author | Matthias Gerstner <matthias.gerstner@suse.de> | 2018-07-10 09:51:47 -0400 |
---|---|---|
committer | Ray Strode <rstrode@redhat.com> | 2018-07-10 09:55:59 -0400 |
commit | f9abd359f71a5bce421b9ae23432f539a067847a (patch) | |
tree | d4bbace87219f370ad280095f28685fe3bdfd3f9 | |
parent | 34bedecf7da81a8b42382254e3f9a32398c1ca5d (diff) |
user: fix insufficient path prefix check

The path prefix check can be circumvented by regular users by passing
relative path component like so:

    $ dbus-send --system --print-reply --dest=org.freedesktop.Accounts \
        /org/freedesktop/Accounts/User1000 \
        org.freedesktop.Accounts.User.SetIconFile \
        string:/usr/share/../../tmp/test

This results in a user controlled path being stored in the
accountsservice. Clients of accountsservice may unwittingly trust this
path.

To fix that situation this commit canonicalizes the input path before
the prefix comparison.

Some small changes to patch by Ray Strode.

https://bugs.freedesktop.org/show_bug.cgi?id=107085
Notes
CVE-2018-14036
-rw-r--r-- | src/user.c | 8 |
1 files changed, 8 insertions, 0 deletions
@@ -1334,6 +1334,14 @@ user_change_icon_file_authorized_cb (Daemon *daemon, } file = g_file_new_for_path (filename); + g_clear_pointer (&filename, g_free); + + /* Canonicalize path so we can call g_str_has_prefix on it + * below without concern for ../ path components moving outside + * the prefix + */ + filename = g_file_get_path (file); + info = g_file_query_info (file, G_FILE_ATTRIBUTE_UNIX_MODE "," G_FILE_ATTRIBUTE_STANDARD_TYPE "," G_FILE_ATTRIBUTE_STANDARD_SIZE, |
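
Review bot: The reassignment `filename = g_file_get_path (file);` is used without a NULL check, although g_file_get_path() is documented to return NULL when a GFile has no local path and the new comment says the result is handed to g_str_has_prefix below. A GFile built with g_file_new_for_path() should always have a path, but an explicit check that rejects the request would guarantee the prefix comparison never runs on NULL. The comment could also state that this canonicalization is lexical: it collapses ../ components but does not resolve symlinks, so the prefix check remains only as strong as the write permissions on the prefix directories. A regression test that passes the path from the commit message (string:/usr/share/../../tmp/test) and expects it to be refused would pin the fixed behaviour.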