current/SOURCES/dbus-glib-CVE-2013-0292.patch

From 166978a09cf5edff4028e670b6074215a4c75eca Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 14 Feb 2013 15:19:34 +0000
Subject: CVE-2013-0292: dbus-gproxy: Verify sender of NameOwnerChanged signals to be o.f.DBus

Anyone can hop on the bus and emit a signal whose interface is
o.f.DBus; it's expected at the moments that clients (and notably DBus
libraries) check the sender.

This could previously be used to trick a system service using dbus-glib
into thinking a malicious signal came from a privileged source, by
claiming that ownership of the privileged source's well-known name had
changed from the privileged source's real unique name to the attacker's
unique name.

[altered to be NULL-safe so it won't crash on peer connections -smcv]
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
---
diff --git a/dbus/dbus-gproxy.c b/dbus/dbus-gproxy.c
index 2fc52f9..c3ae9ec 100644
--- a/dbus/dbus-gproxy.c
+++ b/dbus/dbus-gproxy.c
@@ -1250,8 +1250,11 @@ dbus_g_proxy_manager_filter (DBusConnection    *connection,
       GSList *tmp;
       const char *sender;
 
+      sender = dbus_message_get_sender (message);
+
       /* First we handle NameOwnerChanged internally */
-      if (dbus_message_is_signal (message,
+      if (g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0 &&
+         dbus_message_is_signal (message,
                                  DBUS_INTERFACE_DBUS,
                                  "NameOwnerChanged"))
        {
@@ -1280,8 +1283,6 @@ dbus_g_proxy_manager_filter (DBusConnection    *connection,
            }
        }
 
-      sender = dbus_message_get_sender (message);
-
       /* dbus spec requires these, libdbus validates */
       g_assert (dbus_message_get_path (message) != NULL);
       g_assert (dbus_message_get_interface (message) != NULL);
--
cgit v0.9.0.2-2-gbebe
1	From 166978a09cf5edff4028e670b6074215a4c75eca Mon Sep 17 00:00:00 2001
2	From: Colin Walters <walters@verbum.org>
3	Date: Thu, 14 Feb 2013 15:19:34 +0000
4	Subject: CVE-2013-0292: dbus-gproxy: Verify sender of NameOwnerChanged signals to be o.f.DBus
5
6	Anyone can hop on the bus and emit a signal whose interface is
7	o.f.DBus; it's expected at the moments that clients (and notably DBus
8	libraries) check the sender.
9
10	This could previously be used to trick a system service using dbus-glib
11	into thinking a malicious signal came from a privileged source, by
12	claiming that ownership of the privileged source's well-known name had
13	changed from the privileged source's real unique name to the attacker's
14	unique name.
15
16	[altered to be NULL-safe so it won't crash on peer connections -smcv]
17	Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
18	Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
19	---
20	diff --git a/dbus/dbus-gproxy.c b/dbus/dbus-gproxy.c
21	index 2fc52f9..c3ae9ec 100644
22	--- a/dbus/dbus-gproxy.c
23	+++ b/dbus/dbus-gproxy.c
24	@@ -1250,8 +1250,11 @@ dbus_g_proxy_manager_filter (DBusConnection *connection,
25	GSList *tmp;
26	const char *sender;
27
28	+ sender = dbus_message_get_sender (message);
29	+
30	/* First we handle NameOwnerChanged internally */
31	- if (dbus_message_is_signal (message,
32	+ if (g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0 &&
33	+ dbus_message_is_signal (message,
34	DBUS_INTERFACE_DBUS,
35	"NameOwnerChanged"))
36	{
37	@@ -1280,8 +1283,6 @@ dbus_g_proxy_manager_filter (DBusConnection *connection,
38	}
39	}
40
41	- sender = dbus_message_get_sender (message);
42	-
43	/* dbus spec requires these, libdbus validates */
44	g_assert (dbus_message_get_path (message) != NULL);
45	g_assert (dbus_message_get_interface (message) != NULL);
46	--
47	cgit v0.9.0.2-2-gbebe