From 6db561dce296b4c233b9fe9b117012249a99df08 Mon Sep 17 00:00:00 2001 From: "John (J5) Palmieri" Date: Tue, 26 Feb 2008 13:30:47 -0500 Subject: CVE-2008-0595 dbus security policy circumvention * CVE-2008-0595 - security policy of the type work as an implicit allow for messages sent without an interface bypassing the default deny rules and potentially allowing restricted methods exported on the bus to be executed by unauthorized users. This patch fixes the issue. * bus/policy.c (bus_client_policy_check_can_send, bus_client_policy_check_can_receive): skip messages without an interface when evaluating an allow rule, and thus pass it to the default deny rules --- ChangeLog | 12 ++++++++++++ bus/policy.c | 32 ++++++++++++++++++++++++++------ 2 files changed, 38 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index e4a32374..4b68cb37 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2008-02-26 John (J5) Palmieri + + * CVE-2008-0595 - security policy of the type work as an implicit allow for + messages sent without an interface bypassing the default deny rules + and potentially allowing restricted methods exported on the bus to be + executed by unauthorized users. This patch fixes the issue. + * bus/policy.c (bus_client_policy_check_can_send, + bus_client_policy_check_can_receive): skip messages without an + interface when evaluating an allow rule, and thus pass it to the + default deny rules + 2008-02-26 John (J5) Palmieri * correctly unref connections without guids during shutdown diff --git a/bus/policy.c b/bus/policy.c index 383b2b18..caa544e7 100644 --- a/bus/policy.c +++ b/bus/policy.c @@ -942,9 +942,19 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, if (rule->d.send.interface != NULL) { - if (dbus_message_get_interface (message) != NULL && - strcmp (dbus_message_get_interface (message), - rule->d.send.interface) != 0) + /* The interface is optional in messages. For allow rules, if the message + * has no interface we want to skip the rule (and thus not allow); + * for deny rules, if the message has no interface we want to use the + * rule (and thus deny). + */ + dbus_bool_t no_interface; + + no_interface = dbus_message_get_interface (message) == NULL; + + if ((no_interface && rule->allow) || + (!no_interface && + strcmp (dbus_message_get_interface (message), + rule->d.send.interface) != 0)) { _dbus_verbose (" (policy) skipping rule for different interface\n"); continue; @@ -1128,9 +1138,19 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, if (rule->d.receive.interface != NULL) { - if (dbus_message_get_interface (message) != NULL && - strcmp (dbus_message_get_interface (message), - rule->d.receive.interface) != 0) + /* The interface is optional in messages. For allow rules, if the message + * has no interface we want to skip the rule (and thus not allow); + * for deny rules, if the message has no interface we want to use the + * rule (and thus deny). + */ + dbus_bool_t no_interface; + + no_interface = dbus_message_get_interface (message) == NULL; + + if ((no_interface && rule->allow) || + (!no_interface && + strcmp (dbus_message_get_interface (message), + rule->d.receive.interface) != 0)) { _dbus_verbose (" (policy) skipping rule for different interface\n"); continue; -- cgit