Revert "1:1.6.8-3"

This reverts commit bb4913459e.
This commit is contained in:
Rex Dieter 2012-11-14 15:32:25 -06:00
parent 8423a29565
commit 7ddd4da9c5
4 changed files with 293 additions and 17 deletions

View File

@ -0,0 +1,234 @@
From 450d975046bbd54271da62ce5fcbe50113f2e453 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Wed, 22 Aug 2012 10:03:34 -0400
Subject: [PATCH] CVE-2012-3524: Don't access environment variables or run
dbus-launch when setuid
This matches a corresponding change in GLib. See
glib/gutils.c:g_check_setuid().
Some programs attempt to use libdbus when setuid; notably the X.org
server is shipped in such a configuration. libdbus never had an
explicit policy about its use in setuid programs.
I'm not sure whether we should advertise such support. However, given
that there are real-world programs that do this currently, we can make
them safer with not too much effort.
Better to fix a problem caused by an interaction between two
components in *both* places if possible.
How to determine whether or not we're running in a privilege-escalated
path is operating system specific. Note that GTK+'s code to check
euid versus uid worked historically on Unix, more modern systems have
filesystem capabilities and SELinux domain transitions, neither of
which are captured by the uid comparison.
On Linux/glibc, the way this works is that the kernel sets an
AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on
startup. If found, then glibc sets a public-but-undocumented
__libc_enable_secure variable which we can use. Unfortunately, while
it *previously* worked to check this variable, a combination of newer
binutils and RPM break it:
http://www.openwall.com/lists/owl-dev/2012/08/14/1
So for now on Linux/glibc, we fall back to the historical Unix version
until we get glibc fixed.
On some BSD variants, there is a issetugid() function. On other Unix
variants, we fall back to what GTK+ has been doing.
Reported-by: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Colin Walters <walters@verbum.org>
---
configure.ac | 2 +-
dbus/dbus-keyring.c | 7 +++++
dbus/dbus-sysdeps-unix.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++
dbus/dbus-sysdeps-win.c | 6 ++++
dbus/dbus-sysdeps.c | 5 ++++
dbus/dbus-sysdeps.h | 1 +
6 files changed, 94 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index e2c9bdf..b0f2ec2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -595,7 +595,7 @@ AC_DEFINE_UNQUOTED([DBUS_USE_SYNC], [$have_sync], [Use the gcc __sync extension]
AC_SEARCH_LIBS(socket,[socket network])
AC_CHECK_FUNC(gethostbyname,,[AC_CHECK_LIB(nsl,gethostbyname)])
-AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull)
+AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull issetugid getresuid)
AC_CHECK_HEADERS([syslog.h])
if test "x$ac_cv_header_syslog_h" = "xyes"; then
diff --git a/dbus/dbus-keyring.c b/dbus/dbus-keyring.c
index 23b9df5..3b9ce31 100644
--- a/dbus/dbus-keyring.c
+++ b/dbus/dbus-keyring.c
@@ -717,6 +717,13 @@ _dbus_keyring_new_for_credentials (DBusCredentials *credentials,
DBusCredentials *our_credentials;
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
+
+ if (_dbus_check_setuid ())
+ {
+ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
+ "Unable to create DBus keyring when setuid");
+ return NULL;
+ }
keyring = NULL;
error_set = FALSE;
diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
index cef8bd3..b4ecc96 100644
--- a/dbus/dbus-sysdeps-unix.c
+++ b/dbus/dbus-sysdeps-unix.c
@@ -3434,6 +3434,13 @@ _dbus_get_autolaunch_address (const char *scope,
DBusString uuid;
dbus_bool_t retval;
+ if (_dbus_check_setuid ())
+ {
+ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
+ "Unable to autolaunch when setuid");
+ return FALSE;
+ }
+
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
retval = FALSE;
@@ -3551,6 +3558,13 @@ _dbus_lookup_launchd_socket (DBusString *socket_path,
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
+ if (_dbus_check_setuid ())
+ {
+ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
+ "Unable to find launchd socket when setuid");
+ return FALSE;
+ }
+
i = 0;
argv[i] = "launchctl";
++i;
@@ -3591,6 +3605,13 @@ _dbus_lookup_session_address_launchd (DBusString *address, DBusError *error)
dbus_bool_t valid_socket;
DBusString socket_path;
+ if (_dbus_check_setuid ())
+ {
+ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
+ "Unable to find launchd socket when setuid");
+ return FALSE;
+ }
+
if (!_dbus_string_init (&socket_path))
{
_DBUS_SET_OOM (error);
@@ -4086,4 +4107,57 @@ _dbus_close_all (void)
close (i);
}
+/**
+ * **NOTE**: If you modify this function, please also consider making
+ * the corresponding change in GLib. See
+ * glib/gutils.c:g_check_setuid().
+ *
+ * Returns TRUE if the current process was executed as setuid (or an
+ * equivalent __libc_enable_secure is available). See:
+ * http://osdir.com/ml/linux.lfs.hardened/2007-04/msg00032.html
+ */
+dbus_bool_t
+_dbus_check_setuid (void)
+{
+ /* TODO: get __libc_enable_secure exported from glibc.
+ * See http://www.openwall.com/lists/owl-dev/2012/08/14/1
+ */
+#if 0 && defined(HAVE_LIBC_ENABLE_SECURE)
+ {
+ /* See glibc/include/unistd.h */
+ extern int __libc_enable_secure;
+ return __libc_enable_secure;
+ }
+#elif defined(HAVE_ISSETUGID)
+ /* BSD: http://www.freebsd.org/cgi/man.cgi?query=issetugid&sektion=2 */
+ return issetugid ();
+#else
+ uid_t ruid, euid, suid; /* Real, effective and saved user ID's */
+ gid_t rgid, egid, sgid; /* Real, effective and saved group ID's */
+
+ static dbus_bool_t check_setuid_initialised;
+ static dbus_bool_t is_setuid;
+
+ if (_DBUS_UNLIKELY (!check_setuid_initialised))
+ {
+#ifdef HAVE_GETRESUID
+ if (getresuid (&ruid, &euid, &suid) != 0 ||
+ getresgid (&rgid, &egid, &sgid) != 0)
+#endif /* HAVE_GETRESUID */
+ {
+ suid = ruid = getuid ();
+ sgid = rgid = getgid ();
+ euid = geteuid ();
+ egid = getegid ();
+ }
+
+ check_setuid_initialised = TRUE;
+ is_setuid = (ruid != euid || ruid != suid ||
+ rgid != egid || rgid != sgid);
+
+ }
+ return is_setuid;
+#endif
+}
+
/* tests in dbus-sysdeps-util.c */
diff --git a/dbus/dbus-sysdeps-win.c b/dbus/dbus-sysdeps-win.c
index 397520a..bc4951b 100644
--- a/dbus/dbus-sysdeps-win.c
+++ b/dbus/dbus-sysdeps-win.c
@@ -3632,6 +3632,12 @@ _dbus_path_is_absolute (const DBusString *filename)
return FALSE;
}
+dbus_bool_t
+_dbus_check_setuid (void)
+{
+ return FALSE;
+}
+
/** @} end of sysdeps-win */
/* tests in dbus-sysdeps-util.c */
diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c
index 861bfec..04fb8d7 100644
--- a/dbus/dbus-sysdeps.c
+++ b/dbus/dbus-sysdeps.c
@@ -182,6 +182,11 @@ _dbus_setenv (const char *varname,
const char*
_dbus_getenv (const char *varname)
{
+ /* Don't respect any environment variables if the current process is
+ * setuid. This is the equivalent of glibc's __secure_getenv().
+ */
+ if (_dbus_check_setuid ())
+ return NULL;
return getenv (varname);
}
diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
index 4052cda..eee9160 100644
--- a/dbus/dbus-sysdeps.h
+++ b/dbus/dbus-sysdeps.h
@@ -87,6 +87,7 @@ typedef struct DBusPipe DBusPipe;
void _dbus_abort (void) _DBUS_GNUC_NORETURN;
+dbus_bool_t _dbus_check_setuid (void);
const char* _dbus_getenv (const char *varname);
dbus_bool_t _dbus_setenv (const char *varname,
const char *value);
--
1.7.11.4

View File

@ -0,0 +1,37 @@
From e1b83fb58eadfd02227673db9a7e2833d29b0c98 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 23 Apr 2012 00:32:43 +0200
Subject: [PATCH] selinux: when dropping capabilities only include AUDIT caps
if we have them
When we drop capabilities we shouldn't assume we can keep
CAP_AUDIT_WRITE unconditionally, since it will not be available when
running in containers.
This patch only adds CAP_AUDIT_WRITE to the list of caps we keep if we
actually have it in the first place.
This makes audit/selinux enabled D-Bus work in a Linux container.
---
bus/selinux.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/bus/selinux.c b/bus/selinux.c
index 36287e9..1bfc791 100644
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -1053,8 +1053,9 @@ _dbus_change_to_daemon_user (const char *user,
int rc;
capng_clear (CAPNG_SELECT_BOTH);
- capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
- CAP_AUDIT_WRITE);
+ if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))
+ capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+ CAP_AUDIT_WRITE);
rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
if (rc)
{
--
1.7.10

View File

@ -0,0 +1,11 @@
--- dbus-1.0.1/Doxyfile.in.generate-xml-docs 2006-11-25 23:42:59.000000000 -0500
+++ dbus-1.0.1/Doxyfile.in 2006-11-25 23:43:12.000000000 -0500
@@ -133,7 +133,7 @@
#---------------------------------------------------------------------------
# configuration options related to the XML output
#---------------------------------------------------------------------------
-GENERATE_XML = NO
+GENERATE_XML = YES
#---------------------------------------------------------------------------
# Configuration options related to the preprocessor
#---------------------------------------------------------------------------

View File

@ -9,7 +9,7 @@ Summary: D-BUS message bus
Name: dbus
Epoch: 1
Version: 1.6.8
Release: 3%{?dist}
Release: 2%{?dist}
URL: http://www.freedesktop.org/software/dbus/
#VCS: git:git://git.freedesktop.org/git/dbus/dbus
Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz
@ -33,7 +33,7 @@ Requires(post): systemd-units chkconfig
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires: libselinux >= %{libselinux_version}
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: dbus-libs = %{epoch}:%{version}-%{release}
Requires(pre): /usr/sbin/useradd
# Conflict with cups prior to configuration file change, so that the
@ -59,7 +59,7 @@ This package contains lowlevel libraries for accessing D-BUS.
%package doc
Summary: Developer documentation for D-BUS
Group: Documentation
Requires: %{name} = %{epoch}:%{version}-%{release}
Requires: %name = %{epoch}:%{version}-%{release}
BuildArch: noarch
%description doc
@ -69,7 +69,8 @@ other supporting documentation such as the introspect dtd file.
%package devel
Summary: Development files for D-BUS
Group: Development/Libraries
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %name = %{epoch}:%{version}-%{release}
Requires: pkgconfig
%description devel
This package contains libraries and header files needed for
@ -78,7 +79,7 @@ developing software that uses D-BUS.
%package x11
Summary: X11-requiring add-ons for D-BUS
Group: Development/Libraries
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %name = %{epoch}:%{version}-%{release}
%description x11
D-BUS contains some tools that require Xlib to be installed, those are
@ -101,7 +102,7 @@ COMMON_ARGS="--enable-libaudit --enable-selinux=yes --with-init-scripts=redhat -
# leave verbose mode so people can debug their apps but make sure to
# turn it off on stable releases with --disable-verbose-mode
%configure $COMMON_ARGS --disable-tests --disable-asserts --enable-doxygen-docs --enable-xml-docs --with-systemdsystemunitdir=/lib/systemd/system/
make %{?_smp_mflags} V=1
make
%install
rm -rf %{buildroot}
@ -200,7 +201,7 @@ fi
%files libs
%defattr(-,root,root,-)
/%{_lib}/libdbus-1.so.3*
/%{_lib}/*dbus-1*.so.*
%files x11
%defattr(-,root,root)
@ -217,20 +218,13 @@ fi
%files devel
%defattr(-,root,root)
/%{_lib}/libdbus-1.so
%dir %{_libdir}/dbus-1.0/
/%{_lib}/lib*.so
%dir %{_libdir}/dbus-1.0
%{_libdir}/dbus-1.0/include/
%{_libdir}/pkgconfig/dbus-1.pc
%{_includedir}/dbus-1.0/
%{_includedir}/*
%changelog
* Wed Nov 14 2012 Rex Dieter <rdieter@fedoraproject.org>
- 1:1.6.8-3
- %%build: verbose build, use %%_smp_mflags
- %%files: tighten up, use less globs
- tighten deps via %%_isa
- drop old/unused patches
* Wed Oct 3 2012 Bill Nottingham <notting@redhat.com> - 1:1.6.8-2
- Drop systemd-sysv-convert in trigger, and resulting dependency (#852822)