* [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 @ 2015-06-24 20:04 Jussi Kukkonen 2015-06-24 20:06 ` [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure Jussi Kukkonen 2015-06-28 13:24 ` [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 akuster808 0 siblings, 2 replies; 4+ messages in thread From: Jussi Kukkonen @ 2015-06-24 20:04 UTC (permalink / raw) To: openembedded-core This is for fido and possibly dizzy, not master. D-Bus 1.8.16 fixes CVE-2015-0245 "prevent forged ActivationFailure from non-root processes". This patch does not contain the same fix but a configuration change that upstream suggests as a easily backportable fix. The issue is only a local denial of service so not terribly dangerous, but should be worth fixing since the patch is not intrusive. I've only tested this on fido, so the [dizzy] is just a suggestion. Cheers, Jussi The following changes since commit eb4a134a60e3ac26a48379675ad6346a44010339: scripts/combo-layer: Fix exit codes and tty handling (2015-06-11 15:00:20 +0100) are available in the git repository at: git://git.yoctoproject.org/poky-contrib jku/dbus-fix-for-fido http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=jku/dbus-fix-for-fido Jussi Kukkonen (1): dbus: CVE-2015-0245: prevent forged ActivationFailure meta/recipes-core/dbus/dbus.inc | 1 + ...015-0245-prevent-forged-ActivationFailure.patch | 48 ++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch -- 2.1.4 ^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure 2015-06-24 20:04 [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 Jussi Kukkonen @ 2015-06-24 20:06 ` Jussi Kukkonen 2015-06-26 14:30 ` Joshua Lock 2015-06-28 13:24 ` [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 akuster808 1 sibling, 1 reply; 4+ messages in thread From: Jussi Kukkonen @ 2015-06-24 20:06 UTC (permalink / raw) To: openembedded-core Fix CVE-2015-0245 by preventing non-root and non-systemd processes from fooling the dbus daemon into thinking systemd service activation failed. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> --- meta/recipes-core/dbus/dbus.inc | 1 + ...015-0245-prevent-forged-ActivationFailure.patch | 48 ++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc index fb5d017..f1744c8 100644 --- a/meta/recipes-core/dbus/dbus.inc +++ b/meta/recipes-core/dbus/dbus.inc @@ -17,6 +17,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \ file://dbus-1.init \ file://os-test.patch \ file://clear-guid_from_server-if-send_negotiate_unix_f.patch \ + file://CVE-2015-0245-prevent-forged-ActivationFailure.patch \ " inherit useradd autotools pkgconfig gettext update-rc.d diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch new file mode 100644 index 0000000..59363b3 --- /dev/null +++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch @@ -0,0 +1,48 @@ +CVE-2015-0245: prevent forged ActivationFailure from non-root processes + +Upstream has fixed this in code but suggests using this as a easily +backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811 + +Upstream-Status: Inappropriate +Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> + + + +From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00 2001 +From: Simon McVittie <simon.mcvittie@collabora.co.uk> +Date: Mon, 26 Jan 2015 20:09:56 +0000 +Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure from + non-root processes + +Without either this rule or better checking in dbus-daemon, non-systemd +processes can make dbus-daemon think systemd failed to activate a system +service, resulting in an error reply back to the requester. + +This is redundant with the fix in the C code (which I consider to be +the real solution), but is likely to be easier to backport. +--- + bus/system.conf.in | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/bus/system.conf.in b/bus/system.conf.in +index 92f4cc4..851b9e6 100644 +--- a/bus/system.conf.in ++++ b/bus/system.conf.in +@@ -68,6 +68,14 @@ + <deny send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus" + send_member="UpdateActivationEnvironment"/> ++ <deny send_destination="org.freedesktop.DBus" ++ send_interface="org.freedesktop.systemd1.Activator"/> ++ </policy> ++ ++ <!-- Only systemd, which runs as root, may report activation failures. --> ++ <policy user="root"> ++ <allow send_destination="org.freedesktop.DBus" ++ send_interface="org.freedesktop.systemd1.Activator"/> + </policy> + + <!-- Config files are placed here that among other things, punch +-- +2.1.4 + -- 2.1.4 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure 2015-06-24 20:06 ` [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure Jussi Kukkonen @ 2015-06-26 14:30 ` Joshua Lock 0 siblings, 0 replies; 4+ messages in thread From: Joshua Lock @ 2015-06-26 14:30 UTC (permalink / raw) To: openembedded-core On Wed, 2015-06-24 at 23:06 +0300, Jussi Kukkonen wrote: > Fix CVE-2015-0245 by preventing non-root and non-systemd processes > from fooling the dbus daemon into thinking systemd service activation > failed. Thanks Jussi, This is queued in my fido-next branch[1]. Regards, Joshua 1. http://cgit.openembedded.org/openembedded-core -contrib/log/?h=joshuagl/fido-next > Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> > --- > meta/recipes-core/dbus/dbus.inc | 1 + > ...015-0245-prevent-forged-ActivationFailure.patch | 48 > ++++++++++++++++++++++ > 2 files changed, 49 insertions(+) > create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent > -forged-ActivationFailure.patch > > diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes > -core/dbus/dbus.inc > index fb5d017..f1744c8 100644 > --- a/meta/recipes-core/dbus/dbus.inc > +++ b/meta/recipes-core/dbus/dbus.inc > @@ -17,6 +17,7 @@ SRC_URI = " > http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \ > file://dbus-1.init \ > file://os-test.patch \ > file://clear-guid_from_server-if > -send_negotiate_unix_f.patch \ > + file://CVE-2015-0245-prevent-forged > -ActivationFailure.patch \ > " > > inherit useradd autotools pkgconfig gettext update-rc.d > diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged > -ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245 > -prevent-forged-ActivationFailure.patch > new file mode 100644 > index 0000000..59363b3 > --- /dev/null > +++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged > -ActivationFailure.patch > @@ -0,0 +1,48 @@ > +CVE-2015-0245: prevent forged ActivationFailure from non-root > processes > + > +Upstream has fixed this in code but suggests using this as a easily > +backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811 > + > +Upstream-Status: Inappropriate > +Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> > + > + > + > +From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00 > 2001 > +From: Simon McVittie <simon.mcvittie@collabora.co.uk> > +Date: Mon, 26 Jan 2015 20:09:56 +0000 > +Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure > from > + non-root processes > + > +Without either this rule or better checking in dbus-daemon, non > -systemd > +processes can make dbus-daemon think systemd failed to activate a > system > +service, resulting in an error reply back to the requester. > + > +This is redundant with the fix in the C code (which I consider to be > +the real solution), but is likely to be easier to backport. > +--- > + bus/system.conf.in | 8 ++++++++ > + 1 file changed, 8 insertions(+) > + > +diff --git a/bus/system.conf.in b/bus/system.conf.in > +index 92f4cc4..851b9e6 100644 > +--- a/bus/system.conf.in > ++++ b/bus/system.conf.in > +@@ -68,6 +68,14 @@ > + <deny send_destination="org.freedesktop.DBus" > + send_interface="org.freedesktop.DBus" > + send_member="UpdateActivationEnvironment"/> > ++ <deny send_destination="org.freedesktop.DBus" > ++ send_interface="org.freedesktop.systemd1.Activator"/> > ++ </policy> > ++ > ++ <!-- Only systemd, which runs as root, may report activation > failures. --> > ++ <policy user="root"> > ++ <allow send_destination="org.freedesktop.DBus" > ++ send_interface="org.freedesktop.systemd1.Activator"/> > + </policy> > + > + <!-- Config files are placed here that among other things, punch > +-- > +2.1.4 > + ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 2015-06-24 20:04 [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 Jussi Kukkonen 2015-06-24 20:06 ` [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure Jussi Kukkonen @ 2015-06-28 13:24 ` akuster808 1 sibling, 0 replies; 4+ messages in thread From: akuster808 @ 2015-06-28 13:24 UTC (permalink / raw) To: Jussi Kukkonen, openembedded-core merged to staging thanks, armin On 06/24/2015 01:04 PM, Jussi Kukkonen wrote: > This is for fido and possibly dizzy, not master. > > D-Bus 1.8.16 fixes CVE-2015-0245 "prevent forged ActivationFailure from > non-root processes". This patch does not contain the same fix but a > configuration change that upstream suggests as a easily backportable > fix. > > The issue is only a local denial of service so not terribly dangerous, > but should be worth fixing since the patch is not intrusive. > > I've only tested this on fido, so the [dizzy] is just a suggestion. > > Cheers, Jussi > > > > The following changes since commit eb4a134a60e3ac26a48379675ad6346a44010339: > > scripts/combo-layer: Fix exit codes and tty handling (2015-06-11 15:00:20 +0100) > > are available in the git repository at: > > git://git.yoctoproject.org/poky-contrib jku/dbus-fix-for-fido > http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=jku/dbus-fix-for-fido > > Jussi Kukkonen (1): > dbus: CVE-2015-0245: prevent forged ActivationFailure > > meta/recipes-core/dbus/dbus.inc | 1 + > ...015-0245-prevent-forged-ActivationFailure.patch | 48 ++++++++++++++++++++++ > 2 files changed, 49 insertions(+) > create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch > ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-06-28 13:24 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2015-06-24 20:04 [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 Jussi Kukkonen 2015-06-24 20:06 ` [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure Jussi Kukkonen 2015-06-26 14:30 ` Joshua Lock 2015-06-28 13:24 ` [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 akuster808
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.