[dbus/f18: 2/3] Revert "1:1.6.8-3"
Rex Dieter
rdieter at fedoraproject.org
Wed Nov 14 21:33:11 UTC 2012
commit 7ddd4da9c57fc143f633fb84b5a91cd6bbfb031f
Author: Rex Dieter <rdieter at fedoraproject.org>
Date: Wed Nov 14 15:32:25 2012 -0600
Revert "1:1.6.8-3"
This reverts commit bb4913459e4185b3909064ccee65c1392832ebaa.
...24-Don-t-access-environment-variables-or-.patch | 234 ++++++++++++++++++++
...n-dropping-capabilities-only-include-AUDI.patch | 37 +++
dbus-1.0.1-generate-xml-docs.patch | 11 +
dbus.spec | 28 +--
4 files changed, 293 insertions(+), 17 deletions(-)
---
diff --git a/0001-CVE-2012-3524-Don-t-access-environment-variables-or-.patch b/0001-CVE-2012-3524-Don-t-access-environment-variables-or-.patch
new file mode 100644
index 0000000..b449a70
--- /dev/null
+++ b/0001-CVE-2012-3524-Don-t-access-environment-variables-or-.patch
@@ -0,0 +1,234 @@
+From 450d975046bbd54271da62ce5fcbe50113f2e453 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters at verbum.org>
+Date: Wed, 22 Aug 2012 10:03:34 -0400
+Subject: [PATCH] CVE-2012-3524: Don't access environment variables or run
+ dbus-launch when setuid
+
+This matches a corresponding change in GLib. See
+glib/gutils.c:g_check_setuid().
+
+Some programs attempt to use libdbus when setuid; notably the X.org
+server is shipped in such a configuration. libdbus never had an
+explicit policy about its use in setuid programs.
+
+I'm not sure whether we should advertise such support. However, given
+that there are real-world programs that do this currently, we can make
+them safer with not too much effort.
+
+Better to fix a problem caused by an interaction between two
+components in *both* places if possible.
+
+How to determine whether or not we're running in a privilege-escalated
+path is operating system specific. Note that GTK+'s code to check
+euid versus uid worked historically on Unix, more modern systems have
+filesystem capabilities and SELinux domain transitions, neither of
+which are captured by the uid comparison.
+
+On Linux/glibc, the way this works is that the kernel sets an
+AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on
+startup. If found, then glibc sets a public-but-undocumented
+__libc_enable_secure variable which we can use. Unfortunately, while
+it *previously* worked to check this variable, a combination of newer
+binutils and RPM break it:
+http://www.openwall.com/lists/owl-dev/2012/08/14/1
+
+So for now on Linux/glibc, we fall back to the historical Unix version
+until we get glibc fixed.
+
+On some BSD variants, there is a issetugid() function. On other Unix
+variants, we fall back to what GTK+ has been doing.
+
+Reported-by: Sebastian Krahmer <krahmer at suse.de>
+Signed-off-by: Colin Walters <walters at verbum.org>
+---
+ configure.ac | 2 +-
+ dbus/dbus-keyring.c | 7 +++++
+ dbus/dbus-sysdeps-unix.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++
+ dbus/dbus-sysdeps-win.c | 6 ++++
+ dbus/dbus-sysdeps.c | 5 ++++
+ dbus/dbus-sysdeps.h | 1 +
+ 6 files changed, 94 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index e2c9bdf..b0f2ec2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -595,7 +595,7 @@ AC_DEFINE_UNQUOTED([DBUS_USE_SYNC], [$have_sync], [Use the gcc __sync extension]
+ AC_SEARCH_LIBS(socket,[socket network])
+ AC_CHECK_FUNC(gethostbyname,,[AC_CHECK_LIB(nsl,gethostbyname)])
+
+-AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull)
++AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull issetugid getresuid)
+
+ AC_CHECK_HEADERS([syslog.h])
+ if test "x$ac_cv_header_syslog_h" = "xyes"; then
+diff --git a/dbus/dbus-keyring.c b/dbus/dbus-keyring.c
+index 23b9df5..3b9ce31 100644
+--- a/dbus/dbus-keyring.c
++++ b/dbus/dbus-keyring.c
+@@ -717,6 +717,13 @@ _dbus_keyring_new_for_credentials (DBusCredentials *credentials,
+ DBusCredentials *our_credentials;
+
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
++
++ if (_dbus_check_setuid ())
++ {
++ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
++ "Unable to create DBus keyring when setuid");
++ return NULL;
++ }
+
+ keyring = NULL;
+ error_set = FALSE;
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+index cef8bd3..b4ecc96 100644
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -3434,6 +3434,13 @@ _dbus_get_autolaunch_address (const char *scope,
+ DBusString uuid;
+ dbus_bool_t retval;
+
++ if (_dbus_check_setuid ())
++ {
++ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
++ "Unable to autolaunch when setuid");
++ return FALSE;
++ }
++
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+ retval = FALSE;
+
+@@ -3551,6 +3558,13 @@ _dbus_lookup_launchd_socket (DBusString *socket_path,
+
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+
++ if (_dbus_check_setuid ())
++ {
++ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
++ "Unable to find launchd socket when setuid");
++ return FALSE;
++ }
++
+ i = 0;
+ argv[i] = "launchctl";
+ ++i;
+@@ -3591,6 +3605,13 @@ _dbus_lookup_session_address_launchd (DBusString *address, DBusError *error)
+ dbus_bool_t valid_socket;
+ DBusString socket_path;
+
++ if (_dbus_check_setuid ())
++ {
++ dbus_set_error_const (error, DBUS_ERROR_NOT_SUPPORTED,
++ "Unable to find launchd socket when setuid");
++ return FALSE;
++ }
++
+ if (!_dbus_string_init (&socket_path))
+ {
+ _DBUS_SET_OOM (error);
+@@ -4086,4 +4107,57 @@ _dbus_close_all (void)
+ close (i);
+ }
+
++/**
++ * **NOTE**: If you modify this function, please also consider making
++ * the corresponding change in GLib. See
++ * glib/gutils.c:g_check_setuid().
++ *
++ * Returns TRUE if the current process was executed as setuid (or an
++ * equivalent __libc_enable_secure is available). See:
++ * http://osdir.com/ml/linux.lfs.hardened/2007-04/msg00032.html
++ */
++dbus_bool_t
++_dbus_check_setuid (void)
++{
++ /* TODO: get __libc_enable_secure exported from glibc.
++ * See http://www.openwall.com/lists/owl-dev/2012/08/14/1
++ */
++#if 0 && defined(HAVE_LIBC_ENABLE_SECURE)
++ {
++ /* See glibc/include/unistd.h */
++ extern int __libc_enable_secure;
++ return __libc_enable_secure;
++ }
++#elif defined(HAVE_ISSETUGID)
++ /* BSD: http://www.freebsd.org/cgi/man.cgi?query=issetugid&sektion=2 */
++ return issetugid ();
++#else
++ uid_t ruid, euid, suid; /* Real, effective and saved user ID's */
++ gid_t rgid, egid, sgid; /* Real, effective and saved group ID's */
++
++ static dbus_bool_t check_setuid_initialised;
++ static dbus_bool_t is_setuid;
++
++ if (_DBUS_UNLIKELY (!check_setuid_initialised))
++ {
++#ifdef HAVE_GETRESUID
++ if (getresuid (&ruid, &euid, &suid) != 0 ||
++ getresgid (&rgid, &egid, &sgid) != 0)
++#endif /* HAVE_GETRESUID */
++ {
++ suid = ruid = getuid ();
++ sgid = rgid = getgid ();
++ euid = geteuid ();
++ egid = getegid ();
++ }
++
++ check_setuid_initialised = TRUE;
++ is_setuid = (ruid != euid || ruid != suid ||
++ rgid != egid || rgid != sgid);
++
++ }
++ return is_setuid;
++#endif
++}
++
+ /* tests in dbus-sysdeps-util.c */
+diff --git a/dbus/dbus-sysdeps-win.c b/dbus/dbus-sysdeps-win.c
+index 397520a..bc4951b 100644
+--- a/dbus/dbus-sysdeps-win.c
++++ b/dbus/dbus-sysdeps-win.c
+@@ -3632,6 +3632,12 @@ _dbus_path_is_absolute (const DBusString *filename)
+ return FALSE;
+ }
+
++dbus_bool_t
++_dbus_check_setuid (void)
++{
++ return FALSE;
++}
++
+ /** @} end of sysdeps-win */
+ /* tests in dbus-sysdeps-util.c */
+
+diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c
+index 861bfec..04fb8d7 100644
+--- a/dbus/dbus-sysdeps.c
++++ b/dbus/dbus-sysdeps.c
+@@ -182,6 +182,11 @@ _dbus_setenv (const char *varname,
+ const char*
+ _dbus_getenv (const char *varname)
+ {
++ /* Don't respect any environment variables if the current process is
++ * setuid. This is the equivalent of glibc's __secure_getenv().
++ */
++ if (_dbus_check_setuid ())
++ return NULL;
+ return getenv (varname);
+ }
+
+diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
+index 4052cda..eee9160 100644
+--- a/dbus/dbus-sysdeps.h
++++ b/dbus/dbus-sysdeps.h
+@@ -87,6 +87,7 @@ typedef struct DBusPipe DBusPipe;
+
+ void _dbus_abort (void) _DBUS_GNUC_NORETURN;
+
++dbus_bool_t _dbus_check_setuid (void);
+ const char* _dbus_getenv (const char *varname);
+ dbus_bool_t _dbus_setenv (const char *varname,
+ const char *value);
+--
+1.7.11.4
+
diff --git a/0001-selinux-when-dropping-capabilities-only-include-AUDI.patch b/0001-selinux-when-dropping-capabilities-only-include-AUDI.patch
new file mode 100644
index 0000000..e072b4b
--- /dev/null
+++ b/0001-selinux-when-dropping-capabilities-only-include-AUDI.patch
@@ -0,0 +1,37 @@
+From e1b83fb58eadfd02227673db9a7e2833d29b0c98 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart at poettering.net>
+Date: Mon, 23 Apr 2012 00:32:43 +0200
+Subject: [PATCH] selinux: when dropping capabilities only include AUDIT caps
+ if we have them
+
+When we drop capabilities we shouldn't assume we can keep
+CAP_AUDIT_WRITE unconditionally, since it will not be available when
+running in containers.
+
+This patch only adds CAP_AUDIT_WRITE to the list of caps we keep if we
+actually have it in the first place.
+
+This makes audit/selinux enabled D-Bus work in a Linux container.
+---
+ bus/selinux.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/bus/selinux.c b/bus/selinux.c
+index 36287e9..1bfc791 100644
+--- a/bus/selinux.c
++++ b/bus/selinux.c
+@@ -1053,8 +1053,9 @@ _dbus_change_to_daemon_user (const char *user,
+ int rc;
+
+ capng_clear (CAPNG_SELECT_BOTH);
+- capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+- CAP_AUDIT_WRITE);
++ if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))
++ capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
++ CAP_AUDIT_WRITE);
+ rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
+ if (rc)
+ {
+--
+1.7.10
+
diff --git a/dbus-1.0.1-generate-xml-docs.patch b/dbus-1.0.1-generate-xml-docs.patch
new file mode 100644
index 0000000..60598bc
--- /dev/null
+++ b/dbus-1.0.1-generate-xml-docs.patch
@@ -0,0 +1,11 @@
+--- dbus-1.0.1/Doxyfile.in.generate-xml-docs 2006-11-25 23:42:59.000000000 -0500
++++ dbus-1.0.1/Doxyfile.in 2006-11-25 23:43:12.000000000 -0500
+@@ -133,7 +133,7 @@
+ #---------------------------------------------------------------------------
+ # configuration options related to the XML output
+ #---------------------------------------------------------------------------
+-GENERATE_XML = NO
++GENERATE_XML = YES
+ #---------------------------------------------------------------------------
+ # Configuration options related to the preprocessor
+ #---------------------------------------------------------------------------
diff --git a/dbus.spec b/dbus.spec
index 3edd3de..ec88dd9 100644
--- a/dbus.spec
+++ b/dbus.spec
@@ -9,7 +9,7 @@ Summary: D-BUS message bus
Name: dbus
Epoch: 1
Version: 1.6.8
-Release: 3%{?dist}
+Release: 2%{?dist}
URL: http://www.freedesktop.org/software/dbus/
#VCS: git:git://git.freedesktop.org/git/dbus/dbus
Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz
@@ -33,7 +33,7 @@ Requires(post): systemd-units chkconfig
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires: libselinux >= %{libselinux_version}
-Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: dbus-libs = %{epoch}:%{version}-%{release}
Requires(pre): /usr/sbin/useradd
# Conflict with cups prior to configuration file change, so that the
@@ -59,7 +59,7 @@ This package contains lowlevel libraries for accessing D-BUS.
%package doc
Summary: Developer documentation for D-BUS
Group: Documentation
-Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: %name = %{epoch}:%{version}-%{release}
BuildArch: noarch
%description doc
@@ -69,7 +69,8 @@ other supporting documentation such as the introspect dtd file.
%package devel
Summary: Development files for D-BUS
Group: Development/Libraries
-Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %name = %{epoch}:%{version}-%{release}
+Requires: pkgconfig
%description devel
This package contains libraries and header files needed for
@@ -78,7 +79,7 @@ developing software that uses D-BUS.
%package x11
Summary: X11-requiring add-ons for D-BUS
Group: Development/Libraries
-Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %name = %{epoch}:%{version}-%{release}
%description x11
D-BUS contains some tools that require Xlib to be installed, those are
@@ -101,7 +102,7 @@ COMMON_ARGS="--enable-libaudit --enable-selinux=yes --with-init-scripts=redhat -
# leave verbose mode so people can debug their apps but make sure to
# turn it off on stable releases with --disable-verbose-mode
%configure $COMMON_ARGS --disable-tests --disable-asserts --enable-doxygen-docs --enable-xml-docs --with-systemdsystemunitdir=/lib/systemd/system/
-make %{?_smp_mflags} V=1
+make
%install
rm -rf %{buildroot}
@@ -200,7 +201,7 @@ fi
%files libs
%defattr(-,root,root,-)
-/%{_lib}/libdbus-1.so.3*
+/%{_lib}/*dbus-1*.so.*
%files x11
%defattr(-,root,root)
@@ -217,20 +218,13 @@ fi
%files devel
%defattr(-,root,root)
-/%{_lib}/libdbus-1.so
-%dir %{_libdir}/dbus-1.0/
+/%{_lib}/lib*.so
+%dir %{_libdir}/dbus-1.0
%{_libdir}/dbus-1.0/include/
%{_libdir}/pkgconfig/dbus-1.pc
-%{_includedir}/dbus-1.0/
+%{_includedir}/*
%changelog
-* Wed Nov 14 2012 Rex Dieter <rdieter at fedoraproject.org>
-- 1:1.6.8-3
-- %%build: verbose build, use %%_smp_mflags
-- %%files: tighten up, use less globs
-- tighten deps via %%_isa
-- drop old/unused patches
-
* Wed Oct 3 2012 Bill Nottingham <notting at redhat.com> - 1:1.6.8-2
- Drop systemd-sysv-convert in trigger, and resulting dependency (#852822)
More information about the scm-commits
mailing list