[Bug 616517] Re: CVE-2010-1172 dbus-glib: property access not validated

Bug Watch Updater 616517 at bugs.launchpad.net
Fri Oct 27 08:16:35 UTC 2017 

Launchpad has imported 9 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=585394.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2010-04-23T21:16:19+00:00 Colin wrote:

The desktop team recently discovered a flaw in dbus-glib where it didn't
respect the  "access" flag on properties specified.  Basically, core OS
services like NetworkManager which use dbus-glib were specifying e.g.
the "Ip4Address" as read-only for remote access, but in fact any process
could modify it.

I have a patch for dbus-glib (attached).  However, due to the nature of the way
dbus-glib works where at build time services generate a C data structure from
XML and embed it into their binary, affected services will need to be rebuilt
(though not patched).

This affected list is for F-12; I think for RHEL5 we just need dbus-glib
and NetworkManager.

KNOWN AFFECTED SERVICES:
* DeviceKit-Power
* NetworkManager
* ModemManager

KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
* ConsoleKit (it denies all Properties access using dbus policy)
* gdm (ditto)
* PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)

KNOWN NOT AFFECTED (because I audited them)
* gnome-panel (no dbus properties)
* gnome-system-monitor (ditto)

PROBABLY NOT AFFECTED
* hal (doesn't claim to handle org.freedesktop.DBus.Properties)
* polkit (uses eggdbus)
* rtkit (doesn't use dbus-glib)
* DeviceKit-disks (all its properties appear to be readonly)
* wpa_supplicant (doesn't implement Properties)
* upstart (doesn't use dbus-glib)

Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus-
glib/+bug/616517/comments/0

------------------------------------------------------------------------
On 2010-04-23T21:28:02+00:00 Colin wrote:

Created attachment 408742
respect property access flags

Note that affected services will need to be recompiled.

Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus-
glib/+bug/616517/comments/1

------------------------------------------------------------------------
On 2010-04-23T21:46:47+00:00 Vincent wrote:

This has been assigned CVE-2010-1172

Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus-
glib/+bug/616517/comments/2

------------------------------------------------------------------------
On 2010-04-27T20:46:43+00:00 Colin wrote:

Created attachment 409584
0001-Respect-property-access-flags-for-writing-allow-disa.patch

Updated patch; this one exercises the legacy disabled cased.

Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus-
glib/+bug/616517/comments/3

------------------------------------------------------------------------
On 2010-04-27T22:22:28+00:00 Dan wrote:

Latest patch appears to allow setting properties listed as 'access=read'
even though I"ve disabled legacy property access:

NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address  (is set 0)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)
NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address  (is set 1)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)
NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address  (is set 0)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)

but introspection/nm-device.xml lists Ip4Address as access=read.


Also, you can kill the:

  /* Try both forms of property names: "foo_bar" or "FooBar"; for historical
   * reasons we accept both.
   */
  if (object_info
      && !(property_info_from_object_info (object_info, wincaps_propiface, requested_propname, &access_type)

'object_info' check there now in check_property_access since there's a
check for if (!object_info) just above.

Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus-
glib/+bug/616517/comments/4

------------------------------------------------------------------------
On 2010-04-27T22:52:58+00:00 Dan wrote:

Nevermind about the Ip4Address thing, needed a clean rebuild locally.

So the latest patch looks good to me.

Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus-
glib/+bug/616517/comments/5

------------------------------------------------------------------------
On 2010-08-09T15:21:00+00:00 Colin wrote:

Created attachment 437622
patch against dbus-glib git master

This patch is rebased on dbus-glib git master as of today (commit
9440209e2).

Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus-
glib/+bug/616517/comments/6

------------------------------------------------------------------------
On 2010-08-10T16:07:50+00:00 Vincent wrote:

This is public now.

Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus-
glib/+bug/616517/comments/7

------------------------------------------------------------------------
On 2010-08-10T21:19:40+00:00 errata-xmlrpc wrote:

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0616 https://rhn.redhat.com/errata/RHSA-2010-0616.html

Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus-
glib/+bug/616517/comments/8


** Changed in: dbus-glib (Fedora)
       Status: Unknown => Fix Released

** Changed in: dbus-glib (Fedora)
   Importance: Unknown => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dbus-glib in Ubuntu.
https://bugs.launchpad.net/bugs/616517

Title:
  CVE-2010-1172 dbus-glib: property access not validated

Status in dbus-glib package in Ubuntu:
  Fix Released
Status in modemmanager package in Ubuntu:
  Fix Released
Status in network-manager package in Ubuntu:
  Fix Released
Status in dbus-glib source package in Lucid:
  Fix Released
Status in modemmanager source package in Lucid:
  Fix Released
Status in network-manager source package in Lucid:
  Fix Released
Status in dbus-glib source package in Hardy:
  Fix Released
Status in modemmanager source package in Hardy:
  Invalid
Status in network-manager source package in Hardy:
  Fix Released
Status in dbus-glib source package in Karmic:
  Won't Fix
Status in modemmanager source package in Karmic:
  Won't Fix
Status in network-manager source package in Karmic:
  Won't Fix
Status in dbus-glib package in Debian:
  Fix Released
Status in dbus-glib package in Fedora:
  Fix Released

Bug description:
  As also reported in RedHat:
  https://bugzilla.redhat.com/show_bug.cgi?id=585394

  A flaw was recently discovered in dbus-glib where it didn't
  respect the  "access" flag on properties specified.  Basically, core OS
  services like NetworkManager which use dbus-glib were specifying e.g. the
  "Ip4Address" as read-only for remote access, but in fact any process could
  modify it.

  A patch is available.  However, due to the nature of the way
  dbus-glib works where at build time services generate a C data structure from
  XML and embed it into their binary, affected services will need to be rebuilt
  (though not patched).

  KNOWN AFFECTED SERVICES:
  * DeviceKit-Power
  * NetworkManager
  * ModemManager

  KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
  * ConsoleKit (it denies all Properties access using dbus policy)
  * gdm (ditto)
  * PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)

  KNOWN NOT AFFECTED (because I audited them)
  * gnome-panel (no dbus properties)
  * gnome-system-monitor (ditto)

  PROBABLY NOT AFFECTED
  * hal (doesn't claim to handle org.freedesktop.DBus.Properties)
  * polkit (uses eggdbus)
  * rtkit (doesn't use dbus-glib)
  * DeviceKit-disks (all its properties appear to be readonly)
  * wpa_supplicant (doesn't implement Properties)
  * upstart (doesn't use dbus-glib)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus-glib/+bug/616517/+subscriptions

More information about the foundations-bugs mailing list