diff options
authorColin Walters <>2013-02-14 10:19:34 -0500
committerSimon McVittie <>2013-02-15 16:58:42 +0000
commit166978a09cf5edff4028e670b6074215a4c75eca (patch)
parentc6cbdf9ed99f82983dd529319475dd02c53ad2aa (diff)
CVE-2013-0292: dbus-gproxy: Verify sender of NameOwnerChanged signals to be o.f.DBus
Anyone can hop on the bus and emit a signal whose interface is o.f.DBus; it's expected at the moments that clients (and notably DBus libraries) check the sender. This could previously be used to trick a system service using dbus-glib into thinking a malicious signal came from a privileged source, by claiming that ownership of the privileged source's well-known name had changed from the privileged source's real unique name to the attacker's unique name. [altered to be NULL-safe so it won't crash on peer connections -smcv] Signed-off-by: Simon McVittie <> Reviewed-by: Simon McVittie <>
1 files changed, 4 insertions, 3 deletions
diff --git a/dbus/dbus-gproxy.c b/dbus/dbus-gproxy.c
index 2fc52f9..c3ae9ec 100644
--- a/dbus/dbus-gproxy.c
+++ b/dbus/dbus-gproxy.c
@@ -1250,8 +1250,11 @@ dbus_g_proxy_manager_filter (DBusConnection *connection,
GSList *tmp;
const char *sender;
+ sender = dbus_message_get_sender (message);
/* First we handle NameOwnerChanged internally */
- if (dbus_message_is_signal (message,
+ if (g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0 &&
+ dbus_message_is_signal (message,
@@ -1280,8 +1283,6 @@ dbus_g_proxy_manager_filter (DBusConnection *connection,
- sender = dbus_message_get_sender (message);
/* dbus spec requires these, libdbus validates */
g_assert (dbus_message_get_path (message) != NULL);
g_assert (dbus_message_get_interface (message) != NULL);