[dbus-glib/f18] CVE-2013-0292

Colin Walters walters at fedoraproject.org
Wed Feb 20 14:21:42 UTC 2013 

commit 62e06795884b0653da2f72d59687e17677cc1922
Author: Colin Walters <walters at verbum.org>
Date:   Wed Feb 20 09:21:11 2013 -0500

    CVE-2013-0292
    
      Resolves: #911714

 ...92-dbus-gproxy-Verify-sender-of-NameOwner.patch |   51 ++++++++++++++++++++
 dbus-glib.spec                                     |    8 +++-
 2 files changed, 58 insertions(+), 1 deletions(-)
---
diff --git a/0001-CVE-2013-0292-dbus-gproxy-Verify-sender-of-NameOwner.patch b/0001-CVE-2013-0292-dbus-gproxy-Verify-sender-of-NameOwner.patch
new file mode 100644
index 0000000..b168d13
--- /dev/null
+++ b/0001-CVE-2013-0292-dbus-gproxy-Verify-sender-of-NameOwner.patch
@@ -0,0 +1,51 @@
+From 166978a09cf5edff4028e670b6074215a4c75eca Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters at verbum.org>
+Date: Thu, 14 Feb 2013 10:19:34 -0500
+Subject: [PATCH] CVE-2013-0292: dbus-gproxy: Verify sender of NameOwnerChanged signals to be o.f.DBus
+
+Anyone can hop on the bus and emit a signal whose interface is
+o.f.DBus; it's expected at the moments that clients (and notably DBus
+libraries) check the sender.
+
+This could previously be used to trick a system service using dbus-glib
+into thinking a malicious signal came from a privileged source, by
+claiming that ownership of the privileged source's well-known name had
+changed from the privileged source's real unique name to the attacker's
+unique name.
+
+[altered to be NULL-safe so it won't crash on peer connections -smcv]
+Signed-off-by: Simon McVittie <simon.mcvittie at collabora.co.uk>
+Reviewed-by: Simon McVittie <simon.mcvittie at collabora.co.uk>
+---
+ dbus/dbus-gproxy.c |    7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/dbus/dbus-gproxy.c b/dbus/dbus-gproxy.c
+index 2fc52f9..c3ae9ec 100644
+--- a/dbus/dbus-gproxy.c
++++ b/dbus/dbus-gproxy.c
+@@ -1250,8 +1250,11 @@ dbus_g_proxy_manager_filter (DBusConnection    *connection,
+       GSList *tmp;
+       const char *sender;
+ 
++      sender = dbus_message_get_sender (message);
++
+       /* First we handle NameOwnerChanged internally */
+-      if (dbus_message_is_signal (message,
++      if (g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0 &&
++	  dbus_message_is_signal (message,
+ 				  DBUS_INTERFACE_DBUS,
+ 				  "NameOwnerChanged"))
+ 	{
+@@ -1280,8 +1283,6 @@ dbus_g_proxy_manager_filter (DBusConnection    *connection,
+ 	    }
+ 	}
+ 
+-      sender = dbus_message_get_sender (message);
+-
+       /* dbus spec requires these, libdbus validates */
+       g_assert (dbus_message_get_path (message) != NULL);
+       g_assert (dbus_message_get_interface (message) != NULL);
+-- 
+1.7.1
+
diff --git a/dbus-glib.spec b/dbus-glib.spec
index 22348b8..b9b51c8 100644
--- a/dbus-glib.spec
+++ b/dbus-glib.spec
@@ -8,7 +8,7 @@
 Summary: GLib bindings for D-Bus
 Name: dbus-glib
 Version: 0.100
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: http://www.freedesktop.org/software/dbus/
 #VCS: git:git://git.freedesktop.org/git/dbus/dbus-glib
 Source0: http://dbus.freedesktop.org/releases/dbus-glib/%{name}-%{version}.tar.gz
@@ -23,6 +23,8 @@ BuildRequires: libxml2-devel
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: gettext
 
+Patch0: 0001-CVE-2013-0292-dbus-gproxy-Verify-sender-of-NameOwner.patch
+
 %description
 
 D-Bus add-on library to integrate the standard D-Bus library with
@@ -110,6 +112,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Wed Feb 20 2013 Colin Walters <walters at redhat.com> - 0.100-2
+- CVE-2013-0292
+  Resolves: #911714
+
 * Tue Jul 17 2012 Colin Walters <walters at verbum.org> - 0.100-1
 - Update to 0.100

More information about the scm-commits mailing list