| author | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2016-10-07 19:13:01 +0100 |
|---|---|---|
| committer | Simon McVittie <smcv@debian.org> | 2016-10-10 11:59:31 +0100 |
| commit | 67a0d647e88a35f47f46c4f87d74e215eeb1b203 (patch) | |
| tree | 29153c7f7c63c8a20e176b40421a4a8385fbe5e1 | |
| parent | f32bf2b8b8ad24d1c83b8dcb95d1d77b6b1f4aa0 (diff) | |
| download | dbus-67a0d647e88a35f47f46c4f87d74e215eeb1b203.tar.gz | |
dbus_activation_systemd_failure: do not use non-literal format string
In principle this could lead to arbitrary memory overwrite via
a format string attack in the message received from systemd,
resulting in arbitrary code execution.
This is not believed to be an exploitable security vulnerability on the
system bus in practice: it can only be exploited by the owner of the
org.freedesktop.systemd1 bus name, which is restricted to uid 0, so
if systemd is attacker-controlled then the system is already doomed.
Similarly, if a systemd system unit mentioned in the activation failure
message has an attacker-controlled name, then the attacker likely already
has sufficient access to execute arbitrary code as root in any case.
However, prior to dbus 1.8.16 and 1.9.10, due to a missing check for
systemd's identity, unprivileged processes could forge activation
failure messages which would have gone through this code path.
We thought at the time that this was a denial of service vulnerability
(CVE-2015-0245); this bug means that it was in fact potentially an
arbitrary code execution vulnerability.
Bug found using -Wsuggest-attribute=format and -Wformat-security.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
-rw-r--r-- | bus/activation.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/bus/activation.c b/bus/activation.c index b636868d..e1b63455 100644 --- a/bus/activation.c +++ b/bus/activation.c @@ -2242,7 +2242,7 @@ dbus_activation_systemd_failure (BusActivation *activation, DBUS_TYPE_STRING, &code, DBUS_TYPE_STRING, &str, DBUS_TYPE_INVALID)) - dbus_set_error(&error, code, str); + dbus_set_error (&error, code, "%s", str); if (unit) |
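Review bot: the replacement line `dbus_set_error (&error, code, "%s", str);` is the right fix for the format-string defect, since `str` is read straight out of the received message (`DBUS_TYPE_STRING, &str`) and must only ever travel as a printf argument, never as the format; consider adding a one-line comment on that line saying so, so the `"%s"` is not "simplified" away in a later cleanup. Note that `code` is still passed through unformatted as the error name, which is fine because it is not interpreted as a format string. Since the commit message says the bug surfaced via -Wsuggest-attribute=format and -Wformat-security, it is worth confirming that the declaration of `dbus_set_error` actually carries the printf format attribute in this tree, so that the compiler flags any future caller that passes message data as the format again.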