CVE-2008-0595 dbus security policy circumvention

* CVE-2008-0595 - security policy of the type <allow send_interface=
  "some.interface.WithMethods"/> work as an implicit allow for
  messages sent without an interface bypassing the default deny rules
  and potentially allowing restricted methods exported on the bus to be
  executed by unauthorized users.  This patch fixes the issue.
* bus/policy.c (bus_client_policy_check_can_send,
  bus_client_policy_check_can_receive): skip messages without an
  interface when evaluating an allow rule, and thus pass it to the
  default deny rules

diff --git a/ChangeLog b/ChangeLog
index e4a3237426ec95cdbd6d3fb312cb3ee8e4d2df0d..4b68cb3796b190fb763b035698d4dfc4ccaed3ca 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2008-02-26  John (J5) Palmieri  <johnp@redhat.com>
+
+       * CVE-2008-0595 - security policy of the type <allow send_interface=
+         "some.interface.WithMethods"/> work as an implicit allow for
+         messages sent without an interface bypassing the default deny rules
+         and potentially allowing restricted methods exported on the bus to be
+         executed by unauthorized users.  This patch fixes the issue.
+       * bus/policy.c (bus_client_policy_check_can_send,
+         bus_client_policy_check_can_receive): skip messages without an 
+         interface when evaluating an allow rule, and thus pass it to the
+         default deny rules
+
 2008-02-26  John (J5) Palmieri  <johnp@redhat.com>
 
        * correctly unref connections without guids during shutdown

diff --git a/bus/policy.c b/bus/policy.c
index 383b2b185e980d72450995733dd59bcc4b0630da..caa544e7a4f041e0cc9b250dc8c814a7b06e927b 100644 (file)
--- a/bus/policy.c
+++ b/bus/policy.c
@@ -942,9 +942,19 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
       
       if (rule->d.send.interface != NULL)
         {
-          if (dbus_message_get_interface (message) != NULL &&
-              strcmp (dbus_message_get_interface (message),
-                      rule->d.send.interface) != 0)
+          /* The interface is optional in messages. For allow rules, if the message
+           * has no interface we want to skip the rule (and thus not allow);
+           * for deny rules, if the message has no interface we want to use the
+           * rule (and thus deny).
+           */
+          dbus_bool_t no_interface;
+
+          no_interface = dbus_message_get_interface (message) == NULL;
+          
+          if ((no_interface && rule->allow) ||
+              (!no_interface && 
+               strcmp (dbus_message_get_interface (message),
+                       rule->d.send.interface) != 0))
             {
               _dbus_verbose ("  (policy) skipping rule for different interface\n");
               continue;
@@ -1128,9 +1138,19 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
       
       if (rule->d.receive.interface != NULL)
         {
-          if (dbus_message_get_interface (message) != NULL &&
-              strcmp (dbus_message_get_interface (message),
-                      rule->d.receive.interface) != 0)
+          /* The interface is optional in messages. For allow rules, if the message
+           * has no interface we want to skip the rule (and thus not allow);
+           * for deny rules, if the message has no interface we want to use the
+           * rule (and thus deny).
+           */
+          dbus_bool_t no_interface;
+
+          no_interface = dbus_message_get_interface (message) == NULL;
+          
+          if ((no_interface && rule->allow) ||
+              (!no_interface &&
+               strcmp (dbus_message_get_interface (message),
+                       rule->d.receive.interface) != 0))
             {
               _dbus_verbose ("  (policy) skipping rule for different interface\n");
               continue;