* [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245
@ 2015-06-24 20:04 Jussi Kukkonen
2015-06-24 20:06 ` [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure Jussi Kukkonen
2015-06-28 13:24 ` [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 akuster808
0 siblings, 2 replies; 4+ messages in thread
From: Jussi Kukkonen @ 2015-06-24 20:04 UTC (permalink / raw)
To: openembedded-core
This is for fido and possibly dizzy, not master.
D-Bus 1.8.16 fixes CVE-2015-0245 "prevent forged ActivationFailure from
non-root processes". This patch does not contain the same fix but a
configuration change that upstream suggests as a easily backportable
fix.
The issue is only a local denial of service so not terribly dangerous,
but should be worth fixing since the patch is not intrusive.
I've only tested this on fido, so the [dizzy] is just a suggestion.
Cheers, Jussi
The following changes since commit eb4a134a60e3ac26a48379675ad6346a44010339:
scripts/combo-layer: Fix exit codes and tty handling (2015-06-11 15:00:20 +0100)
are available in the git repository at:
git://git.yoctoproject.org/poky-contrib jku/dbus-fix-for-fido
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=jku/dbus-fix-for-fido
Jussi Kukkonen (1):
dbus: CVE-2015-0245: prevent forged ActivationFailure
meta/recipes-core/dbus/dbus.inc | 1 +
...015-0245-prevent-forged-ActivationFailure.patch | 48 ++++++++++++++++++++++
2 files changed, 49 insertions(+)
create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
--
2.1.4
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure
2015-06-24 20:04 [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 Jussi Kukkonen
@ 2015-06-24 20:06 ` Jussi Kukkonen
2015-06-26 14:30 ` Joshua Lock
2015-06-28 13:24 ` [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 akuster808
1 sibling, 1 reply; 4+ messages in thread
From: Jussi Kukkonen @ 2015-06-24 20:06 UTC (permalink / raw)
To: openembedded-core
Fix CVE-2015-0245 by preventing non-root and non-systemd processes
from fooling the dbus daemon into thinking systemd service activation
failed.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
meta/recipes-core/dbus/dbus.inc | 1 +
...015-0245-prevent-forged-ActivationFailure.patch | 48 ++++++++++++++++++++++
2 files changed, 49 insertions(+)
create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
index fb5d017..f1744c8 100644
--- a/meta/recipes-core/dbus/dbus.inc
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -17,6 +17,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
file://dbus-1.init \
file://os-test.patch \
file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+ file://CVE-2015-0245-prevent-forged-ActivationFailure.patch \
"
inherit useradd autotools pkgconfig gettext update-rc.d
diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
new file mode 100644
index 0000000..59363b3
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
@@ -0,0 +1,48 @@
+CVE-2015-0245: prevent forged ActivationFailure from non-root processes
+
+Upstream has fixed this in code but suggests using this as a easily
+backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811
+
+Upstream-Status: Inappropriate
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+
+
+
+From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Date: Mon, 26 Jan 2015 20:09:56 +0000
+Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure from
+ non-root processes
+
+Without either this rule or better checking in dbus-daemon, non-systemd
+processes can make dbus-daemon think systemd failed to activate a system
+service, resulting in an error reply back to the requester.
+
+This is redundant with the fix in the C code (which I consider to be
+the real solution), but is likely to be easier to backport.
+---
+ bus/system.conf.in | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/bus/system.conf.in b/bus/system.conf.in
+index 92f4cc4..851b9e6 100644
+--- a/bus/system.conf.in
++++ b/bus/system.conf.in
+@@ -68,6 +68,14 @@
+ <deny send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.DBus"
+ send_member="UpdateActivationEnvironment"/>
++ <deny send_destination="org.freedesktop.DBus"
++ send_interface="org.freedesktop.systemd1.Activator"/>
++ </policy>
++
++ <!-- Only systemd, which runs as root, may report activation failures. -->
++ <policy user="root">
++ <allow send_destination="org.freedesktop.DBus"
++ send_interface="org.freedesktop.systemd1.Activator"/>
+ </policy>
+
+ <!-- Config files are placed here that among other things, punch
+--
+2.1.4
+
--
2.1.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure
2015-06-24 20:06 ` [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure Jussi Kukkonen
@ 2015-06-26 14:30 ` Joshua Lock
0 siblings, 0 replies; 4+ messages in thread
From: Joshua Lock @ 2015-06-26 14:30 UTC (permalink / raw)
To: openembedded-core
On Wed, 2015-06-24 at 23:06 +0300, Jussi Kukkonen wrote:
> Fix CVE-2015-0245 by preventing non-root and non-systemd processes
> from fooling the dbus daemon into thinking systemd service activation
> failed.
Thanks Jussi,
This is queued in my fido-next branch[1].
Regards,
Joshua
1. http://cgit.openembedded.org/openembedded-core
-contrib/log/?h=joshuagl/fido-next
> Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
> ---
> meta/recipes-core/dbus/dbus.inc | 1 +
> ...015-0245-prevent-forged-ActivationFailure.patch | 48
> ++++++++++++++++++++++
> 2 files changed, 49 insertions(+)
> create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent
> -forged-ActivationFailure.patch
>
> diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes
> -core/dbus/dbus.inc
> index fb5d017..f1744c8 100644
> --- a/meta/recipes-core/dbus/dbus.inc
> +++ b/meta/recipes-core/dbus/dbus.inc
> @@ -17,6 +17,7 @@ SRC_URI = "
> http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
> file://dbus-1.init \
> file://os-test.patch \
> file://clear-guid_from_server-if
> -send_negotiate_unix_f.patch \
> + file://CVE-2015-0245-prevent-forged
> -ActivationFailure.patch \
> "
>
> inherit useradd autotools pkgconfig gettext update-rc.d
> diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged
> -ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245
> -prevent-forged-ActivationFailure.patch
> new file mode 100644
> index 0000000..59363b3
> --- /dev/null
> +++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged
> -ActivationFailure.patch
> @@ -0,0 +1,48 @@
> +CVE-2015-0245: prevent forged ActivationFailure from non-root
> processes
> +
> +Upstream has fixed this in code but suggests using this as a easily
> +backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811
> +
> +Upstream-Status: Inappropriate
> +Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
> +
> +
> +
> +From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00
> 2001
> +From: Simon McVittie <simon.mcvittie@collabora.co.uk>
> +Date: Mon, 26 Jan 2015 20:09:56 +0000
> +Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure
> from
> + non-root processes
> +
> +Without either this rule or better checking in dbus-daemon, non
> -systemd
> +processes can make dbus-daemon think systemd failed to activate a
> system
> +service, resulting in an error reply back to the requester.
> +
> +This is redundant with the fix in the C code (which I consider to be
> +the real solution), but is likely to be easier to backport.
> +---
> + bus/system.conf.in | 8 ++++++++
> + 1 file changed, 8 insertions(+)
> +
> +diff --git a/bus/system.conf.in b/bus/system.conf.in
> +index 92f4cc4..851b9e6 100644
> +--- a/bus/system.conf.in
> ++++ b/bus/system.conf.in
> +@@ -68,6 +68,14 @@
> + <deny send_destination="org.freedesktop.DBus"
> + send_interface="org.freedesktop.DBus"
> + send_member="UpdateActivationEnvironment"/>
> ++ <deny send_destination="org.freedesktop.DBus"
> ++ send_interface="org.freedesktop.systemd1.Activator"/>
> ++ </policy>
> ++
> ++ <!-- Only systemd, which runs as root, may report activation
> failures. -->
> ++ <policy user="root">
> ++ <allow send_destination="org.freedesktop.DBus"
> ++ send_interface="org.freedesktop.systemd1.Activator"/>
> + </policy>
> +
> + <!-- Config files are placed here that among other things, punch
> +--
> +2.1.4
> +
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245
2015-06-24 20:04 [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 Jussi Kukkonen
2015-06-24 20:06 ` [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure Jussi Kukkonen
@ 2015-06-28 13:24 ` akuster808
1 sibling, 0 replies; 4+ messages in thread
From: akuster808 @ 2015-06-28 13:24 UTC (permalink / raw)
To: Jussi Kukkonen, openembedded-core
merged to staging
thanks,
armin
On 06/24/2015 01:04 PM, Jussi Kukkonen wrote:
> This is for fido and possibly dizzy, not master.
>
> D-Bus 1.8.16 fixes CVE-2015-0245 "prevent forged ActivationFailure from
> non-root processes". This patch does not contain the same fix but a
> configuration change that upstream suggests as a easily backportable
> fix.
>
> The issue is only a local denial of service so not terribly dangerous,
> but should be worth fixing since the patch is not intrusive.
>
> I've only tested this on fido, so the [dizzy] is just a suggestion.
>
> Cheers, Jussi
>
>
>
> The following changes since commit eb4a134a60e3ac26a48379675ad6346a44010339:
>
> scripts/combo-layer: Fix exit codes and tty handling (2015-06-11 15:00:20 +0100)
>
> are available in the git repository at:
>
> git://git.yoctoproject.org/poky-contrib jku/dbus-fix-for-fido
> http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=jku/dbus-fix-for-fido
>
> Jussi Kukkonen (1):
> dbus: CVE-2015-0245: prevent forged ActivationFailure
>
> meta/recipes-core/dbus/dbus.inc | 1 +
> ...015-0245-prevent-forged-ActivationFailure.patch | 48 ++++++++++++++++++++++
> 2 files changed, 49 insertions(+)
> create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-06-28 13:24 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-06-24 20:04 [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 Jussi Kukkonen
2015-06-24 20:06 ` [PATCH 1/1] dbus: CVE-2015-0245: prevent forged ActivationFailure Jussi Kukkonen
2015-06-26 14:30 ` Joshua Lock
2015-06-28 13:24 ` [PATCH 0/1][fido][dizzy] dbus: Fix CVE-2015-0245 akuster808
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.