From dff8e78a05148d601ef555b0341f9bbc9a34e815 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Wed, 1 Feb 2017 11:10:26 +0000 Subject: [PATCH 1/7] Update NEWS for 1.10 branch --- NEWS | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/NEWS b/NEWS index 53ab3066..69e99e4a 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,12 @@ D-Bus 1.10.16 (UNRELEASED) == +Enhancements: + +• Do the Travis-CI build in Docker containers for Ubuntu LTS, Debian + stable and Debian testing in addition to the older Ubuntu that is + the default (fd.o #98889, Simon McVittie) + Fixes: ... From bca5a8465a653a3e623d5ed172a419808e88f9b3 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Tue, 14 Feb 2017 08:58:26 +0000 Subject: [PATCH 2/7] Travis-CI: Get new autoconf-archive from Ubuntu Hopefully this has better uptime than snapshot.debian.org, which is really an archival service rather than a production component. This particular autoconf-archive version was in Ubuntu 16.10, so it should stay around for a while. Signed-off-by: Simon McVittie (cherry picked from commit 9935a5b7d177b2368506fa48e7fdfa94ea0151fa) --- tools/ci-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ci-install.sh b/tools/ci-install.sh index b01c28ab..5c0ec7d7 100755 --- a/tools/ci-install.sh +++ b/tools/ci-install.sh @@ -145,7 +145,7 @@ case "$ci_distro" in case "$ci_suite" in (trusty|jessie) # Ubuntu 14.04's autoconf-archive is too old - wget http://snapshot.debian.org/archive/debian/20160905T163745Z/pool/main/a/autoconf-archive/autoconf-archive_20160320-1_all.deb + wget http://archive.ubuntu.com/ubuntu/pool/universe/a/autoconf-archive/autoconf-archive_20160320-1_all.deb $sudo dpkg -i autoconf-archive_*_all.deb rm autoconf-archive_*_all.deb ;; From be51bfe915af717aa462fc7957e5a3c6dabc746b Mon Sep 17 00:00:00 2001 
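Review bot: The replacement URL is still plain http:// and the .deb it fetches is installed by `$sudo dpkg -i` two lines later with no integrity check, so a tampered or substituted archive would be installed as root on the CI runner. Since the package version is already pinned, pin its digest too and verify before installing, e.g. `echo "<sha256 of autoconf-archive_20160320-1_all.deb>  autoconf-archive_20160320-1_all.deb" | sha256sum -c -` (placeholder digest, to be taken from the Ubuntu Packages index for that file), and use an https mirror if one is available. The `dpkg -i autoconf-archive_*_all.deb` glob will also pick up any stale file matching that pattern in the working directory, so downloading with `wget -O` to a fixed name would make the step deterministic.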
From: Simon McVittie Date: Wed, 15 Feb 2017 16:32:04 +0000 Subject: [PATCH 3/7] Change _dbus_create_directory to fail for existing directories If we don't trap EEXIST and its Windows equivalent, we are unable to detect the situation where we create an ostensibly unique subdirectory in a shared /tmp, but an attacker has already created it. This affects dbus-nonce (the nonce-tcp transport) and the activation reload test. Add a new _dbus_ensure_directory() for the one case where we want it to succeed even on EEXIST: the DBUS_COOKIE_SHA1 keyring, which we know we are creating in our own trusted "official" $HOME. In the new transient service support on Bug #99825, ensure_owned_directory() would need the same treatment. We are not treating this as a serious security problem, because the nonce-tcp transport is rarely enabled on Unix and there are multiple mitigations. The nonce-tcp transport creates a new unique file with O_EXCL and 0600 (private to user) permissions, then overwrites the requested filename via atomic-overwrite, so the worst that could happen there is that an attacker could place a symbolic link matching the name of a directory we are going to create, causing a dbus-daemon configured for nonce-tcp to traverse the symlink and atomically overwrite a file named "nonce" in a directory of the attacker's choice, with new random contents that are not known to the attacker. This seems unlikely to be exploitable for anything worse than denial of service in practice. In mainline Linux since 3.6, this attack is also defeated by the fs.protected_symlinks sysctl, which many distributions enable by default. The activation reload test suffers from a classic symlink attack due to time-of-check/time-of-use errors in its implementation, but as part of the developer-only "embedded tests" that are only intended to be run on a trusted machine, it is not treated as security-sensitive. That code path will be fixed in a subsequent commit. 
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99828 Signed-off-by: Simon McVittie Reviewed-by: Philip Withnall --- dbus/dbus-keyring.c | 2 +- dbus/dbus-sysdeps-unix.c | 31 ++++++++++++++++++++++++++++++- dbus/dbus-sysdeps-win.c | 31 ++++++++++++++++++++++++++++++- dbus/dbus-sysdeps.h | 3 +++ 4 files changed, 64 insertions(+), 3 deletions(-) diff --git a/dbus/dbus-keyring.c b/dbus/dbus-keyring.c index bb7e4f8d..68b05794 100644 --- a/dbus/dbus-keyring.c +++ b/dbus/dbus-keyring.c @@ -807,7 +807,7 @@ _dbus_keyring_new_for_credentials (DBusCredentials *credentials, * unless someone else manages to create it */ dbus_error_init (&tmp_error); - if (!_dbus_create_directory (&keyring->directory, + if (!_dbus_ensure_directory (&keyring->directory, &tmp_error)) { _dbus_verbose ("Creating keyring directory: %s\n", diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c index ed776a70..9d914f8c 100644 --- a/dbus/dbus-sysdeps-unix.c +++ b/dbus/dbus-sysdeps-unix.c @@ -2953,7 +2953,7 @@ _dbus_get_real_time (long *tv_sec, * @returns #TRUE on success */ dbus_bool_t -_dbus_create_directory (const DBusString *filename, +_dbus_ensure_directory (const DBusString *filename, DBusError *error) { const char *filename_c; 
@@ -2976,6 +2976,35 @@ _dbus_create_directory (const DBusString *filename, return TRUE; } +/** + * Creates a directory. Unlike _dbus_ensure_directory(), this only succeeds + * if the directory is genuinely newly-created. + * + * @param filename directory filename + * @param error initialized error object + * @returns #TRUE on success + */ +dbus_bool_t +_dbus_create_directory (const DBusString *filename, + DBusError *error) +{ + const char *filename_c; + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); + + filename_c = _dbus_string_get_const_data (filename); + + if (mkdir (filename_c, 0700) < 0) + { + dbus_set_error (error, DBUS_ERROR_FAILED, + "Failed to create directory %s: %s\n", + filename_c, _dbus_strerror (errno)); + return FALSE; + } + else + return TRUE; +} + /** * Appends the given filename to the given directory. * diff --git a/dbus/dbus-sysdeps-win.c b/dbus/dbus-sysdeps-win.c index d19267e6..c5219ab7 100644 --- a/dbus/dbus-sysdeps-win.c +++ b/dbus/dbus-sysdeps-win.c @@ -2223,6 +2223,35 @@ _dbus_disable_sigpipe (void) { } +/** + * Creates a directory. Unlike _dbus_ensure_directory(), this only succeeds + * if the directory is genuinely newly-created. + * + * @param filename directory filename + * @param error initialized error object + * @returns #TRUE on success + */ +dbus_bool_t +_dbus_create_directory (const DBusString *filename, + DBusError *error) +{ + const char *filename_c; + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); + + filename_c = _dbus_string_get_const_data (filename); + + if (!CreateDirectoryA (filename_c, NULL)) + { + dbus_set_error (error, DBUS_ERROR_FAILED, + "Failed to create directory %s: %s\n", + filename_c, _dbus_strerror_from_errno ()); + return FALSE; + } + else + return TRUE; +} + /** * Creates a directory; succeeds if the directory * is created or already existed. 
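Review bot: The new `_dbus_create_directory` reports every `mkdir` failure as DBUS_ERROR_FAILED, so a caller cannot tell the case this patch exists to detect (the path already exists, EEXIST) from an unrelated failure such as EACCES or ENOSPC other than by parsing the message. Saving errno into a local immediately after the `mkdir` call and passing `_dbus_error_from_errno (saved_errno)` as the error name in place of `DBUS_ERROR_FAILED` (with `_dbus_strerror (saved_errno)` in the message) keeps the text identical while giving callers a distinguishable name (DBUS_ERROR_FILE_EXISTS for EEXIST, if that helper maps it as I recall). The doc comment should also spell out the guarantee the commit relies on, e.g. `* Fails if anything already exists at the path, including a symbolic link (dangling or not): mkdir() does not follow a symlink in the final path component, so on success the directory is one this process created, not one placed there by someone else.`. The documentation point applies equally to the Windows implementation added to dbus-sysdeps-win.c in this patch.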
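Review bot: The Windows `_dbus_create_directory` passes NULL security attributes to `CreateDirectoryA`, so the new directory inherits the parent's default ACL, whereas the Unix version in this patch creates it with mode 0700; a caller that wants the directory private to the current user gets a weaker guarantee here. If that asymmetry is intended, state it in the doc comment, e.g. `* On Windows the directory inherits the parent's default ACL; unlike the Unix implementation it is not restricted to the current user.`, otherwise a SECURITY_ATTRIBUTES with a restrictive DACL should be supplied. The failure message is built from `_dbus_strerror_from_errno ()` rather than `GetLastError ()`; if that helper reads errno, the reported reason may not be the one `CreateDirectoryA` set, which is worth confirming against its definition.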
@@ -2232,7 +2261,7 @@ _dbus_disable_sigpipe (void) * @returns #TRUE on success */ dbus_bool_t -_dbus_create_directory (const DBusString *filename, +_dbus_ensure_directory (const DBusString *filename, DBusError *error) { const char *filename_c; diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h index 2d152b8c..0ee45c97 100644 --- a/dbus/dbus-sysdeps.h +++ b/dbus/dbus-sysdeps.h @@ -421,6 +421,9 @@ DBUS_PRIVATE_EXPORT dbus_bool_t _dbus_create_directory (const DBusString *filename, DBusError *error); DBUS_PRIVATE_EXPORT +dbus_bool_t _dbus_ensure_directory (const DBusString *filename, + DBusError *error); +DBUS_PRIVATE_EXPORT dbus_bool_t _dbus_delete_directory (const DBusString *filename, DBusError *error); From 1488f02d9e34a3ef0710dace2b1e92cbc30cd99d Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Wed, 15 Feb 2017 17:24:14 +0000 Subject: [PATCH 4/7] activation test: Fix time-of-check/time-of-use bug waiting to happen Creating a directory is atomic, stat'ing it to see whether to remove it is very much not. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99828 Signed-off-by: Simon McVittie Reviewed-by: Philip Withnall --- bus/activation.c | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/bus/activation.c b/bus/activation.c index 12113295..1a98af6d 100644 --- a/bus/activation.c +++ b/bus/activation.c @@ -2436,21 +2436,8 @@ out: static dbus_bool_t init_service_reload_test (DBusString *dir) { - DBusStat stat_buf; - - if (!_dbus_stat (dir, &stat_buf, NULL)) - { - if (!_dbus_create_directory (dir, NULL)) - return FALSE; - } - else - { - if (!test_remove_directory (dir)) - return FALSE; - - if (!_dbus_create_directory (dir, NULL)) - return FALSE; - } + if (!_dbus_create_directory (dir, NULL)) + return FALSE; /* Create one initial file */ if (!test_create_service_file (dir, SERVICE_FILE_1, SERVICE_NAME_1, "exec-1")) 
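Review bot: `_dbus_create_directory (dir, NULL)` discards the error, and now that the function also fails when the directory already exists, a leftover `dir` from an interrupted earlier run makes the test fail with no diagnostic at all. Passing a DBusError and logging it before returning FALSE makes that failure mode self-explaining, and a short comment above the call preserves the reasoning from the commit message (an existing directory, whether leftover or planted, would reintroduce the stat-then-create race) for future readers. The remainder of init_service_reload_test continues past the hunk.
```c
static dbus_bool_t
init_service_reload_test (DBusString *dir)
{
  DBusError error = DBUS_ERROR_INIT;

  /* Must be newly created: an existing directory (leftover from an
   * interrupted run, or placed there by someone else) would reintroduce
   * the stat-then-create race this test used to have. */
  if (!_dbus_create_directory (dir, &error))
    {
      _dbus_warn ("Could not create %s: %s\n",
                  _dbus_string_get_const_data (dir), error.message);
      dbus_error_free (&error);
      return FALSE;
    }

  /* … unchanged: creation of the initial service file … */
```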
@@ -2638,6 +2625,9 @@ bus_activation_service_reload_test (const DBusString *test_data_dir) /* Do nothing? */ } + if (!cleanup_service_reload_test (&directory)) + goto out; + /* Do OOM tests */ if (!init_service_reload_test (&directory)) _dbus_assert_not_reached ("could not initiate service reload test"); From 8b582cb10d7cf00af7a70496aec48af24edc542b Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 16 Feb 2017 13:37:46 +0000 Subject: [PATCH 5/7] Prepare 1.10.16 --- NEWS | 25 +++++++++++++++++++++++-- configure.ac | 4 ++-- 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 69e99e4a..59efcfa7 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,12 @@ -D-Bus 1.10.16 (UNRELEASED) +D-Bus 1.10.16 (2017-02-16) == +The “super digging powers” release. + +The fixes in this release are arguably security fixes, but if they +affect you, please take this opportunity to rethink how you are +configuring dbus. + Enhancements: • Do the Travis-CI build in Docker containers for Ubuntu LTS, Debian @@ -9,7 +15,22 @@ Enhancements: Fixes: -... +• Prevent symlink attacks in the nonce-tcp transport on Unix that could + allow an attacker to overwrite a file named "nonce", in a directory + that the user running dbus-daemon can write, with a random value + known only to the user running dbus-daemon. This is unlikely to be + exploitable in practice, particularly since the nonce-tcp transport + is really only useful on Windows. + + On Unix systems we strongly recommend using only the unix: and systemd: + transports, together with EXTERNAL authentication. These are the only + transports and authentication mechanisms enabled by default, + + (fd.o #99828, Simon McVittie) + +• Avoid symlink attacks in the "embedded tests", which are not enabled + by default and should never be enabled in production builds of dbus. + (fd.o #99828, Simon McVittie) D-Bus 1.10.14 (2016-11-28) == diff --git a/configure.ac b/configure.ac index 2af08ba3..9ad52fff 100644 --- a/configure.ac 
+++ b/configure.ac @@ -3,7 +3,7 @@ AC_PREREQ([2.63]) m4_define([dbus_major_version], [1]) m4_define([dbus_minor_version], [10]) -m4_define([dbus_micro_version], [15]) +m4_define([dbus_micro_version], [16]) m4_define([dbus_version], [dbus_major_version.dbus_minor_version.dbus_micro_version]) AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus]) @@ -38,7 +38,7 @@ LT_CURRENT=17 ## increment any time the source changes; set to ## 0 if you increment CURRENT -LT_REVISION=9 +LT_REVISION=10 ## increment if any interfaces have been added; set to 0 ## if any interfaces have been changed or removed. removal has From cb538cc2732ecc597c6a265d2d3077c6fe0286e0 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 16 Feb 2017 15:57:30 +0000 Subject: [PATCH 6/7] Start 1.10.18 Signed-off-by: Simon McVittie --- NEWS | 5 +++++ configure.ac | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 59efcfa7..e85ef4bf 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,8 @@ +D-Bus 1.10.18 (UNRELEASED) +== + +... + D-Bus 1.10.16 (2017-02-16) == diff --git a/configure.ac b/configure.ac index 9ad52fff..db4679d4 100644 --- a/configure.ac +++ b/configure.ac @@ -3,7 +3,7 @@ AC_PREREQ([2.63]) m4_define([dbus_major_version], [1]) m4_define([dbus_minor_version], [10]) -m4_define([dbus_micro_version], [16]) +m4_define([dbus_micro_version], [17]) m4_define([dbus_version], [dbus_major_version.dbus_minor_version.dbus_micro_version]) AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus]) From fea69f0661ff48382218874f6598849a9e71ea31 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 16 Feb 2017 15:57:46 +0000 Subject: [PATCH 7/7] NEWS: fix typo Signed-off-by: Simon McVittie --- NEWS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NEWS b/NEWS index e85ef4bf..207c2224 100644 --- a/NEWS +++ b/NEWS 
@@ -29,7 +29,7 @@ Fixes: On Unix systems we strongly recommend using only the unix: and systemd: transports, together with EXTERNAL authentication. These are the only - transports and authentication mechanisms enabled by default, + transports and authentication mechanisms enabled by default. (fd.o #99828, Simon McVittie)