authorColin Walters <walters@verbum.org>2013-02-14 10:19:34 -0500
committerSimon McVittie <simon.mcvittie@collabora.co.uk>2013-02-15 16:58:42 +0000
commit166978a09cf5edff4028e670b6074215a4c75eca (patch)
tree58ce00e3a26a63ffb1af3f2189dcf6122d88f25f
parentc6cbdf9ed99f82983dd529319475dd02c53ad2aa (diff)
CVE-2013-0292: dbus-gproxy: Verify sender of NameOwnerChanged signals to be o.f.DBus
Anyone can hop on the bus and emit a signal whose interface is o.f.DBus; it's expected at the moment that clients (and notably DBus libraries) check the sender. This could previously be used to trick a system service using dbus-glib into thinking a malicious signal came from a privileged source, by claiming that ownership of the privileged source's well-known name had changed from the privileged source's real unique name to the attacker's unique name. [altered to be NULL-safe so it won't crash on peer connections -smcv] Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
-rw-r--r--dbus/dbus-gproxy.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/dbus/dbus-gproxy.c b/dbus/dbus-gproxy.c
index 2fc52f9..c3ae9ec 100644
--- a/dbus/dbus-gproxy.c
+++ b/dbus/dbus-gproxy.c
@@ -1247,14 +1247,17 @@ dbus_g_proxy_manager_filter (DBusConnection *connection,
char *tri;
GSList *full_list;
GSList *owned_names;
GSList *tmp;
const char *sender;
+ sender = dbus_message_get_sender (message);
+
/* First we handle NameOwnerChanged internally */
- if (dbus_message_is_signal (message,
+ if (g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0 &&
+ dbus_message_is_signal (message,
DBUS_INTERFACE_DBUS,
"NameOwnerChanged"))
{
const char *name;
const char *prev_owner;
const char *new_owner;
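Review bot: The sender comparison added to the `if` carries no comment explaining why it is there, and the surviving comment `/* First we handle NameOwnerChanged internally */` still reads as though every NameOwnerChanged signal is acted on. Since this check is what separates a genuine ownership change from one announced by an arbitrary connection, I would state the trust rule at the condition, for example `/* Only the bus driver (DBUS_SERVICE_DBUS) may announce ownership changes; any connection can emit a signal on this interface. sender is NULL on peer connections, hence g_strcmp0. */`, so a later refactor does not drop or reorder it. A regression test that delivers a NameOwnerChanged message whose sender is not `DBUS_SERVICE_DBUS` and asserts the proxy's owner is unchanged would pin the behaviour; none is added in this commit. The body of `dbus_g_proxy_manager_filter` starts and ends outside this hunk, so whether other o.f.DBus signals are acted on elsewhere in it cannot be judged from here.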
@@ -1277,14 +1280,12 @@ dbus_g_proxy_manager_filter (DBusConnection *connection,
else if (manager->owner_names != NULL)
{
dbus_g_proxy_manager_replace_name_owner (manager, name, prev_owner, new_owner);
}
}
- sender = dbus_message_get_sender (message);
-
/* dbus spec requires these, libdbus validates */
g_assert (dbus_message_get_path (message) != NULL);
g_assert (dbus_message_get_interface (message) != NULL);
g_assert (dbus_message_get_member (message) != NULL);
tri = tristring_from_message (message);