1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 8 Mar 2024 19:53:22 +0000
Subject: tests: Add a test for signal filtering by well-known name
The vulnerability reported as GNOME/glib#3268 can be characterized
as: these signals from an attacker should not be delivered to either
the GDBusConnection or the GDBusProxy, but in fact they are (in at
least some scenarios).
Reproduces: https://gitlab.gnome.org/GNOME/glib/-/issues/3268
Signed-off-by: Simon McVittie <smcv@collabora.com>
Origin: upstream, https://gitlab.gnome.org/GNOME/glib/-/issues/3268
---
gio/tests/gdbus-subscribe.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/gio/tests/gdbus-subscribe.c b/gio/tests/gdbus-subscribe.c
index 171d610..5406ba7 100644
--- a/gio/tests/gdbus-subscribe.c
+++ b/gio/tests/gdbus-subscribe.c
@@ -440,6 +440,33 @@ static const TestPlan plan_limit_by_well_known_name =
.iface = EXAMPLE_INTERFACE,
},
},
+ {
+ /* Attacker wants to trick subscriber into thinking that service
+ * sent a signal */
+ .action = TEST_ACTION_EMIT_SIGNAL,
+ .u.signal = {
+ .sender = TEST_CONN_ATTACKER,
+ .path = EXAMPLE_PATH,
+ .iface = EXAMPLE_INTERFACE,
+ .member = FOO_SIGNAL,
+ .received_by_conn = 0,
+ .received_by_proxy = 0
+ },
+ },
+ {
+ /* Attacker tries harder, by sending a signal unicast directly to
+ * the subscriber */
+ .action = TEST_ACTION_EMIT_SIGNAL,
+ .u.signal = {
+ .sender = TEST_CONN_ATTACKER,
+ .unicast_to = TEST_CONN_SUBSCRIBER,
+ .path = EXAMPLE_PATH,
+ .iface = EXAMPLE_INTERFACE,
+ .member = FOO_SIGNAL,
+ .received_by_conn = 0,
+ .received_by_proxy = 0
+ },
+ },
{
/* When the service sends a signal with the name it already owns,
* it should get through */
|
