diff options
author | Jussi Kukkonen <jussi.kukkonen@intel.com> | 2015-06-24 23:06:46 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-06-28 09:44:18 +0100 |
commit | affbc3f64940d59815941ce94c4aa19cab4aa72c (patch) | |
tree | b6803853fed1f4590fc0e2381e3c12f2269296d8 | |
parent | 919c7bf5c6ddd31483a3d31f3a91d268c4c14450 (diff) | |
download | ast2050-yocto-poky-affbc3f64940d59815941ce94c4aa19cab4aa72c.zip ast2050-yocto-poky-affbc3f64940d59815941ce94c4aa19cab4aa72c.tar.gz |
dbus: CVE-2015-0245: prevent forged ActivationFailure
Fix CVE-2015-0245 by preventing non-root and non-systemd processes
from fooling the dbus daemon into thinking systemd service activation
failed.
(From OE-Core rev: 961aaa50ed363a680b08be77a44ac13ce984b2f3)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-core/dbus/dbus.inc | 1 | ||||
-rw-r--r-- | meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch | 48 |
2 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc index fb5d017..f1744c8 100644 --- a/meta/recipes-core/dbus/dbus.inc +++ b/meta/recipes-core/dbus/dbus.inc @@ -17,6 +17,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \ file://dbus-1.init \ file://os-test.patch \ file://clear-guid_from_server-if-send_negotiate_unix_f.patch \ + file://CVE-2015-0245-prevent-forged-ActivationFailure.patch \ " inherit useradd autotools pkgconfig gettext update-rc.d diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch new file mode 100644 index 0000000..59363b3 --- /dev/null +++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch @@ -0,0 +1,48 @@ +CVE-2015-0245: prevent forged ActivationFailure from non-root processes + +Upstream has fixed this in code but suggests using this as a easily +backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811 + +Upstream-Status: Inappropriate +Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> + + + +From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00 2001 +From: Simon McVittie <simon.mcvittie@collabora.co.uk> +Date: Mon, 26 Jan 2015 20:09:56 +0000 +Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure from + non-root processes + +Without either this rule or better checking in dbus-daemon, non-systemd +processes can make dbus-daemon think systemd failed to activate a system +service, resulting in an error reply back to the requester. + +This is redundant with the fix in the C code (which I consider to be +the real solution), but is likely to be easier to backport. +--- + bus/system.conf.in | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/bus/system.conf.in b/bus/system.conf.in +index 92f4cc4..851b9e6 100644 +--- a/bus/system.conf.in ++++ b/bus/system.conf.in +@@ -68,6 +68,14 @@ + <deny send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus" + send_member="UpdateActivationEnvironment"/> ++ <deny send_destination="org.freedesktop.DBus" ++ send_interface="org.freedesktop.systemd1.Activator"/> ++ </policy> ++ ++ <!-- Only systemd, which runs as root, may report activation failures. --> ++ <policy user="root"> ++ <allow send_destination="org.freedesktop.DBus" ++ send_interface="org.freedesktop.systemd1.Activator"/> + </policy> + + <!-- Config files are placed here that among other things, punch +-- +2.1.4 + |