00 2001
From: Vincent Bernat <bernat@debian.org>
Date: Sat, 27 Nov 2021 15:53:33 +0100
Subject: [PATCH] Fix shipped too broad DBus policy. CVE-2021-44225

---
 debian/changelog          |  6 ++++++
 debian/patches/2063.patch | 38 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series     |  1 +
 3 files changed, 45 insertions(+)
 create mode 100644 debian/patches/2063.patch

diff --git a/debian/changelog b/debian/changelog
index 51ee7b25efc1..2491770e8103 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+keepalived (1:2.1.5-0.2+deb11u1) bullseye; urgency=medium
+
+  * Fix shipped too broad DBus policy. CVE-2021-44225.
+
+ -- Vincent Bernat <bernat@debian.org>  Sat, 27 Nov 2021 15:51:39 +0100
+
 keepalived (1:2.1.5-0.2) unstable; urgency=medium
 
   * Non-maintainer upload.
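Review bot: the new changelog entry names CVE-2021-44225 but not what actually changed; since users of the point release read d/changelog rather than the patch, state the concrete change, for example "Restrict the default-context DBus policy in org.keepalived.Vrrp1.conf to send_destination org.keepalived.Vrrp1 (CVE-2021-44225)". If a Debian bug tracks this issue, add the usual "Closes: #nnn" reference as well.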
diff --git a/debian/patches/2063.patch b/debian/patches/2063.patch
new file mode 100644
index 000000000000..ea9d40ec2115
--- /dev/null
+++ b/debian/patches/2063.patch
@@ -0,0 +1,38 @@
+From 7977fec0be89ae6fe87405b3f8da2f0b5e415e3d Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.ch>
+Date: Tue, 23 Nov 2021 06:50:59 +0100
+Subject: [PATCH] dbus: fix policy to not be overly broad
+
+The DBus policy did not restrict the message destination, allowing any
+user to inspect and manipulate any property.
+
+Signed-off-by: Vincent Bernat <vincent@bernat.ch>
+---
+ keepalived/dbus/org.keepalived.Vrrp1.conf | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/keepalived/dbus/org.keepalived.Vrrp1.conf b/keepalived/dbus/org.keepalived.Vrrp1.conf
+index 2b78a575c..b5ced6085 100644
+--- a/keepalived/dbus/org.keepalived.Vrrp1.conf
++++ b/keepalived/dbus/org.keepalived.Vrrp1.conf
+@@ -3,12 +3,15 @@
+  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd";>
+ <busconfig>
+ 	<policy user="root">
+-		<allow own="org.keepalived.Vrrp1"/>
+-		<allow send_destination="org.keepalived.Vrrp1"/>
++		<allow own="org.keepalived.Vrrp1" />
++		<allow send_destination="org.keepalived.Vrrp1" />
+ 	</policy>
+ 	<policy context="default">
+-		<allow send_interface="org.freedesktop.DBus.Introspectable" />
+-		<allow send_interface="org.freedesktop.DBus.Peer" />
+-		<allow send_interface="org.freedesktop.DBus.Properties" />
++		<allow send_destination="org.keepalived.Vrrp1"
++		       send_interface="org.freedesktop.DBus.Introspectable" />
++		<allow send_destination="org.keepalived.Vrrp1"
++		       send_interface="org.freedesktop.DBus.Peer" />
++		<allow send_destination="org.keepalived.Vrrp1"
++		       send_interface="org.freedesktop.DBus.Properties" />
+ 	</policy>
+ </busconfig>
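Review bot: the three default-context rules are now bound to send_destination="org.keepalived.Vrrp1", but the third one still allows every method of org.freedesktop.DBus.Properties, so any local user can still call Properties.Set on keepalived's own objects; if no keepalived property is meant to be writable by non-root, tighten that rule with send_member (one rule each for "Get" and "GetAll") and leave Set to the root policy, which already has an unrestricted send_destination allow. Two smaller points: the two root-policy lines change only whitespace (`/>` to ` />`) and could be dropped to keep the stable backport minimal, and the patch file carries no DEP-3 header (Origin:/Bug:) above the git headers, which would let the next maintainer find the upstream commit without guessing from the file name "2063.patch".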
diff --git a/debian/patches/series b/debian/patches/series
index e69de29bb2d1..c6683cd1715d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1 @@
+2063.patch
-- 
2.34.0

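The policy change above is easy to get wrong in either direction, so here is an added example (not part of this bug report, nor of keepalived or Debian) that reads a D-Bus busconfig file and does two things: it flags `<allow>` rules granting send rights without naming a destination, which is exactly the shape of the shipped policy, and it evaluates whether a given message would pass the default-context rules. The two policies are transcribed from the hunk; the `PROBE` message mirrors the `dbus-send` call from the [Tests] section. The evaluator is a deliberately simplified model of dbus-daemon (default context only, `send_*` attributes only, exact matching, later rule wins), which is an assumption of this example rather than a reimplementation of the daemon.

```python
# Added example, not code from the bug report or from keepalived. Lints a
# D-Bus busconfig policy for destination-less <allow send_*> rules and
# evaluates a message against the default-context rules with a simplified
# model of dbus-daemon (assumption: default context only, send_* attributes
# only, exact string match, the last matching rule wins, default deny).
import xml.etree.ElementTree as ET

# Policy as shipped before the fix (transcribed from the "-" lines of the hunk).
BEFORE = """<busconfig>
  <policy user="root">
    <allow own="org.keepalived.Vrrp1"/>
    <allow send_destination="org.keepalived.Vrrp1"/>
  </policy>
  <policy context="default">
    <allow send_interface="org.freedesktop.DBus.Introspectable" />
    <allow send_interface="org.freedesktop.DBus.Peer" />
    <allow send_interface="org.freedesktop.DBus.Properties" />
  </policy>
</busconfig>"""

# Policy after the fix (transcribed from the "+" lines of the hunk).
AFTER = """<busconfig>
  <policy user="root">
    <allow own="org.keepalived.Vrrp1" />
    <allow send_destination="org.keepalived.Vrrp1" />
  </policy>
  <policy context="default">
    <allow send_destination="org.keepalived.Vrrp1"
           send_interface="org.freedesktop.DBus.Introspectable" />
    <allow send_destination="org.keepalived.Vrrp1"
           send_interface="org.freedesktop.DBus.Peer" />
    <allow send_destination="org.keepalived.Vrrp1"
           send_interface="org.freedesktop.DBus.Properties" />
  </policy>
</busconfig>"""

# The message the report's manual test sends: Properties.Set to a bus name
# that has nothing to do with keepalived (constructed from the dbus-send call).
PROBE = {
    "destination": "org.freedesktop.nm_dispatcher",
    "path": "/",
    "interface": "org.freedesktop.DBus.Properties",
    "member": "Set",
}


def _send_attrs(rule):
    """send_* attributes of a rule, with the 'send_' prefix stripped."""
    return {k[len("send_"):]: v for k, v in rule.attrib.items() if k.startswith("send_")}


def unbounded_allows(policy_xml):
    """Return (scope, attrs) for every <allow> that grants send rights to any
    destination, i.e. has send_* attributes but no send_destination[_prefix]."""
    findings = []
    for policy in ET.fromstring(policy_xml).findall("policy"):
        scope = policy.get("context") or ",".join("%s=%s" % kv for kv in policy.attrib.items())
        for rule in policy.findall("allow"):
            attrs = _send_attrs(rule)
            if attrs and not any(k.startswith("destination") for k in attrs):
                findings.append((scope, attrs))
    return findings


def allowed_by_default_context(policy_xml, message):
    """Walk the default-context rules in file order. A rule matches when every
    send_* field it names equals the message field (send_destination_prefix
    would need prefix matching; it is not modelled here). The last matching
    allow/deny decides; with no match the verdict is deny."""
    verdict = False
    for policy in ET.fromstring(policy_xml).findall("policy"):
        if policy.get("context") != "default":
            continue
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            attrs = _send_attrs(rule)
            if attrs and all(message.get(f) == v for f, v in attrs.items()):
                verdict = rule.tag == "allow"
    return verdict


if __name__ == "__main__":
    for name, xml in (("before", BEFORE), ("after", AFTER)):
        print(name, "destination-less allow rules:", unbounded_allows(xml))
        print(name, "Properties.Set to nm_dispatcher passes default context:",
              allowed_by_default_context(xml, PROBE))
```

Run against the "before" policy the checker reports all three default-context rules and lets the probe through; against the "after" policy it reports nothing and denies the probe while still admitting the same call when the destination is org.keepalived.Vrrp1. On a real bus the destination's own policy and the mandatory context also apply, so this models the shipped file alone, not the final verdict of dbus-daemon.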
