Commit message | Author | Age | Files | Lines
* CVE-2014-3477: deliver activation errors correctly, fixing Denial of Service [dbus-1.2] | Alban Crequy | 2014-06-05 | 3 | -12/+25
  How it should work:

  When a D-Bus message activates a service, LSMs (SELinux or AppArmor) check whether the message can be delivered after the service has been activated. The service is considered activated when its well-known name is requested with org.freedesktop.DBus.RequestName.

  When the message delivery is denied, the service stays activated but should not receive the activating message (the message which triggered the activation). dbus-daemon is supposed to drop the activating message and reply to the sender with a D-Bus error message.

  However, it does not work as expected:

  1. The error message is delivered to the service instead of being delivered to the sender. As an example, the error message could be something like:

       An SELinux policy prevents this sender from sending this message to this recipient, [...] member="MaliciousMethod"

     If the sender and the service are malicious confederates and agree on a protocol to insert information in the member name, the sender can leak information to the service, even though the LSM attempted to block the communication between the sender and the service.

  2. The error message is delivered as a reply to the RequestName call from service. It means the activated service will believe it cannot request the name and might exit. The sender could activate the service frequently and systemd will give up activating it. Thus the denial of service.

  The following changes fix the bug:

  - bus_activation_send_pending_auto_activation_messages() only returns an error in case of OOM. The prototype is changed to return TRUE, or FALSE on OOM (and its only caller sets the OOM error).
  - When a client is not allowed to talk to the service, a D-Bus error message is pre-allocated to be delivered to the client as part of the transaction. The error is not propagated to the caller so RequestName will not fail (except on OOM).

  [fixed a misleading comment -smcv]

  Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78979
  Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
  Reviewed-by: Colin Walters <walters@verbum.org>
  Backported: to dbus-1.2, whitespace conflicts in bus/activation.c
* bump version | Simon McVittie | 2012-10-04 | 2 | -1/+6
* Prepare 1.2.30 [dbus-1.2.30] | Simon McVittie | 2012-10-04 | 2 | -3/+6
* activation helper: when compiled for tests, do not reset system bus address | Simon McVittie | 2012-10-04 | 1 | -1/+1
  Otherwise, the tests try to connect to the real system bus, which will often fail - particularly if you run the tests configured for the default /usr/local (with no intention of installing the result), in which case the tests would try to connect to /usr/local/var/run/dbus/system_bus_socket.

  Reviewed-by: Colin Walters <walters@verbum.org>
  Bug: https://bugs.freedesktop.org/show_bug.cgi?id=52202
* activation-helper: Ensure DBUS_STARTER_ADDRESS is set correctly | Geoffrey Thomas | 2012-10-02 | 1 | -11/+5
  The fix for CVE-2012-3524 filters out all environment variables if libdbus is used from a setuid program, to prevent various spoofing attacks.

  Unfortunately, the activation helper is a setuid program linking libdbus, and this creates a regression for launched programs using DBUS_STARTER_ADDRESS, since it will no longer exist.

  Fix this by hardcoding the starter address to the default system bus address.

  Signed-off-by: Geoffrey Thomas <gthomas@mokafive.com>
  Signed-off-by: Colin Walters <walters@verbum.org>
* hardening: Remove activation helper handling for DBUS_VERBOSE | Colin Walters | 2012-10-02 | 1 | -13/+1
  It's not really useful.

  See https://bugs.freedesktop.org/show_bug.cgi?id=52202#c17

  Conflicts: bus/activation-helper.c
* hardening: Ensure _dbus_check_setuid() is initialized threadsafe manner | Colin Walters | 2012-10-02 | 1 | -0/+5
  This is a highly theoretical concern, but we might as well.

  https://bugs.freedesktop.org/show_bug.cgi?id=52202

  Conflicts: dbus/dbus-sysdeps-pthread.c
* CVE-2012-3524: Don't access environment variables or run dbus-launch when setuid | Colin Walters | 2012-10-02 | 6 | -2/+81
  This matches a corresponding change in GLib. See glib/gutils.c:g_check_setuid().

  Some programs attempt to use libdbus when setuid; notably the X.org server is shipped in such a configuration. libdbus never had an explicit policy about its use in setuid programs.

  I'm not sure whether we should advertise such support. However, given that there are real-world programs that do this currently, we can make them safer with not too much effort.

  Better to fix a problem caused by an interaction between two components in *both* places if possible.

  How to determine whether or not we're running in a privilege-escalated path is operating system specific. Note that GTK+'s code to check euid versus uid worked historically on Unix, more modern systems have filesystem capabilities and SELinux domain transitions, neither of which are captured by the uid comparison.

  On Linux/glibc, the way this works is that the kernel sets an AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on startup. If found, then glibc sets a public-but-undocumented __libc_enable_secure variable which we can use. Unfortunately, while it *previously* worked to check this variable, a combination of newer binutils and RPM break it: http://www.openwall.com/lists/owl-dev/2012/08/14/1

  So for now on Linux/glibc, we fall back to the historical Unix version until we get glibc fixed.

  On some BSD variants, there is an issetugid() function. On other Unix variants, we fall back to what GTK+ has been doing.

  Reported-by: Sebastian Krahmer <krahmer@suse.de>
  Signed-off-by: Colin Walters <walters@verbum.org>
  [backported to 1.2 -smcv]
* Belatedly reference CVE-2011-2200 | Simon McVittie | 2011-09-21 | 1 | -1/+1
* bump version | Simon McVittie | 2011-06-10 | 2 | -1/+4
* 1.2.28 [dbus-1.2.28] | Simon McVittie | 2011-06-10 | 2 | -3/+3
* _dbus_header_byteswap: change the first byte of the message, not just the struct member | Simon McVittie | 2011-06-10 | 2 | -0/+16
  This has been wrong approximately forever, for instance see: http://lists.freedesktop.org/archives/dbus/2007-March/007357.html

  Bug: https://bugs.freedesktop.org/show_bug.cgi?id=38120
  Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
  Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
  Backported: from dbus-1.4, c3223ba6c401ba81df1305851312a47c485e6cd7
* configure.in: use AC_TRY_COMPILE to avoid a symlink attack in /tmp during compilation | Simon McVittie | 2011-01-14 | 1 | -11/+7
* Post-release version bump to 1.2.27 | Will Thompson | 2010-12-21 | 1 | -1/+1
* Version 1.2.26 [dbus-1.2.26] | Will Thompson | 2010-12-21 | 1 | -2/+2
* NEWS for 1.2.26 | Will Thompson | 2010-12-21 | 1 | -0/+11
* CVE 2010-4352: Reject deeply nested variants | Colin Walters | 2010-12-21 | 4 | -11/+99
  Add DBUS_INVALID_NESTED_TOO_DEEPLY validity problem and a test that should generate it.

  Previously, we rejected deep nesting in the signature, but variants allow dynamic message nesting, conditional only on the depth of the message body.

  The nesting limit is 64, which was also the limit in static signatures. Empirically, dynamic nesting depth observed on my Fedora 14 system doesn't exceed 2; 64 is really a huge limit.

  https://bugs.freedesktop.org/show_bug.cgi?id=32321

  Signed-Off-By: Colin Walters <walters@verbum.org>
  Signed-off-by: Will Thompson <will.thompson@collabora.co.uk>

  Conflicts: dbus/dbus-marshal-validate.h
* Fix configure doc: libxml may be named libxml2 on some systems. | Ralf Habacker | 2010-12-21 | 1 | -1/+1
* Fix use of $servicename in status | Colin Walters | 2010-07-09 | 1 | -1/+1
  See https://bugzilla.redhat.com/show_bug.cgi?id=521797

  We have two init scripts, and commit 05283235632bc8891aaa3047563cb4 patched the "wrong" (i.e. slackware) one. Patch one that ships with real operating systems too.
* sysdeps-unix: enable address reuse on TCP sockets | Sledz | 2010-07-08 | 1 | -1/+19
  This helps to avoid 'Address already in use' problems if server has been shut down, and then restarted while sockets are still active on its port.

  Signed-off-by: Steffen Sledz <sledz@dresearch.de>
* Implement doctype check in the trivial parser | Christian Dywan | 2010-06-22 | 2 | -0/+22
  This is needed for the libxml parser backend.
* Corrected thread problem causing some calls to hang for 25s | Johannes Carlsson | 2010-06-11 | 2 | -2/+59
  Since the connection lock is released for a short while in _dbus_connection_acquire_io_path there can already be a method return received by another thread. The fix is to do an extra check after the I/O path has been acquired both.

  Approved-by: Thiago Macieira
* kqueue set_watched_dirs: fix termination condition | Will Thompson | 2010-05-21 | 1 | -1/+1
  num_fds is the number of elements of dirs currently in use. This bug meant that encountering a previously un-watched directory would cause j to increment forever, and so dirs[j] would eventually segfault.

  (I've checked the corresponding code for inotify, and it's correct. I wonder if some of the duplication could be eliminated.)

  Thanks to Pablo Martí Gamboa <pmarti@warp.es> for reporting this issue!
* [legacy init script] Fix the use of $servicename | Tomas Pelka | 2010-04-23 | 1 | -1/+1
* Post-release version bump | Colin Walters | 2010-03-23 | 1 | -1/+1
* Release 1.2.24 [dbus-1.2.24] | Colin Walters | 2010-03-23 | 1 | -1/+1
* [bus] Don't install a SIGTERM handler | Colin Walters | 2010-03-23 | 1 | -4/+0
  Really we don't have any interesting cleanup to do, so just let the process die.

  https://bugs.freedesktop.org/show_bug.cgi?id=26303
* [64 bit printf] Update to use DBUS_PID_FORMAT, print (omitted) | Colin Walters | 2010-03-22 | 2 | -4/+8
  There were already defines for formatting pids and uids, so use those. In the case where we don't have a format specifier for 64 bit, print (omitted) in dbus-monitor.
* Add DBUS_INT64_MODIFIER define, turn on -Wformat | Colin Walters | 2010-03-22 | 6 | -21/+53
  https://bugs.freedesktop.org/show_bug.cgi?id=19195

  We were previously using -Wno-format because we didn't have a #define for DBUS_INT64_MODIFIER, which was really lame because it easily hid problems. For now, just define it if we're on glibc; this is obviously not strictly correct but it's safe, because the formatting is only used in DBUS_VERBOSE mode, and in tools/dbus-monitor.

  Ideally we get the glib code relicensed.
* Add DBUS_GNUC_PRINTF checks to new formatting functions | Colin Walters | 2010-03-22 | 2 | -1/+4
  Otherwise we don't get GCC warnings.
* [bus] While creating a syslog, correctly get pointer data from DBusString | Colin Walters | 2010-03-21 | 1 | -1/+1
* Dispatch post-activation messages to anyone interested | Will Thompson | 2010-03-19 | 1 | -14/+6
  Previously, if a method call activated a service, it would only be delivered to that service, and not to other services with match rules which should match. This patch replaces the improperly-duplicated dispatch code in activation.c with a call back into the normal dispatch code, fixing this bug (fd.o#26427).
* Move dispatching to destination to bus_dispatch_matches() | Will Thompson | 2010-03-19 | 1 | -17/+23
* Post-release version bump | Colin Walters | 2010-03-17 | 1 | -1/+1
* Release 1.2.22 [dbus-1.2.22] | Colin Walters | 2010-03-16 | 1 | -1/+1
* Delete name-test/test-names | Colin Walters | 2010-03-16 | 3 | -575/+1
  This test, while extensive, has the serious flaw of effectively spinning on _dbus_connection_do_iteration_unlocked. Any tests like this should be using the internal DBus mainloop, which I don't have time to port it to before doing a release.
* Don't send an reply for driver messages if one isn't requested | Colin Walters | 2010-03-16 | 1 | -0/+4
  Basically honor the no_reply flag; a binding is likely to want to set this so it doesn't have to process extra traffic for match rules.
* Make SELinux initialization failure fatal | Colin Walters | 2010-03-16 | 1 | -2/+2
  https://bugzilla.redhat.com/show_bug.cgi?id=572769

  Previously we'd just continue if AVC initialization failed, but that didn't really work because then we'd later crash in avc_has_perm.

  Simply treat initialization failures as fatal, and hopefully we can get data from the system log.
* Add a prefix to our syslog messages | Colin Walters | 2010-03-16 | 1 | -46/+87
  Previously we were simply logging as "dbus", and it was unclear whether it was the system bus, or a session bus. And if the latter, which user?

  This patch adds a prefix to the log message with the bus type and the userid.
* Add _dbus_credentials_to_string_append | Colin Walters | 2010-03-16 | 2 | -1/+45
  Convert the credentials to a string; useful for logging.
* Add DBUS_SYSTEM_LOG_FATAL severity | Colin Walters | 2010-03-16 | 2 | -1/+10
  This severity is useful for when we encounter a fatal problem; we get a log message out, then exit.
* Refactor _dbus_log_info, _dbus_log_security into _dbus_log_system | Colin Walters | 2010-03-16 | 4 | -43/+53
  In preparation for a future patch which introduces a fatal logging level, don't duplicate the API here.
* [dbus-spawn] Use correct sign values for variables | Kimmo Hämäläinen | 2010-03-16 | 1 | -5/+5
  read() returns a signed value, whereas the byte count is unsigned.

  Signed-off-by: Colin Walters <walters@verbum.org>
* [dbus] Add missing va_end in dbus-errors.c | Kimmo Hämäläinen | 2010-03-16 | 1 | -0/+1
* [main] Handle OOM in reload watch | Colin Walters | 2010-03-16 | 1 | -1/+4
  http://bugs.freedesktop.org/show_bug.cgi?id=12953

  Wait for memory if we can't init the string.

  Based on an original patch by Kimmo Hämäläinen <kimmo.hamalainen@nokia.com>
* [doc/dbus-specification.xml] Explicitly specify lower-case hex must be used | Simon McVittie | 2010-03-16 | 1 | -0/+5
  https://bugs.freedesktop.org/show_bug.cgi?id=9486

  When describing DBUS_COOKIE_SHA1, specify that lower-case hex encoding must be used.
* Support inotify on older kernels | Colin Walters | 2010-03-16 | 1 | -0/+5
  https://bugs.freedesktop.org/show_bug.cgi?id=23957

  Previously we detected glibc support at compile time and used it unconditionally; better to try it and fall back, this way we continue to run on older kernels when compiled for newer ones.
* Fix double-free in error case. | Marcus Brinkmann | 2010-03-15 | 1 | -3/+1
  Signed-off-by: Thiago Macieira <thiago@kde.org>
* [configure.in] Use AM_SILENT_RULES if available | Colin Walters | 2010-03-12 | 1 | -0/+2
  By rough consensus, and to keep up with the cool kids.

  Note to builders: you need to use V=1 to enable verbose mode.
* [DBusConnection] When handling a watch, return if another thread is doing I/O | Michael Meeks | 2010-03-12 | 1 | -1/+8
  http://lists.freedesktop.org/archives/dbus/2010-March/012337.html

  Previously, the watch handler would block until the I/O path was available. However, if another non-main thread was doing a synchronous call, this would cause the main thread to block on that thread, a highly undesirable thing because it's important for the main thread to remain responsive for user interfaces.

  Signed-off-by: Colin Walters <walters@verbum.org>
  Signed-off-by: Thiago Macieira <thiago@kde.org>