dbus: CVE-2015-0245: prevent forged ActivationFailure

Fix CVE-2015-0245 by preventing non-root and non-systemd processes
from fooling the dbus daemon into thinking systemd service activation
failed.

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
index d38ba7e1d2f1701637c021dbf6a37813c0a239e8..971eabf82cf801be74ac7b61b5cec8e620200b58 100644 (file)
--- a/meta/recipes-core/dbus/dbus.inc
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -17,6 +17,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
            file://dbus-1.init \
            file://os-test.patch \
            file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+           file://CVE-2015-0245-prevent-forged-ActivationFailure.patch \
 "
 
 inherit useradd autotools pkgconfig gettext update-rc.d

diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
new file mode 100644 (file)
index 0000000..59363b3
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
@@ -0,0 +1,48 @@
+CVE-2015-0245: prevent forged ActivationFailure from non-root processes
+
+Upstream has fixed this in code but suggests using this as a easily
+backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811
+
+Upstream-Status: Inappropriate
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+
+
+
+From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Date: Mon, 26 Jan 2015 20:09:56 +0000
+Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure from
+ non-root processes
+
+Without either this rule or better checking in dbus-daemon, non-systemd
+processes can make dbus-daemon think systemd failed to activate a system
+service, resulting in an error reply back to the requester.
+
+This is redundant with the fix in the C code (which I consider to be
+the real solution), but is likely to be easier to backport.
+---
+ bus/system.conf.in | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/bus/system.conf.in b/bus/system.conf.in
+index 92f4cc4..851b9e6 100644
+--- a/bus/system.conf.in
++++ b/bus/system.conf.in
+@@ -68,6 +68,14 @@
+     <deny send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus"
+           send_member="UpdateActivationEnvironment"/>
++    <deny send_destination="org.freedesktop.DBus"
++          send_interface="org.freedesktop.systemd1.Activator"/>
++  </policy>
++
++  <!-- Only systemd, which runs as root, may report activation failures. -->
++  <policy user="root">
++    <allow send_destination="org.freedesktop.DBus"
++           send_interface="org.freedesktop.systemd1.Activator"/>
+   </policy>
+ 
+   <!-- Config files are placed here that among other things, punch 
+-- 
+2.1.4
+