summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Walters <walters@verbum.org>2013-02-14 15:19:34 (GMT)
committerSimon McVittie <simon.mcvittie@collabora.co.uk>2013-02-15 16:58:42 (GMT)
commit166978a09cf5edff4028e670b6074215a4c75eca (patch)
tree58ce00e3a26a63ffb1af3f2189dcf6122d88f25f
parentc6cbdf9ed99f82983dd529319475dd02c53ad2aa (diff)
CVE-2013-0292: dbus-gproxy: Verify sender of NameOwnerChanged signals to be o.f.DBus
Anyone can hop on the bus and emit a signal whose interface is o.f.DBus; it's expected at the moments that clients (and notably DBus libraries) check the sender. This could previously be used to trick a system service using dbus-glib into thinking a malicious signal came from a privileged source, by claiming that ownership of the privileged source's well-known name had changed from the privileged source's real unique name to the attacker's unique name. [altered to be NULL-safe so it won't crash on peer connections -smcv] Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
-rw-r--r--dbus/dbus-gproxy.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/dbus/dbus-gproxy.c b/dbus/dbus-gproxy.c
index 2fc52f9..c3ae9ec 100644
--- a/dbus/dbus-gproxy.c
+++ b/dbus/dbus-gproxy.c
@@ -1250,8 +1250,11 @@ dbus_g_proxy_manager_filter (DBusConnection *connection,
GSList *tmp;
const char *sender;
+ sender = dbus_message_get_sender (message);
+
/* First we handle NameOwnerChanged internally */
- if (dbus_message_is_signal (message,
+ if (g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0 &&
+ dbus_message_is_signal (message,
DBUS_INTERFACE_DBUS,
"NameOwnerChanged"))
{
@@ -1280,8 +1283,6 @@ dbus_g_proxy_manager_filter (DBusConnection *connection,
}
}
- sender = dbus_message_get_sender (message);
-
/* dbus spec requires these, libdbus validates */
g_assert (dbus_message_get_path (message) != NULL);
g_assert (dbus_message_get_interface (message) != NULL);