Bug 585394 (CVE-2010-1172)

Summary: CVE-2010-1172 dbus-glib: property access not validated
Product: [Other] Security Response Reporter: Colin Walters <walters>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: antillon.maurizio, bressers, dcbw, eren, hui.zhu, jlieskov, linux, security-response-team, thomas, vdanen, walters
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 585395 (view as bug list) Environment:
Last Closed: 2012-11-29 16:51:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 585395, 585396, 588397, 833887    
Bug Blocks:    
Attachments:
Description Flags
respect property access flags
none
0001-Respect-property-access-flags-for-writing-allow-disa.patch
none
patch against dbus-glib git master none

Description Colin Walters 2010-04-23 21:16:19 UTC 
The desktop team recently discovered a flaw in dbus-glib where it didn't respect the  "access" flag on properties specified.  Basically, core OS services like NetworkManager which use dbus-glib were specifying e.g. the "Ip4Address" as read-only for remote access, but in fact any process could modify it.

I have a patch for dbus-glib (attached).  However, due to the nature of the way
dbus-glib works where at build time services generate a C data structure from
XML and embed it into their binary, affected services will need to be rebuilt
(though not patched).

This affected list is for F-12; I think for RHEL5 we just need dbus-glib and NetworkManager.

KNOWN AFFECTED SERVICES:
* DeviceKit-Power
* NetworkManager
* ModemManager

KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
* ConsoleKit (it denies all Properties access using dbus policy)
* gdm (ditto)
* PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)

KNOWN NOT AFFECTED (because I audited them)
* gnome-panel (no dbus properties)
* gnome-system-monitor (ditto)

PROBABLY NOT AFFECTED
* hal (doesn't claim to handle org.freedesktop.DBus.Properties)
* polkit (uses eggdbus)
* rtkit (doesn't use dbus-glib)
* DeviceKit-disks (all its properties appear to be readonly)
* wpa_supplicant (doesn't implement Properties)
* upstart (doesn't use dbus-glib)
Comment 1 Colin Walters 2010-04-23 21:28:02 UTC 
Created attachment 408742 [details]
respect property access flags

Note that affected services will need to be recompiled.
Comment 2 Vincent Danen 2010-04-23 21:46:47 UTC 
This has been assigned CVE-2010-1172
Comment 6 Colin Walters 2010-04-27 20:46:43 UTC 
Created attachment 409584 [details]
0001-Respect-property-access-flags-for-writing-allow-disa.patch

Updated patch; this one exercises the legacy disabled cased.
Comment 7 Dan Williams 2010-04-27 22:22:28 UTC 
Latest patch appears to allow setting properties listed as 'access=read' even though I"ve disabled legacy property access:

NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address  (is set 0)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)
NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address  (is set 1)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)
NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address  (is set 0)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)

but introspection/nm-device.xml lists Ip4Address as access=read.


Also, you can kill the:

  /* Try both forms of property names: "foo_bar" or "FooBar"; for historical
   * reasons we accept both.
   */
  if (object_info
      && !(property_info_from_object_info (object_info, wincaps_propiface, requested_propname, &access_type)

'object_info' check there now in check_property_access since there's a check for if (!object_info) just above.
Comment 8 Dan Williams 2010-04-27 22:52:58 UTC 
Nevermind about the Ip4Address thing, needed a clean rebuild locally.

So the latest patch looks good to me.
Comment 26 Colin Walters 2010-08-09 15:21:00 UTC 
Created attachment 437622 [details]
patch against dbus-glib git master

This patch is rebased on dbus-glib git master as of today (commit 9440209e2).
Comment 30 Vincent Danen 2010-08-10 16:07:50 UTC 
This is public now.
Comment 31 errata-xmlrpc 2010-08-10 21:19:40 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0616 https://rhn.redhat.com/errata/RHSA-2010-0616.html