From 166978a09cf5edff4028e670b6074215a4c75eca Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Thu, 14 Feb 2013 10:19:34 -0500
Subject: [PATCH] CVE-2013-0292: dbus-gproxy: Verify sender of NameOwnerChanged signals to be o.f.DBus

Anyone can hop on the bus and emit a signal whose interface is o.f.DBus; it's expected at the moments that clients (and notably DBus libraries) check the sender. This could previously be used to trick a system service using dbus-glib into thinking a malicious signal came from a privileged source, by claiming that ownership of the privileged source's well-known name had changed from the privileged source's real unique name to the attacker's unique name.

[altered to be NULL-safe so it won't crash on peer connections -smcv]
Signed-off-by: Simon McVittie
Reviewed-by: Simon McVittie
---
 dbus/dbus-gproxy.c | 7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/dbus/dbus-gproxy.c b/dbus/dbus-gproxy.c
index 2fc52f9..c3ae9ec 100644
--- a/dbus/dbus-gproxy.c
+++ b/dbus/dbus-gproxy.c
@@ -1250,8 +1250,11 @@ dbus_g_proxy_manager_filter (DBusConnection *connection,
 GSList *tmp;
 const char *sender;
 
+ sender = dbus_message_get_sender (message);
+
 /* First we handle NameOwnerChanged internally */
- if (dbus_message_is_signal (message,
+ if (g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0 &&
+ dbus_message_is_signal (message,
 DBUS_INTERFACE_DBUS,
 "NameOwnerChanged"))
 {
@@ -1280,8 +1283,6 @@ dbus_g_proxy_manager_filter (DBusConnection *connection,
 }
 }
 
- sender = dbus_message_get_sender (message);
-
 /* dbus spec requires these, libdbus validates */
 g_assert (dbus_message_get_path (message) != NULL);
 g_assert (dbus_message_get_interface (message) != NULL);
-- 
1.7.1
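Review bot: The new `g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0` condition in the first hunk of `dbus_g_proxy_manager_filter` carries the whole fix, but the comment above it still only says "First we handle NameOwnerChanged internally", so the code does not record why the sender is compared or why a NULL-safe comparison is needed. I would extend that comment to something like `/* Only the bus driver (DBUS_SERVICE_DBUS) may announce NameOwnerChanged; any connection can set the interface, and sender is NULL on peer connections */`. The function body starts before and continues past both hunks, so it cannot be confirmed from here whether later code in the filter acts on other `DBUS_INTERFACE_DBUS` signals without an equivalent sender check; that is worth checking. A regression test that delivers a NameOwnerChanged whose sender is not the bus driver and asserts that the tracked name owner is unchanged would keep this check from being dropped in a later refactor.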