Simulate dbus method doesn't require authentication

Bug #1449587 reported by Marc Deslauriers
Affects: aptdaemon (Ubuntu)
Status: Fix Released
Importance: Critical
Assigned to: Michael Vogt

Bug Description

Reported via email from Tavis Ormandy:

-----

$ dbus-send --print-reply --system --dest=org.debian.apt
/org/debian/apt org.debian.apt.InstallFile string:/root/.bashrc
boolean:false
method return sender=:1.13166 -> dest=:1.13182 reply_serial=2
   string "/org/debian/apt/transaction/1804d9c8373b4a00a905b029ca18ce13"
$ dbus-send --print-reply --system --dest=org.debian.apt
/org/debian/apt/transaction/1804d9c8373b4a00a905b029ca18ce13
org.debian.apt.transaction.Simulate
Error org.debian.apt.TransactionFailed: error-invalid-package-file:
Lintian check results for /root/.bashrc:
warning: "/root/.bashrc" cannot be processed.

$ dbus-send --print-reply --system --dest=org.debian.apt
/org/debian/apt org.debian.apt.InstallFile string:/root/.bashrca
boolean:false
method return sender=:1.13166 -> dest=:1.13184 reply_serial=2
   string "/org/debian/apt/transaction/1a723099a3bb446c848dfcc46d0f5430"
$ dbus-send --print-reply --system --dest=org.debian.apt
/org/debian/apt/transaction/1a723099a3bb446c848dfcc46d0f5430
org.debian.apt.transaction.Simulate
Error org.debian.apt.TransactionFailed: error-unreadable-package-file:
/root/.bashrca

----

(mdeslaur): Not only does this expose the existence of arbitrary files, but it actually accesses them and processes untrusted packages.

Tags: patch
Marc Deslauriers (mdeslaur) wrote:

This is CVE-2015-1323

Michael Vogt (mvo)
Changed in aptdaemon (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
Changed in aptdaemon (Ubuntu):
assignee: nobody → Michael Vogt (mvo)
Michael Vogt (mvo) wrote:

Sorry that this has still not been done :( I will be on vac next week so it might be delayed even more. I will try to get to it tonight.

Marc Deslauriers (mdeslaur) wrote:

Is there any progress on this Michael?

Michael Vogt (mvo)
Changed in aptdaemon (Ubuntu):
status: Triaged → In Progress
Michael Vogt (mvo) wrote:

This might be sufficient, it's a bit ugly right now, should become a context manager:
with os.seteuid(trans.uid):
    ...
But should fix the issue that install-file can be used as an information leak.

Seth Arnold (seth-arnold) wrote:

I believe the improved patch just converts the issue into a race condition; the lintian run itself should probably also run with the privileges of the user that requested the simulation, no?

Thanks

Michael Vogt (mvo) wrote:

Thanks, Seth, for the review. The lintian code itself now runs as the user too (it was doing that before too, but the getgroup/setgroups were missing :( ). Feedback/review very welcome.
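The privilege drop Michael sketches above (seteuid to the requesting user, as a context manager) together with the supplementary-group handling Seth's review and the follow-up mention, written out as an added Python example; this is not aptdaemon's patch, and the names as_user, caller_can_read and demo are mine. The demo checks as the identity the process already runs as, so it works unprivileged and only performs a real uid switch when run as root.

```python
import os
import tempfile
from contextlib import contextmanager


@contextmanager
def as_user(uid, gid, groups):
    """Adopt the requesting user's effective uid/gid and supplementary
    groups, so the kernel checks file access with the caller's permissions
    rather than the daemon's root privileges. seteuid() keeps root as the
    saved uid: fine for an in-process check, but a child such as lintian
    should get a permanent setgroups()/setgid()/setuid() in preexec_fn.
    """
    saved_uid, saved_gid, saved_groups = os.geteuid(), os.getegid(), os.getgroups()
    try:
        # Groups first, while we still have the privilege to change them,
        # then gid, then uid. Skip setgroups() when nothing changes so the
        # no-op case also works when the daemon is not root.
        if sorted(saved_groups) != sorted(groups):
            os.setgroups(groups)
        os.setegid(gid)
        os.seteuid(uid)
        yield
    finally:
        # Restore in reverse order: uid first, which regains the right
        # to change gid and groups.
        os.seteuid(saved_uid)
        os.setegid(saved_gid)
        if sorted(os.getgroups()) != sorted(saved_groups):
            os.setgroups(saved_groups)

def caller_can_read(path, uid, gid, groups):
    """True only if the requesting user could open `path` themselves.
    Any error raised here (ENOENT, EACCES, ...) is what the caller would
    see from stat() as themselves, so root-only paths no longer leak.
    """
    with as_user(uid, gid, groups):
        try:
            with open(path, "rb"):
                return True
        except OSError:
            return False

def demo():
    # Constructed input: a readable temp file, then the same path after deletion.
    uid, gid, groups = os.geteuid(), os.getegid(), os.getgroups()
    with tempfile.NamedTemporaryFile() as f:
        readable = caller_can_read(f.name, uid, gid, groups)
    missing = caller_can_read(f.name, uid, gid, groups)  # deleted on close
    return readable, missing, os.geteuid() == uid
```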

Michael Vogt (mvo) wrote:

If the latest incarnation of the patch looks ok I will prepare debdiffs for aptdaemon.

Seth Arnold (seth-arnold) wrote:

Michael, I believe these patches address the issue; it seems ready to me to put together debdiffs for publishing.

However, I'm a little concerned about the get_uid_from_dbus_name() and related calls in aptdaemon/policykit1.py -- using pids alone to identify a process is racy. Pids plus spawn times are stable. Our auditing guide recommends using polkit_unix_process_new_for_owner() -- any idea if that's amenable to this file?

policykit1.py get_proc_info_from_dbus_name() also makes the assumption that process command lines can be parsed as UTF-8. How dire is the result of this routine crashing? I suspect it'll just be an inconvenience to the user, but I thought I should ask while we're here looking at it.

Thanks

Michael Vogt (mvo) wrote:

@Seth thanks for the review and the suggestions. I will look into whether polkit_unix_process_new_for_owner() can be used.

The backport for trusty and precise is also a bit more difficult due to source layout changes, I need to look into that next.

Marc Deslauriers (mdeslaur) wrote:

Hi Michael,

What's the status on these debdiffs?
Are they good to go, or do I simply need to add the missing py2 test to them?

Michael Vogt (mvo) wrote:

Hi Marc,

I think the diffs are good to go, but I would love to do a final regression test once this is built in a private PPA. Is it possible for me to get access to a private PPA so that I can do an end-to-end test before this gets published? Or will you do this anyway (a final test that regular packages still install via e.g. software-center and that regular local debs can be viewed/installed via the normal software-center)?

Marc Deslauriers (mdeslaur) wrote:

I have successfully tested the proposed debdiffs.

I will publish updates for this issue on 2015-06-16 17:00:00 UTC

Thanks!

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package aptdaemon - 1.1.1+bzr980-0ubuntu1.1

---------------
aptdaemon (1.1.1+bzr980-0ubuntu1.1) utopic-security; urgency=low

  * SECURITY UPDATE: information disclosure via simulate dbus method
    (LP: #1449587)
    - debian/patches/lp1449587.diff: drop privileges when running lintian,
      update tests.
    - CVE-2015-1323

 -- Michael Vogt <email address hidden> Fri, 29 May 2015 19:03:05 +0200

Changed in aptdaemon (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package aptdaemon - 0.43+bzr805-0ubuntu10

---------------
aptdaemon (0.43+bzr805-0ubuntu10) precise-security; urgency=low

  * SECURITY UPDATE: information disclosure via simulate dbus method
    (LP: #1449587)
    - debian/patches/lp1449587.diff: drop privileges when running lintian,
      update tests.
    - CVE-2015-1323

 -- Michael Vogt <email address hidden> Tue, 02 Jun 2015 09:01:58 +0200

Changed in aptdaemon (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package aptdaemon - 1.1.1+bzr982-0ubuntu3.1

---------------
aptdaemon (1.1.1+bzr982-0ubuntu3.1) vivid-security; urgency=low

  * SECURITY UPDATE: information disclosure via simulate dbus method
    (LP: #1449587)
    - debian/patches/lp1449587.diff: drop privileges when running lintian,
      update tests.
    - CVE-2015-1323

 -- Michael Vogt <email address hidden> Fri, 29 May 2015 19:00:31 +0200

Changed in aptdaemon (Ubuntu):
status: In Progress → Fix Released
information type: Private Security → Public Security
tags: added: patch
no longer affects: software-center-aptdaemon-plugins (Ubuntu)