authorMatthias Gerstner <matthias.gerstner@suse.de>2018-07-10 09:51:47 -0400
committerRay Strode <rstrode@redhat.com>2018-07-10 09:55:59 -0400
commitf9abd359f71a5bce421b9ae23432f539a067847a (patch)
treed4bbace87219f370ad280095f28685fe3bdfd3f9
parent34bedecf7da81a8b42382254e3f9a32398c1ca5d (diff)
user: fix insufficient path prefix check
The path prefix check can be circumvented by regular users by passing a relative path component like so: $ dbus-send --system --print-reply --dest=org.freedesktop.Accounts \ /org/freedesktop/Accounts/User1000 \ org.freedesktop.Accounts.User.SetIconFile \ string:/usr/share/../../tmp/test This results in a user controlled path being stored in the accountsservice. Clients of accountsservice may unwittingly trust this path. To fix that situation, this commit canonicalizes the input path before the prefix comparison. Some small changes to patch by Ray Strode. https://bugs.freedesktop.org/show_bug.cgi?id=107085
Notes
CVE-2018-14036
-rw-r--r--src/user.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/user.c b/src/user.c
index c8a2942..174530f 100644
--- a/src/user.c
+++ b/src/user.c
@@ -1334,6 +1334,14 @@ user_change_icon_file_authorized_cb (Daemon *daemon,
}
file = g_file_new_for_path (filename);
+ g_clear_pointer (&filename, g_free);
+
+ /* Canonicalize path so we can call g_str_has_prefix on it
+ * below without concern for ../ path components moving outside
+ * the prefix
+ */
+ filename = g_file_get_path (file);
+
info = g_file_query_info (file, G_FILE_ATTRIBUTE_UNIX_MODE ","
G_FILE_ATTRIBUTE_STANDARD_TYPE ","
G_FILE_ATTRIBUTE_STANDARD_SIZE,
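Review bot: The comment above `filename = g_file_get_path (file);` should state that this canonicalization is lexical only: as far as I know GFile collapses `.` and `..` components but does not resolve symbolic links, so the later g_str_has_prefix comparison (outside this hunk) still depends on unprivileged users being unable to create links beneath the allowed prefixes. I would extend the comment with a line such as `Note: lexical only, symlinks are not resolved; the prefix directories must not be user-writable.` Separately, g_file_get_path is documented as able to return NULL and nothing visible here checks the result before `filename` is used further down; for a GFile built from a local path that should not happen, but an explicit `if (filename == NULL)` guard that fails the request the same way the existing error paths do would make the assumption visible. user_change_icon_file_authorized_cb starts and ends outside the hunk, so whether later code already covers either case cannot be confirmed from here.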