[PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245

[PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245

[Jussi Kukkonen]

This is for fido and possibly dizzy, not master.

D-Bus 1.8.16 fixes CVE-2015-0245 "prevent forged ActivationFailure from
non-root processes". This patch does not contain the same fix but a
configuration change that upstream suggests as a easily backportable
fix.

The issue is only a local denial of service so not terribly dangerous,
but should be worth fixing since the patch is not intrusive.

I've only tested this on fido, so the [dizzy] is just a suggestion.

Cheers, Jussi



The following changes since commit eb4a134a60e3ac26a48379675ad6346a44010339:

  scripts/combo-layer: Fix exit codes and tty handling (2015-06-11 15:00:20 +0100)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib jku/dbus-fix-for-fido
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=jku/dbus-fix-for-fido

Jussi Kukkonen (1):
  dbus: CVE-2015-0245: prevent forged ActivationFailure

 meta/recipes-core/dbus/dbus.inc                    |  1 +
 ...015-0245-prevent-forged-ActivationFailure.patch | 48 ++++++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch

-- 
2.1.4

[PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure

[Jussi Kukkonen]

Fix CVE-2015-0245 by preventing non-root and non-systemd processes
from fooling the dbus daemon into thinking systemd service activation
failed.

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
 meta/recipes-core/dbus/dbus.inc                    |  1 +
 ...015-0245-prevent-forged-ActivationFailure.patch | 48 ++++++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch

diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
index fb5d017..f1744c8 100644
--- a/meta/recipes-core/dbus/dbus.inc
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -17,6 +17,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
            file://dbus-1.init \
            file://os-test.patch \
            file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+           file://CVE-2015-0245-prevent-forged-ActivationFailure.patch \
 "
 
 inherit useradd autotools pkgconfig gettext update-rc.d
diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
new file mode 100644
index 0000000..59363b3
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
@@ -0,0 +1,48 @@
+CVE-2015-0245: prevent forged ActivationFailure from non-root processes
+
+Upstream has fixed this in code but suggests using this as a easily
+backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811
+
+Upstream-Status: Inappropriate
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+
+
+
+From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Date: Mon, 26 Jan 2015 20:09:56 +0000
+Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure from
+ non-root processes
+
+Without either this rule or better checking in dbus-daemon, non-systemd
+processes can make dbus-daemon think systemd failed to activate a system
+service, resulting in an error reply back to the requester.
+
+This is redundant with the fix in the C code (which I consider to be
+the real solution), but is likely to be easier to backport.
+---
+ bus/system.conf.in | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/bus/system.conf.in b/bus/system.conf.in
+index 92f4cc4..851b9e6 100644
+--- a/bus/system.conf.in
++++ b/bus/system.conf.in
+@@ -68,6 +68,14 @@
+     <deny send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus"
+           send_member="UpdateActivationEnvironment"/>
++    <deny send_destination="org.freedesktop.DBus"
++          send_interface="org.freedesktop.systemd1.Activator"/>
++  </policy>
++
++  <!-- Only systemd, which runs as root, may report activation failures. -->
++  <policy user="root">
++    <allow send_destination="org.freedesktop.DBus"
++           send_interface="org.freedesktop.systemd1.Activator"/>
+   </policy>
+ 
+   <!-- Config files are placed here that among other things, punch 
+-- 
+2.1.4
+
-- 
2.1.4

Re: [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure

[Joshua Lock]

On Wed, 2015-06-24 at 23:06 +0300, Jussi Kukkonen wrote:
> Fix CVE-2015-0245 by preventing non-root and non-systemd processes
> from fooling the dbus daemon into thinking systemd service activation
> failed.

Thanks Jussi,

This is queued in my fido-next branch[1].

Regards,

Joshua

1. http://cgit.openembedded.org/openembedded-core
-contrib/log/?h=joshuagl/fido-next

> Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
> ---
>  meta/recipes-core/dbus/dbus.inc                    |  1 +
>  ...015-0245-prevent-forged-ActivationFailure.patch | 48 
> ++++++++++++++++++++++
>  2 files changed, 49 insertions(+)
>  create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent
> -forged-ActivationFailure.patch
> 
> diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes
> -core/dbus/dbus.inc
> index fb5d017..f1744c8 100644
> --- a/meta/recipes-core/dbus/dbus.inc
> +++ b/meta/recipes-core/dbus/dbus.inc
> @@ -17,6 +17,7 @@ SRC_URI = "
> http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
>             file://dbus-1.init \
>             file://os-test.patch \
>             file://clear-guid_from_server-if
> -send_negotiate_unix_f.patch \
> +           file://CVE-2015-0245-prevent-forged
> -ActivationFailure.patch \
>  "
>  
>  inherit useradd autotools pkgconfig gettext update-rc.d
> diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged
> -ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245
> -prevent-forged-ActivationFailure.patch
> new file mode 100644
> index 0000000..59363b3
> --- /dev/null
> +++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged
> -ActivationFailure.patch
> @@ -0,0 +1,48 @@
> +CVE-2015-0245: prevent forged ActivationFailure from non-root 
> processes
> +
> +Upstream has fixed this in code but suggests using this as a easily
> +backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811
> +
> +Upstream-Status: Inappropriate
> +Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
> +
> +
> +
> +From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00 
> 2001
> +From: Simon McVittie <simon.mcvittie@collabora.co.uk>
> +Date: Mon, 26 Jan 2015 20:09:56 +0000
> +Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure 
> from
> + non-root processes
> +
> +Without either this rule or better checking in dbus-daemon, non
> -systemd
> +processes can make dbus-daemon think systemd failed to activate a 
> system
> +service, resulting in an error reply back to the requester.
> +
> +This is redundant with the fix in the C code (which I consider to be
> +the real solution), but is likely to be easier to backport.
> +---
> + bus/system.conf.in | 8 ++++++++
> + 1 file changed, 8 insertions(+)
> +
> +diff --git a/bus/system.conf.in b/bus/system.conf.in
> +index 92f4cc4..851b9e6 100644
> +--- a/bus/system.conf.in
> ++++ b/bus/system.conf.in
> +@@ -68,6 +68,14 @@
> +     <deny send_destination="org.freedesktop.DBus"
> +           send_interface="org.freedesktop.DBus"
> +           send_member="UpdateActivationEnvironment"/>
> ++    <deny send_destination="org.freedesktop.DBus"
> ++          send_interface="org.freedesktop.systemd1.Activator"/>
> ++  </policy>
> ++
> ++  <!-- Only systemd, which runs as root, may report activation 
> failures. -->
> ++  <policy user="root">
> ++    <allow send_destination="org.freedesktop.DBus"
> ++           send_interface="org.freedesktop.systemd1.Activator"/>
> +   </policy>
> + 
> +   <!-- Config files are placed here that among other things, punch 
> +-- 
> +2.1.4
> +

Re: [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245

[akuster808]

merged to staging

thanks,
armin

On 06/24/2015 01:04 PM, Jussi Kukkonen wrote:
> This is for fido and possibly dizzy, not master.
>
> D-Bus 1.8.16 fixes CVE-2015-0245 "prevent forged ActivationFailure from
> non-root processes". This patch does not contain the same fix but a
> configuration change that upstream suggests as a easily backportable
> fix.
>
> The issue is only a local denial of service so not terribly dangerous,
> but should be worth fixing since the patch is not intrusive.
>
> I've only tested this on fido, so the [dizzy] is just a suggestion.
>
> Cheers, Jussi
>
>
>
> The following changes since commit eb4a134a60e3ac26a48379675ad6346a44010339:
>
>    scripts/combo-layer: Fix exit codes and tty handling (2015-06-11 15:00:20 +0100)
>
> are available in the git repository at:
>
>    git://git.yoctoproject.org/poky-contrib jku/dbus-fix-for-fido
>    http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=jku/dbus-fix-for-fido
>
> Jussi Kukkonen (1):
>    dbus: CVE-2015-0245: prevent forged ActivationFailure
>
>   meta/recipes-core/dbus/dbus.inc                    |  1 +
>   ...015-0245-prevent-forged-ActivationFailure.patch | 48 ++++++++++++++++++++++
>   2 files changed, 49 insertions(+)
>   create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
>