GHSL-2023-139: use-after-free in user.c
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
accountsservice (Ubuntu) | Fix Released | Medium | Marc Deslauriers | |
Focal | Fix Released | Medium | Marc Deslauriers | |
Jammy | Fix Released | Medium | Marc Deslauriers | |
Kinetic | Fix Released | Medium | Marc Deslauriers | |
Lunar | Fix Released | Medium | Marc Deslauriers | |
Mantic | Fix Released | Medium | Marc Deslauriers | |
Bug Description
# GitHub Security Lab (GHSL) Vulnerability Report, accountsservice: `GHSL-2023-139`
The [GitHub Security Lab](https:/
We are committed to working with you to help resolve this issue. In this report you will find everything you need to effectively coordinate a resolution of this issue with the GHSL team.
If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at `<email address hidden>` (please include `GHSL-2023-139` as a reference).
If you are _NOT_ the correct point of contact for this report, please let us know!
## Summary
An unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to the accounts-daemon process.
## Product
accountsservice
## Tested Version
[22.08.8-1ubuntu7](https:/
The bug is easier to observe on Ubuntu 23.04 than on Ubuntu 22.04 LTS, but it is present on both.
## Details
### Use-after-free when `throw_error` is called (`GHSL-2023-139`)
After receiving a D-Bus [method call](https:/
```c
static void
user_change_
{
const gchar *language = data;
if (!user_
/* SetLanguage was probably called from a login greeter,
}
<snip>
out:
}
```
If `user_HOME_
An attacker can trigger the bug above by causing `user_HOME_
```bash
dbus-send --system --print-reply --dest=
```
On Ubuntu 23.04, the above command causes `accounts-daemon` to crash with a `SIGSEGV`. But on Ubuntu 22.04 LTS it doesn't cause any visible harm. The difference is due to a recent [change in GLib's](https:/
#### Impact
Exploitation is likely to be difficult, but this bug could potentially enable a local unprivileged attacker to gain root privileges.
#### Remediation
Always return immediately after calling `throw_error`. For example, it is done correctly in `user_change_
```c
if (type != G_FILE_
g_debug ("not a regular file\n");
throw_error (context, ERROR_FAILED, "file '%s' is not a regular file", filename);
return;
}
```
## GitHub Security Advisories
We recommend you create a private [GitHub Security Advisory](https:/
## Credit
This issue was discovered and reported by GHSL team member [@kevinbackhouse (Kevin Backhouse)](https:/
## Contact
You can contact the GHSL team at `<email address hidden>`, please include a reference to `GHSL-2023-139` in any communication regarding this issue.
## Disclosure Policy
This report is subject to our [coordinated disclosure policy](https:/
CVE References
information type: | Private Security → Public Security |
tags: | added: patch |
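The control-flow pattern from the report and its remediation, as an added example that is not part of the original report or the accountsservice source. `Invocation`, `reply`, `complete_ok`, `home_available`, both handlers and `count_stale_uses` are hypothetical names, and the mock assumes that `throw_error` consumes the invocation and that the error branch jumps to a shared `out:` completion path.

```c
#include <stdio.h>

/* Constructed mock of a one-shot D-Bus reply handle (not GLib's type).
 * Assumption: replying consumes the handle, so any later use is stale. */
typedef struct {
    int replies;     /* replies sent through this handle */
    int stale_uses;  /* uses after the handle was already consumed */
} Invocation;

static void reply(Invocation *ctx)
{
    if (ctx->replies > 0)
        ctx->stale_uses++;  /* the real daemon would touch freed memory here */
    ctx->replies++;
}

/* Hypothetical stand-ins for throw_error() and the success completion call. */
static void throw_error(Invocation *ctx, const char *msg) { (void)msg; reply(ctx); }
static void complete_ok(Invocation *ctx) { reply(ctx); }

/* Flawed pattern: error reply, then fall through to the shared exit label. */
static void handler_buggy(Invocation *ctx, int home_available)
{
    if (!home_available) {
        throw_error(ctx, "HOME not available");
        goto out;           /* ctx was already consumed by throw_error */
    }
    /* ... save the setting ... */
out:
    complete_ok(ctx);
}

/* Remediation from the report: return immediately after throw_error. */
static void handler_fixed(Invocation *ctx, int home_available)
{
    if (!home_available) {
        throw_error(ctx, "HOME not available");
        return;
    }
    complete_ok(ctx);
}

/* Runs one handler on a fresh mock and returns the number of stale uses. */
static int count_stale_uses(void (*handler)(Invocation *, int), int home_available)
{
    Invocation ctx = {0, 0};
    handler(&ctx, home_available);
    return ctx.stale_uses;
}
int main(void) { printf("buggy=%d fixed=%d\n", count_stale_uses(handler_buggy, 0), count_stale_uses(handler_fixed, 0)); return 0; }
```

A reply counter of this kind can also serve as a debug-build assertion to catch any handler that answers the same invocation twice.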
Hi Kevin,
Thanks for reporting this issue!
I see the multiple instances of the problematic code were added by the Ubuntu-specific 0010-set-language.patch patch.
We'll investigate this issue shortly and will get back to you with a proposed fix, a proposed CRD, and a CVE number.