platform/upstream/dbus.git
20 months ago dbus-marshal-validate: Validate length of arrays of fixed-length items 86/288486/1
Simon McVittie [Mon, 12 Sep 2022 12:14:18 +0000 (13:14 +0100)]
dbus-marshal-validate: Validate length of arrays of fixed-length items

This fast-path previously did not check that the array was made up
of an integer number of items. This could lead to assertion failures
and out-of-bounds accesses during subsequent message processing (which
assumes that the message has already been validated), particularly after
the addition of _dbus_header_remove_unknown_fields(), which makes it
more likely that dbus-daemon will apply non-trivial edits to messages.

Thanks: Evgeny Vereshchagin
Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
Resolves: CVE-2022-42011
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
(cherry picked from commit b9e6a7523085a2cfceaffca7ba1ab4251f12a984)
Signed-off-by: Unsung Lee <unsung.lee@samsung.com>
Change-Id: Idfe8cead0721c414f1e6946a5dc0544bad63d42e
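
The check this commit message describes, as an added example (not code from the commit or from dbus): a validator for a D-Bus array of fixed-length items that rejects a byte length which is not a whole number of items. The names `validate_fixed_array`, `ArrResult` and the `check_whole_items` switch are hypothetical, the sample bodies are constructed, and the zero-padding check is left out.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_ARRAY_LENGTH 67108864u  /* 2^26 bytes: D-Bus limit on array length */

typedef enum {
  ARR_OK = 0,
  ARR_BAD_TYPE,         /* element type is not handled by this fast path */
  ARR_TRUNCATED,        /* length word or payload runs past the body */
  ARR_TOO_LONG,         /* declared length exceeds the protocol limit */
  ARR_NOT_WHOLE_ITEMS   /* length is not a multiple of the item size */
} ArrResult;

/* Size in bytes of fixed-length types for which every bit pattern is valid.
 * Booleans are left out: their value must also be checked to be 0 or 1. */
static size_t fixed_item_size(char type_code)
{
  switch (type_code) {
    case 'y': return 1;                       /* byte */
    case 'n': case 'q': return 2;             /* int16, uint16 */
    case 'i': case 'u': case 'h': return 4;   /* int32, uint32, unix fd index */
    case 'x': case 't': case 'd': return 8;   /* int64, uint64, double */
    default: return 0;
  }
}

static uint32_t read_u32(const uint8_t *p, int little_endian)
{
  if (little_endian)
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
  return (uint32_t)p[3] | (uint32_t)p[2] << 8 |
         (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

/* Validate the array whose uint32 byte length sits at body[pos].
 * Assumes body[0] is 8-byte aligned within the message, as a D-Bus body is.
 * check_whole_items = 0 reproduces a bounds-only fast path for comparison. */
ArrResult validate_fixed_array(const uint8_t *body, size_t body_len, size_t pos,
                               char elem_type, int little_endian,
                               int check_whole_items, size_t *n_items)
{
  size_t item = fixed_item_size(elem_type);
  size_t start;
  uint32_t len;

  if (item == 0)
    return ARR_BAD_TYPE;
  if (pos % 4 != 0 || body_len < 4 || pos > body_len - 4)
    return ARR_TRUNCATED;
  len = read_u32(body + pos, little_endian);
  if (len > MAX_ARRAY_LENGTH)
    return ARR_TOO_LONG;
  /* The first item is aligned to its own size (padding after the length). */
  start = (pos + 4 + item - 1) & ~(item - 1);
  if (start > body_len || len > body_len - start)
    return ARR_TRUNCATED;
  /* The step the fast path lacked: a trailing partial item means later
   * code that iterates item by item would read past the array. */
  if (check_whole_items && len % item != 0)
    return ARR_NOT_WHOLE_ITEMS;
  *n_items = len / item;
  return ARR_OK;
}

/* Constructed sample bodies (little-endian), each one array of uint32. */
const uint8_t BODY_WHOLE[]   = { 8, 0, 0, 0,  1, 0, 0, 0,  2, 0, 0, 0 };
const uint8_t BODY_PARTIAL[] = { 6, 0, 0, 0,  1, 0, 0, 0,  2, 0 };
```

With `check_whole_items` set to 0, `BODY_PARTIAL` passes and reports one item while two bytes of the array are unaccounted for; with it set to 1 the body is rejected.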

20 months ago dbus-marshal-validate: Check brackets in signature nest correctly 82/288482/1
Simon McVittie [Tue, 13 Sep 2022 14:10:22 +0000 (15:10 +0100)]
dbus-marshal-validate: Check brackets in signature nest correctly

In debug builds with assertions enabled, a signature with incorrectly
nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
in an assertion failure.

In production builds without assertions enabled, a signature with
incorrectly nested `()` and `{}` could potentially result in a crash
or incorrect message parsing, although we do not have a concrete example
of either of these failure modes.

Thanks: Evgeny Vereshchagin
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
Resolves: CVE-2022-42010
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916)
(cherry picked from commit 3e53a785dee8d1432156188a2c4260e4cbc78c4d)

Change-Id: I0b3f37401dd6e0a0e8a9004e5a85e166b68db810
Signed-off-by: Unsung Lee <unsung.lee@samsung.com>
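
The nesting rule from this commit message, as an added example (not code from the commit or from dbus): a stack-based check that reports where `()` and `{}` stop nesting correctly, next to a counter-only check that accepts `(a{ii)}`. The function names and the stack bound of 64 are assumptions of this example, and the other signature rules (dict entry contents, empty structs) are not covered.

```c
#include <stddef.h>
#include <string.h>

#define MAX_SIG_LEN 255   /* D-Bus limit on signature length */
#define MAX_DEPTH   64    /* stack bound chosen for this example */

/* Counter-only check, shown for contrast: it verifies that each kind of
 * bracket balances but not that the two kinds nest inside each other. */
int counters_balance(const char *sig)
{
  int structs = 0, dicts = 0;

  for (; *sig != '\0'; sig++) {
    switch (*sig) {
      case '(': structs++; break;
      case ')': if (--structs < 0) return 0; break;
      case '{': dicts++; break;
      case '}': if (--dicts < 0) return 0; break;
      default: break;
    }
  }
  return structs == 0 && dicts == 0;
}

/* Returns -1 if every bracket closes the most recently opened one,
 * otherwise the offset of the first offending character (the signature
 * length if a bracket is left open, MAX_SIG_LEN if it is too long). */
int first_nesting_error(const char *sig)
{
  char stack[MAX_DEPTH];
  size_t depth = 0, i, len = strlen(sig);

  if (len > MAX_SIG_LEN)
    return MAX_SIG_LEN;
  for (i = 0; i < len; i++) {
    char c = sig[i];
    if (c == '(' || c == '{') {
      if (depth == MAX_DEPTH)
        return (int)i;                 /* nested too deeply */
      stack[depth++] = c;
    } else if (c == ')' || c == '}') {
      char want = (c == ')') ? '(' : '{';
      if (depth == 0 || stack[depth - 1] != want)
        return (int)i;                 /* closes the wrong container */
      depth--;
    }
  }
  return depth == 0 ? -1 : (int)len;   /* something was left open */
}
```

Both signatures quoted in the commit message, `a{i(u}` and `(a{ii)}`, fail at offset 5, while `counters_balance` accepts the second one.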

2 years ago dbus: fix 64-bit compiler warnings 24/278524/1 accepted/tizen_7.0_unified_hotfix tizen_7.0_hotfix accepted/tizen/7.0/unified/20221110.061519 accepted/tizen/7.0/unified/hotfix/20221116.110704 accepted/tizen/unified/20220722.031020 submit/tizen/20220721.133433 tizen_7.0_m2_release
Gaurav Gupta [Tue, 19 Jul 2022 06:10:34 +0000 (11:40 +0530)]
dbus: fix 64-bit compiler warnings

Fix 64-bit compiler warnings.

Change-Id: I799a07c197a95d80a4fb33998ca113533ac4a54e
Signed-off-by: Gaurav Gupta <g.gupta@samsung.com>

2 years ago bus/policy: separate prefix rules in default context 94/274494/1 accepted/tizen/unified/20220526.144439 submit/tizen/20220502.052537 submit/tizen/20220525.001052
Adrian Szyndela [Fri, 29 Apr 2022 06:58:42 +0000 (08:58 +0200)]
bus/policy: separate prefix rules in default context

To handle prefix rules stored with all other rules in the default context
we need to match each prefix of each name against policy rules.
That's because names are looked up in the hash tables, so we can
miss a prefix rule for a prefix of the name.

However, if prefix rules are separated from non-prefix rules, we
can simply check them all once for each name, and also check hash tables once
for each name.

This is what this commit changes. It separates prefix rules
from non-prefix rules, and handles them in sequence.

This gives a little boost, especially if there are no prefix rules.

Change-Id: Ifade906d35af96a973920ce9c2f6065f5b9b549e

2 years ago bus/policy: fix obvious mistake send->receive 15/273015/1
Adrian Szyndela [Tue, 29 Mar 2022 14:03:45 +0000 (16:03 +0200)]
bus/policy: fix obvious mistake send->receive

Fortunately, the bit fields are at the exact same position,
in the union, so it worked so far...

Change-Id: Iaad9589dfc0f4f7e6a0f4ef4767a600f4cf2f54a

2 years ago GVariant: reuse existing init function 84/267684/2
Adrian Szyndela [Wed, 8 Dec 2021 14:57:01 +0000 (15:57 +0100)]
GVariant: reuse existing init function

Reuse existing reader initialization function instead
of inventing new code for the same purpose.

Change-Id: If9cee9c565134c774c1f0efc0aaef661fde28f6c

2 years ago GVariant: fix dbus_message_copy() 93/266093/2 accepted/tizen/unified/20211116.130508 submit/tizen/20211110.015122 submit/tizen/20211115.094939
Adrian Szyndela [Fri, 5 Nov 2021 11:28:29 +0000 (12:28 +0100)]
GVariant: fix dbus_message_copy()

dbus_message_copy() did not take into account differences
between locked and unlocked GVariant messages.

This commit adds support for converting from locked to unlocked
GVariant message when a copy is made.

Additionally:
- it fixes initialization of the read iterator for unlocked messages;
- locking or warning on such initialization is no longer needed.

Change-Id: I4d316e1b1ae4e9af194ddc329833147c8c6a8055

3 years ago Minor fix for the license of tests package 21/265321/1 accepted/tizen/unified/20211108.181413 submit/tizen/20211103.072537 submit/tizen/20211104.092607 submit/tizen_base/20211104.091630
Hyotaek Shim [Fri, 15 Oct 2021 02:14:09 +0000 (11:14 +0900)]
Minor fix for the license of tests package

Change-Id: I35bc2c2df48fbfdf35a9c275825d7faaf5255547
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

3 years ago Clarify license declaration 89/265089/5
Hyotaek Shim [Fri, 8 Oct 2021 11:31:08 +0000 (20:31 +0900)]
Clarify license declaration

Tizen uses D-Bus under the Academic Free License version 2.1 by default.
For the avoidance of doubt, except that if any license choice other than
GPL or LGPL is available it will apply instead, Tizen elects to use only
the GPL version 2 for any process, program, modules, etc.,
where the license of it is GPL version 2 or later version.

Change-Id: I2096cf4fa1947be8b18414b51af27b1ac9fc02b0
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

3 years ago kdbus: add memfd_create() syscall number for aarch64 75/264875/1 submit/tizen/20211001.142833
Adrian Szyndela [Fri, 1 Oct 2021 10:49:48 +0000 (12:49 +0200)]
kdbus: add memfd_create() syscall number for aarch64

Citing Lukasz Stelmach <l.stelmach@samsung.com>:

> The number of the memfd_syscall() on arm64 is the same as on arm only
> for 32-bit processes. 64-bit process must use the number defined in the
> asm-generic/unistd.h kernel header.

Additionally, made other numbers same as in glib.

Change-Id: Ibb038d5d0de13f8a7b88051364564c541ca0fa9a

3 years ago Remove dbus.conf when installing extension-kdbus 13/264313/2 accepted/tizen/6.5/unified/20211028.225808 accepted/tizen/unified/20210916.023815 submit/tizen/20210916.013904 submit/tizen/20210916.015938 submit/tizen_6.5/20211028.163301 tizen_6.5.m2_release
Youngjae Cho [Thu, 16 Sep 2021 01:16:36 +0000 (10:16 +0900)]
Remove dbus.conf when installing extension-kdbus

Prevent system reboot by resourced vip due to absence of dbus-daemon
when dbus-libs-extension-kdbus package had been installed.

Change-Id: I5264b9e87f04f5a1e55abe401a62c6afccef78e4
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

3 years ago dbus: add vip configuration 42/263442/5 accepted/tizen/unified/20210914.084929 submit/tizen/20210913.042525
Youngjae Cho [Thu, 2 Sep 2021 09:14:48 +0000 (18:14 +0900)]
dbus: add vip configuration

Change-Id: I02c9d76cce2f1587add8ad6a48551cf67b3dbe73
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

3 years ago dbus-daemon: send signals on connection overflow 88/257988/3 accepted/tizen/unified/20210531.130419 submit/tizen/20210524.120505
Adrian Szyndela [Fri, 7 May 2021 09:13:26 +0000 (11:13 +0200)]
dbus-daemon: send signals on connection overflow

Change-Id: I4f0e78fe9ad8c63da7256f2dadae2029eb534004

3 years ago bus: add ConnectionOverflow signal API 87/257987/2
Adrian Szyndela [Wed, 5 May 2021 12:40:41 +0000 (14:40 +0200)]
bus: add ConnectionOverflow signal API

Change-Id: Iea17de732637ea990944cb63d1ef7a1a4bc4b1b8

3 years ago dbus: prepare API for checking transport overflow 86/257986/2
Adrian Szyndela [Thu, 29 Apr 2021 12:48:57 +0000 (14:48 +0200)]
dbus: prepare API for checking transport overflow

Add API for checking transport overflow and implementation
of transport overflow indicator for socket transport.
Other transports always show "no overflow" for now.

Change-Id: I5169403c4548bdaeb9b08e909a45f9299e146e5d

3 years ago Fix build errors for --disable-cynara 84/250284/1 accepted/tizen/unified/20201224.151524 submit/tizen/20201223.062745
Hyotaek Shim [Wed, 23 Dec 2020 06:20:21 +0000 (15:20 +0900)]
Fix build errors for --disable-cynara

Change-Id: I20b221b16212f4b0cdb83eca52c0a37048ce7ed7
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

3 years ago Revert "Add Requires=local-fs.target and After=local-fs.target to dbus.service" 38/247838/2 accepted/tizen/unified/20201118.123917 submit/tizen/20201117.100830
Hyotaek Shim [Tue, 17 Nov 2020 09:53:51 +0000 (09:53 +0000)]
Revert "Add Requires=local-fs.target and After=local-fs.target to dbus.service"

This reverts commit a346f90f4a8d8f07a17f67ac2a240f78e26bf433.

Change-Id: I819f1bc03da7a137feda66938502cc7f357275dd

3 years ago Merge "Merge '1.12.20' into tizen" into tizen
Hyotaek Shim [Wed, 4 Nov 2020 08:21:43 +0000 (08:21 +0000)]
Merge "Merge '1.12.20' into tizen" into tizen

4 years ago Add Requires=local-fs.target and After=local-fs.target to dbus.service 32/245432/1 accepted/tizen/unified/20201105.124409 submit/tizen/20201104.052319
INSUN PYO [Thu, 8 Oct 2020 11:14:48 +0000 (20:14 +0900)]
Add Requires=local-fs.target and After=local-fs.target to dbus.service

Those dependencies prevent dbus.service from running in emergency mode,
because local-fs.target always fails in emergency mode.

Change-Id: Id5c13ce5eca21ae5cdcbacfa842a365eb7fc766b

4 years ago Merge '1.12.20' into tizen 71/244971/1
Adrian Szyndela [Mon, 28 Sep 2020 11:52:20 +0000 (13:52 +0200)]
Merge '1.12.20' into tizen

Change-Id: I69124bb712d62976218715a4d88db6196397a0fb

4 years ago Bump to 1.12.20 upgrade-to-1.12.20
Adrian Szyndela [Mon, 28 Sep 2020 06:33:11 +0000 (08:33 +0200)]
Bump to 1.12.20

Change-Id: Ic0987a6ccdd46539d62483481361e7efdcf03444

4 years ago Merge 'dbus-1.12.20' into tizen
Adrian Szyndela [Fri, 25 Sep 2020 13:55:03 +0000 (15:55 +0200)]
Merge 'dbus-1.12.20' into tizen

dbus-1.12.20

Change-Id: I8b3a9e851dca1d42a5785fa94c97f5e9074cac35

4 years ago BUS_RESULT: fix missed changes of TRUE/FALSE to BUS_RESULT 79/244879/1 accepted/tizen_6.0_unified_hotfix tizen_6.0_hotfix accepted/tizen/6.0/unified/hotfix/20201103.000322 accepted/tizen/unified/20200928.072833 submit/tizen/20200925.142828 submit/tizen_6.0/20201029.205501 submit/tizen_6.0_hotfix/20201102.192901 submit/tizen_6.0_hotfix/20201103.115101 tizen_6.0.m2_release
Adrian Szyndela [Fri, 25 Sep 2020 09:27:12 +0000 (11:27 +0200)]
BUS_RESULT: fix missed changes of TRUE/FALSE to BUS_RESULT

The Tizen's branch code that added Cynara integration had changed
return types in some functions from dbus_bool_t to BusResult. The code
from upstream master branch uses dbus_bool_t. While merging recent
changes from the upstream, there were some parts that were merged
without changing TRUE/FALSE to BUS_RESULT_* or with checking conditions
as bool values instead of checking the enum.

The above, and the fact that TRUE==1, FALSE==0, BUS_RESULT_TRUE==0,
BUS_RESULT_FALSE==1 has led to aborting on asserts, when enabled.
This could also lead to issues with activation.

This commit fixes the TRUE/FALSE handling where needed.

Change-Id: I6cbf1aa0b43699464c9214b50fd8bb23a84709e8

4 years ago policy: take proper eavesdropping value in verbose mode 78/244878/1
Adrian Szyndela [Thu, 24 Sep 2020 05:54:59 +0000 (07:54 +0200)]
policy: take proper eavesdropping value in verbose mode

Change-Id: I5a5893d56c1d4fd98d3dc807319c73c9791dff6a

4 years ago bus/connection: don't check cmdline in session dbus-daemon 65/244465/2 accepted/tizen/unified/20200922.090815 submit/tizen/20200921.022732
Adrian Szyndela [Fri, 18 Sep 2020 12:50:10 +0000 (14:50 +0200)]
bus/connection: don't check cmdline in session dbus-daemon

Session dbus-daemon may have no rights to look into cmdline in /proc.
In such cases logs are cluttered with access denied.

This commit disables checking cmdline for session dbus-daemon.

(Before)
May 21 08:13:06 localhost dbus-daemon[676]: [session uid=5001 pid=676] Rejected send message, 1 matched rules; type="method_call", send
er=":1.33" (uid=5001 pid=1090 comm="/usr/apps/org.tizen.multi-assistant-service/bin/or" label="User::Pkg::org.tizen.multi-assistant-ser
vice") interface="org.freedesktop.DBus" member="RequestName" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus
" privilege="(n/a)" (bus) rule(<deny send_type="method_call" />)

(After)
May 21 08:21:55 localhost dbus-daemon[678]: [session uid=5001 pid=678] Rejected send message, 1 matched rules; type="method_call", send
er=":1.33" (uid=5001 pid=1110 comm="<not-read>" label="User::Pkg::org.tizen.multi-assistant-service") interface="org.freedesktop.DBus"
member="RequestName" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" privilege="(n/a)" (bus) rule(<deny sen
d_type="method_call" />)

Change-Id: I15c3b9b2a5675546b6adb3b1521e790088bd8f85
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

4 years ago bus: initialize can_send_result 58/244358/1 submit/tizen/20200918.070747
Adrian Szyndela [Thu, 17 Sep 2020 14:08:22 +0000 (16:08 +0200)]
bus: initialize can_send_result

can_send_result may be uninitialized for cases with no send_policy.

Change-Id: I0f490c3c6920df525f5583b421162f7f33b8cb68

4 years ago check: remove 'return sth' from void function 57/244357/1
Adrian Szyndela [Thu, 17 Sep 2020 14:07:17 +0000 (16:07 +0200)]
check: remove 'return sth' from void function

Change-Id: I362319c7de7ac38f68595202efe8fb2b3c5a3389

4 years ago cynara integration: check policy right away for both send and receive 10/244110/2
Adrian Szyndela [Mon, 14 Sep 2020 11:06:02 +0000 (13:06 +0200)]
cynara integration: check policy right away for both send and receive

Check policy at moments, when sender is still present, so the policy
can be checked for both sender and receiver.

This way only potential waiting for cynara check is left with no need
to access any connection data.

Change-Id: I6544740c6e31dee286261fe3cddb3f692c669c4d

4 years ago cynara integration: create deferred message only when it's not already created 09/244109/1
Adrian Szyndela [Mon, 7 Sep 2020 12:54:34 +0000 (14:54 +0200)]
cynara integration: create deferred message only when it's not already created

This will allow altering existing deferred messages, enabling
concurrent asynchronous cynara checks for SEND and RECEIVE.

Change-Id: I1f31c173e4229661bca9f14ecaa158ee67342db4

4 years ago cynara integration: initialize deferred_messages 08/244108/1
Adrian Szyndela [Mon, 7 Sep 2020 11:10:11 +0000 (13:10 +0200)]
cynara integration: initialize deferred_messages

Initialize deferred messages in order to be able to alter them
on concurrent Cynara calls. This way we'll be able to run
both asynchronous requests for SEND and RECEIVE, if needed.

Change-Id: I060969ad5645c6a1d72f1c91edb46ecc3217ef79

4 years ago policy: bugfix -> get const data instead non-const 07/244107/1
Adrian Szyndela [Mon, 14 Sep 2020 11:04:25 +0000 (13:04 +0200)]
policy: bugfix -> get const data instead non-const

Get const data instead of non-const data for constant strings.
It triggered asserts when they are enabled, although the underlying
production code is the same.

Change-Id: Ic7102b6601ca168e6bf5f6902988a06c6ab76f03

4 years ago Added a check to avoid integer underflow. 41/242041/2 accepted/tizen/unified/20200907.023444 submit/tizen/20200827.104709 submit/tizen/20200903.044811
DEEPAK SINGH [Fri, 14 Aug 2020 10:03:57 +0000 (15:33 +0530)]
Added a check to avoid integer underflow.

Change-Id: I68962e09d1c2c8ef367a4766c23e7b15cf1e6dc1
Signed-off-by: Deepak Singh <deepak.sn@samsung.com>

4 years ago bus/connection: Add assert to BUS_CONNECTION_DATA 08/242208/2
INSUN PYO [Tue, 25 Aug 2020 04:25:49 +0000 (13:25 +0900)]
bus/connection: Add assert to BUS_CONNECTION_DATA

Change-Id: Ie56e99fc5c8038863b69b350128f2d6eef1acc6a

4 years ago spec: change system bus socket location: /var/run/dbus/system_bus_socket → /run/dbus... 05/240305/1 accepted/tizen/unified/20200819.122321 submit/tizen/20200812.075733
INSUN PYO [Wed, 5 Aug 2020 07:10:56 +0000 (16:10 +0900)]
spec: change system bus socket location: /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket

Journal Log
 - Jan 01 09:11:45 localhost systemd[1]: /usr/lib/systemd/system/dbus.socket:8: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly

Change-Id: Idf5d68e791efc70ef324a0ba50807a5512815ac7
Ref: https://gitlab.freedesktop.org/dbus/dbus/-/issues/180

4 years ago Revert "tizen: notify service readyness after successful config file parsing" 85/240285/1 accepted/tizen/unified/20200806.062507 submit/tizen/20200805.062948
INSUN PYO [Wed, 5 Aug 2020 05:33:19 +0000 (14:33 +0900)]
Revert "tizen: notify service readyness after successful config file parsing"

This reverts commit bbacc6024e474f4e7dd1387618209cab9524a95c.

 - security-manager's nss plugin removed the dependency with security-manager service.
 - So, deadlock is removed.

Change-Id: I047da2ae670f59a6dcac9f58877c49f77bb25c7f

4 years ago Remove unused license file, COPYING 57/240257/1 accepted/tizen/unified/20200805.122533 submit/tizen/20200805.013704
Hyotaek Shim [Wed, 5 Aug 2020 01:34:27 +0000 (10:34 +0900)]
Remove unused license file, COPYING

Change-Id: Ie3e28ff56652ee454ad1f7362a93fec0973af0f6
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

4 years ago packaging: Cleanup license definitions 40/240240/1
Karol Lewandowski [Tue, 4 Aug 2020 16:30:39 +0000 (18:30 +0200)]
packaging: Cleanup license definitions

State clearly that libdbus and dbus-daemon are distributed under AFL-2.1
license in Tizen (including kdbus support).

The tools that are in "dbus" package are under various licenses so all
are listed.

Change-Id: Ibfc3731e1e4bc0f59d9eae198ecc453fb9bea180

4 years ago Remove unnecessary build dependency to libzio 07/237807/1 accepted/tizen/unified/20200707.140952 submit/tizen/20200706.011908 submit/tizen/20200706.012823
Hyotaek Shim [Mon, 6 Jul 2020 01:18:32 +0000 (10:18 +0900)]
Remove unnecessary build dependency to libzio

Change-Id: I7c9f8584c81602c773c342360dc12621c3e6b760
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

4 years ago v1.12.20 dbus-1.12.20
Simon McVittie [Thu, 2 Jul 2020 10:10:00 +0000 (11:10 +0100)]
v1.12.20

Signed-off-by: Simon McVittie <smcv@collabora.com>

4 years ago Update NEWS
Simon McVittie [Thu, 2 Jul 2020 09:25:04 +0000 (10:25 +0100)]
Update NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>

4 years ago userdb: Reference-count DBusUserInfo, DBusGroupInfo
Simon McVittie [Tue, 30 Jun 2020 18:29:06 +0000 (19:29 +0100)]
userdb: Reference-count DBusUserInfo, DBusGroupInfo

Previously, the hash table indexed by uid (or gid) took ownership of the
single reference to the heap-allocated struct, and the hash table
indexed by username (or group name) had a borrowed pointer to the same
struct that exists in the other hash table.

However, this can break down if you have two or more distinct usernames
that share a numeric identifier. This is generally a bad idea, because
the user-space model in such situations does not match the kernel-space
reality, and in particular there is no effective kernel-level security
boundary between such users, but it is sometimes done anyway.

In this case, when the second username is looked up in the userdb, it
overwrites (replaces) the entry in the hash table that is indexed by
uid, freeing the DBusUserInfo. This results in both the key and the
value in the hash table that is indexed by username becoming dangling
pointers (use-after-free), leading to undefined behaviour, which is
certainly not what we want to see when doing access control.

An equivalent situation can occur with groups, in the rare case where
a numeric group ID has two names (although I have not heard of this
being done in practice).

Solve this by reference-counting the data structure. There are up to
three references in practice: one held temporarily while the lookup
function is populating and storing it, one held by the hash table that
is indexed by uid, and one held by the hash table that is indexed by
name.

Closes: dbus#305
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 2b7948ef907669e844b52c4fa2268d6e3162a70c)

4 years ago userdb: Make lookups return a const pointer
Simon McVittie [Tue, 30 Jun 2020 18:13:17 +0000 (19:13 +0100)]
userdb: Make lookups return a const pointer

This makes it more obvious that the returned pointer points to a
struct owned by the userdb, which must not be freed or have its
contents modified, and is only valid to dereference until the next
modification to the userdb's underlying hash tables (which in practice
means until the lock is released, because after that we have no
guarantees about what might be going on in another thread).

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 6ee66ff7bcc91803111d950512f02651e664f74f)

4 years ago Solaris and derivatives do not adjust cmsg_len on MSG_CTRUNC
Andy Fiddaman [Fri, 12 Jun 2020 12:32:20 +0000 (12:32 +0000)]
Solaris and derivatives do not adjust cmsg_len on MSG_CTRUNC

(cherry picked from commit b96ef23e406baa08648339a53b0161fc80de7ce4)

4 years ago bus/policy: activation: check target name 98/235398/2 accepted/tizen/unified/20200605.020519 submit/tizen/20200604.095417 submit/tizen/20200604.233300 submit/tizen/20200605.005713
Adrian Szyndela [Thu, 4 Jun 2020 07:24:01 +0000 (09:24 +0200)]
bus/policy: activation: check target name

Check target name taken from message instead of org.freedesktop.DBus in case
of no peer available. This is the case when activation is happening.

Change-Id: I181edbb28a1b26ed79552bb6df8b00892d2ceac8

4 years ago Start 1.12.20 development
Simon McVittie [Tue, 2 Jun 2020 19:57:39 +0000 (20:57 +0100)]
Start 1.12.20 development

Signed-off-by: Simon McVittie <smcv@collabora.com>

4 years ago Prepare 1.12.18
Simon McVittie [Tue, 2 Jun 2020 11:18:39 +0000 (12:18 +0100)]
Prepare 1.12.18

Signed-off-by: Simon McVittie <smcv@collabora.com>

4 years ago fdpass test: Assert that we don't leak file descriptors
Simon McVittie [Thu, 16 Apr 2020 13:41:48 +0000 (14:41 +0100)]
fdpass test: Assert that we don't leak file descriptors

This version is for the dbus-1.12 branch, and doesn't rely on dbus!153
or dbus!120.

Reproduces: dbus#294
Reproduces: CVE-2020-12049
Reproduces: GHSL-2020-057
Signed-off-by: Simon McVittie <smcv@collabora.com>

4 years ago sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
Simon McVittie [Thu, 16 Apr 2020 13:45:11 +0000 (14:45 +0100)]
sysdeps-unix: On MSG_CTRUNC, close the fds we did receive

MSG_CTRUNC indicates that we have received fewer fds than we should
have done because the buffer was too small, but we were treating it
as though it indicated that we received *no* fds. If we received any,
we still have to make sure we close them, otherwise they will be leaked.

On the system bus, if an attacker can induce us to leak fds in this
way, that's a local denial of service via resource exhaustion.

Reported-by: Kevin Backhouse, GitHub Security Lab
Fixes: dbus#294
Fixes: CVE-2020-12049
Fixes: GHSL-2020-057
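
The failure mode from this commit message, as an added example (not code from the commit or from dbus): a `recvmsg()` wrapper that closes the descriptors it did receive when `MSG_CTRUNC` is set, with a switch to reproduce the leak for comparison. `recv_with_fds`, `leaked_fds_after_truncation`, `MAX_FDS` and the `ENOSPC` error code are assumptions of this example; it assumes Linux behaviour, where a too-small control buffer delivers as many descriptors as fit.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define MAX_FDS 16  /* capacity chosen for this example */

typedef union {
  struct cmsghdr align;  /* gives buf the alignment of a cmsghdr */
  char buf[CMSG_SPACE(sizeof(int) * MAX_FDS)];
} CtlBuf;

/* Read data plus up to max_fds descriptors. MSG_CTRUNC makes the call fail
 * with ENOSPC. Descriptors that did arrive are closed first, unless
 * close_on_ctrunc is 0, which reproduces the leak the commit describes. */
ssize_t recv_with_fds(int sock, void *data, size_t len, int *fds,
                      size_t max_fds, size_t *n_fds, int close_on_ctrunc)
{
  CtlBuf ctl;
  size_t cap = CMSG_SPACE(sizeof(int) * max_fds), i;
  struct iovec iov = { data, len };
  struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = ctl.buf, .msg_controllen = cap };
  struct cmsghdr *cm;
  ssize_t got;

  *n_fds = 0;
  if (max_fds > MAX_FDS) { errno = EINVAL; return -1; }
  memset(&ctl, 0, sizeof ctl);
  if ((got = recvmsg(sock, &msg, 0)) < 0) return -1;
  for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
    size_t room, payload, count;
    if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) continue;
    if (cm->cmsg_len < CMSG_LEN(0)) continue;
    /* Clamp to the buffer we supplied rather than trusting cmsg_len. */
    room = (size_t)(ctl.buf + cap - (char *)CMSG_DATA(cm));
    payload = cm->cmsg_len - CMSG_LEN(0);
    if (payload > room) payload = room;
    count = payload / sizeof(int);
    if (count > max_fds - *n_fds) count = max_fds - *n_fds;
    memcpy(fds + *n_fds, CMSG_DATA(cm), count * sizeof(int));
    *n_fds += count;
  }
  if (msg.msg_flags & MSG_CTRUNC) {
    /* Truncated: some descriptors were delivered and are now open here. */
    if (close_on_ctrunc) {
      for (i = 0; i < *n_fds; i++) close(fds[i]);
      *n_fds = 0;
    }
    errno = ENOSPC;
    return -1;
  }
  return got;
}

/* Helper for the demonstration: send one byte with n descriptors attached. */
static int send_fds(int sock, const int *fds, size_t n)
{
  CtlBuf ctl;
  char byte = 'x';
  struct iovec iov = { &byte, 1 };
  struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctl.buf,
                        .msg_controllen = CMSG_SPACE(sizeof(int) * n) };
  struct cmsghdr *cm;

  if (n == 0 || n > MAX_FDS) return -1;
  memset(&ctl, 0, sizeof ctl);
  cm = CMSG_FIRSTHDR(&msg);
  cm->cmsg_level = SOL_SOCKET;
  cm->cmsg_type = SCM_RIGHTS;
  cm->cmsg_len = CMSG_LEN(sizeof(int) * n);
  memcpy(CMSG_DATA(cm), fds, sizeof(int) * n);
  return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

static int count_open_fds(void)
{
  int fd, n = 0;
  for (fd = 0; fd < 1024; fd++) n += (fcntl(fd, F_GETFD) != -1);
  return n;
}

/* Send 4 descriptors to a receiver with room for 2; return how many extra
 * descriptors are open in this process afterwards (-1 on setup error). */
int leaked_fds_after_truncation(int close_on_ctrunc)
{
  int sv[2], p[2], out[4], in[2], before, leaked = -1;
  size_t n = 0, i;
  char byte;

  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
  if (pipe(p) != 0) { close(sv[0]); close(sv[1]); return -1; }
  out[0] = out[2] = p[0]; out[1] = out[3] = p[1];
  before = count_open_fds();
  if (send_fds(sv[0], out, 4) == 0 &&
      recv_with_fds(sv[1], &byte, 1, in, 2, &n, close_on_ctrunc) == -1)
    leaked = count_open_fds() - before;
  for (i = 0; i < n; i++) close(in[i]);  /* tidy up after measuring */
  close(p[0]); close(p[1]); close(sv[0]); close(sv[1]);
  return leaked;
}
```

`leaked_fds_after_truncation(0)` reports the descriptors left open by a receiver that treats truncation as "no fds received"; with `close_on_ctrunc` set the count is zero.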

4 years ago bus/policy: use hash tables for checking policy 93/234093/2 accepted/tizen/unified/20200602.133244 submit/tizen/20200601.123056
Adrian Szyndela [Thu, 21 May 2020 08:32:19 +0000 (10:32 +0200)]
bus/policy: use hash tables for checking policy

Only for send/receive/own rules in default context.

Change-Id: Iabbbfa5d582f9993b832f49193da93225c645014

4 years ago bus/connection: API for getting list of names from connections 92/234092/2
Adrian Szyndela [Wed, 13 May 2020 13:21:53 +0000 (15:21 +0200)]
bus/connection: API for getting list of names from connections

Change-Id: I2854f6cc51b26ff04a9984778f899ba9656ba290

4 years ago bus/policy: direct checking of policy, without copies 91/234091/2
Adrian Szyndela [Wed, 20 May 2020 13:09:21 +0000 (15:09 +0200)]
bus/policy: direct checking of policy, without copies

Change-Id: I42926c107aae0be1a1247a61f3558122b07f9914

4 years ago bus/policy: generalized policy checking process 90/234090/2
Adrian Szyndela [Wed, 20 May 2020 13:01:22 +0000 (15:01 +0200)]
bus/policy: generalized policy checking process

Change-Id: I573ddbc7e64bef38ed7517644bd842728e14679b

4 years ago bus/policy: reduce warnings by adding default cases 89/234089/2
Adrian Szyndela [Wed, 20 May 2020 12:29:17 +0000 (14:29 +0200)]
bus/policy: reduce warnings by adding default cases

Change-Id: I6267b3c7cc6fead8c4dd37967c122e1597239ebf

4 years ago bus/policy: reduce number of params in check_ functions 88/234088/2
Adrian Szyndela [Wed, 20 May 2020 12:17:33 +0000 (14:17 +0200)]
bus/policy: reduce number of params in check_ functions

No functional changes, just packed arguments to structs.

Change-Id: I0e5a22a208ba7085727e617c52cd061c39524967

4 years ago bus/policy: extract check_* functions 87/234087/2
Adrian Szyndela [Wed, 20 May 2020 12:03:10 +0000 (14:03 +0200)]
bus/policy: extract check_* functions

No functional changes, just moving code around.

This extracts check_send_rule, check_receive_rule,
and check_own_rule from their own respective
bus_client_policy_can_check_* functions.

Change-Id: Ice4b2b96054b33a376bc3f48df29447747e7980e

4 years ago bus/policy: remove optimization 86/234086/2
Adrian Szyndela [Fri, 17 Apr 2020 08:37:06 +0000 (10:37 +0200)]
bus/policy: remove optimization

This removes optimization, because in subsequent commits
we're going to apply:
* direct checking of policy
* hash tables instead of lists.

Change-Id: I6de32c4a29bac1d185f76eb88b22198c9ea22413

4 years ago bus/policy: make local functions static 85/234085/2
Adrian Szyndela [Fri, 17 Apr 2020 08:25:25 +0000 (10:25 +0200)]
bus/policy: make local functions static

Change-Id: Ideba1fea470bc0d38c04f428b23270fe6176ac95

4 years ago Stats: Add field PendingReplies 99/233899/10
sanghyeok.oh [Wed, 20 May 2020 07:32:23 +0000 (16:32 +0900)]
Stats: Add field PendingReplies

Pending replies will increase
1) if a client sends lots of messages to a destination at once
2) if a server eats incoming messages (no reply).

In case of 2) dbus-daemon still has pending information.
With default bus context option (reply_timeout=-1) it is never freed.

Assuming 2) happened repeatedly, it is hard to detect until it
exceeds the maximum pending replies limit, because dbus-daemon prints warning messages
only if pending replies are over the bus limit (default 1024 for system bus).

Change-Id: Iee0515fac68af7586547cc5ef5e6fa73d388a312
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>

4 years ago Coverity fix 61/232161/2
sanghyeok.oh [Wed, 29 Apr 2020 00:10:37 +0000 (09:10 +0900)]
Coverity fix

Change-Id: I57c318bdf8a0e2d8d731c002185946930392718e

4 years ago Update NEWS
Simon McVittie [Fri, 15 May 2020 10:24:14 +0000 (11:24 +0100)]
Update NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>

4 years ago dbus-daemon test: Don't test fd limits if in an unprivileged container
Simon McVittie [Tue, 4 Dec 2018 12:09:26 +0000 (12:09 +0000)]
dbus-daemon test: Don't test fd limits if in an unprivileged container

In an unprivileged container, uid 0 doesn't have CAP_SYS_RESOURCE, so
we can't expect the dbus-daemon to be able to escalate its fd limit.

This can be reproduced using bubblewrap:

    sudo bwrap \
        --cap-drop CAP_SYS_RESOURCE \
        --ro-bind / / \
        --dev /dev \
    env \
        DBUS_TEST_DAEMON=.../bus/dbus-daemon \
        DBUS_TEST_DATA=.../test/data \
    .../test/test-dbus-daemon \
        -p /fd-limit \
        --verbose

Bug-Debian: https://bugs.debian.org/908092

4 years ago Update NEWS
Simon McVittie [Mon, 20 Apr 2020 19:40:02 +0000 (20:40 +0100)]
Update NEWS

4 years ago doxygen: fix example for dbus_message_append_args
Felipe Franciosi [Mon, 23 Sep 2019 12:22:32 +0000 (13:22 +0100)]
doxygen: fix example for dbus_message_append_args

Commit 724adb2f6 mangled the dbus_message_append_args() code example.
This fixes it by breaking the lines and aligning at the right places.

Signed-off-by: Felipe Franciosi <felipe@nutanix.com>

4 years ago Update NEWS
Simon McVittie [Mon, 20 Apr 2020 19:05:28 +0000 (20:05 +0100)]
Update NEWS

4 years ago cmake: Add X11 include path for tools
Tuomo Rinne [Wed, 22 Jan 2020 21:31:15 +0000 (21:31 +0000)]
cmake: Add X11 include path for tools

Fixes compilation issues for case when X11 is not in a standard location

4 years ago doc: replace dbus-send's --address with --peer and --bus
Christopher Morin [Wed, 3 Jul 2019 08:28:29 +0000 (08:28 +0000)]
doc: replace dbus-send's --address with --peer and --bus

See merge request dbus/dbus!115

(cherry picked from commit fd41caa3664d480605628f08c217581bc42fa3e7)

4 years ago Update NEWS
Simon McVittie [Mon, 20 Apr 2020 18:28:16 +0000 (19:28 +0100)]
Update NEWS

4 years ago dbus-message: bring back the original layout of DBusMessageIter 35/231235/3 accepted/tizen/unified/20200421.051607 submit/tizen/20200420.123023 submit/tizen/20200420.213220
Adrian Szyndela [Mon, 20 Apr 2020 09:35:42 +0000 (11:35 +0200)]
dbus-message: bring back the original layout of DBusMessageIter

The layout introduced with GVariant was kind of mimicking
the real structure, as opposed to the original layout, which
was taking into account only total sizes.

Dbus-1.10.8 introduced some static assertions for the properties of
DBusMessageIter. These are incompatible with the "GVariant" layout.

Moreover, they show that the "GVariant" layout could be prone to
the copying, that could omit some fields or parts of fields, due
to its not "packed" structure.

This commit brings back the original layout, with modifications
suited for GVariant-sized DBusMessageRealIter.

As an additional feature - this should fix compilation for 64-bit
architectures.

Change-Id: Ie1cac3748d408c22acf177ede5fb9e4e29818c9b

4 years ago spec: fix dbus.conf paths in files section 47/231247/1
Adrian Szyndela [Mon, 20 Apr 2020 11:44:16 +0000 (13:44 +0200)]
spec: fix dbus.conf paths in files section

The two files: sysusers.d/dbus.conf and tmpfiles.d/dbus.conf
are always installed into {%_prefix}/lib, even if libdir is %{_prefix}/lib64
or %{_prefix}/lib/x86_86-linux-gnu or %{_prefix}/what/ever.

This commit fixes spec file to package the files from %{_prefix}/lib
instead of %{_libdir}.

Change-Id: I1f3a99f04c4bc880a9e38f77c112acdb61bbd4ad

4 years ago Merge dbus-1.12.16 into tizen 87/230987/1 submit/tizen/20200417.133959
Adrian Szyndela [Thu, 16 Apr 2020 10:36:37 +0000 (12:36 +0200)]
Merge dbus-1.12.16 into tizen

Change-Id: Ie55319b9a3075a1f1f12afadecc6c06c39e3dd3b

4 years ago activation: fix indentation upgrade-to-1.12.16
Adrian Szyndela [Tue, 7 Apr 2020 15:19:58 +0000 (17:19 +0200)]
activation: fix indentation

4 years ago dbus-transport: stop using orig_len outside its context
Adrian Szyndela [Tue, 7 Apr 2020 07:05:04 +0000 (09:05 +0200)]
dbus-transport: stop using orig_len outside its context

4 years ago packaging: update packaging for dbus-1.12.16
Adrian Szyndela [Tue, 7 Apr 2020 06:37:34 +0000 (08:37 +0200)]
packaging: update packaging for dbus-1.12.16

- spec: drop deprecated option --with-init-scripts
- spec: package new, installed files
- spec: acknowledge removing of dbus.socket from dbus.target.wants
- spec: add autoconf-archive build dependency
- acknowledge renaming HACKING to CONTRIBUTING.md
- spec: bump version to 1.12.16

4 years ago Merge dbus-1.12.16 into tizen
Adrian Szyndela [Tue, 7 Apr 2020 06:00:23 +0000 (08:00 +0200)]
Merge dbus-1.12.16 into tizen

dbus 1.12.16

4 years ago Revert "Add dependency to security-manager.socket" 09/229109/1 accepted/tizen/unified/20200406.133221 submit/tizen/20200402.112144
INSUN PYO [Mon, 30 Mar 2020 01:45:41 +0000 (10:45 +0900)]
Revert "Add dependency to security-manager.socket"

This reverts commit 8d7fa32af68f2ba1f5da3494ce6d50e8e7c2c034.

Change-Id: Iaf3890e804b87b7c6751237e0ef93b3ad5db9ceb

4 years ago Revert "Remove DefaultDependencies=no from dbus.socket" 52/228752/2
INSUN PYO [Wed, 25 Mar 2020 07:42:30 +0000 (07:42 +0000)]
Revert "Remove DefaultDependencies=no from dbus.socket"

This reverts commit 873bad7e9515fbafb8682fa6cdadfee629762e0d.

Change-Id: I642e8ca08d551320b56d97e682c969689640700f

4 years ago policy: print policy denied complaint log for signal broadcasting 85/227485/1
sanghyeok.oh [Thu, 12 Mar 2020 06:13:44 +0000 (15:13 +0900)]
policy: print policy denied complaint log for signal broadcasting

Debugging is difficult due to lack of error information:
When the broadcast signal is blocked by dbus policy,
unlike other types of dbus messages,
dbus-daemon does not print any error logs,
it just passes an error message to the bus monitor.

Change-Id: I9c6c55530d64451403664ea1eee4b703360691eb

4 years ago Merge branch 'cherry-pick-b034b83b' into 'dbus-1.12'
Simon McVittie [Tue, 25 Feb 2020 12:59:48 +0000 (12:59 +0000)]
Merge branch 'cherry-pick-b034b83b' into 'dbus-1.12'

[1.12] bus: Don't explicitly clear BusConnections.monitors

See merge request dbus/dbus!142

4 years ago bus: Don't explicitly clear BusConnections.monitors
Simon McVittie [Thu, 20 Feb 2020 00:36:53 +0000 (00:36 +0000)]
bus: Don't explicitly clear BusConnections.monitors

Each connection that is an active monitor holds a pointer to its own
link in this list, via BusConnectionData.link_in_monitors. We can't
validly free the list while these pointers exist: that would be a
use-after-free, when each connection gets disconnected and tries to
remove itself from the list.

Instead, let each connection remove itself from the list, then assert
that the list has become empty.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/291

(cherry picked from commit b034b83b59efffd4cc819ad42d0cd078d91d53df)
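The teardown order described in the commit message above, as an added C example that is not part of the commit or of dbus. `Link`, `Conn`, `Connections` and all function names are hypothetical miniatures of the structures the message names; the "before" function is shown for contrast and is never called.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical miniature of the structures the commit message names. */
typedef struct Link { struct Link *prev, *next; } Link;
typedef struct { Link *link_in_monitors; } Conn;  /* NULL: not a monitor */
typedef struct { Link *monitors; } Connections;

bool become_monitor(Connections *cs, Conn *c) {
  Link *l = calloc(1, sizeof *l);
  if (l == NULL) return false;
  l->next = cs->monitors;
  if (cs->monitors != NULL) cs->monitors->prev = l;
  cs->monitors = l;
  c->link_in_monitors = l;  /* the connection remembers its own link */
  return true;
}

/* On disconnect the connection unlinks itself through the stored pointer. */
void disconnect(Connections *cs, Conn *c) {
  Link *l = c->link_in_monitors;
  if (l == NULL) return;
  if (l->prev != NULL) l->prev->next = l->next; else cs->monitors = l->next;
  if (l->next != NULL) l->next->prev = l->prev;
  free(l);
  c->link_in_monitors = NULL;
}

/* BEFORE (for contrast, never called): frees every link while each Conn
 * still points at its own, so a later disconnect() touches freed memory. */
void shutdown_clear_list_first(Connections *cs) {
  for (Link *l = cs->monitors, *next; l != NULL; l = next) {
    next = l->next;
    free(l);
  }
  cs->monitors = NULL;
}

/* AFTER: every connection removes itself; the list must then be empty. */
bool shutdown_disconnect_first(Connections *cs, Conn **conns, size_t n) {
  for (size_t i = 0; i < n; i++) disconnect(cs, conns[i]);
  return cs->monitors == NULL;
}

/* Constructed scenario: three connections, two of them monitors. */
bool demo_teardown(void) {
  Connections cs = { NULL };
  Conn a = { NULL }, b = { NULL }, c = { NULL }, *all[] = { &a, &b, &c };
  bool ok = become_monitor(&cs, &a) && become_monitor(&cs, &c);
  return shutdown_disconnect_first(&cs, all, 3) && ok;
}

int main(void) { return demo_teardown() ? 0 : 1; }
```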

4 years ago Merge branch 'cherry-pick-bf71a58e' into 'dbus-1.12'
Simon McVittie [Thu, 20 Feb 2020 13:23:22 +0000 (13:23 +0000)]
Merge branch 'cherry-pick-bf71a58e' into 'dbus-1.12'

doc: Fix environment variable name in dbus-daemon(1)

See merge request dbus/dbus!141

4 years ago doc: Fix environment variable name in dbus-daemon(1)
Philip Withnall [Tue, 13 Aug 2019 14:08:03 +0000 (14:08 +0000)]
doc: Fix environment variable name in dbus-daemon(1)

Spotted by Mubin. This documentation relates to the code in
add_bus_environment() in bus/activation.c.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Fixes: #275

(cherry picked from commit bf71a58e4ab496c1726209aaad94a1abe670a01f)

4 years ago auth: Reject DBUS_COOKIE_SHA1 for users other than the server owner 59/222259/1
Simon McVittie [Thu, 30 May 2019 11:53:03 +0000 (12:53 +0100)]
auth: Reject DBUS_COOKIE_SHA1 for users other than the server owner

The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
of a shared home directory by having the server write a secret "cookie"
into a .dbus-keyrings subdirectory of the desired identity's home
directory with 0700 permissions, and having the client prove that it can
read the cookie. This never actually worked for non-malicious clients in
the case where server uid != client uid (unless the server and client
both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
Unix uid 0) because an unprivileged server would fail to write out the
cookie, and an unprivileged client would be unable to read the resulting
file owned by the server.

Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
is owned by the uid of the server (a side-effect of a check added to
harden our use of XDG_RUNTIME_DIR), further ruling out successful use
by a non-malicious client with a uid differing from the server's.

Joe Vennix of Apple Information Security discovered that the
implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
attack: a malicious client with write access to its own home directory
could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
read and write in unintended locations. In the worst case this could
result in the DBusServer reusing a cookie that is known to the
malicious client, and treating that cookie as evidence that a subsequent
client connection came from an attacker-chosen uid, allowing
authentication bypass.

This is mitigated by the fact that by default, the well-known system
dbus-daemon (since 2003) and the well-known session dbus-daemon (in
stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
at an early stage, before manipulating cookies. As a result, this
vulnerability only applies to:

* system or session dbus-daemons with non-standard configuration
* third-party dbus-daemon invocations such as at-spi2-core (although
  in practice at-spi2-core also only accepts EXTERNAL by default)
* third-party uses of DBusServer such as the one in Upstart

Avoiding symlink attacks in a portable way is difficult, because APIs
like openat() and Linux /proc/self/fd are not universally available.
However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
a non-matching uid, we can solve this vulnerability in an easier way
without regressions, by rejecting it early (before looking at
~/.dbus-keyrings) whenever the requested identity doesn't match the
identity of the process hosting the DBusServer.

Change-Id: I04d70bf97d78d25551e9adc217a4dd7652d428b6
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
Closes: CVE-2019-12749

5 years ago Revert "tizen: Add additional unit for "unified" user session" 19/212319/2 accepted/tizen_5.5_unified_mobile_hotfix tizen_5.5_mobile_hotfix tizen_5.5_tv accepted/tizen/5.5/unified/20191031.005930 accepted/tizen/5.5/unified/mobile/hotfix/20201027.063100 accepted/tizen/unified/20190822.045457 submit/tizen/20190820.090809 submit/tizen_5.5/20191031.000006 submit/tizen_5.5_mobile_hotfix/20201026.185106 tizen_5.5.m2_release
Yunmi Ha [Tue, 20 Aug 2019 08:09:07 +0000 (08:09 +0000)]
Revert "tizen: Add additional unit for "unified" user session"

This reverts commit 662187a7597aaf9c9ad2a635944951e6174a36da.

We've optimized systemd-user without unified system/session.
So, we revert the patch for unified system/session.

Change-Id: I70ee37ebeda65e549c5f544d37d511cb6d54b757

5 years ago policy: modify complaint log to print out matched rule 91/211091/1 accepted/tizen/unified/20190816.112439 submit/tizen/20190812.022819
sanghyeok.oh [Tue, 30 Jul 2019 03:01:33 +0000 (12:01 +0900)]
policy: modify complaint log to print out matched rule

Reconstruct rule with xml format.

Change-Id: I760f5c89f519672743a10fa15b66ac14b7e819a1
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>

5 years ago policy: change complaint log format of bus_client_policy_check_can_own() to print... 11/210611/1
sanghyeok.oh [Tue, 23 Jul 2019 02:43:40 +0000 (11:43 +0900)]
policy: change complaint log format of bus_client_policy_check_can_own() to print out connection log

Change-Id: Ib0fc3be8b07577da687a024f5c39178dad387644
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>

5 years ago kdbus: fix computing bloom filters 65/210465/1 accepted/tizen/unified/20190722.074825 submit/tizen/20190719.104741
Adrian Szyndela [Fri, 19 Jul 2019 08:23:27 +0000 (10:23 +0200)]
kdbus: fix computing bloom filters

The bloom filter computation had been implemented in the past, based
on systemd. However, the reimplementation introduced two bugs:
- no clearing of 'p' variable;
- clearing of hash_index variable in a wrong place.

This fixes the bugs.

The same applies to glib.

Change-Id: Ie7c602c6bc881e38c62f41d482ab3785b03c5503

5 years ago Revert "Fix for smack error when dbus-daemon(session) accesses proc/cmdline" 37/210237/2 accepted/tizen/unified/20190717.220434 submit/tizen/20190717.061730
Hyotaek Shim [Wed, 17 Jul 2019 06:11:50 +0000 (06:11 +0000)]
Revert "Fix for smack error when dbus-daemon(session) accesses proc/cmdline"

This reverts commit c7fbfc743059b3e9988a359106ad459511b5ea78.

Change-Id: I86742a428f372ff6988a13df12694c550e2a53c2

5 years ago gvariant: fix UBSan related code 24/208924/1 accepted/tizen/unified/20190702.114943 submit/tizen/20190701.095512
sanghyeok.oh [Mon, 1 Jul 2019 08:42:36 +0000 (17:42 +0900)]
gvariant: fix UBSan related code

fix Undefined Behavior Sanitizer error.

Change-Id: If3b68e68d4de753d0e66c0eeb07f626431057cbf
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>

5 years ago policy: add complaint log for bus_client_policy_check_can_own() 34/208234/3
sanghyeok.oh [Thu, 20 Jun 2019 07:11:01 +0000 (16:11 +0900)]
policy: add complaint log for bus_client_policy_check_can_own()

Change-Id: I4e67ff2258b11bab764f51cfe7e2ae01f2a11d49
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>

5 years ago Merge "Remove unused DbusError to avoid memory leak." into tizen accepted/tizen/unified/20190624.115337 submit/tizen/20190624.005319
sanghyeok oh [Mon, 24 Jun 2019 00:52:11 +0000 (00:52 +0000)]
Merge "Remove unused DbusError to avoid memory leak." into tizen

5 years ago remove unused DBusError in kdbus_read_message() 89/207789/2
Himanshu Maithani [Tue, 28 May 2019 08:48:27 +0000 (14:18 +0530)]
remove unused DBusError in kdbus_read_message()

The function defines and initializes a local DBusError.
It is not used in kdbus_decode_msg() and the function relies on assert for errors.
So, remove the DBusError variable in kdbus_decode_msg().

Change-Id: Ic726f2a161f06766b081f1a98e83ff4f3834f75b
Signed-off-by: Himanshu Maithani <himanshu.m@samsung.com>
Signed-off-by: Gaurav Gupta <g.gupta@samsung.com>

5 years ago Remove unused DbusError to avoid memory leak. 80/207880/1
Gaurav Gupta [Thu, 13 Jun 2019 10:57:07 +0000 (16:27 +0530)]
Remove unused DbusError to avoid memory leak.

Pass NULL as the error argument to avoid setting an error string in dbus_validate_bus_name(), thus avoiding a possible memory leak.
We expect the name to be a valid bus name (utf8) as it is fetched from the connection.
It will also optimize stack usage, as the "local_error" variable and dbus_error_init() function are called in a for loop.

Another fix could be to check and free "error" if it is set.
Signed-off-by: Gaurav Gupta <g.gupta@samsung.com>
Reviewed-by: Himanshu Maithani <himanshu.m@samsung.com>
Change-Id: I773211edd76b6591369bbaae5464971894481a28

5 years ago fix: missing dbus_error_free in kdbus_write_msg_internal 88/207788/1 submit/tizen/20190624.001018
himanshu.m@samsung.com [Tue, 28 May 2019 06:31:55 +0000 (12:01 +0530)]
fix: missing dbus_error_free in kdbus_write_msg_internal

free message/name from the error in kdbus_write_msg_internal

Change-Id: I7f03abc0fc3f7c81e3725b3325f9e15209906e35
Signed-off-by: Himanshu Maithani <himanshu.m@samsung.com>
Signed-off-by: Gaurav Gupta <g.gupta@samsung.com>

5 years ago Start 1.12.18 development
Simon McVittie [Tue, 11 Jun 2019 15:29:36 +0000 (16:29 +0100)]
Start 1.12.18 development

Signed-off-by: Simon McVittie <smcv@collabora.com>

5 years ago Prepare version 1.12.16 dbus-1.12.16
Simon McVittie [Sun, 9 Jun 2019 11:28:03 +0000 (12:28 +0100)]
Prepare version 1.12.16

Signed-off-by: Simon McVittie <smcv@collabora.com>

5 years ago test: Add basic test coverage for DBUS_COOKIE_SHA1
Simon McVittie [Thu, 30 May 2019 11:58:28 +0000 (12:58 +0100)]
test: Add basic test coverage for DBUS_COOKIE_SHA1

We don't actually complete successful authentication, because that
would require us to generate a cookie and compute the correct SHA1,
which is difficult to do in a deterministic authentication script.
However, we do assert that dbus#269 (CVE-2019-12749) has been fixed.

Signed-off-by: Simon McVittie <smcv@collabora.com>

5 years ago auth: Reject DBUS_COOKIE_SHA1 for users other than the server owner
Simon McVittie [Thu, 30 May 2019 11:53:03 +0000 (12:53 +0100)]
auth: Reject DBUS_COOKIE_SHA1 for users other than the server owner

The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
of a shared home directory by having the server write a secret "cookie"
into a .dbus-keyrings subdirectory of the desired identity's home
directory with 0700 permissions, and having the client prove that it can
read the cookie. This never actually worked for non-malicious clients in
the case where server uid != client uid (unless the server and client
both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
Unix uid 0) because an unprivileged server would fail to write out the
cookie, and an unprivileged client would be unable to read the resulting
file owned by the server.

Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
is owned by the uid of the server (a side-effect of a check added to
harden our use of XDG_RUNTIME_DIR), further ruling out successful use
by a non-malicious client with a uid differing from the server's.

Joe Vennix of Apple Information Security discovered that the
implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
attack: a malicious client with write access to its own home directory
could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
read and write in unintended locations. In the worst case this could
result in the DBusServer reusing a cookie that is known to the
malicious client, and treating that cookie as evidence that a subsequent
client connection came from an attacker-chosen uid, allowing
authentication bypass.

This is mitigated by the fact that by default, the well-known system
dbus-daemon (since 2003) and the well-known session dbus-daemon (in
stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
at an early stage, before manipulating cookies. As a result, this
vulnerability only applies to:

* system or session dbus-daemons with non-standard configuration
* third-party dbus-daemon invocations such as at-spi2-core (although
  in practice at-spi2-core also only accepts EXTERNAL by default)
* third-party uses of DBusServer such as the one in Upstart

Avoiding symlink attacks in a portable way is difficult, because APIs
like openat() and Linux /proc/self/fd are not universally available.
However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
a non-matching uid, we can solve this vulnerability in an easier way
without regressions, by rejecting it early (before looking at
~/.dbus-keyrings) whenever the requested identity doesn't match the
identity of the process hosting the DBusServer.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
Closes: CVE-2019-12749
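The ordering this commit message describes (the same message also appears earlier in this log for the Tizen change), as an added C example that is not libdbus code: the identity comparison runs before any path under ~/.dbus-keyrings is examined. All names are hypothetical, and the `lstat()` ownership and mode check is this example's own assumption, modelled on the owner check and 0700 permissions the message mentions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names throughout; this is not libdbus code. */
typedef enum {
  COOKIE_REJECT_UID_MISMATCH, /* refused before any filesystem access */
  COOKIE_REJECT_BAD_KEYRING,  /* keyring path failed the sanity checks */
  COOKIE_PROCEED              /* go on to the cookie challenge */
} cookie_decision;

/* Keyring must be a real directory (not a symlink), owned by the server's
 * uid, with no group/other bits. A sanity check, not a race-free open. */
static bool keyring_dir_is_sane(const char *path, uid_t server_uid) {
  struct stat st;
  if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
    return false;
  return st.st_uid == server_uid && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

cookie_decision cookie_sha1_precheck(uid_t requested_uid, uid_t server_uid,
                                     const char *home) {
  char path[4096];
  /* The fix: reject a foreign identity before touching ~/.dbus-keyrings. */
  if (requested_uid != server_uid)
    return COOKIE_REJECT_UID_MISMATCH;
  if (snprintf(path, sizeof path, "%s/.dbus-keyrings", home) >= (int)sizeof path)
    return COOKIE_REJECT_BAD_KEYRING;
  return keyring_dir_is_sane(path, server_uid) ? COOKIE_PROCEED
                                               : COOKIE_REJECT_BAD_KEYRING;
}

/* Constructed demo: a throwaway home whose .dbus-keyrings is either a
 * 0700 directory or a symlink to /tmp. */
cookie_decision demo_precheck(uid_t requested_uid, bool keyring_is_symlink) {
  char home[] = "/tmp/cookie-demo-XXXXXX", path[64];
  cookie_decision d = COOKIE_REJECT_BAD_KEYRING;
  if (mkdtemp(home) == NULL) return d;
  snprintf(path, sizeof path, "%s/.dbus-keyrings", home);
  if ((keyring_is_symlink ? symlink("/tmp", path) : mkdir(path, 0700)) == 0) {
    d = cookie_sha1_precheck(requested_uid, geteuid(), home);
    if (keyring_is_symlink) unlink(path); else rmdir(path);
  }
  rmdir(home);
  return d;
}

int main(void) {
  printf("%d\n", demo_precheck(geteuid() + 1, true));
  return 0;
}
```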

5 years ago Start 1.12.16 development
Simon McVittie [Fri, 17 May 2019 14:48:14 +0000 (15:48 +0100)]
Start 1.12.16 development

Signed-off-by: Simon McVittie <smcv@collabora.com>

5 years ago Release 1.12.14 dbus-1.12.14
Simon McVittie [Fri, 17 May 2019 09:41:10 +0000 (10:41 +0100)]
Release 1.12.14

5 years ago apply default deny own policy 94/206094/1 accepted/tizen/unified/20190602.221846 submit/tizen/20190530.011453
sanghyeok.oh [Tue, 14 May 2019 07:38:22 +0000 (16:38 +0900)]
apply default deny own policy

Change default own policy from allow to deny.

Change-Id: Ifde07a31ea3e6b8c97a6b7aee093ff9bf67c301c
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>