CVE-2010-1172 dbus-glib: property access not validated

Bug #616517 reported by Mathieu Trudel-Lapierre
This bug affects 1 person
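| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| dbus-glib (Debian) | Fix Released | Unknown | | |
| dbus-glib (Fedora) | Fix Released | Medium | | |
| dbus-glib (Ubuntu) | Fix Released | Medium | Unassigned | |
| dbus-glib (Ubuntu Hardy) | Fix Released | Medium | Jamie Strandboge | |
| dbus-glib (Ubuntu Karmic) | Won't Fix | Medium | Unassigned | |
| dbus-glib (Ubuntu Lucid) | Fix Released | Medium | Jamie Strandboge | |
| modemmanager (Ubuntu) | Fix Released | Undecided | Unassigned | |
| modemmanager (Ubuntu Hardy) | Invalid | Undecided | Unassigned | |
| modemmanager (Ubuntu Karmic) | Won't Fix | Undecided | Unassigned | |
| modemmanager (Ubuntu Lucid) | Fix Released | Undecided | Jamie Strandboge | |
| network-manager (Ubuntu) | Fix Released | Undecided | Unassigned | |
| network-manager (Ubuntu Hardy) | Fix Released | Undecided | Jamie Strandboge | |
| network-manager (Ubuntu Karmic) | Won't Fix | Undecided | Unassigned | |
| network-manager (Ubuntu Lucid) | Fix Released | Undecided | Jamie Strandboge | |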

Bug Description

As also reported in Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=585394

A flaw was recently discovered in dbus-glib where it didn't
respect the "access" flag on properties specified. Basically, core OS
services like NetworkManager which use dbus-glib were specifying e.g. the
"Ip4Address" as read-only for remote access, but in fact any process could
modify it.

A patch is available. However, due to the nature of the way
dbus-glib works where at build time services generate a C data structure from
XML and embed it into their binary, affected services will need to be rebuilt
(though not patched).

KNOWN AFFECTED SERVICES:
* DeviceKit-Power
* NetworkManager
* ModemManager

KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
* ConsoleKit (it denies all Properties access using dbus policy)
* gdm (ditto)
* PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)

KNOWN NOT AFFECTED (because I audited them)
* gnome-panel (no dbus properties)
* gnome-system-monitor (ditto)

PROBABLY NOT AFFECTED
* hal (doesn't claim to handle org.freedesktop.DBus.Properties)
* polkit (uses eggdbus)
* rtkit (doesn't use dbus-glib)
* DeviceKit-disks (all its properties appear to be readonly)
* wpa_supplicant (doesn't implement Properties)
* upstart (doesn't use dbus-glib)
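
A simplified model of the write check the fix is described as adding (an added example, not dbus-glib's own code): a Set is allowed only when the property is listed for the interface and declared writable, and both the `foo_bar` and `FooBar` name forms quoted in the review comments are accepted. The table, `set_allowed`, `to_wincaps` and the `org.example.Sample` interface are hypothetical names used for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { ACCESS_READ = 1, ACCESS_WRITE = 2 };   /* model of the XML access flag */
struct prop_info { const char *iface, *name; int access; };

/* Constructed table standing in for the build-time data generated from XML. */
static const struct prop_info sample_props[] = {
    { "org.freedesktop.NetworkManager.Device", "Ip4Address", ACCESS_READ },
    { "org.example.Sample", "ManagedFlag", ACCESS_READ | ACCESS_WRITE }, /* hypothetical */
};
#define N_SAMPLE (sizeof sample_props / sizeof sample_props[0])

/* "foo_bar" -> "FooBar"; a name already in "FooBar" form is unchanged. */
static void to_wincaps(const char *in, char *out)
{
    bool upper = true;
    for (; *in; in++) {
        if (*in == '_') { upper = true; continue; }
        *out++ = upper ? (char)toupper((unsigned char)*in) : *in;
        upper = false;
    }
    *out = '\0';
}

/* Allow Set only if the property is listed for this interface AND writable. */
static bool set_allowed(const struct prop_info *tbl, size_t n,
                        const char *iface, const char *requested)
{
    char wincaps[128];
    if (strlen(requested) >= sizeof wincaps)
        return false;                       /* oversized name: deny */
    to_wincaps(requested, wincaps);
    for (size_t i = 0; i < n; i++) {
        if (strcmp(tbl[i].iface, iface) != 0)
            continue;
        if (strcmp(tbl[i].name, requested) == 0 || strcmp(tbl[i].name, wincaps) == 0)
            return (tbl[i].access & ACCESS_WRITE) != 0;
    }
    return false;                           /* not listed in the XML: deny */
}

int main(void)
{
    const char *dev = "org.freedesktop.NetworkManager.Device";
    printf("Set Ip4Address:  %d\n", set_allowed(sample_props, N_SAMPLE, dev, "Ip4Address"));
    printf("Set ip4_address: %d\n", set_allowed(sample_props, N_SAMPLE, dev, "ip4_address"));
    return 0;
}
```
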

In , Colin (colin-redhat-bugs) wrote :

The desktop team recently discovered a flaw in dbus-glib where it didn't respect the "access" flag on properties specified. Basically, core OS services like NetworkManager which use dbus-glib were specifying e.g. the "Ip4Address" as read-only for remote access, but in fact any process could modify it.

I have a patch for dbus-glib (attached). However, due to the nature of the way
dbus-glib works where at build time services generate a C data structure from
XML and embed it into their binary, affected services will need to be rebuilt
(though not patched).

This affected list is for F-12; I think for RHEL5 we just need dbus-glib and NetworkManager.

KNOWN AFFECTED SERVICES:
* DeviceKit-Power
* NetworkManager
* ModemManager

KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
* ConsoleKit (it denies all Properties access using dbus policy)
* gdm (ditto)
* PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)

KNOWN NOT AFFECTED (because I audited them)
* gnome-panel (no dbus properties)
* gnome-system-monitor (ditto)

PROBABLY NOT AFFECTED
* hal (doesn't claim to handle org.freedesktop.DBus.Properties)
* polkit (uses eggdbus)
* rtkit (doesn't use dbus-glib)
* DeviceKit-disks (all its properties appear to be readonly)
* wpa_supplicant (doesn't implement Properties)
* upstart (doesn't use dbus-glib)

In , Colin (colin-redhat-bugs) wrote :

Created attachment 408742
respect property access flags

Note that affected services will need to be recompiled.

In , Vincent (vincent-redhat-bugs) wrote :

This has been assigned CVE-2010-1172

In , Colin (colin-redhat-bugs) wrote :

Created attachment 409584
0001-Respect-property-access-flags-for-writing-allow-disa.patch

Updated patch; this one exercises the legacy disabled case.

In , Dan (dan-redhat-bugs) wrote :

Latest patch appears to allow setting properties listed as 'access=read' even though I've disabled legacy property access:

NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (is set 0)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)
NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (is set 1)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)
NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (is set 0)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)

but introspection/nm-device.xml lists Ip4Address as access=read.

Also, you can kill the:

  /* Try both forms of property names: "foo_bar" or "FooBar"; for historical
   * reasons we accept both.
   */
  if (object_info
      && !(property_info_from_object_info (object_info, wincaps_propiface, requested_propname, &access_type)

'object_info' check there now in check_property_access since there's a check for if (!object_info) just above.

In , Dan (dan-redhat-bugs) wrote :

Never mind about the Ip4Address thing, needed a clean rebuild locally.

So the latest patch looks good to me.

In , Colin (colin-redhat-bugs) wrote :

Created attachment 437622
patch against dbus-glib git master

This patch is rebased on dbus-glib git master as of today (commit 9440209e2).

In , Vincent (vincent-redhat-bugs) wrote :

This is public now.

In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0616 https://rhn.redhat.com/errata/RHSA-2010-0616.html

visibility: private → public
Changed in dbus-glib (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in dbus-glib (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus-glib - 0.88-2

---------------
dbus-glib (0.88-2) unstable; urgency=medium

  * Re-upload to unstable, with release team acknowledgement for squeeze

dbus-glib (0.88-1) experimental; urgency=low

  [ Sjoerd Simons ]
  * debian/control: Move packaging from svn to git
  * debian/rules, debian/libdbus-glib-1-2-dbg.links:
    - Don't symlink the dbg doc directory to the main packages one, it's too
      brittle and doesn't win much
  * debian/control, debian/update-patches.mk
    - Copy patch updating script from pkg-telepathy
  * debian/patches/0001-Fix-lookup-of-regular-properties-when-shadow-propert.patch
    - Fix crash when using shadow properties (from upstream git)

  [ Simon McVittie ]
  * New upstream version
    - fixes CVE-2010-1172, unvalidated property access (Closes: #592753,
      LP: #616517)
    - drop the patch Sjoerd added, which is included in the upstream release
    - update symbols file for new ABI (some of which is part of the security
      bugfix)
    - mark dbus_g_object_type_install_info as requiring a dependency on this
      version, because it will be "version 1" instead of "version 0" object
      info for anything compiled against this version
 -- Sebastien Bacher <email address hidden> Tue, 17 Aug 2010 11:22:07 +0100

Changed in dbus-glib (Ubuntu):
status: Fix Committed → Fix Released
Sebastien Bacher (seb128) wrote :

 dbus-glib (0.88-1) experimental; urgency=low

   [ Sjoerd Simons ]
   * debian/control: Move packaging from svn to git
   * debian/rules, debian/libdbus-glib-1-2-dbg.links:
     - Don't symlink the dbg doc directory to the main packages one, it's too
       brittle and doesn't win much
   * debian/control, debian/update-patches.mk
     - Copy patch updating script from pkg-telepathy
   * debian/patches/0001-Fix-lookup-of-regular-properties-when-shadow-propert.patch
     - Fix crash when using shadow properties (from upstream git)

   [ Simon McVittie ]
   * New upstream version
     - fixes CVE-2010-1172, unvalidated property access (Closes: #592753,
       LP: #616517)
     - drop the patch Sjoerd added, which is included in the upstream release
     - update symbols file for new ABI (some of which is part of the security
       bugfix)
     - mark dbus_g_object_type_install_info as requiring a dependency on this
       version, because it will be "version 1" instead of "version 0" object
       info for anything compiled against this version

Changed in dbus-glib (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in dbus-glib (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in dbus-glib (Ubuntu Karmic):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. Karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug is
being marked "Won't Fix". Please see this document for currently
supported Ubuntu releases: https://wiki.ubuntu.com/Releases

Please feel free to report any other bugs you may find.

Changed in dbus-glib (Ubuntu Karmic):
status: In Progress → Won't Fix
Changed in dbus-glib (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in dbus-glib (Ubuntu Hardy):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus-glib - 0.84-1ubuntu0.2

---------------
dbus-glib (0.84-1ubuntu0.2) lucid-security; urgency=low

  * SECURITY UPDATE: fix to honor access flag on specified properties
   - debian/patches/01-CVE-2010-1172.patch: don't allow Set/write calls for
     readonly properties, or properties not listed in the XML
   - CVE-2010-1172
   - LP: #616517
 -- Jamie Strandboge <email address hidden> Wed, 25 May 2011 15:46:32 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus-glib - 0.74-2ubuntu0.1

---------------
dbus-glib (0.74-2ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: fix to honor access flag on specified properties
   - debian/patches/02-CVE-2010-1172.patch: don't allow Set/write calls for
     readonly properties, or properties not listed in the XML
   - debian/patches/03-CVE-2010-1172-tests.patch: backport test cases
   - CVE-2010-1172
   - LP: #616517
  * debian/control: Build-Depends on libexpat1-dev
 -- Jamie Strandboge <email address hidden> Tue, 24 May 2011 15:48:55 -0500

Changed in dbus-glib (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in dbus-glib (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in dbus-glib (Ubuntu Karmic):
assignee: Jamie Strandboge (jdstrand) → nobody
Jamie Strandboge (jdstrand) wrote :

network-manager and modemmanager have to be rebuilt to incorporate the changes to dbus-glib.

Changed in modemmanager (Ubuntu):
status: New → Fix Released
Changed in network-manager (Ubuntu):
status: New → Fix Released
Changed in network-manager (Ubuntu Karmic):
status: New → Won't Fix
Changed in modemmanager (Ubuntu Karmic):
status: New → Won't Fix
Changed in modemmanager (Ubuntu Lucid):
status: New → Fix Released
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in modemmanager (Ubuntu Hardy):
status: New → Fix Released
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in network-manager (Ubuntu Lucid):
status: New → Fix Released
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in network-manager (Ubuntu Hardy):
status: New → Fix Released
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in modemmanager (Ubuntu Hardy):
status: Fix Released → Invalid
assignee: Jamie Strandboge (jdstrand) → nobody
Jamie Strandboge (jdstrand) wrote :
Changed in dbus-glib (Debian):
status: Unknown → Fix Released
Changed in dbus-glib (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
