Age | Commit message | Author | Files | Lines
2014-06-05 | CVE-2014-3477: deliver activation errors correctly, fixing Denial of Service [dbus-1.4] | Alban Crequy | 3 | -11/+24
How it should work:

When a D-Bus message activates a service, LSMs (SELinux or AppArmor) check whether the message can be delivered after the service has been activated. The service is considered activated when its well-known name is requested with org.freedesktop.DBus.RequestName. When the message delivery is denied, the service stays activated but should not receive the activating message (the message which triggered the activation). dbus-daemon is supposed to drop the activating message and reply to the sender with a D-Bus error message.

However, it does not work as expected:

1. The error message is delivered to the service instead of being delivered to the sender. As an example, the error message could be something like:

   An SELinux policy prevents this sender from sending this message to this recipient, [...] member="MaliciousMethod"

   If the sender and the service are malicious confederates and agree on a protocol to insert information in the member name, the sender can leak information to the service, even though the LSM attempted to block the communication between the sender and the service.

2. The error message is delivered as a reply to the RequestName call from service. It means the activated service will believe it cannot request the name and might exit. The sender could activate the service frequently and systemd will give up activating it. Thus the denial of service.

The following changes fix the bug:
- bus_activation_send_pending_auto_activation_messages() only returns an error in case of OOM. The prototype is changed to return TRUE, or FALSE on OOM (and its only caller sets the OOM error).
- When a client is not allowed to talk to the service, a D-Bus error message is pre-allocated to be delivered to the client as part of the transaction. The error is not propagated to the caller so RequestName will not fail (except on OOM).

[fixed a misleading comment -smcv]

Bug:
Reviewed-by: Simon McVittie <>
Reviewed-by: Colin Walters <>
2013-06-13 | Start 1.4.27 | Simon McVittie | 2 | -1/+8
2013-06-12 | Prepare embargoed release for tomorrow [dbus-1.4.26] | Simon McVittie | 2 | -2/+6
2013-06-12 | Fix distcheck with newer Doxygen: remove *.js, too, during uninstall | Simon McVittie | 1 | -0/+1
2013-06-12 | Fix distcheck: remove potentially-read-only files from builddir | Simon McVittie | 1 | -0/+1
During distcheck, the srcdir is read-only. During "make all", cp may preserve the read-only status of the file copied from the srcdir, resulting in failure to overwrite it with an identical file during "make check" (which depends on all-local).

Signed-off-by: Simon McVittie <>
2013-06-12 | Add a test-case for CVE-2013-2168 | Simon McVittie | 2 | -0/+94
Reviewed-by: Thiago Macieira <>
2013-06-12 | CVE-2013-2168: _dbus_printf_string_upper_bound: copy the va_list for each use | Simon McVittie | 2 | -5/+20
Using a va_list more than once is non-portable: it happens to work under the ABI of (for instance) x86 Linux, but not x86-64 Linux. This led to _dbus_printf_string_upper_bound() crashing if it should have returned exactly 1024 bytes.

Many system services can be induced to process a caller-controlled string in ways that end up using _dbus_printf_string_upper_bound(), so this is a denial of service.

Reviewed-by: Thiago Macieira <>
2012-11-09 | NEWS | Simon McVittie | 1 | -1/+4
2012-11-09 | Don't leak temporary fds pointing to /dev/null | Michel HERMIER | 2 | -0/+2
Bug:
[commit message added -smcv]
Reviewed-by: Simon McVittie <>
2012-10-04 | activation helper: when compiled for tests, do not reset system bus address | Simon McVittie | 1 | -1/+1
Otherwise, the tests try to connect to the real system bus, which will often fail - particularly if you run the tests configured for the default /usr/local (with no intention of installing the result), in which case the tests would try to connect to /usr/local/var/run/dbus/system_bus_socket.

Reviewed-by: Colin Walters <>
Bug:
2012-10-02 | Post-release version bump | Simon McVittie | 2 | -1/+6
2012-09-28 | Release 1.4.24 [dbus-1.4.24] | Colin Walters | 2 | -2/+5
2012-09-28 | Release 1.4.22 | Colin Walters | 2 | -3/+5
2012-09-28 | activation-helper: Ensure DBUS_STARTER_ADDRESS is set correctly | Geoffrey Thomas | 1 | -11/+5
The fix for CVE-2012-3524 filters out all environment variables if libdbus is used from a setuid program, to prevent various spoofing attacks.

Unfortunately, the activation helper is a setuid program linking libdbus, and this creates a regression for launched programs using DBUS_STARTER_ADDRESS, since it will no longer exist.

Fix this by hardcoding the starter address to the default system bus address.

Signed-off-by: Geoffrey Thomas <>
Signed-off-by: Colin Walters <>
2012-09-28 | hardening: Remove activation helper handling for DBUS_VERBOSE | Colin Walters | 1 | -13/+1
It's not really useful. See

Conflicts: bus/activation-helper.c
2012-09-28 | hardening: Ensure _dbus_check_setuid() is initialized threadsafe manner | Colin Walters | 1 | -0/+5
This is a highly theoretical concern, but we might as well.

Conflicts: dbus/dbus-sysdeps-pthread.c
2012-09-28 | CVE-2012-3524: Don't access environment variables or run dbus-launch when setuid | Colin Walters | 6 | -1/+94
This matches a corresponding change in GLib. See glib/gutils.c:g_check_setuid().

Some programs attempt to use libdbus when setuid; notably the server is shipped in such a configuration. libdbus never had an explicit policy about its use in setuid programs.

I'm not sure whether we should advertise such support. However, given that there are real-world programs that do this currently, we can make them safer with not too much effort.

Better to fix a problem caused by an interaction between two components in *both* places if possible.

How to determine whether or not we're running in a privilege-escalated path is operating system specific. Note that GTK+'s code to check euid versus uid worked historically on Unix, more modern systems have filesystem capabilities and SELinux domain transitions, neither of which are captured by the uid comparison.

On Linux/glibc, the way this works is that the kernel sets an AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on startup. If found, then glibc sets a public-but-undocumented __libc_enable_secure variable which we can use. Unfortunately, while it *previously* worked to check this variable, a combination of newer binutils and RPM break it: So for now on Linux/glibc, we fall back to the historical Unix version until we get glibc fixed.

On some BSD variants, there is an issetugid() function. On other Unix variants, we fall back to what GTK+ has been doing.

Reported-by: Sebastian Krahmer <>
Signed-off-by: Colin Walters <>

Conflicts: dbus/dbus-sysdeps-unix.c
2012-04-25 | NEWS | Simon McVittie | 1 | -0/+11
2012-04-25 | use cp and mkdir -p instead of install within source tree | Antoine Jacoutot | 1 | -7/+7
$(INSTALL) and $(INSTALL_DATA) try to change ownerships to root:bin when copying tests to builddir.

Presumably this is a difference in behaviour between GNU and BSD install(1): the one in GNU coreutils doesn't try-and-fail to change ownership if you're not root.

[Commit message added by smcv]

Bug:
Reviewed-by: Simon McVittie <>
2012-04-12 | Avoid using monotonic time in the DBUS_COOKIE_SHA1 authentication method | David Zeuthen | 13 | -29/+67
When libdbus-1 moved to using monotonic time, support for the DBUS_COOKIE_SHA1 authentication was broken, in particular interoperability with non-libdbus-1 implementations such as GDBus.

The problem is that if monotonic clocks are available in the OS, _dbus_get_current_time() will not return the number of seconds since the Epoch so using it for DBUS_COOKIE_SHA1 will violate the D-Bus specification. If both peers are using libdbus-1 it's not a problem since both ends will use the wrong time and thus agree. However, if the other end is another implementation and following the spec it will not work.

First, we change _dbus_get_current_time() back so it always returns time since the Epoch and we then rename it _dbus_get_real_time() to make this clear. We then introduce _dbus_get_monotonic_time() and carefully make all current users of _dbus_get_current_time() use it, if applicable. During this audit, one of the callers, _dbus_generate_uuid(), was currently using monotonic time but it was decided to make it use real time instead.

Signed-off-by: David Zeuthen <>
Reviewed-by: Simon McVittie <>
Bug:
2012-03-27 | Start 1.4.21 | Simon McVittie | 1 | -1/+1
2012-03-27 | Prepare version 1.4.20 [dbus-1.4.20] | Simon McVittie | 2 | -3/+23
2012-03-27 | Fix duplicate case value compiling with mingw-w64 | Andoni Morales Alastruey | 1 | -12/+6
In mingw-w64 both ESOMETHING and WSASOMETHING are defined, leading to a duplicate case in the switch.

Reviewed-by: Simon McVittie <>
Bug:
2012-03-27 | Port to glib 2.31.x g_thread API | Martin Pitt | 2 | -42/+38
g_thread_init() is deprecated since glib 2.24, call g_type_init() instead. Bump glib requirement accordingly.

g_thread_create is deprecated since 2.31, use g_thread_new() instead. When building with a glib earlier than 2.31, provide a backwards compatibility shim.

[Added a comment about why we're using g_type_init() in a test that doesn't otherwise use GObject -smcv]

[Applied to 1.4 despite just being a deprecation fix because it also fixes linking with GLib 2.32, in which gthread has been removed from gobject's Requires and moved to Requires.private, Debian #665665 -smcv]

Bug:
Bug-Debian:
Reviewed-by: Simon McVittie <>
2012-03-12 | Enumerate data files used in the build rather than using find(1) | Simon McVittie | 1 | -83/+130
Bug:
Reviewed-by: Will Thompson <>
2012-02-20 | NEWS for 1.4 | Simon McVittie | 1 | -1/+1
2012-02-20 | dbus-protocol.h: compile under C++11 | Marc Mutz | 1 | -1/+1
C++11 compilers have a feature called 'user-defined string literals' which allow arbitrary string suffixes to have user-defined meaning. This makes code that concatenates macros with string literals without intervening whitespace illegal under C++11. Fortunately, string literal concatenation has allowed intervening whitespace since the dawn of time, so the solution is to simply pad with spaces.

Tested (header) with GCC 4.7 (trunk).

Bug:
Reviewed-by: Simon McVittie <>
2012-02-13 | Back to development status | Simon McVittie | 2 | -1/+6
2012-02-13 | Release D-Bus 1.4.18 [dbus-1.4.18] | Simon McVittie | 2 | -2/+4
2012-02-13 | dbus-daemon: fix forgotten counter increase while copying configured auth mechanisms | Pavel Strashkin | 1 | -0/+1
Previously, only one auth mechanism was used.

Bug:
Reviewed-by: Simon McVittie <>
2012-02-13 | Revert "dbus-daemon: fix forgotten counter increase while copying configured auth mechanisms" | Simon McVittie | 1 | -1/+0
This reverts commit 26b57efe43c991616186db5c499f729a900c6544. It was incorrectly attributed.
2012-02-08 | NEWS | Simon McVittie | 1 | -0/+3
2012-02-08 | docs: correctly invoke man2html | Jack Nagel | 1 | -1/+1
man2html expects to find its input on stdin, so just passing the filename will cause it to hang waiting for input.

[man2html 1.6g as shipped in Debian seems to be fine with files on the command line, but apparently other versions aren't? -smcv]

Signed-off-by: Jack Nagel <>
Reviewed-by: Simon McVittie <>
Bug:
2012-01-23 | Don't warn about deprecated declarations in this stable branch | Simon McVittie | 1 | -0/+4
2012-01-23 | Revert addition of files which were only meant to exist on master, too | Simon McVittie | 5 | -1003/+0
This completes the reversion started in 5df8c3db12590edd68e968.
2012-01-23 | update NEWS | Simon McVittie | 1 | -0/+3
2012-01-23 | dbus-daemon: fix forgotten counter increase while copying configured auth mechanisms | Simon McVittie | 1 | -0/+1
Previously, only one auth mechanism was used.

Bug:
Reviewed-by: Simon McVittie <>
2012-01-04 | NEWS so far | Simon McVittie | 1 | -1/+21
2012-01-04 | Remove some dead code related to fd.o #37258 | eXeC001er | 1 | -1/+0
This would now just attempt to close fd -1, which is useless.

[commit message added by smcv]

Bug:
Reviewed-by: Simon McVittie <>
2012-01-04 | Revert all changes since a36d4918a6f646e085 | Simon McVittie | 117 | -3307/+2608
Someone seems to have merged part of master into 1.4. Again.

Let's go back to the "last known good" point (the branch-point of some 1.4 branches I had locally), then we can cherry-pick the changes that should have gone in.
2011-12-25 | 1.4 branch need a fix to be compilable with msvc | Ralf Habacker | 1 | -1/+2
2011-12-22 | keep cmake in sync with automake related to default bus addresses | Ralf Habacker | 1 | -2/+2
2011-12-21 | windows fix: use install root as base path for relative paths in dbus service file | Ralf Habacker | 1 | -6/+38
2011-12-21 | Merge branch 'dbus-1.4' of ssh:// into dbus-1.4 | Ralf Habacker | 7 | -41/+120
2011-12-21 | Adds a configure time key --with-dbus-session-bus-default-address | Siraj Razick | 1 | -1/+2
With this key we can specify the default session bus address at compile time with autotool builds made with mingw32.

Bug:
Reviewed-by: Ralf Habacker <>
2011-12-21 | Merge branch 'dbus-1.4' of ssh:// into dbus-1.4 | Ralf Habacker | 3 | -24/+40
2011-11-02 | corrupt test: compile successfully against older GLib (Debian stable) | Simon McVittie | 1 | -23/+37
We don't really need g_socket_send_with_blocking here.

Also, don't leak the GLib socket objects.

Bug:
Reviewed-by: Lennart Poettering <>
2011-11-02 | Set DBUS_TEST_HOMEDIR when running installcheck | Simon McVittie | 1 | -0/+1
This avoids spamming ~/.dbus and ~/.dbus-keyrings with filesystem activity while running the tests.

Bug:
Reviewed-by: Lennart Poettering <>
2011-11-02 | _dbus_listen_tcp_socket: avoid leaking listen_fd in unlikely circumstances | Simon McVittie | 1 | -1/+2
If getaddrinfo (with port == 0) succeeds, the kernel gives us a port when we first listen on a socket, we jump back to redo_lookup_with_port, and getaddrinfo (with the nonzero port) fails, we leak listen_fd and all the fds in it.

From the department of "without static analysis we'd never have spotted this", or possibly "backward goto considered harmful".

Bug:
Bug-NB: NB#180486 CID-2389
Reviewed-by: Will Thompson <>
2011-10-29 | refactored cmake version extracting from configure.ac | Ralf Habacker | 2 | -13/+46