summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* DBusMessage: add support for custom marshalingbaserock/genivi/J-1.0baserock/dbus-1.8.16-1-g3c05557/genivi/J-1.0Aleksandar Kanchev2015-04-124-44/+132
| | | | | | | Add functions to support querying and manipulating the message body and signature. This is useful for code generators, which can generate custom marshaling functions based on a given IDL. Those functions tend to be optimized and faster than the generic iterator based marshaling.
* Prepare embargoed 1.8.16 releasedbus-1.8.16Simon McVittie2015-02-042-4/+18
|
* CVE-2015-0245: prevent forged ActivationFailure from non-root processesSimon McVittie2015-02-041-0/+8
| | | | | | | | | | | | | | Without either this rule or better checking in dbus-daemon, non-systemd processes can make dbus-daemon think systemd failed to activate a system service, resulting in an error reply back to the requester. This is redundant with the fix in the C code (which I consider to be the real solution), but is likely to be easier to backport. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88811 Reviewed-by: Alban Crequy Reviewed-by: David King Reviewed-by: Philip Withnall
* NEWS for 1.8 branchSimon McVittie2015-02-041-1/+7
|
* 1.8.15Simon McVittie2015-01-052-1/+6
|
* Merge tag 'dbus-1.8.14' into dbus-1.8Simon McVittie2015-01-056-6/+196
|\ | | | | | | dbus-1.8.14
| * Prepare release for Mondaydbus-1.8.14Simon McVittie2015-01-012-4/+30
| |
| * Hardening: only accept Stats function calls at the canonical object pathSimon McVittie2015-01-011-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These function calls are not a privilege escalation risk like UpdateActivationEnvironment, but they might provide sensitive information or be enhanced to provide sensitive information in future, so the default system.conf locks them down to root-only. Apply the same canonical-object-path hardening as for UpdateActivationEnvironment. We do not apply the uid check here because they are less dangerous than UpdateActivationEnvironment, and because the ability to unlock these function calls for specific uids is a documented configuration for developers. Reviewed-by: Thiago Macieira <thiago@kde.org> [added missing #include; extended commit message -smcv]
| * Add a regression test for path-based UpdateActivationEnvironment hardeningSimon McVittie2015-01-011-0/+87
| | | | | | | | Reviewed-by: Thiago Macieira <thiago@kde.org>
| * Hardening: only allow the uid of the dbus-daemon to call ↵Simon McVittie2015-01-011-0/+35
| | | | | | | | | | | | | | | | | | | | | | UpdateActivationEnvironment As with the previous commit, this is probably not actually privilege escalation due to the use of an activation helper that cleans up its environment, but let's be extra-careful here. Reviewed-by: Thiago Macieira <thiago@kde.org> [adjusted commit message -smcv]
| * Hardening: reject UpdateActivationEnvironment on non-canonical pathSimon McVittie2015-01-012-2/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | UpdateActivationEnvironment is the one dbus-daemon API call that is obviously dangerous (it is intended for the session bus), so the default system.conf does not allow anyone to call it. It has recently come to the D-Bus maintainers' attention that some system services incorrectly install D-Bus policy rules that allow arbitrary method calls to any destination as long as they have a "safe" object path. This is not actually safe: some system services that use low-level D-Bus bindings like libdbus, including dbus-daemon itself, provide the same API on all object paths. Unauthorized calls to UpdateActivationEnvironment are probably just resource consumption rather than privilege escalation, because on the system bus, the modified environment is only used to execute a setuid wrapper that avoids LD_PRELOAD etc. via normal setuid handling, and sanitizes its own environment before executing the real service. However, it's safest to assume the worst and treat it as a potential privilege escalation. Accordingly, as a hardening measure to avoid privilege escalation on systems with these faulty services, stop allowing calls to ("/com/example/Whatever", "org.freedesktop.DBus.UpdateActivationEnvironment") and only allow ("/org/freedesktop/DBus", "org.freedesktop.DBus.UpdateActivationEnvironment"). We deliberately continue to provide read-only APIs like GetConnectionUnixUser at all object paths, for backwards compatibility. Reviewed-by: Thiago Macieira <thiago@kde.org> [adjusted commit message to note that this is probably only DoS -smcv]
* | Windows cmake cross compile fixRalf Habacker2015-01-051-1/+1
| | | | | | | | | | | | | | We need to include 'test' subdir in any case not only when using glib. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88009 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* | Fix of 'dbus-daemon can only handle 64 simultaneous connections on Windows'.Ralf Habacker2015-01-051-0/+4
|/ | | | | Bug: https://bugs.freedesktop.org/show_bug.cgi?id=71297 Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
* Fix GetExtendedTcpTable crash on vista sp0.Илья А. Ткаченко2014-12-231-1/+1
| | | | | Bug: https://bugs.freedesktop.org/show_bug.cgi?id=77008 Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
* 1.8.13Simon McVittie2014-11-242-1/+6
|
* 1.8.12dbus-1.8.12Simon McVittie2014-11-242-3/+23
|
* Revert "config: change default auth_timeout to 5 seconds"Simon McVittie2014-11-221-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit 54d26df52b6a394bea175651d1d7ad2ab3f87dea. It appears this change may cause intermittent slow or failed boot, more commonly on slower/older machines, in at least Mageia and possibly also Debian. This would indicate that while the system is under load, system services are not completing authentication within 5 seconds. This change was not the main part of fixing CVE-2014-3639, but does help to mitigate that attack. As such, increasing this timeout makes the denial of service attack described by CVE-2014-3639 somewhat more effective: a local user connecting to the system bus repeatedly from many parallel processes can cause other users' attempts to connect to take longer. If your machine boots reliably with the shorter timeout, and resilience against local denial of service attacks is important to you, putting this in /etc/dbus-1/system-local.conf or a file matching /etc/dbus-1/system.d/*.conf can restore the lower limit: <busconfig> <limit name="auth_timeout">5000</limit> </busconfig> Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431
* Log to syslog when auth_timeout drops an incomplete connectionSimon McVittie2014-11-221-0/+8
| | | | | | | This is a symptom of either a denial of service attack, or a serious performance problem. Either way, sysadmins should know. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431
* README, HACKING: add some brief notes on reporting security vulnerabilitiesSimon McVittie2014-11-142-0/+24
| | | | We now have a private mailing list that can be the security contact.
* NEWSSimon McVittie2014-11-141-1/+5
|
* Set error when message delivery is denied due to receive ruleJacek Bukarewicz2014-11-141-1/+1
| | | | | | | | | | | | | This makes bus_context_check_security_policy follow convention of setting errors if function indicates failure and has error parameter. Notable implication is that AccessDenied error will be sent if sending message to addressed recipient is denied due to receive rule. Previously, message was silently dropped. This also fixes assertion failure when message is denied at addressed recipient while sending pending auto activation messages. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86194
* next version number will be 1.8.12Simon McVittie2014-11-101-1/+1
|
* 1.8.11Simon McVittie2014-11-102-1/+6
|
* Embargoed security release for Mondaydbus-1.8.10Simon McVittie2014-11-062-4/+11
|
* CVE-2014-7824: set fd rlimit to 64k for the system dbus-daemonSimon McVittie2014-11-066-43/+227
| | | | | | | | | | | | | | | This ensures that our rlimit is actually high enough to avoid the denial of service described in CVE-2014-3636 part A. CVE-2014-7824 has been allocated for this incomplete fix. Restore the original rlimit for activated services, to avoid them getting undesired higher limits. (Thanks to Alban Crequy for various adjustments which have been included in this commit.) Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85105 Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
* 1.8.9Simon McVittie2014-09-162-1/+6
|
* Prepare 1.8.8 (embargoed until tomorrow)dbus-1.8.8Simon McVittie2014-09-152-4/+42
|
* _dbus_read_socket_with_unix_fds: do not accept extra fds in cmsg paddingSimon McVittie2014-09-151-6/+43
| | | | | | | | | | | | | | | | | | | | This addresses CVE-2014-3635. If (*n_fds * sizeof (int) % sizeof (size_t)) is nonzero, then CMSG_SPACE (*n_fds * sizeof (int)) > CMSG_LEN (*n_fds * sizeof (int) because the SPACE includes padding to a size_t boundary, whereas the LEN does not. We have to allocate the SPACE. Previously, we told the kernel that the buffer size we wanted was the SPACE, not the LEN, which meant it was free to fill the padding with additional fds: on a 64-bit platform with 32-bit int, that's one extra fd, if *n_fds happens to be odd. This meant that a malicious sender could send exactly 1 fd too many, which would make us fail an assertion if enabled, or overrun a buffer by 1 fd otherwise. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83622 Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
* Add _DBUS_GNUC_UNUSED, and use it in _DBUS_STATIC_ASSERTSimon McVittie2014-09-152-1/+4
| | | | | | | | | This means we can use _DBUS_STATIC_ASSERT at non-global scope without tripping -Wunused-local-typedefs. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83767 Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk> (cherry picked from commit 0e3d08d45cb9a9ceb2c077875eeb38306dad37b8)
* bus: enforce pending_fd_timeoutAlban Crequy2014-09-151-0/+71
| | | | | | | | | | | | This is one of four commits needed to address CVE-2014-3637. The bus uses _dbus_connection_set_pending_fds_function and _dbus_connection_get_pending_fds_count to be notified when there are pending file descriptors. A timeout per connection is armed and disarmed when the file descriptor list is used and emptied. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* DBusConnection: implements _dbus_connection_set_pending_fds_functionAlban Crequy2014-09-157-0/+70
| | | | | | | | | | This is one of four commits needed to address CVE-2014-3637. This will allow the bus to be notified whenever a file descriptor is added or removed from a DBusConnection's DBusMessageLoader. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* DBusConnection: implements _dbus_connection_get_pending_fds_countAlban Crequy2014-09-156-0/+40
| | | | | | | | | | | | This is one of four commits needed to address CVE-2014-3637. This will allow the bus to know whether there are pending file descriptors in a DBusConnection's DBusMessageLoader. https://bugs.freedesktop.org/show_bug.cgi?id=80559 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk> [fix compilation on platforms that do not HAVE_UNIX_FD_PASSING -smcv] Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* config: add new limit: pending_fd_timeoutAlban Crequy2014-09-155-0/+25
| | | | | | | | | | | | | | | | | This is one of four commits needed to address CVE-2014-3637. When a file descriptor is passed to dbus-daemon, the associated D-Bus message might not be fully sent to dbus-daemon yet. Dbus-daemon keeps the file descriptor in the DBusMessageLoader of the connection, waiting for the rest of the message. If the client stops sending the remaining bytes, dbus-daemon will wait forever and keep that file descriptor. This patch adds pending_fd_timeout (milliseconds) in the configuration to disconnect a connection after a timeout when a file descriptor was sent but not the remaining message. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* Stop listening on DBusServer sockets when reaching max_incomplete_connectionsAlban Crequy2014-09-158-42/+88
| | | | | | | | | This addresses the parts of CVE-2014-3639 not already addressed by reducing the default authentication timeout. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80851 Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* config: change default auth_timeout to 5 secondsAlban Crequy2014-09-151-1/+1
| | | | | | | | | | | | This partially addresses CVE-2014-3639. This will change the default on the system bus where the limit <limit name="auth_timeout">...</limit> is not specified. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919 Reviewed-by: Thiago Macieira <thiago@kde.org> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* config: change DEFAULT_MESSAGE_UNIX_FDS to 16Simon McVittie2014-09-156-18/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This addresses CVE-2014-3636. Based on a patch by Alban Crequy. Now that it's the same on all platforms, there's little point in it being set by configure/cmake. This change fixes two distinct denials of service: fd.o#82820, part A ------------------ Before this patch, the system bus had the following default configuration: - max_connections_per_user: 256 - DBUS_DEFAULT_MESSAGE_UNIX_FDS: usually 1024 (or 256 on QNX, see fd.o#61176) as defined by configure.ac - max_incoming_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096 - max_outgoing_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096 - max_message_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS = usually 1024 This means that a single user could create 256 connections and transmit 256*4096 = 1048576 file descriptors. The file descriptors stay attached to the dbus-daemon process while they are in the message loader, in the outgoing queue or waiting to be dispatched before D-Bus activation. dbus-daemon is usually limited to 65536 file descriptors (ulimit -n). If the limit is reached and dbus-daemon needs to receive a message with a file descriptor attached, this is signalled by recvfrom with the flag MSG_CTRUNC. Dbus-daemon cannot recover from that error because the kernel does not have any API to retrieve a file descriptor which has been discarded with MSG_CTRUNC. Therefore, it closes the connection of the sender. This is not necessarily the connection which generated the most file descriptors so it can lead to denial-of-service attacks. In order to prevent DoS issues, this patch reduces DEFAULT_MESSAGE_UNIX_FDS to 16: max_connections_per_user * max_incoming_unix_fds = 256 * 64 = 16384 This is less than the usual "ulimit -n" (65536) with a good margin to accomodate the other sources of file descriptors (stdin/stdout/stderr, listening sockets, message loader, etc.). Distributors on non-Linux may need to configure a smaller limit in system.conf, if their limit on the number of fds is smaller than Linux's. fd.o#82820, part B ------------------ On Linux, it's not possible to send more than 253 fds in a single sendmsg() call: sendmsg() would return -EINVAL. #define SCM_MAX_FD 253 SCM_MAX_FD changed value during Linux history: - it used to be (OPEN_MAX-1) - commit c09edd6eb (Jul 2007) changed it to 255 - commit bba14de98 (Nov 2010) changed it to 253 Libdbus always sends all of a message's fds, and the beginning of the message itself, in a single sendmsg() call. Combining these two, a malicious sender could split a message across two or more sendmsg() calls to construct a composite message with 254 or more fds. When dbus-daemon attempted to relay that message to its recipient in a single sendmsg() call, it would receive EINVAL, interpret that as a fatal socket error and disconnect the recipient, resulting in denial of service. This is fixed by keeping max_message_unix_fds <= SCM_MAX_FD. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=82820 Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
* system bus limit: use max_replies_per_connection=128 by defaultAlban Crequy2014-09-151-1/+1
| | | | | | | This addresses CVE-2014-3638. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=81053 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* NEWS for 1.8Simon McVittie2014-09-151-0/+4
|
* On Linux, call prctl to disable core dumpsSimon McVittie2014-09-152-1/+21
| | | | | | | | Whenever I forget to turn off corekeeper, the regression tests take ages to record all test-segfault's crashes. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83772 Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
* NEWS for 1.8.xSimon McVittie2014-09-121-0/+7
|
* enable build support without systemd compatibility librariesUmut Tezduyar Lindskog2014-09-121-4/+7
| | | | | | | | | | | | systemd 209 merged all the libraries to libsystemd. Old libraries can still be enabled with --enable-compat-libs switch in systemd but this increases the binary size. Implement a fallback library check in case compat libraries dont exist. [Fixed underquoting; switched priority so we try libsystemd first -smcv] Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* Fix windows doc for running tests.Ralf Habacker2014-09-071-4/+9
| | | | | Bug: https://bugs.freedesktop.org/show_bug.cgi?id=41252 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* NEWS for 1.8Simon McVittie2014-09-051-1/+4
|
* Stats: fix compilation issueAlban Crequy2014-09-041-1/+3
| | | | | | Bug-Gentoo: https://bugs.gentoo.org/show_bug.cgi?id=507232 Bug: https://bugs.freedesktop.org/show_bug.cgi?id=81043 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* start 1.8.7Simon McVittie2014-07-022-1/+6
|
* Prepare 1.8.6 in advancedbus-1.8.6Simon McVittie2014-06-302-4/+19
|
* Handle ETOOMANYREFS when sending recursive fds (SCM_RIGHTS)Alban Crequy2014-06-303-1/+48
| | | | | | | | | | | | | | | | | | Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg() on Unix sockets returns -1 errno=ETOOMANYREFS ("Too many references: cannot splice") when the passfd mechanism (SCM_RIGHTS) is "abusively" used recursively by applications. A malicious client could use this to force a victim system service to be disconnected from the system bus; the victim would likely respond by exiting. This is a denial of service (fd.o #80163, CVE-2014-3532). This patch silently drops the D-Bus message on ETOOMANYREFS and does not close the connection. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80163 Reviewed-by: Thiago Macieira <thiago@kde.org> [altered commit message to explain DoS significance -smcv] Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* If loader contains two messages with fds, don't corrupt the secondSimon McVittie2014-06-301-1/+1
| | | | | | | | | | | | | | | | | There were two bugs here: we would previously overwrite the unused fds with the already-used fds instead of the other way round, and we would copy n bytes where we should have copied n ints. Additionally, sending crafted messages in a chosen sequence to a victim system service could cause an invalid file descriptor to be present when dbus-daemon tries to forward one of those crafted messages to the victim, causing sendmsg() to fail with EBADF, which resulted in disconnecting the victim service, which would likely respond to that by exiting. This is a denial of service (fd.o #80469, CVE-2014-3533). Bug: https://bugs.freedesktop.org/show_bug.cgi?id=79694 Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80469 Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
* NEWSSimon McVittie2014-06-111-1/+5
|
* dbus-launch: kill bus if we can't attach to a session when requestedРоман Донченко2014-06-111-1/+1
| | | | | Bug: https://bugs.freedesktop.org/show_bug.cgi?id=74698 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
View Lorry Controller Status