aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJussi Kukkonen <jussi.kukkonen@intel.com>2015-06-24 23:06:46 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-07-20 20:53:08 +0100
commita8aa06b2405dec31a306fdf47bd1fdf740fde7bd (patch)
tree300596a2bc51c01d5bdcf2071648a3886d443cf5
parent429ab46f975c05f65120beddf50099c7cb0b2f86 (diff)
downloadopenembedded-core-contrib-a8aa06b2405dec31a306fdf47bd1fdf740fde7bd.tar.gz
dbus: CVE-2015-0245: prevent forged ActivationFailure
Fix CVE-2015-0245 by preventing non-root and non-systemd processes from fooling the dbus daemon into thinking systemd service activation failed. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta/recipes-core/dbus/dbus.inc1
-rw-r--r--meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch48
2 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
index d38ba7e1d2..971eabf82c 100644
--- a/meta/recipes-core/dbus/dbus.inc
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -17,6 +17,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
file://dbus-1.init \
file://os-test.patch \
file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+ file://CVE-2015-0245-prevent-forged-ActivationFailure.patch \
"
inherit useradd autotools pkgconfig gettext update-rc.d
diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
new file mode 100644
index 0000000000..59363b3e76
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
@@ -0,0 +1,48 @@
+CVE-2015-0245: prevent forged ActivationFailure from non-root processes
+
+Upstream has fixed this in code but suggests using this as a easily
+backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811
+
+Upstream-Status: Inappropriate
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+
+
+
+From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Date: Mon, 26 Jan 2015 20:09:56 +0000
+Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure from
+ non-root processes
+
+Without either this rule or better checking in dbus-daemon, non-systemd
+processes can make dbus-daemon think systemd failed to activate a system
+service, resulting in an error reply back to the requester.
+
+This is redundant with the fix in the C code (which I consider to be
+the real solution), but is likely to be easier to backport.
+---
+ bus/system.conf.in | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/bus/system.conf.in b/bus/system.conf.in
+index 92f4cc4..851b9e6 100644
+--- a/bus/system.conf.in
++++ b/bus/system.conf.in
+@@ -68,6 +68,14 @@
+ <deny send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.DBus"
+ send_member="UpdateActivationEnvironment"/>
++ <deny send_destination="org.freedesktop.DBus"
++ send_interface="org.freedesktop.systemd1.Activator"/>
++ </policy>
++
++ <!-- Only systemd, which runs as root, may report activation failures. -->
++ <policy user="root">
++ <allow send_destination="org.freedesktop.DBus"
++ send_interface="org.freedesktop.systemd1.Activator"/>
+ </policy>
+
+ <!-- Config files are placed here that among other things, punch
+--
+2.1.4
+