Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Part of the D-Bus patch for CVE-2014-3639 was to reduce an arbitrary timeout to make denial of service more difficult. Unfortunately it seems to have caused failed or slow boot for some users, particularly on older or slower systems while doing an aggressively parallel boot: https://bugs.debian.org/769069

I would like to revert the problematic timeout change, and also add a syslog message when it is hit, so we can diagnose the problem. I'm also going to talk to the security team about reverting the timeout change for wheezy, and possibly adding the syslog message there too.

In addition, the upstream 1.8.x stable branch has a one-line fix for error reporting when security policy denies permission to receive a message, and some new notes about security contact points. I would like to release 1.8.12 with these in and upload that to Debian.

The final diff does not exist yet, but I intend it to be functionally equivalent to the attached (it will gain the usual version-bump / Autotools noise but shouldn't need code changes).

Permission to upload when ready?

Thanks,
S
diff --git a/HACKING b/HACKING index 8c993b6..2fed9e6 100644 --- a/HACKING +++ b/HACKING @@ -11,6 +11,11 @@ of patches, etc. should go there. Security === +If you find a security vulnerability that is not known to the public, +please report it privately to dbus-secur...@lists.freedesktop.org +or by reporting a freedesktop.org bug that is marked as +restricted to the "D-BUS security group". + Most of D-Bus is security sensitive. Guidelines related to that: - avoid memcpy(), sprintf(), strlen(), snprintf, strlcat(), diff --git a/NEWS b/NEWS index aa821fe..a58ad59 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,30 @@ +D-Bus 1.8.12 (UNRELEASED) +== + +Fixes: + +• Partially revert the CVE-2014-3639 patch by increasing the default + authentication timeout on the system bus from 5 seconds back to 30 + seconds, since this has been reported to cause boot regressions for + some users, mostly with parallel boot (systemd) on slower hardware. + + On fast systems where local users are considered particularly hostile, + administrators can return to the 5 second timeout (or any other value) + by writing this into /etc/dbus-1/system-local.conf: + + <busconfig> + <limit name="auth_timeout">5000</limit> + </busconfig> + + (fd.o #86431, Simon McVittie) + +• Add a message in syslog/the Journal when the auth_timeout is exceeded + (fd.o #86431, Simon McVittie) + +• Send back an AccessDenied error if the addressed recipient is not allowed + to receive a message (and in builds with assertions enabled, don't + assert under the same conditions). (fd.o #86194, Jacek Bukarewicz) + D-Bus 1.8.10 (2014-11-10) == diff --git a/README b/README index aea8330..0257e69 100644 --- a/README +++ b/README 
@@ -29,6 +29,25 @@ If your use-case isn't one of these, D-Bus may still be useful, but only by accident; so you should evaluate carefully whether D-Bus makes sense for your project. +Security +== + +If you find a security vulnerability that is not known to the public, +please report it privately to dbus-secur...@lists.freedesktop.org +or by reporting a freedesktop.org bug that is marked as +restricted to the "D-BUS security group" (you might need to "Show +Advanced Fields" to have that option). + +On Unix systems, the system bus (dbus-daemon --system) is designed +to be a security boundary between users with different privileges. + +On Unix systems, the session bus (dbus-daemon --session) is designed +to be used by a single user, and only accessible by that user. + +We do not currently consider D-Bus on Windows to be security-supported, +and we do not recommend allowing untrusted users to access Windows +D-Bus via TCP. + Note: low-level API vs. high-level binding APIs === diff --git a/bus/bus.c b/bus/bus.c index 47cc345..f0d980e 100644 --- a/bus/bus.c +++ b/bus/bus.c @@ -1660,7 +1660,7 @@ bus_context_check_security_policy (BusContext *context, complain_about_message (context, DBUS_ERROR_ACCESS_DENIED, "Rejected receive message", toggles, message, sender, proposed_recipient, requested_reply, - (addressed_recipient == proposed_recipient), NULL); + (addressed_recipient == proposed_recipient), error); _dbus_verbose ("security policy disallowing message due to recipient policy\n"); return FALSE; } diff --git a/bus/config-parser.c b/bus/config-parser.c index 7bc9c01..ee2d4e7 100644 --- a/bus/config-parser.c +++ b/bus/config-parser.c 
@@ -438,7 +438,7 @@ bus_config_parser_new (const DBusString *basedir, * and legitimate auth will fail. If interactive auth (ask user for * password) is allowed, then potentially it has to be quite long. */ - parser->limits.auth_timeout = 5000; /* 5 seconds */ + parser->limits.auth_timeout = 30000; /* 30 seconds */ /* Do not allow a fd to stay forever in dbus-daemon * https://bugs.freedesktop.org/show_bug.cgi?id=80559 diff --git a/bus/connection.c b/bus/connection.c index 519122c..7107434 100644 --- a/bus/connection.c +++ b/bus/connection.c @@ -860,6 +860,14 @@ bus_connections_expire_incomplete (BusConnections *connections) if (elapsed >= (double) auth_timeout) { + /* Unfortunately, we can't identify the connection: it doesn't + * have a unique name yet, we don't know its uid/pid yet, + * and so on. */ + bus_context_log (connections->context, DBUS_SYSTEM_LOG_INFO, + "Connection has not authenticated soon enough, closing it " + "(auth_timeout=%dms, elapsed: %.0fms)", + auth_timeout, elapsed); + _dbus_verbose ("Timing out authentication for connection %p\n", connection); dbus_connection_close (connection); } diff --git a/configure.ac b/configure.ac index df32f23..3727b1b 100644 --- a/configure.ac +++ b/configure.ac @@ -3,7 +3,7 @@ AC_PREREQ([2.63]) m4_define([dbus_major_version], [1]) m4_define([dbus_minor_version], [8]) -m4_define([dbus_micro_version], [10]) +m4_define([dbus_micro_version], [11]) m4_define([dbus_version], [dbus_major_version.dbus_minor_version.dbus_micro_version]) AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
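Review bot: the HACKING hunk and the README hunk describe the same private reporting channel but only the README copy carries the "Show Advanced Fields" hint needed to find the restricted-bug option; either add the same parenthetical to HACKING or have HACKING point at the README section so the two do not drift apart.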
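Review bot: in the bus/bus.c hunk, changing the last argument of complain_about_message() from NULL to `error` means the recipient-policy rejection now fills in the caller's DBusError, which is what the NEWS entry for fd.o #86194 promises; the remaining `return FALSE` paths of bus_context_check_security_policy() are outside this hunk and should be checked so that every one the caller expects to carry an error sets it exactly once, since libdbus treats setting an already-set DBusError as a programming error.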
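Review bot: the bus/config-parser.c hunk restores `parser->limits.auth_timeout = 30000` but the surrounding comment still only explains the interactive-auth case; add a sentence saying that 5000 was the CVE-2014-3639 hardening value, that it was reverted because of boot regressions on slow parallel-boot systems, and that `<limit name="auth_timeout">` in /etc/dbus-1/system-local.conf is the supported way to lower it again, so the next person does not re-tighten it without that context.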
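Review bot: the new bus_context_log() call in bus_connections_expire_incomplete() emits one DBUS_SYSTEM_LOG_INFO line per expired connection with no rate limiting, and connections that never finish authenticating are exactly what a CVE-2014-3639-style flood of half-open connections produces, so this turns a bus-level DoS into a syslog/Journal flood as well; consider counting expirations and logging at most once per interval. Since the comment says the peer cannot be identified yet, printing the `connection` pointer that the adjacent _dbus_verbose() line already uses would at least let the two log lines be correlated.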
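Review bot: the configure.ac hunk sets dbus_micro_version to 11 while the NEWS hunk announces "D-Bus 1.8.12 (UNRELEASED)"; this matches the odd-micro development-snapshot convention, but the cover note says the final diff will only gain version-bump noise, so make sure the uploaded package is built from the 1.8.12 bump rather than the 1.8.11 snapshot, otherwise the version the package reports will not match the NEWS entry it ships.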