This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 585394 - (CVE-2010-1172) CVE-2010-1172 dbus-glib: property access not validated
CVE-2010-1172 dbus-glib: property access not validated
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
public=20100810,reported=20100423,sou...
: Security
Depends On: 585395 585396 588397 833887
Blocks:
  Show dependency treegraph
 
Reported: 2010-04-23 17:16 EDT by Colin Walters
Modified: 2015-10-15 17:11 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 585395 (view as bug list)
Environment:
Last Closed: 2012-11-29 11:51:10 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
respect property access flags (33.67 KB, patch)
2010-04-23 17:28 EDT, Colin Walters
no flags Details | Diff
0001-Respect-property-access-flags-for-writing-allow-disa.patch (41.65 KB, patch)
2010-04-27 16:46 EDT, Colin Walters
no flags Details | Diff
patch against dbus-glib git master (41.98 KB, patch)
2010-08-09 11:21 EDT, Colin Walters
no flags Details | Diff

  None (edit)
Description Colin Walters 2010-04-23 17:16:19 EDT
The desktop team recently discovered a flaw in dbus-glib where it didn't respect the  "access" flag on properties specified.  Basically, core OS services like NetworkManager which use dbus-glib were specifying e.g. the "Ip4Address" as read-only for remote access, but in fact any process could modify it.

I have a patch for dbus-glib (attached).  However, due to the nature of the way
dbus-glib works where at build time services generate a C data structure from
XML and embed it into their binary, affected services will need to be rebuilt
(though not patched).

This affected list is for F-12; I think for RHEL5 we just need dbus-glib and NetworkManager.

KNOWN AFFECTED SERVICES:
* DeviceKit-Power
* NetworkManager
* ModemManager

KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
* ConsoleKit (it denies all Properties access using dbus policy)
* gdm (ditto)
* PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)

KNOWN NOT AFFECTED (because I audited them)
* gnome-panel (no dbus properties)
* gnome-system-monitor (ditto)

PROBABLY NOT AFFECTED
* hal (doesn't claim to handle org.freedesktop.DBus.Properties)
* polkit (uses eggdbus)
* rtkit (doesn't use dbus-glib)
* DeviceKit-disks (all its properties appear to be readonly)
* wpa_supplicant (doesn't implement Properties)
* upstart (doesn't use dbus-glib)
Comment 1 Colin Walters 2010-04-23 17:28:02 EDT
Created attachment 408742 [details]
respect property access flags

Note that affected services will need to be recompiled.
Comment 2 Vincent Danen 2010-04-23 17:46:47 EDT
This has been assigned CVE-2010-1172
Comment 6 Colin Walters 2010-04-27 16:46:43 EDT
Created attachment 409584 [details]
0001-Respect-property-access-flags-for-writing-allow-disa.patch

Updated patch; this one exercises the legacy disabled cased.
Comment 7 Dan Williams 2010-04-27 18:22:28 EDT
Latest patch appears to allow setting properties listed as 'access=read' even though I"ve disabled legacy property access:

NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address  (is set 0)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)
NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address  (is set 1)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)
NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address  (is set 0)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)

but introspection/nm-device.xml lists Ip4Address as access=read.


Also, you can kill the:

  /* Try both forms of property names: "foo_bar" or "FooBar"; for historical
   * reasons we accept both.
   */
  if (object_info
      && !(property_info_from_object_info (object_info, wincaps_propiface, requested_propname, &access_type)

'object_info' check there now in check_property_access since there's a check for if (!object_info) just above.
Comment 8 Dan Williams 2010-04-27 18:52:58 EDT
Nevermind about the Ip4Address thing, needed a clean rebuild locally.

So the latest patch looks good to me.
Comment 26 Colin Walters 2010-08-09 11:21:00 EDT
Created attachment 437622 [details]
patch against dbus-glib git master

This patch is rebased on dbus-glib git master as of today (commit 9440209e2).
Comment 30 Vincent Danen 2010-08-10 12:07:50 EDT
This is public now.
Comment 31 errata-xmlrpc 2010-08-10 17:19:40 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0616 https://rhn.redhat.com/errata/RHSA-2010-0616.html

Note You need to log in before you can comment on or make changes to this bug.