From 91ec6a05612492b845c8cbde3ad42b29569fe7af Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Fri, 7 Oct 2016 19:13:01 +0100 Subject: [PATCH] dbus_activation_systemd_failure: do not use non-literal format string In principle this could lead to arbitrary memory overwrite via a format string attack in the message received from systemd, resulting in arbitrary code execution. This is not believed to be an exploitable security vulnerability on the system bus in practice: it can only be exploited by the owner of the org.freedesktop.systemd1 bus name, which is restricted to uid 0, so if systemd is attacker-controlled then the system is already doomed. Similarly, if a systemd system unit mentioned in the activation failure message has an attacker-controlled name, then the attacker likely already has sufficient access to execute arbitrary code as root in any case. However, prior to dbus 1.8.16 and 1.9.10, due to a missing check for systemd's identity, unprivileged processes could forge activation failure messages which would have gone through this code path. We thought at the time that this was a denial of service vulnerability (CVE-2015-0245); this bug means that it was in fact potentially an arbitrary code execution vulnerability. Bug found using -Wsuggest-attribute=format and -Wformat-security. Signed-off-by: Simon McVittie Reviewed-by: Colin Walters Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157 --- bus/activation.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bus/activation.c b/bus/activation.c index 2c5ef9d..1e59190 100644 --- a/bus/activation.c +++ b/bus/activation.c @@ -2222,7 +2222,7 @@ dbus_activation_systemd_failure (BusActivation *activation, DBUS_TYPE_STRING, &code, DBUS_TYPE_STRING, &str, DBUS_TYPE_INVALID)) - dbus_set_error(&error, code, str); + dbus_set_error (&error, code, "%s", str); if (unit) -- 2.9.3
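Review bot: The one-line change in bus/activation.c is the right fix, since `str` comes straight out of the message received from systemd and must never be interpreted as a format string; passing it as the `%s` argument makes the format literal and the message content inert. Two follow-ups worth raising: first, `code` is also taken from the same message and is passed through as the error name, so it is worth confirming that the caller validates it as a well-formed error name before it reaches `dbus_set_error`; second, since the commit message says the bug was found with -Wsuggest-attribute=format and -Wformat-security, it would be good to make sure `dbus_set_error` carries a printf-style format attribute (and that the build enables -Wformat-security) so any other call site passing a non-literal format is reported rather than silently accepted. The whitespace change from `dbus_set_error(` to `dbus_set_error (` matches the spacing convention of the surrounding code and is fine.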