CVE-2010-1172 dbus-glib: property access not validated

Bug #616517 reported by Mathieu Trudel-Lapierre on 2010-08-11
Affects
dbus-glib (Debian): status Fix Released; importance Unknown
dbus-glib (Fedora): status Fix Released; importance Medium
dbus-glib (Ubuntu): importance Medium; Unassigned
  Hardy: importance Medium; assigned to Jamie Strandboge
  Karmic: importance Medium; Unassigned
  Lucid: importance Medium; assigned to Jamie Strandboge
modemmanager (Ubuntu): importance Undecided; Unassigned
  Hardy: importance Undecided; Unassigned
  Karmic: importance Undecided; Unassigned
  Lucid: importance Undecided; assigned to Jamie Strandboge
network-manager (Ubuntu): importance Undecided; Unassigned
  Hardy: importance Undecided; assigned to Jamie Strandboge
  Karmic: importance Undecided; Unassigned
  Lucid: importance Undecided; assigned to Jamie Strandboge

Bug Description

As also reported in Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=585394

A flaw was recently discovered in dbus-glib where it didn't
respect the "access" flag on properties specified. Basically, core OS
services like NetworkManager which use dbus-glib were specifying e.g. the
"Ip4Address" as read-only for remote access, but in fact any process could
modify it.

A patch is available. However, due to the nature of the way
dbus-glib works where at build time services generate a C data structure from
XML and embed it into their binary, affected services will need to be rebuilt
(though not patched).

KNOWN AFFECTED SERVICES:
* DeviceKit-Power
* NetworkManager
* ModemManager

KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
* ConsoleKit (it denies all Properties access using dbus policy)
* gdm (ditto)
* PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)

KNOWN NOT AFFECTED (because I audited them)
* gnome-panel (no dbus properties)
* gnome-system-monitor (ditto)

PROBABLY NOT AFFECTED
* hal (doesn't claim to handle org.freedesktop.DBus.Properties)
* polkit (uses eggdbus)
* rtkit (doesn't use dbus-glib)
* DeviceKit-disks (all its properties appear to be readonly)
* wpa_supplicant (doesn't implement Properties)
* upstart (doesn't use dbus-glib)

The desktop team recently discovered a flaw in dbus-glib where it didn't respect the "access" flag on properties specified. Basically, core OS services like NetworkManager which use dbus-glib were specifying e.g. the "Ip4Address" as read-only for remote access, but in fact any process could modify it.

I have a patch for dbus-glib (attached). However, due to the nature of the way
dbus-glib works where at build time services generate a C data structure from
XML and embed it into their binary, affected services will need to be rebuilt
(though not patched).

This affected list is for F-12; I think for RHEL5 we just need dbus-glib and NetworkManager.

KNOWN AFFECTED SERVICES:
* DeviceKit-Power
* NetworkManager
* ModemManager

KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
* ConsoleKit (it denies all Properties access using dbus policy)
* gdm (ditto)
* PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)

KNOWN NOT AFFECTED (because I audited them)
* gnome-panel (no dbus properties)
* gnome-system-monitor (ditto)

PROBABLY NOT AFFECTED
* hal (doesn't claim to handle org.freedesktop.DBus.Properties)
* polkit (uses eggdbus)
* rtkit (doesn't use dbus-glib)
* DeviceKit-disks (all its properties appear to be readonly)
* wpa_supplicant (doesn't implement Properties)
* upstart (doesn't use dbus-glib)

Created attachment 408742
respect property access flags

Note that affected services will need to be recompiled.

This has been assigned CVE-2010-1172

Created attachment 409584
0001-Respect-property-access-flags-for-writing-allow-disa.patch

Updated patch; this one exercises the legacy disabled case.

Latest patch appears to allow setting properties listed as 'access=read' even though I've disabled legacy property access:

NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (is set 0)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)
NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (is set 1)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)
NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (is set 0)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)

but introspection/nm-device.xml lists Ip4Address as access=read.

Also, you can kill the:

  /* Try both forms of property names: "foo_bar" or "FooBar"; for historical
   * reasons we accept both.
   */
  if (object_info
      && !(property_info_from_object_info (object_info, wincaps_propiface, requested_propname, &access_type)

'object_info' check there now in check_property_access since there's a check for if (!object_info) just above.

Never mind about the Ip4Address thing, needed a clean rebuild locally.

So the latest patch looks good to me.
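
The access rule discussed in this report, as an added example that is not dbus-glib's code or any of the attached patches: a small C model of a property table embedded at build time, with a check that accepts both the "FooBar" and "foo_bar" name forms, refuses Set on read-only properties and refuses properties missing from the table. The struct layout, the `ExampleTunable` property and the refusal of reads on unlisted properties are assumptions of the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the table a service embeds at build time from
 * its introspection XML; this is not dbus-glib's real object-info layout. */
enum access { ACCESS_READ = 1, ACCESS_WRITE = 2, ACCESS_READWRITE = 3 };
struct prop_info { const char *iface, *name; enum access access; };

/* Constructed sample: Ip4Address is access=read as in the report; ExampleTunable is made up. */
static const struct prop_info device_props[] = {
    { "org.freedesktop.NetworkManager.Device", "Ip4Address", ACCESS_READ },
    { "org.freedesktop.NetworkManager.Device", "ExampleTunable", ACCESS_READWRITE },
};

/* Convert "ip4_address" to "Ip4Address" so both spellings hit one entry. */
static void uscore_to_wincaps(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    int upper = 1;
    for (; *in && n + 1 < outlen; in++) {
        if (*in == '_') { upper = 1; continue; }
        out[n++] = upper ? (char)toupper((unsigned char)*in) : *in;
        upper = 0;
    }
    out[n] = '\0';
}

/* Return 1 if the Get (is_set == 0) or Set (is_set == 1) may proceed.
 * Default deny: over-long names and properties absent from the table are refused. */
int check_property_access(const char *iface, const char *requested, int is_set)
{
    char wincaps[128];
    size_t i;
    if (strlen(requested) >= sizeof wincaps) return 0;
    uscore_to_wincaps(requested, wincaps, sizeof wincaps);
    for (i = 0; i < sizeof device_props / sizeof device_props[0]; i++) {
        const struct prop_info *p = &device_props[i];
        if (strcmp(p->iface, iface) != 0)
            continue;
        if (strcmp(p->name, requested) != 0 && strcmp(p->name, wincaps) != 0)
            continue;
        return (p->access & (is_set ? ACCESS_WRITE : ACCESS_READ)) != 0;
    }
    return 0;
}
```

Because the table is compiled into the service binary, a corrected library can only enforce the flag once the service has been rebuilt with a table that carries it, which is the rebuild requirement stated in the report.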

Created attachment 437622
patch against dbus-glib git master

This patch is rebased on dbus-glib git master as of today (commit 9440209e2).

This is public now.

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0616 https://rhn.redhat.com/errata/RHSA-2010-0616.html

visibility: private → public
Changed in dbus-glib (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in dbus-glib (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus-glib - 0.88-2

---------------
dbus-glib (0.88-2) unstable; urgency=medium

  * Re-upload to unstable, with release team acknowledgement for squeeze

dbus-glib (0.88-1) experimental; urgency=low

  [ Sjoerd Simons ]
  * debian/control: Move packaging from svn to git
  * debian/rules, debian/libdbus-glib-1-2-dbg.links:
    - Don't symlink the dbg doc directory to the main packages one, it's too
      brittle and doesn't win much
  * debian/control, debian/update-patches.mk
    - Copy patch updating script from pkg-telepathy
  * debian/patches/0001-Fix-lookup-of-regular-properties-when-shadow-propert.patch
    - Fix crash when using shadow properties (from upstream git)

  [ Simon McVittie ]
  * New upstream version
    - fixes CVE-2010-1172, unvalidated property access (Closes: #592753,
      LP: #616517)
    - drop the patch Sjoerd added, which is included in the upstream release
    - update symbols file for new ABI (some of which is part of the security
      bugfix)
    - mark dbus_g_object_type_install_info as requiring a dependency on this
      version, because it will be "version 1" instead of "version 0" object
      info for anything compiled against this version
 -- Sebastien Bacher <email address hidden> Tue, 17 Aug 2010 11:22:07 +0100

Changed in dbus-glib (Ubuntu):
status: Fix Committed → Fix Released
Sebastien Bacher (seb128) wrote :

 dbus-glib (0.88-1) experimental; urgency=low

   [ Sjoerd Simons ]
   * debian/control: Move packaging from svn to git
   * debian/rules, debian/libdbus-glib-1-2-dbg.links:
     - Don't symlink the dbg doc directory to the main packages one, it's too
       brittle and doesn't win much
   * debian/control, debian/update-patches.mk
     - Copy patch updating script from pkg-telepathy
   * debian/patches/0001-Fix-lookup-of-regular-properties-when-shadow-propert.patch
     - Fix crash when using shadow properties (from upstream git)

   [ Simon McVittie ]
   * New upstream version
     - fixes CVE-2010-1172, unvalidated property access (Closes: #592753,
       LP: #616517)
     - drop the patch Sjoerd added, which is included in the upstream release
     - update symbols file for new ABI (some of which is part of the security
       bugfix)
     - mark dbus_g_object_type_install_info as requiring a dependency on this
       version, because it will be "version 1" instead of "version 0" object
       info for anything compiled against this version

Changed in dbus-glib (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in dbus-glib (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in dbus-glib (Ubuntu Karmic):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. Karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug is
being marked "Won't Fix". Please see this document for currently
supported Ubuntu releases: https://wiki.ubuntu.com/Releases

Please feel free to report any other bugs you may find.

Changed in dbus-glib (Ubuntu Karmic):
status: In Progress → Won't Fix
Changed in dbus-glib (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in dbus-glib (Ubuntu Hardy):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus-glib - 0.84-1ubuntu0.2

---------------
dbus-glib (0.84-1ubuntu0.2) lucid-security; urgency=low

  * SECURITY UPDATE: fix to honor access flag on specified properties
   - debian/patches/01-CVE-2010-1172.patch: don't allow Set/write calls for
     readonly properties, or properties not listed in the XML
   - CVE-2010-1172
   - LP: #616517
 -- Jamie Strandboge <email address hidden> Wed, 25 May 2011 15:46:32 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus-glib - 0.74-2ubuntu0.1

---------------
dbus-glib (0.74-2ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: fix to honor access flag on specified properties
   - debian/patches/02-CVE-2010-1172.patch: don't allow Set/write calls for
     readonly properties, or properties not listed in the XML
   - debian/patches/03-CVE-2010-1172-tests.patch: backport test cases
   - CVE-2010-1172
   - LP: #616517
  * debian/control: Build-Depends on libexpat1-dev
 -- Jamie Strandboge <email address hidden> Tue, 24 May 2011 15:48:55 -0500

Changed in dbus-glib (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in dbus-glib (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in dbus-glib (Ubuntu Karmic):
assignee: Jamie Strandboge (jdstrand) → nobody
Jamie Strandboge (jdstrand) wrote :

network-manager and modemmanager have to be rebuilt to incorporate the changes to dbus-glib.

Changed in modemmanager (Ubuntu):
status: New → Fix Released
Changed in network-manager (Ubuntu):
status: New → Fix Released
Changed in network-manager (Ubuntu Karmic):
status: New → Won't Fix
Changed in modemmanager (Ubuntu Karmic):
status: New → Won't Fix
Changed in modemmanager (Ubuntu Lucid):
status: New → Fix Released
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in modemmanager (Ubuntu Hardy):
status: New → Fix Released
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in network-manager (Ubuntu Lucid):
status: New → Fix Released
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in network-manager (Ubuntu Hardy):
status: New → Fix Released
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in modemmanager (Ubuntu Hardy):
status: Fix Released → Invalid
assignee: Jamie Strandboge (jdstrand) → nobody
Changed in dbus-glib (Debian):
status: Unknown → Fix Released
Changed in dbus-glib (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released