Attachment 593003 Details for Bug 832532 – util: CVE-2012-2737: Validate SetIconFile caller over bus

[patch] util: CVE-2012-2737: Validate SetIconFile caller over bus

CVE-2012-2737.patch (text/plain), 3.41 KB, created by Ray Strode [halfline] on 2012-06-19 16:21:20 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Ray Strode [halfline]

Created: 2012-06-19 16:21:20 UTC

Size: 3.41 KB

patch

obsolete

>From 88f8be0320591e5600c13d1209ecd33fe4438a49 Mon Sep 17 00:00:00 2001
>From: Ray Strode <rstrode@redhat.com>
>Date: Tue, 19 Jun 2012 12:02:24 -0400
>Subject: [PATCH] util: CVE-2012-2737: Validate SetIconFile caller over bus
>
>The AccountsService SetIconFile call associates an icon
>with a user.
>
>This method allows users to have icons at the login screen,
>that don't necessarily originate in globally readable/always
>available locations.  This is accomplished by copying the
>originating icon to the local disk in /var.
>
>Since AccountsService runs with escalated privileges, the
>implemention of the SetIconFile method queres the callers
>uid, forks(), assumes that uid and performs the copy as if
>it were the user.
>
>Unfortunately, the UID look up peformed is done "just in time"
>instead of looking at peer credentials from the time the call
>was initiated. This is a race condition that means a caller
>could invoke the method call, quickly exec a setuid binary, and
>then cause the copy to be performed as the uid of the setuid
>process.
>
>This commit changes the uid look up logic, to query the system
>bus daemon for peer credentials it cached from the caller at the
>time of the call.
>---
> src/util.c |   37 ++++++++++++++++++++++++++-----------
> 1 file changed, 26 insertions(+), 11 deletions(-)
>
>diff --git a/src/util.c b/src/util.c
>index 66ddd98..9d9a402 100644
>--- a/src/util.c
>+++ b/src/util.c
>@@ -251,22 +251,37 @@ get_user_groups (const gchar  *user,
> 
> 
> gboolean
>-get_caller_uid (GDBusMethodInvocation *context, gint *uid)
>+get_caller_uid (GDBusMethodInvocation *context,
>+                gint                  *uid)
> {
>-        PolkitSubject *subject;
>-        PolkitSubject *process;
>+        GVariant      *reply;
>+        GError        *error;
>+
>+        error = NULL;
>+        reply = g_dbus_connection_call_sync (g_dbus_method_invocation_get_connection (context),
>+                                             "org.freedesktop.DBus",
>+                                             "/org/freedesktop/DBus",
>+                                             "org.freedesktop.DBus",
>+                                             "GetConnectionUnixUser",
>+                                             g_variant_new ("(s)",
>+                                                            g_dbus_method_invocation_get_sender (context)),
>+                                             G_VARIANT_TYPE ("(u)"),
>+                                             G_DBUS_CALL_FLAGS_NONE,
>+                                             -1,
>+                                             NULL,
>+                                             &error);
>+
>+        if (reply == NULL) {
>+                g_warning ("Could not talk to message bus to find pid of sender %s: %s",
>+                           g_dbus_method_invocation_get_sender (context),
>+                           error->message);
>+                g_error_free (error);
> 
>-        subject = polkit_system_bus_name_new (g_dbus_method_invocation_get_sender (context));
>-        process = polkit_system_bus_name_get_process_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, NULL);
>-        if (!process) {
>-                g_object_unref (subject);
>                 return FALSE;
>         }
> 
>-        *uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (process));
>-
>-        g_object_unref (subject);
>-        g_object_unref (process);
>+        g_variant_get (reply, "(u)", uid);
>+        g_variant_unref (reply);
> 
>         return TRUE;
> }
>-- 
>1.7.10.2
>

Actions: View | Diff

Attachments on bug 832532: 593003 | 593044