Bug 513698 - <sys-apps/dbus-1.8.4: deliver activation errors correctly, fixing Denial of Service (CVE-2014-3477)
Status: RESOLVED DUPLICATE of bug 512940
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ?? [stable]
Reported: 2014-06-18 14:38 UTC by Samuli Suominen
Modified: 2014-06-18 18:35 UTC

Description Samuli Suominen gentoo-dev 2014-06-18 14:38:33 UTC
See,

http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=24c590703ca47eb71ddef453de43126b90954567

Quoting the upstream commit message,

CVE-2014-3477: deliver activation errors correctly, fixing Denial of Service

How it should work:

When a D-Bus message activates a service, LSMs (SELinux or AppArmor) check whether the message can be delivered after the service has been activated. The service is considered activated when its well-known name is requested with org.freedesktop.DBus.RequestName.

When the message delivery is denied, the service stays activated but should not receive the activating message (the message which triggered the activation). dbus-daemon is supposed to drop the activating message and reply to the sender with a D-Bus error message.

However, it does not work as expected:

1. The error message is delivered to the service instead of being delivered to the sender. As an example, the error message could be something like:

     An SELinux policy prevents this sender from sending this message to this recipient, [...] member="MaliciousMethod"

   If the sender and the service are malicious confederates and agree on a protocol to insert information in the member name, the sender can leak information to the service, even though the LSM attempted to block the communication between the sender and the service.

2. The error message is delivered as a reply to the RequestName call from service. It means the activated service will believe it cannot request the name and might exit. The sender could activate the service frequently and systemd will give up activating it. Thus the denial of service.

The following changes fix the bug:

- bus_activation_send_pending_auto_activation_messages() only returns an error in case of OOM. The prototype is changed to return TRUE, or FALSE on OOM (and its only caller sets the OOM error).
- When a client is not allowed to talk to the service, a D-Bus error message is pre-allocated to be delivered to the client as part of the transaction. The error is not propagated to the caller so RequestName will not fail (except on OOM).

[fixed a misleading comment -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78979
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Colin Walters <walters@verbum.org>

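A simplified model of the delivery decision the commit message describes, added here as an illustration; it is not code from dbus or from this bug report. The names activate() and service_survives(), and the supervisor's start limit, are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

enum peer { PEER_NONE, PEER_SENDER, PEER_SERVICE };

struct activation_result {
    bool request_name_ok;    /* reply the service gets to its RequestName call */
    enum peer error_to;      /* connection that receives the access-denied error */
    bool message_delivered;  /* whether the activating message reached the service */
};

/* One activation: the service has called RequestName and the daemon runs the
 * LSM check on the pending activating message. `fixed` selects the behaviour. */
static struct activation_result activate(bool lsm_allows, bool fixed)
{
    struct activation_result r = { true, PEER_NONE, lsm_allows };
    if (lsm_allows)
        return r;
    if (fixed) {
        r.error_to = PEER_SENDER;    /* error queued for the sender in the transaction */
    } else {
        r.error_to = PEER_SERVICE;   /* error arrives as the RequestName reply */
        r.request_name_ok = false;
    }
    return r;
}

/* Assumption: the service exits when RequestName fails, and its supervisor
 * gives up after start_limit consecutive failed starts. Returns true if the
 * service can still be activated after `attempts` denied activations. */
static bool service_survives(int attempts, int start_limit, bool fixed)
{
    int failed_starts = 0;
    for (int i = 0; i < attempts; i++) {
        if (activate(false, fixed).request_name_ok)
            failed_starts = 0;
        else if (++failed_starts >= start_limit)
            return false;            /* supervisor stopped restarting the service */
    }
    return true;
}

int main(void)
{
    printf("before fix: survives=%d\n", service_survives(10, 5, false));
    printf("after fix:  survives=%d\n", service_survives(10, 5, true));
    return 0;
}
```
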
Comment 1 Samuli Suominen gentoo-dev 2014-06-18 14:48:53 UTC
I was planning on 1.8.x stabilization anyway, so this is as good a time as any. Please test and stabilize:

=sys-apps/dbus-1.8.4
Comment 2 Agostino Sarubbo gentoo-dev 2014-06-18 16:24:28 UTC

*** This bug has been marked as a duplicate of bug 512940 ***
Comment 3 Samuli Suominen gentoo-dev 2014-06-18 18:18:32 UTC
(In reply to Agostino Sarubbo from comment #2)
> 
> *** This bug has been marked as a duplicate of bug 512940 ***

You forgot to update the bug you duplicated to, or put them in the wrong order. I guess I'll leave it up to security@ to handle the rest then :(