From 166978a09cf5edff4028e670b6074215a4c75eca Mon Sep 17 00:00:00 2001 |
From: Colin Walters <walters@verbum.org> |
Date: Thu, 14 Feb 2013 15:19:34 +0000 |
Subject: CVE-2013-0292: dbus-gproxy: Verify sender of NameOwnerChanged signals to be o.f.DBus |
|
Anyone can hop on the bus and emit a signal whose interface is |
o.f.DBus; it's expected at the moment that clients (and notably DBus |
libraries) check the sender. |
|
This could previously be used to trick a system service using dbus-glib |
into thinking a malicious signal came from a privileged source, by |
claiming that ownership of the privileged source's well-known name had |
changed from the privileged source's real unique name to the attacker's |
unique name. |
|
[altered to be NULL-safe so it won't crash on peer connections -smcv] |
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> |
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk> |
--- |
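diff --git a/dbus/dbus-gproxy.c b/dbus/dbus-gproxy.c
index 2fc52f9..c3ae9ec 100644
--- a/dbus/dbus-gproxy.c
+++ b/dbus/dbus-gproxy.c
@@ -1250,8 +1250,11 @@ dbus_g_proxy_manager_filter (DBusConnection *connection,
 GSList *tmp;
 const char *sender;
 
+ sender = dbus_message_get_sender (message);
+
 /* First we handle NameOwnerChanged internally */
- if (dbus_message_is_signal (message,
+ if (g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0 &&
+ dbus_message_is_signal (message,
 DBUS_INTERFACE_DBUS,
 "NameOwnerChanged"))
 {
@@ -1280,8 +1283,6 @@ dbus_g_proxy_manager_filter (DBusConnection *connection,
 }
 }
 
- sender = dbus_message_get_sender (message);
-
 /* dbus spec requires these, libdbus validates */
 g_assert (dbus_message_get_path (message) != NULL);
 g_assert (dbus_message_get_interface (message) != NULL);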
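Review bot: The sender comparison added to the `if` in the first hunk has no comment, so its security rationale lives only in the commit message and a later cleanup could drop `g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0` as redundant with the interface test. I would put above it `/* Any peer can emit a signal with interface o.f.DBus; only trust NameOwnerChanged from the bus driver itself (CVE-2013-0292). sender may be NULL on peer connections, hence g_strcmp0. */`. A NameOwnerChanged message that fails the check now falls through to the generic signal handling after the second hunk; that looks intended, but it should be confirmed against the rest of dbus_g_proxy_manager_filter, whose body starts and ends outside these hunks. If other o.f.DBus signals are acted on elsewhere in this file, they would need the same sender check.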
-- |
cgit v0.9.0.2-2-gbebe |