CVE-2015-0245: discard forged ActivationFailure messages

Without this code change, non-systemd processes can make dbus-daemon think systemd failed to activate a system service, resulting in an error reply back to the requester. In practice we can address this in system.conf by only allowing root to forge these messages, but this check is the real solution, particularly on systems where root is not all-powerful. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88811 Reviewed-by: Alban Crequy Reviewed-by: David King Reviewed-by: Philip Withnall
2026-05-08 14:58:04 +02:00 · 2015-01-26 20:06:48 +00:00 · 2015-01-26 20:06:48 +00:00 · 03c5e16175
commit 03c5e16175
parent aaea599163
1 changed files with 18 additions and 0 deletions
--- a/bus/driver.c
+++ b/bus/driver.c
@ -2061,8 +2061,26 @@ bus_driver_handle_message (DBusConnection *connection,
  if (dbus_message_is_signal (message, "org.freedesktop.systemd1.Activator", "ActivationFailure"))
    {
      BusContext *context;
+      DBusConnection *systemd;

      context = bus_connection_get_context (connection);
+      systemd = bus_driver_get_owner_of_name (connection,
+          "org.freedesktop.systemd1");
+
+      if (systemd != connection)
+        {
+          const char *attacker;
+
+          attacker = bus_connection_get_name (connection);
+          bus_context_log (context, DBUS_SYSTEM_LOG_SECURITY,
+                           "Ignoring forged ActivationFailure message from "
+                           "connection %s (%s)",
+                           attacker ? attacker : "(unauthenticated)",
+                           bus_connection_get_loginfo (connection));
+          /* ignore it */
+          return TRUE;
+        }
+
      return dbus_activation_systemd_failure(bus_context_get_activation(context), message);
    }