Bug 585394 (CVE-2010-1172) - CVE-2010-1172 dbus-glib: property access not validated
Summary: CVE-2010-1172 dbus-glib: property access not validated
Status: CLOSED ERRATA
Alias: CVE-2010-1172
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20100810,reported=20100423,sou...
Keywords: Security
Depends On: 585395 585396 588397 833887
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-04-23 21:16 UTC by Colin Walters
Modified: 2015-10-15 21:11 UTC (History)
11 users (show)

(edit)
Clone Of:
: 585395 (view as bug list)
(edit)
Last Closed: 2012-11-29 16:51:10 UTC


Attachments (Terms of Use)
respect property access flags (33.67 KB, patch)
2010-04-23 21:28 UTC, Colin Walters
no flags Details | Diff
0001-Respect-property-access-flags-for-writing-allow-disa.patch (41.65 KB, patch)
2010-04-27 20:46 UTC, Colin Walters
no flags Details | Diff
patch against dbus-glib git master (41.98 KB, patch)
2010-08-09 15:21 UTC, Colin Walters
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0616 normal SHIPPED_LIVE Moderate: dbus-glib security update 2010-08-10 21:19:32 UTC

Description Colin Walters 2010-04-23 21:16:19 UTC
The desktop team recently discovered a flaw in dbus-glib where it didn't respect the  "access" flag on properties specified.  Basically, core OS services like NetworkManager which use dbus-glib were specifying e.g. the "Ip4Address" as read-only for remote access, but in fact any process could modify it.

I have a patch for dbus-glib (attached).  However, due to the nature of the way
dbus-glib works where at build time services generate a C data structure from
XML and embed it into their binary, affected services will need to be rebuilt
(though not patched).

This affected list is for F-12; I think for RHEL5 we just need dbus-glib and NetworkManager.

KNOWN AFFECTED SERVICES:
* DeviceKit-Power
* NetworkManager
* ModemManager

KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
* ConsoleKit (it denies all Properties access using dbus policy)
* gdm (ditto)
* PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)

KNOWN NOT AFFECTED (because I audited them)
* gnome-panel (no dbus properties)
* gnome-system-monitor (ditto)

PROBABLY NOT AFFECTED
* hal (doesn't claim to handle org.freedesktop.DBus.Properties)
* polkit (uses eggdbus)
* rtkit (doesn't use dbus-glib)
* DeviceKit-disks (all its properties appear to be readonly)
* wpa_supplicant (doesn't implement Properties)
* upstart (doesn't use dbus-glib)

Comment 1 Colin Walters 2010-04-23 21:28:02 UTC
Created attachment 408742 [details]
respect property access flags

Note that affected services will need to be recompiled.

Comment 2 Vincent Danen 2010-04-23 21:46:47 UTC
This has been assigned CVE-2010-1172

Comment 6 Colin Walters 2010-04-27 20:46:43 UTC
Created attachment 409584 [details]
0001-Respect-property-access-flags-for-writing-allow-disa.patch

Updated patch; this one exercises the legacy disabled cased.

Comment 7 Dan Williams 2010-04-27 22:22:28 UTC
Latest patch appears to allow setting properties listed as 'access=read' even though I"ve disabled legacy property access:

NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address  (is set 0)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)
NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address  (is set 1)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)
NetworkManager: object_registration_message: prop lookup name 'ip4_address'
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address  (is set 0)
NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite)

but introspection/nm-device.xml lists Ip4Address as access=read.


Also, you can kill the:

  /* Try both forms of property names: "foo_bar" or "FooBar"; for historical
   * reasons we accept both.
   */
  if (object_info
      && !(property_info_from_object_info (object_info, wincaps_propiface, requested_propname, &access_type)

'object_info' check there now in check_property_access since there's a check for if (!object_info) just above.

Comment 8 Dan Williams 2010-04-27 22:52:58 UTC
Nevermind about the Ip4Address thing, needed a clean rebuild locally.

So the latest patch looks good to me.

Comment 26 Colin Walters 2010-08-09 15:21:00 UTC
Created attachment 437622 [details]
patch against dbus-glib git master

This patch is rebased on dbus-glib git master as of today (commit 9440209e2).

Comment 30 Vincent Danen 2010-08-10 16:07:50 UTC
This is public now.

Comment 31 errata-xmlrpc 2010-08-10 21:19:40 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0616 https://rhn.redhat.com/errata/RHSA-2010-0616.html


Note You need to log in before you can comment on or make changes to this bug.