diff options
| author | Jussi Kukkonen <jussi.kukkonen@intel.com> | 2015-06-24 23:06:46 +0300 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-07-20 20:53:08 +0100 |
| commit | a8aa06b2405dec31a306fdf47bd1fdf740fde7bd (patch) | |
| tree | 300596a2bc51c01d5bdcf2071648a3886d443cf5 /meta | |
| parent | 429ab46f975c05f65120beddf50099c7cb0b2f86 (diff) | |
| download | openembedded-core-a8aa06b2405dec31a306fdf47bd1fdf740fde7bd.tar.gz openembedded-core-a8aa06b2405dec31a306fdf47bd1fdf740fde7bd.tar.bz2 openembedded-core-a8aa06b2405dec31a306fdf47bd1fdf740fde7bd.zip | |
dbus: CVE-2015-0245: prevent forged ActivationFailure
Fix CVE-2015-0245 by preventing non-root and non-systemd processes
from fooling the dbus daemon into thinking systemd service activation
failed.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-core/dbus/dbus.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch | 48 |
2 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc index d38ba7e1d2..971eabf82c 100644 --- a/meta/recipes-core/dbus/dbus.inc +++ b/meta/recipes-core/dbus/dbus.inc @@ -17,6 +17,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \ file://dbus-1.init \ file://os-test.patch \ file://clear-guid_from_server-if-send_negotiate_unix_f.patch \ + file://CVE-2015-0245-prevent-forged-ActivationFailure.patch \ " inherit useradd autotools pkgconfig gettext update-rc.d diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch new file mode 100644 index 0000000000..59363b3e76 --- /dev/null +++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch @@ -0,0 +1,48 @@ +CVE-2015-0245: prevent forged ActivationFailure from non-root processes + +Upstream has fixed this in code but suggests using this as a easily +backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811 + +Upstream-Status: Inappropriate +Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> + + + +From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00 2001 +From: Simon McVittie <simon.mcvittie@collabora.co.uk> +Date: Mon, 26 Jan 2015 20:09:56 +0000 +Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure from + non-root processes + +Without either this rule or better checking in dbus-daemon, non-systemd +processes can make dbus-daemon think systemd failed to activate a system +service, resulting in an error reply back to the requester. + +This is redundant with the fix in the C code (which I consider to be +the real solution), but is likely to be easier to backport. +--- + bus/system.conf.in | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/bus/system.conf.in b/bus/system.conf.in +index 92f4cc4..851b9e6 100644 +--- a/bus/system.conf.in ++++ b/bus/system.conf.in +@@ -68,6 +68,14 @@ + <deny send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus" + send_member="UpdateActivationEnvironment"/> ++ <deny send_destination="org.freedesktop.DBus" ++ send_interface="org.freedesktop.systemd1.Activator"/> ++ </policy> ++ ++ <!-- Only systemd, which runs as root, may report activation failures. --> ++ <policy user="root"> ++ <allow send_destination="org.freedesktop.DBus" ++ send_interface="org.freedesktop.systemd1.Activator"/> + </policy> + + <!-- Config files are placed here that among other things, punch +-- +2.1.4 + |