dbus/dbus-internals.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 don't abort on fatal warnings by default
Date: 2006-11-14 15:35:00 +0100

This behaviour can be controlled by the DBUS_FATAL_WARNINGS enviroment
variable. This will be set to upstream default again at some point so
if you have an application that prints a DBus warning get it fixed.

dbus/dbus-sysdeps-unix.c | 16 13 + 3 - 0 !
dbus/dbus-sysdeps-win.c | 9 7 + 2 - 0 !
2 files changed, 20 insertions(+), 5 deletions(-)

 cve-2013-2168: _dbus_printf_string_upper_bound: copy the
 va_list for each use

Using a va_list more than once is non-portable: it happens to work
under the ABI of (for instance) x86 Linux, but not x86-64 Linux.

This led to _dbus_printf_string_upper_bound() crashing if it should
have returned exactly 1024 bytes. Many system services can be induced
to process a caller-controlled string in ways that
end up using _dbus_printf_string_upper_bound(), so this is a denial of
service.

bus/activation.c | 27 20 + 7 - 0 !
bus/activation.h | 3 1 + 2 - 0 !
bus/services.c | 5 3 + 2 - 0 !
3 files changed, 24 insertions(+), 11 deletions(-)

 [patch] cve-2014-3477: deliver activation errors correctly, fixing
 Denial of Service

How it should work:

When a D-Bus message activates a service, LSMs (SELinux or AppArmor) check
whether the message can be delivered after the service has been activated. The
service is considered activated when its well-known name is requested with
org.freedesktop.DBus.RequestName. When the message delivery is denied, the
service stays activated but should not receive the activating message (the
message which triggered the activation). dbus-daemon is supposed to drop the
activating message and reply to the sender with a D-Bus error message.

However, it does not work as expected:

1. The error message is delivered to the service instead of being delivered to
   the sender. As an example, the error message could be something like:

     An SELinux policy prevents this sender from sending this
     message to this recipient, [...] member="MaliciousMethod"

   If the sender and the service are malicious confederates and agree on a
   protocol to insert information in the member name, the sender can leak
   information to the service, even though the LSM attempted to block the
   communication between the sender and the service.

2. The error message is delivered as a reply to the RequestName call from
   service. It means the activated service will believe it cannot request the
   name and might exit. The sender could activate the service frequently and
   systemd will give up activating it. Thus the denial of service.

The following changes fix the bug:
- bus_activation_send_pending_auto_activation_messages() only returns an error
  in case of OOM. The prototype is changed to return TRUE, or FALSE on OOM
  (and its only caller sets the OOM error).
- When a client is not allowed to talk to the service, a D-Bus error message
  is pre-allocated to be delivered to the client as part of the transaction.
  The error is not propagated to the caller so RequestName will not fail
  (except on OOM).

[fixed a misleading comment -smcv]

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78979

dbus/dbus-sysdeps.c | 14 14 + 0 - 0 !
dbus/dbus-sysdeps.h | 1 1 + 0 - 0 !
dbus/dbus-transport-socket.c | 34 33 + 1 - 0 !
3 files changed, 48 insertions(+), 1 deletion(-)

 [patch 2/2] handle etoomanyrefs when sending recursive fds
 (SCM_RIGHTS)

Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg() on Unix
sockets returns -1 errno=ETOOMANYREFS ("Too many references: cannot splice")
when the passfd mechanism (SCM_RIGHTS) is "abusively" used recursively by
applications. A malicious client could use this to force a victim system
service to be disconnected from the system bus; the victim would likely
respond by exiting. This is a denial of service (fd.o #80163,
CVE-2014-3532).

This patch silently drops the D-Bus message on ETOOMANYREFS and does not close
the connection.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80163

dbus/dbus-message.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 1/2] if loader contains two messages with fds, don't corrupt
 the second

There were two bugs here: we would previously overwrite the unused
fds with the already-used fds instead of the other way round, and
we would copy n bytes where we should have copied n ints.

Additionally, sending crafted messages in a chosen sequence to a victim
system service could cause an invalid file descriptor to be present
when dbus-daemon tries to forward one of those crafted messages to the
victim, causing sendmsg() to fail with EBADF, which resulted in
disconnecting the victim service, which would likely respond to that
by exiting. This is a denial of service (fd.o #80469, CVE-2014-3533).

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=79694
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80469

bus/config-parser.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 01/10] system bus limit: use max_replies_per_connection=128 by
 default

This addresses CVE-2014-3638.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=81053

bus/config-parser.c | 6 3 + 3 - 0 !
bus/session.conf.in | 3 2 + 1 - 0 !
dbus/dbus-message.c | 3 2 + 1 - 0 !
dbus/dbus-sysdeps.h | 8 8 + 0 - 0 !
4 files changed, 15 insertions(+), 5 deletions(-)

 [patch 02/11] config: change default_message_unix_fds to 16

Based on a patch by Alban Crequy. Now that it's the same on all
platforms, there's little point in it being set by configure/cmake.

This change fixes two distinct denials of service:

fd.o#82820, part A

bus/config-parser.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 03/10] config: change default auth_timeout to 5 seconds

This partially addresses CVE-2014-3639.

This will change the default on the system bus where the limit
  <limit name="auth_timeout">...</limit>
is not specified.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919

bus/bus.c | 37 37 + 0 - 0 !
bus/bus.h | 1 1 + 0 - 0 !
bus/connection.c | 42 18 + 24 - 0 !
bus/connection.h | 3 2 + 1 - 0 !
dbus/dbus-server-protected.h | 5 2 + 3 - 0 !
dbus/dbus-server.c | 19 5 + 14 - 0 !
dbus/dbus-watch.c | 21 21 + 0 - 0 !
dbus/dbus-watch.h | 2 2 + 0 - 0 !
8 files changed, 88 insertions(+), 42 deletions(-)

 [patch 04/10] stop listening on dbusserver sockets when reaching
 max_incomplete_connections

This addresses the parts of CVE-2014-3639 not already addressed by
reducing the default authentication timeout.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80851
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919

bus/bus.c | 6 6 + 0 - 0 !
bus/bus.h | 2 2 + 0 - 0 !
bus/config-parser.c | 12 12 + 0 - 0 !
bus/session.conf.in | 1 1 + 0 - 0 !
cmake/bus/dbus-daemon.xml | 6 5 + 1 - 0 !
5 files changed, 26 insertions(+), 1 deletion(-)

 [patch 05/10] config: add new limit: pending_fd_timeout

This is one of four commits needed to address CVE-2014-3637.

When a file descriptor is passed to dbus-daemon, the associated D-Bus message
might not be fully sent to dbus-daemon yet. Dbus-daemon keeps the file
descriptor in the DBusMessageLoader of the connection, waiting for the rest of
the message. If the client stops sending the remaining bytes, dbus-daemon will
wait forever and keep that file descriptor.

This patch adds pending_fd_timeout (milliseconds) in the configuration to
disconnect a connection after a timeout when a file descriptor was sent but not
the remaining message.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559

dbus/dbus-connection-internal.h | 1 1 + 0 - 0 !
dbus/dbus-connection.c | 11 11 + 0 - 0 !
dbus/dbus-message-internal.h | 1 1 + 0 - 0 !
dbus/dbus-message.c | 15 15 + 0 - 0 !
dbus/dbus-transport.c | 11 11 + 0 - 0 !
dbus/dbus-transport.h | 1 1 + 0 - 0 !
6 files changed, 40 insertions(+)

 [patch 06/10] dbusconnection: implements
 _dbus_connection_get_pending_fds_count

This is one of four commits needed to address CVE-2014-3637.

This will allow the bus to know whether there are pending file descriptors in a
DBusConnection's DBusMessageLoader.

https://bugs.freedesktop.org/show_bug.cgi?id=80559

dbus/dbus-connection-internal.h | 5 5 + 0 - 0 !
dbus/dbus-connection.c | 16 16 + 0 - 0 !
dbus/dbus-message-internal.h | 3 3 + 0 - 0 !
dbus/dbus-message-private.h | 2 2 + 0 - 0 !
dbus/dbus-message.c | 25 25 + 0 - 0 !
dbus/dbus-transport.c | 16 16 + 0 - 0 !
dbus/dbus-transport.h | 3 3 + 0 - 0 !
7 files changed, 70 insertions(+)

 [patch 07/10] dbusconnection: implements
 _dbus_connection_set_pending_fds_function

This is one of four commits needed to address CVE-2014-3637.

This will allow the bus to be notified whenever a file descriptor is added or
removed from a DBusConnection's DBusMessageLoader.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559

bus/connection.c | 71 71 + 0 - 0 !
1 file changed, 71 insertions(+)

 [patch 08/10] bus: enforce pending_fd_timeout

This is one of four commits needed to address CVE-2014-3637.

The bus uses _dbus_connection_set_pending_fds_function and
_dbus_connection_get_pending_fds_count to be notified when there are pending
file descriptors. A timeout per connection is armed and disarmed when the file
descriptor list is used and emptied.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559

dbus/dbus-sysdeps-unix.c | 49 43 + 6 - 0 !
1 file changed, 43 insertions(+), 6 deletions(-)

 [patch 10/10] _dbus_read_socket_with_unix_fds: do not accept extra
 fds in cmsg padding

This addresses CVE-2014-3635.

If (*n_fds * sizeof (int) % sizeof (size_t)) is nonzero,
then CMSG_SPACE (*n_fds * sizeof (int)) > CMSG_LEN (*n_fds * sizeof (int)
because the SPACE includes padding to a size_t boundary, whereas the LEN
does not. We have to allocate the SPACE. Previously, we told the kernel
that the buffer size we wanted was the SPACE, not the LEN, which meant
it was free to fill the padding with additional fds: on a 64-bit
platform with 32-bit int, that's one extra fd, if *n_fds happens
to be odd.

This meant that a malicious sender could send exactly 1 fd too many,
which would make us fail an assertion if enabled, or overrun a buffer
by 1 fd otherwise.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83622

bus/activation.c | 28 27 + 1 - 0 !
bus/bus.c | 50 40 + 10 - 0 !
bus/bus.h | 1 1 + 0 - 0 !
dbus/dbus-sysdeps-util-unix.c | 145 116 + 29 - 0 !
dbus/dbus-sysdeps-util-win.c | 35 34 + 1 - 0 !
dbus/dbus-sysdeps.h | 11 9 + 2 - 0 !
6 files changed, 227 insertions(+), 43 deletions(-)

 [patch] cve-2014-7824: set fd rlimit to 64k for the system
 dbus-daemon

This ensures that our rlimit is actually high enough to avoid the
denial of service described in CVE-2014-3636 part A.
CVE-2014-7824 has been allocated for this incomplete fix.

Restore the original rlimit for activated services, to avoid
them getting undesired higher limits.

(Thanks to Alban Crequy for various adjustments which have been
included in this commit.)

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85105

bus/connection.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 [patch 1/2] log to syslog when auth_timeout drops an incomplete
 connection

This is a symptom of either a denial of service attack, or a
serious performance problem. Either way, sysadmins should know.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431

bus/config-parser.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 2/2] revert "config: change default auth_timeout to 5 seconds"

This reverts commit 54d26df52b6a394bea175651d1d7ad2ab3f87dea.

It appears this change may cause intermittent slow or failed boot,
more commonly on slower/older machines, in at least Mageia and
possibly also Debian. This would indicate that while the system
is under load, system services are not completing authentication
within 5 seconds.

This change was not the main part of fixing CVE-2014-3639, but does
help to mitigate that attack. As such, increasing this timeout makes
the denial of service attack described by CVE-2014-3639 somewhat
more effective: a local user connecting to the system bus repeatedly
from many parallel processes can cause other users' attempts to
connect to take longer.

If your machine boots reliably with the shorter timeout, and
resilience against local denial of service attacks is important
to you, putting this in /etc/dbus-1/system-local.conf
or a file matching /etc/dbus-1/system.d/*.conf can restore
the lower limit:

    <busconfig>
      <limit name="auth_timeout">5000</limit>
    </busconfig>

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431

bus/system.conf.in | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 [patch] cve-2015-0245: prevent forged activationfailure from non-root
 processes

Without either this rule or better checking in dbus-daemon, non-systemd
processes can make dbus-daemon think systemd failed to activate a system
service, resulting in an error reply back to the requester.

This is redundant with the fix in the C code (which I consider to be
the real solution), but is likely to be easier to backport.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88811