dbus_activation_systemd_failure: do not use non-literal format string

In principle this could lead to arbitrary memory overwrite via
a format string attack in the message received from systemd,
resulting in arbitrary code execution.

This is not believed to be an exploitable security vulnerability on the
system bus in practice: it can only be exploited by the owner of the
org.freedesktop.systemd1 bus name, which is restricted to uid 0, so
if systemd is attacker-controlled then the system is already doomed.
Similarly, if a systemd system unit mentioned in the activation failure
message has an attacker-controlled name, then the attacker likely already
has sufficient access to execute arbitrary code as root in any case.

However, prior to dbus 1.8.16 and 1.9.10, due to a missing check for
systemd's identity, unprivileged processes could forge activation
failure messages which would have gone through this code path.
We thought at the time that this was a denial of service vulnerability
(CVE-2015-0245); this bug means that it was in fact potentially an
arbitrary code execution vulnerability.

Bug found using -Wsuggest-attribute=format and -Wformat-security.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157

diff --git a/bus/activation.c b/bus/activation.c
index ecd19bb48d5a8a64f63dfe79d22a971d08242e3b..fb603467799e2ac058cdac5a3ed1dd1f3795b7f7 100644 (file)
--- a/bus/activation.c
+++ b/bus/activation.c
@@ -2249,7 +2249,7 @@ dbus_activation_systemd_failure (BusActivation *activation,
                              DBUS_TYPE_STRING, &code,
                              DBUS_TYPE_STRING, &str,
                              DBUS_TYPE_INVALID))
-    dbus_set_error(&error, code, str);
+    dbus_set_error (&error, code, "%s", str);
 
 
   if (unit)