iio-sensor-proxy: Insecure configuration of dbus service

Bug #1666358 reported by Jeremy Bícha
Affects                     Status        Importance  Assigned to  Milestone
IIO Sensor Proxy            Fix Released  Unknown
iio-sensor-proxy (Debian)   Fix Released  Unknown
iio-sensor-proxy (Ubuntu)   Fix Released  High        Unassigned
  Xenial                    Fix Released  High        Unassigned
  Yakkety                   Fix Released  High        Unassigned

Bug Description

The dbus configuration for iio-sensor-proxy allowed any process on the system bus to send an org.freedesktop.DBus.Properties.Set() call to any other process on the system bus, even if the destination process expected to be only accessible by root.

https://github.com/hadess/iio-sensor-proxy/commit/e2d81f2

This was fixed in the upstream version 2.1 and in Debian's 2.0-4 (which was autosynced to zesty).

Test Case
=========
dbus-send --system --dest=org.freedesktop.nm_dispatcher --type=method_call \
    --print-reply / org.freedesktop.DBus.Properties.Set string:Foo variant:string:bar

Bad response:
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface
 'org.freedesktop.DBus.Properties' on object at path /

Good response:
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.5523" (uid=1000 pid=13527
 comm="dbus-send --system --dest=org.freedesktop.nm_dispa")
 interface="org.freedesktop.DBus.Properties" member="Set" error
 name="(unset)" requested_reply="0"
 destination="org.freedesktop.nm_dispatcher" (uid=0 pid=13528
 comm="/usr/lib/NetworkManager/nm-dispatcher ")

Testing Done
============
I built the packages in my PPA and installed to Ubuntu GNOME 16.04.2 and 16.10. The test cases completed successfully after install; no log out required.

Tags: xenial yakkety
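The following is an added audit and check script; it is not code from the bug report or from the iio-sensor-proxy project. The two policy files it writes are constructed to show the weak and corrected shape of the rule the changelog describes (an allow rule for org.freedesktop.DBus.Properties Set without, then with, send_destination="net.hadess.SensorProxy"); they are not the project's net.hadess.SensorProxy.conf verbatim, and the function and file names are assumptions made here. audit_dbus_policy generalises the bug: it flags any <allow> rule that grants sending by interface, member, path or type without pinning send_destination, because such a rule matches the message to any bus name, not only to the service that installed the file. classify_dbus_send_reply maps the two replies shown in the Test Case above to a verdict, and run_live_test_case repeats the page's own dbus-send command against the running system bus.

```shell
#!/bin/sh
# Added example; not code from the bug report or from iio-sensor-proxy.
# The two policy files below are constructed samples of the weak and
# corrected rule shape, not the project's real net.hadess.SensorProxy.conf.

write_sample_policies() {
    dir=$1
    # Weak: the second <allow> names an interface and member but no
    # send_destination, so it permits Properties.Set to *any* bus name.
    cat > "$dir/weak.conf" <<'EOF'
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="net.hadess.SensorProxy"/>
  </policy>
  <policy context="default">
    <allow send_destination="net.hadess.SensorProxy"/>
    <allow send_interface="org.freedesktop.DBus.Properties" send_member="Set"/>
  </policy>
</busconfig>
EOF
    # Corrected: the same rule pinned to the service's own bus name.
    cat > "$dir/fixed.conf" <<'EOF'
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="net.hadess.SensorProxy"/>
  </policy>
  <policy context="default">
    <allow send_destination="net.hadess.SensorProxy"/>
    <allow send_destination="net.hadess.SensorProxy"
           send_interface="org.freedesktop.DBus.Properties"
           send_member="Set"/>
  </policy>
</busconfig>
EOF
}

# Print every <allow> rule in a policy file that grants sending by
# interface/member/path/type without pinning send_destination.  Attributes
# split across lines are joined first.  Rules under <policy user="root">
# are reported too; judge those by hand.
audit_dbus_policy() {
    tr '\n' ' ' < "$1" | grep -o '<allow [^>]*/>' |
        grep -E 'send_(interface|member|path|type)=' |
        grep -v 'send_destination=' || true
}

# Map the error dbus-send prints for the page's test case to a verdict:
# AccessDenied means the bus blocked the call (fixed); UnknownMethod means
# the call reached nm-dispatcher, which simply has no such interface at /.
classify_dbus_send_reply() {
    case "$1" in
        *org.freedesktop.DBus.Error.AccessDenied*) echo fixed ;;
        *org.freedesktop.DBus.Error.UnknownMethod*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Live check against this host's system bus, if dbus-send is installed.
run_live_test_case() {
    command -v dbus-send >/dev/null || { echo "dbus-send not installed"; return 2; }
    reply=$(dbus-send --system --dest=org.freedesktop.nm_dispatcher --type=method_call \
        --print-reply / org.freedesktop.DBus.Properties.Set string:Foo variant:string:bar 2>&1)
    classify_dbus_send_reply "$reply"
}

# Audit every system-bus policy file on this host (directories per dbus-daemon(1)).
audit_system_policies() {
    for f in /usr/share/dbus-1/system.d/*.conf /etc/dbus-1/system.d/*.conf; do
        [ -f "$f" ] || continue
        hits=$(audit_dbus_policy "$f")
        [ -n "$hits" ] && printf '%s:\n%s\n' "$f" "$hits"
    done
    return 0
}
```

Sourcing the file and calling audit_system_policies lists every rule of the weak shape installed on the host; run_live_test_case reproduces the Test Case and prints fixed or vulnerable.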
Jeremy Bícha (jbicha)
description: updated
Jeremy Bícha (jbicha) wrote:
description: updated
Jeremy Bícha (jbicha) wrote:
Changed in iio-sensor-proxy:
status: Unknown → Fix Released
Jeremy Bícha (jbicha)
description: updated
Changed in iio-sensor-proxy (Ubuntu):
status: New → Confirmed
Changed in iio-sensor-proxy (Ubuntu Xenial):
status: New → Confirmed
Changed in iio-sensor-proxy (Ubuntu Yakkety):
status: New → Confirmed
Changed in iio-sensor-proxy (Debian):
status: Unknown → Fix Released
Mathew Hodson (mhodson)
Changed in iio-sensor-proxy (Ubuntu):
importance: Undecided → High
Changed in iio-sensor-proxy (Ubuntu Xenial):
importance: Undecided → High
Changed in iio-sensor-proxy (Ubuntu Yakkety):
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote:

ACK on the debdiffs in comments 1 and 2. Packages are building now and will be released as security updates. Thanks!

Marc Deslauriers (mdeslaur) wrote:

Actually, while the xenial debdiff does look good, the package is failing to build properly. The binary package ends up with the following files:

 drwxr-xr-x root/root 0 2017-02-28 07:44 ./rules.d/
 -rw-r--r-- root/root 381 2017-02-28 07:44 ./rules.d/40-iio-sensor-proxy.rules

Instead of what is expected:

 drwxr-xr-x root/root 0 2015-08-14 13:14 ./lib/udev/
 drwxr-xr-x root/root 0 2015-08-14 13:14 ./lib/udev/rules.d/
 -rw-r--r-- root/root 381 2015-08-14 13:14 ./lib/udev/rules.d/40-iio-sensor-proxy.rules

Could you please submit a fixed debdiff? Thanks.

Marc Deslauriers (mdeslaur) wrote:

Actually, never mind, simply adding udev to the Build-Depends solved the issue, so I'm uploading it now.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package iio-sensor-proxy - 1.3-1ubuntu2

---------------
iio-sensor-proxy (1.3-1ubuntu2) yakkety-security; urgency=medium

   * SECURITY UPDATE: insecure dbus configuration (LP: #1666358)
    - debian/patches/iio-dbus-policy-security.patch:
      Patch from Debian, applied upstream. Restrict send_destination
      to "net.hadess.SensorProxy" in net.hadess.SensorProxy.conf

 -- Jeremy Bicha <email address hidden> Mon, 20 Feb 2017 21:17:39 -0500

Changed in iio-sensor-proxy (Ubuntu Yakkety):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package iio-sensor-proxy - 1.1-1ubuntu1

---------------
iio-sensor-proxy (1.1-1ubuntu1) xenial-security; urgency=medium

  [ Jeremy Bicha ]
  * SECURITY UPDATE: insecure dbus configuration (LP: #1666358)
    - debian/patches/iio-dbus-policy-security.patch:
      Patch from Debian, applied upstream. Restrict send_destination
      to "net.hadess.SensorProxy" in net.hadess.SensorProxy.conf

  [ Marc Deslauriers ]
  * debian/control: added udev to Build-Depends.

 -- Marc Deslauriers <email address hidden> Tue, 28 Feb 2017 07:55:12 -0500

Changed in iio-sensor-proxy (Ubuntu Xenial):
status: Confirmed → Fix Released
Changed in iio-sensor-proxy (Ubuntu):
status: Confirmed → Fix Released
This report contains Public Security information