core: work around dbus-glib property access bug (CVE-2010-1172) (rh #585394)

More info: https://bugzilla.redhat.com/show_bug.cgi?id=585394 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1172 dbus-glib was not properly enforcing the 'access' permissions on object properties exported using its API. There were 2 specific bugs: 1) dbus-glib did not enforce the introspection read/write property permissions, so if the GObject property definition allowed write access (which is sometimes desirable), D-Bus clients could modify that value even if the introspection said it was read-only 2) dbus-glib was not filtering out GObject properties that were not listed in the introspection XML. Thus, if the GObject defined more properties than were listed in the introspection XML (which is also often useful, and NM uses this quite a bit) those properties would also be exposed to D-Bus clients. To fix this completely, you need to: 1) get dbus-glib master when the patch is commited, OR grab the patch from https://bugzilla.redhat.com/show_bug.cgi?id=585394 and build a new dbus-glib 2) rebuild NetworkManager against the new dbus-glib
2026-02-05 07:40:28 +01:00 · 2010-08-11 15:40:25 -05:00 · 2010-08-11 15:40:25 -05:00 · 92babdb658
commit 92babdb658
parent 96a9ce41fb
3 changed files with 29 additions and 13 deletions
--- a/configure.ac
+++ b/configure.ac
@ -203,6 +203,12 @@ dnl
 AC_CHECK_LIB([dl], [dladdr], LIBDL="-ldl", LIBDL="")
 AC_SUBST(LIBDL)

+dnl
+dnl Checks for new dbus-glib property access function
+dnl
+AC_CHECK_LIB([dbus-glib-1], [dbus_glib_global_set_disable_legacy_property_access], ac_have_dg_prop="1", ac_have_dg_prop="0")
+AC_DEFINE_UNQUOTED(HAVE_DBUS_GLIB_DISABLE_LEGACY_PROP_ACCESS, $ac_have_dg_prop, [Define if you have a dbus-glib with dbus_glib_global_set_disable_legacy_property_access()])
+
 PKG_CHECK_MODULES(DBUS, dbus-1 >= 1.1 dbus-glib-1 >= 0.75)
 AC_SUBST(DBUS_CFLAGS)
 AC_SUBST(DBUS_LIBS)
--- a/src/main.c
+++ b/src/main.c
@ -19,10 +19,7 @@
 * Copyright (C) 2005 - 2008 Novell, Inc.
 */

-#ifdef HAVE_CONFIG_H
-# include <config.h>
-#endif
-
+#include <config.h>
 #include <glib.h>
 #include <dbus/dbus.h>
 #include <dbus/dbus-glib-lowlevel.h>
@ -627,6 +624,17 @@ main (int argc, char *argv[])
 		g_thread_init (NULL);
 	dbus_g_thread_init ();

+#ifndef HAVE_DBUS_GLIB_DISABLE_LEGACY_PROP_ACCESS
+#error HAVE_DBUS_GLIB_DISABLE_LEGACY_PROP_ACCESS not defined
+#endif
+
+#if HAVE_DBUS_GLIB_DISABLE_LEGACY_PROP_ACCESS
+	/* Ensure that non-exported properties don't leak out, and that the
+	 * introspection 'access' permissions are respected.
+	 */
+	dbus_glib_global_set_disable_legacy_property_access ();
+#endif
+
 	setup_signals ();

 	nm_logging_start (become_daemon);
--- a/src/nm-wifi-ap.c
+++ b/src/nm-wifi-ap.c
@ -153,6 +153,8 @@ set_property (GObject *object, guint prop_id,
 	case PROP_STRENGTH:
 		nm_ap_set_strength (ap, g_value_get_char (value));
 		break;
+	case PROP_HW_ADDRESS:
+		break;
 	default:
 		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 		break;
@ -242,7 +244,7 @@ nm_ap_class_init (NMAccessPointClass *ap_class)
 							NM_802_11_AP_FLAGS_NONE,
 							NM_802_11_AP_FLAGS_PRIVACY,
 							NM_802_11_AP_FLAGS_NONE,
-							G_PARAM_READWRITE));
+							G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));

 	g_object_class_install_property
 		(object_class, PROP_WPA_FLAGS,
@ -252,7 +254,7 @@ nm_ap_class_init (NMAccessPointClass *ap_class)
 							NM_802_11_AP_SEC_NONE,
 							all_sec_flags,
 							NM_802_11_AP_SEC_NONE,
-							G_PARAM_READWRITE));
+							G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));

 	g_object_class_install_property
 		(object_class, PROP_RSN_FLAGS,
@ -262,7 +264,7 @@ nm_ap_class_init (NMAccessPointClass *ap_class)
 							NM_802_11_AP_SEC_NONE,
 							all_sec_flags,
 							NM_802_11_AP_SEC_NONE,
-							G_PARAM_READWRITE));
+							G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));

 	g_object_class_install_property
 		(object_class, PROP_SSID,
@ -270,7 +272,7 @@ nm_ap_class_init (NMAccessPointClass *ap_class)
 	                         "SSID",
 	                         "SSID",
 	                         DBUS_TYPE_G_UCHAR_ARRAY,
-	                         G_PARAM_READWRITE));
+	                         G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));

 	g_object_class_install_property
 		(object_class, PROP_FREQUENCY,
@ -278,7 +280,7 @@ nm_ap_class_init (NMAccessPointClass *ap_class)
 							"Frequency",
 							"Frequency",
 							0, 10000, 0,
-							G_PARAM_READWRITE));
+							G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));

 	g_object_class_install_property
 		(object_class, PROP_HW_ADDRESS,
@ -286,7 +288,7 @@ nm_ap_class_init (NMAccessPointClass *ap_class)
 							  "MAC Address",
 							  "Hardware MAC address",
 							  NULL,
-							  G_PARAM_READABLE));
+							  G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
 	
 	g_object_class_install_property
 		(object_class, PROP_MODE,
@ -294,7 +296,7 @@ nm_ap_class_init (NMAccessPointClass *ap_class)
 						   "Mode",
 						   "Mode",
 						   NM_802_11_MODE_ADHOC, NM_802_11_MODE_INFRA, NM_802_11_MODE_INFRA,
-						   G_PARAM_READWRITE));
+						   G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));

 	g_object_class_install_property
 		(object_class, PROP_MAX_BITRATE,
@ -302,7 +304,7 @@ nm_ap_class_init (NMAccessPointClass *ap_class)
 							"Max Bitrate",
 							"Max Bitrate",
 							0, G_MAXUINT16, 0,
-							G_PARAM_READWRITE));
+							G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));

 	g_object_class_install_property
 		(object_class, PROP_STRENGTH,
@ -310,7 +312,7 @@ nm_ap_class_init (NMAccessPointClass *ap_class)
 							"Strength",
 							"Strength",
 							G_MININT8, G_MAXINT8, 0,
-							G_PARAM_READWRITE));
+							G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));

 	/* Signals */
 	signals[PROPERTIES_CHANGED] =