Red Hat Bugzilla – Attachment 593003 Details for Bug 832532 (CVE-2012-2737 accountsservice: local file disclosure flaw)
[patch] util: CVE-2012-2737: Validate SetIconFile caller over bus
CVE-2012-2737.patch (text/plain), 3.41 KB, created by Ray Strode [halfline] on 2012-06-19 16:21:20 UTC
>From 88f8be0320591e5600c13d1209ecd33fe4438a49 Mon Sep 17 00:00:00 2001 >From: Ray Strode <rstrode@redhat.com> >Date: Tue, 19 Jun 2012 12:02:24 -0400 >Subject: [PATCH] util: CVE-2012-2737: Validate SetIconFile caller over bus > >The AccountsService SetIconFile call associates an icon >with a user. > >This method allows users to have icons at the login screen, >that don't necessarily originate in globally readable/always >available locations. This is accomplished by copying the >originating icon to the local disk in /var. > >Since AccountsService runs with escalated privileges, the >implemention of the SetIconFile method queres the callers >uid, forks(), assumes that uid and performs the copy as if >it were the user. > >Unfortunately, the UID look up peformed is done "just in time" >instead of looking at peer credentials from the time the call >was initiated. This is a race condition that means a caller >could invoke the method call, quickly exec a setuid binary, and >then cause the copy to be performed as the uid of the setuid >process. > >This commit changes the uid look up logic, to query the system >bus daemon for peer credentials it cached from the caller at the >time of the call. >--- > src/util.c | 37 ++++++++++++++++++++++++++----------- > 1 file changed, 26 insertions(+), 11 deletions(-) > >diff --git a/src/util.c b/src/util.c >index 66ddd98..9d9a402 100644 >--- a/src/util.c >+++ b/src/util.c 
>@@ -251,22 +251,37 @@ get_user_groups (const gchar *user, > > > gboolean >-get_caller_uid (GDBusMethodInvocation *context, gint *uid) >+get_caller_uid (GDBusMethodInvocation *context, >+ gint *uid) > { >- PolkitSubject *subject; >- PolkitSubject *process; >+ GVariant *reply; >+ GError *error; >+ >+ error = NULL; >+ reply = g_dbus_connection_call_sync (g_dbus_method_invocation_get_connection (context), >+ "org.freedesktop.DBus", >+ "/org/freedesktop/DBus", >+ "org.freedesktop.DBus", >+ "GetConnectionUnixUser", >+ g_variant_new ("(s)", >+ g_dbus_method_invocation_get_sender (context)), >+ G_VARIANT_TYPE ("(u)"), >+ G_DBUS_CALL_FLAGS_NONE, >+ -1, >+ NULL, >+ &error); >+ >+ if (reply == NULL) { >+ g_warning ("Could not talk to message bus to find pid of sender %s: %s", >+ g_dbus_method_invocation_get_sender (context), >+ error->message); >+ g_error_free (error); > >- subject = polkit_system_bus_name_new (g_dbus_method_invocation_get_sender (context)); >- process = polkit_system_bus_name_get_process_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, NULL); >- if (!process) { >- g_object_unref (subject); > return FALSE; > } > >- *uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (process)); >- >- g_object_unref (subject); >- g_object_unref (process); >+ g_variant_get (reply, "(u)", uid); >+ g_variant_unref (reply); > > return TRUE; > } >-- >1.7.10.2 >
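Review bot: In get_caller_uid, the call g_variant_get (reply, "(u)", uid) writes an unsigned 32-bit value through the gint *uid parameter, so the format string and the pointer type disagree. Unpack into a local guint32 and assign it to *uid, or make the parameter unsigned, so the conversion is explicit and checked by the compiler. In the reply == NULL branch the warning says "find pid of sender" although the request is GetConnectionUnixUser, a uid lookup; reword it so the log matches the call that failed. The bus call also passes -1 as the timeout with G_DBUS_CALL_FLAGS_NONE, and a short comment stating why a blocking call is acceptable here would help later readers.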