From a9a78d8bfbabcd306115684c99d3b2aa8fc75be8 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Thu, 20 Jun 2019 23:40:52 +0200 Subject: [PATCH] gnu: dbus: Update to 1.12.16. * gnu/packages/patches/dbus-CVE-2019-12749.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/glib.scm (dbus): Update to 1.12.16. [replacement]: Remove. (dbus/fixed): Remove variable. --- gnu/local.mk | 1 - gnu/packages/glib.scm | 13 +- .../patches/dbus-CVE-2019-12749.patch | 116 ------------------ 3 files changed, 2 insertions(+), 128 deletions(-) delete mode 100644 gnu/packages/patches/dbus-CVE-2019-12749.patch diff --git a/gnu/local.mk b/gnu/local.mk index 3be9c9d60e..42b34ab90e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -740,7 +740,6 @@ dist_patch_DATA = \ %D%/packages/patches/cursynth-wave-rand.patch \ %D%/packages/patches/cvs-2017-12836.patch \ %D%/packages/patches/dbus-helper-search-path.patch \ - %D%/packages/patches/dbus-CVE-2019-12749.patch \ %D%/packages/patches/dealii-mpi-deprecations.patch \ %D%/packages/patches/deja-dup-use-ref-keyword-for-iter.patch \ %D%/packages/patches/dfu-programmer-fix-libusb.patch \ diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm index d93a928c20..9fba2310d6 100644 --- a/gnu/packages/glib.scm +++ b/gnu/packages/glib.scm @@ -82,8 +82,7 @@ (define-module (gnu packages glib) (define dbus (package (name "dbus") - (version "1.12.14") - (replacement dbus/fixed) + (version "1.12.16") (source (origin (method url-fetch) (uri (string-append @@ -91,7 +90,7 @@ (define dbus version ".tar.gz")) (sha256 (base32 - "13aca7gzgl7z1dfdipfs23773w8n6z01d4rj5kmssv4gms8c5ya4")) + "107ckxaff1cv4q6kmfdi2fb1nlsv03312a7kf6lb4biglhpjv8jl")) (patches (search-patches "dbus-helper-search-path.patch")))) (build-system gnu-build-system) (arguments @@ -157,14 +156,6 @@ (define dbus shared NFS home directories.") (license license:gpl2+))) ; or Academic Free License 2.1 -(define dbus/fixed - (package - (inherit dbus) - (source (origin - (inherit (package-source dbus)) - (patches (append (search-patches "dbus-CVE-2019-12749.patch") - (origin-patches (package-source dbus)))))))) - (define glib (package (name "glib") diff --git a/gnu/packages/patches/dbus-CVE-2019-12749.patch b/gnu/packages/patches/dbus-CVE-2019-12749.patch deleted file mode 100644 index 12106f4589..0000000000 --- a/gnu/packages/patches/dbus-CVE-2019-12749.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 47b1a4c41004bf494b87370987b222c934b19016 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Thu, 30 May 2019 12:53:03 +0100 -Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server - owner - -The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership -of a shared home directory by having the server write a secret "cookie" -into a .dbus-keyrings subdirectory of the desired identity's home -directory with 0700 permissions, and having the client prove that it can -read the cookie. This never actually worked for non-malicious clients in -the case where server uid != client uid (unless the server and client -both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional -Unix uid 0) because an unprivileged server would fail to write out the -cookie, and an unprivileged client would be unable to read the resulting -file owned by the server. - -Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings -is owned by the uid of the server (a side-effect of a check added to -harden our use of XDG_RUNTIME_DIR), further ruling out successful use -by a non-malicious client with a uid differing from the server's. - -Joe Vennix of Apple Information Security discovered that the -implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link -attack: a malicious client with write access to its own home directory -could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to -read and write in unintended locations. In the worst case this could -result in the DBusServer reusing a cookie that is known to the -malicious client, and treating that cookie as evidence that a subsequent -client connection came from an attacker-chosen uid, allowing -authentication bypass. - -This is mitigated by the fact that by default, the well-known system -dbus-daemon (since 2003) and the well-known session dbus-daemon (in -stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL -authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1 -at an early stage, before manipulating cookies. As a result, this -vulnerability only applies to: - -* system or session dbus-daemons with non-standard configuration -* third-party dbus-daemon invocations such as at-spi2-core (although - in practice at-spi2-core also only accepts EXTERNAL by default) -* third-party uses of DBusServer such as the one in Upstart - -Avoiding symlink attacks in a portable way is difficult, because APIs -like openat() and Linux /proc/self/fd are not universally available. -However, because DBUS_COOKIE_SHA1 already doesn't work in practice for -a non-matching uid, we can solve this vulnerability in an easier way -without regressions, by rejecting it early (before looking at -~/.dbus-keyrings) whenever the requested identity doesn't match the -identity of the process hosting the DBusServer. - -Signed-off-by: Simon McVittie -Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269 -Closes: CVE-2019-12749 ---- - dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++ - 1 file changed, 32 insertions(+) - -diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c -index 37d8d4c9..7390a9d5 100644 ---- a/dbus/dbus-auth.c -+++ b/dbus/dbus-auth.c -@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth *auth, - DBusString tmp2; - dbus_bool_t retval = FALSE; - DBusError error = DBUS_ERROR_INIT; -+ DBusCredentials *myself = NULL; - - _dbus_string_set_length (&auth->challenge, 0); - -@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth *auth, - return FALSE; - } - -+ myself = _dbus_credentials_new_from_current_process (); -+ -+ if (myself == NULL) -+ goto out; -+ -+ if (!_dbus_credentials_same_user (myself, auth->desired_identity)) -+ { -+ /* -+ * DBUS_COOKIE_SHA1 is not suitable for authenticating that the -+ * client is anyone other than the user owning the process -+ * containing the DBusServer: we probably aren't allowed to write -+ * to other users' home directories. Even if we can (for example -+ * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we -+ * must not, because the other user controls their home directory, -+ * and could carry out symlink attacks to make us read from or -+ * write to unintended locations. It's difficult to avoid symlink -+ * attacks in a portable way, so we just don't try. This isn't a -+ * regression, because DBUS_COOKIE_SHA1 never worked for other -+ * users anyway. -+ */ -+ _dbus_verbose ("%s: client tried to authenticate as \"%s\", " -+ "but that doesn't match this process", -+ DBUS_AUTH_NAME (auth), -+ _dbus_string_get_const_data (data)); -+ retval = send_rejected (auth); -+ goto out; -+ } -+ - /* we cache the keyring for speed, so here we drop it if it's the - * wrong one. FIXME caching the keyring here is useless since we use - * a different DBusAuth for every connection. -@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth *auth, - _dbus_string_zero (&tmp2); - _dbus_string_free (&tmp2); - -+ if (myself != NULL) -+ _dbus_credentials_unref (myself); -+ - return retval; - } -