From 166978a09cf5edff4028e670b6074215a4c75eca Mon Sep 17 00:00:00 2001

From: Colin Walters <walters@verbum.org>

Date: Thu, 14 Feb 2013 10:19:34 -0500

Subject: [PATCH] CVE-2013-0292: dbus-gproxy: Verify sender of NameOwnerChanged signals to be o.f.DBus

Anyone can hop on the bus and emit a signal whose interface is

o.f.DBus; it's expected at the moments that clients (and notably DBus

libraries) check the sender.

This could previously be used to trick a system service using dbus-glib

into thinking a malicious signal came from a privileged source, by

claiming that ownership of the privileged source's well-known name had

changed from the privileged source's real unique name to the attacker's

unique name.

[altered to be NULL-safe so it won't crash on peer connections -smcv]

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

---

 dbus/dbus-gproxy.c |    7 ++++---

 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/dbus/dbus-gproxy.c b/dbus/dbus-gproxy.c

index 2fc52f9..c3ae9ec 100644

--- a/dbus/dbus-gproxy.c

+++ b/dbus/dbus-gproxy.c

@@ -1250,8 +1250,11 @@ dbus_g_proxy_manager_filter (DBusConnection    *connection,

       GSList *tmp;

       const char *sender;

+      sender = dbus_message_get_sender (message);

+

       /* First we handle NameOwnerChanged internally */

-      if (dbus_message_is_signal (message,

+      if (g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0 &&

+	  dbus_message_is_signal (message,

 				  DBUS_INTERFACE_DBUS,

 				  "NameOwnerChanged"))

 	{

@@ -1280,8 +1283,6 @@ dbus_g_proxy_manager_filter (DBusConnection    *connection,

 	    }

 	}

-      sender = dbus_message_get_sender (message);

-

       /* dbus spec requires these, libdbus validates */

       g_assert (dbus_message_get_path (message) != NULL);

       g_assert (dbus_message_get_interface (message) != NULL);

-- 

1.7.1