diff -pruN 0.20.0-1/debian/changelog 0.20.0-1ubuntu0.1/debian/changelog --- 0.20.0-1/debian/changelog 2020-04-26 07:53:08.000000000 +0000 +++ 0.20.0-1ubuntu0.1/debian/changelog 2020-10-29 17:53:06.000000000 +0000 @@ -1,3 +1,41 @@ +spice-vdagent (0.20.0-1ubuntu0.1) groovy-security; urgency=medium + + * SECURITY UPDATE: Memory DoS via Arbitrary Entries in active_xfers Hash + Table + - debian/patches/CVE-2020-25650-1.patch: avoid agents allocating file + transfers in src/vdagentd/vdagentd.c. + - debian/patches/CVE-2020-25650-2.patch: avoid uncontrolled + active_xfers allocations in src/vdagentd/vdagentd.c. + - CVE-2020-25650 + * SECURITY UPDATE: Possible File Transfer DoS and Information Leak via + active_xfers Hash Map + - debian/patches/CVE-2020-25651-1.patch: cleanup active_xfers when the + client disconnects in src/vdagentd/vdagentd.c. + - debian/patches/CVE-2020-25651-2.patch: do not allow using an already + used file-xfer id in src/vdagentd/vdagentd.c. + - CVE-2020-25651 + * SECURITY UPDATE: Possibility to Exhaust File Descriptors in vdagentd + - debian/patches/CVE-2020-25652-1.patch: avoid unlimited agent + connections in src/udscs.c. + - debian/patches/CVE-2020-25652-2.patch: limit number of agents per + session to 1 in src/vdagentd/vdagentd.c. + - CVE-2020-25652 + * SECURITY UPDATE: UNIX Domain Socket Peer PID Retrieved via SO_PEERCRED + is Subject to Race Condition + - debian/patches/CVE-2020-25653-1.patch: avoid user session hijacking + in src/vdagent-connection.c, src/vdagent-connection.h, + src/vdagentd/vdagentd.c. + - debian/patches/CVE-2020-25653-2.patch: better check for sessions in + src/vdagentd/console-kit.c, src/vdagentd/dummy-session-info.c, + src/vdagentd/session-info.h, src/vdagentd/systemd-login.c, + src/vdagentd/vdagentd.c. + - CVE-2020-25653 + * Additional fixes: + - debian/patches/CVE-2020-2565x-1.patch: avoid calling chmod in + src/vdagentd/vdagentd.c. + + -- Marc Deslauriers Thu, 29 Oct 2020 13:53:06 -0400 + spice-vdagent (0.20.0-1) unstable; urgency=medium * Team upload. diff -pruN 0.20.0-1/debian/control 0.20.0-1ubuntu0.1/debian/control --- 0.20.0-1/debian/control 2020-04-26 07:53:08.000000000 +0000 +++ 0.20.0-1ubuntu0.1/debian/control 2020-10-29 17:53:06.000000000 +0000 @@ -1,6 +1,7 @@ Source: spice-vdagent Priority: optional -Maintainer: Liang Guo +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Liang Guo Build-Depends: autoconf, automake, debhelper (>= 12), diff -pruN 0.20.0-1/debian/patches/CVE-2020-25650-1.patch 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25650-1.patch --- 0.20.0-1/debian/patches/CVE-2020-25650-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25650-1.patch 2020-10-29 17:47:55.000000000 +0000 @@ -0,0 +1,78 @@ +From e4a5f60ecbb0248159bc915613359d8f45b49134 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Sat, 19 Sep 2020 15:13:42 +0100 +Subject: [PATCH 02/10] Avoids unchecked file transfer IDs allocation and usage + +Avoid agents allocating file transfers. +The "active_xfers" entries are now inserted when client start sending +files. +Also different agents cannot mess with other agent transfers as a +transfer is bound to a single agent. + +This issue was reported by SUSE security team. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/vdagentd/vdagentd.c | 28 ++++++++++++++++++++++------ + 1 file changed, 22 insertions(+), 6 deletions(-) + +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -373,9 +373,11 @@ static void do_client_file_xfer(VirtioPo + s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0); + return; + } +- udscs_write(active_session_conn, VDAGENTD_FILE_XFER_START, 0, 0, +- data, message_header->size); +- return; ++ msg_type = VDAGENTD_FILE_XFER_START; ++ id = s->id; ++ // associate the id with the active connection ++ g_hash_table_insert(active_xfers, GUINT_TO_POINTER(id), active_session_conn); ++ break; + } + case VD_AGENT_FILE_XFER_STATUS: { + VDAgentFileXferStatusMessage *s = (VDAgentFileXferStatusMessage *)data; +@@ -400,6 +402,12 @@ static void do_client_file_xfer(VirtioPo + return; + } + udscs_write(conn, msg_type, 0, 0, data, message_header->size); ++ ++ // client told that transfer is ended, agents too stop the transfer ++ // and release resources ++ if (message_header->type == VD_AGENT_FILE_XFER_STATUS) { ++ g_hash_table_remove(active_xfers, GUINT_TO_POINTER(id)); ++ } + } + + static void forward_data_to_session_agent(uint32_t type, uint8_t *data, size_t size) +@@ -1007,6 +1015,15 @@ static void do_agent_file_xfer_status(Ud + const gchar *log_msg = NULL; + guint data_size = 0; + ++ UdscsConnection *task_conn = g_hash_table_lookup(active_xfers, task_id); ++ if (task_conn == NULL || task_conn != conn) { ++ // Protect against misbehaving agent. ++ // Ignore the message, but do not disconnect the agent, to protect against ++ // a misbehaving client that tries to disconnect a good agent ++ // e.g. by sending a new task and immediately cancelling it. ++ return; ++ } ++ + /* header->arg1 = file xfer task id, header->arg2 = file xfer status */ + switch (header->arg2) { + case VD_AGENT_FILE_XFER_STATUS_NOT_ENOUGH_SPACE: +@@ -1021,10 +1038,9 @@ static void do_agent_file_xfer_status(Ud + send_file_xfer_status(virtio_port, log_msg, header->arg1, header->arg2, + data, data_size); + +- if (header->arg2 == VD_AGENT_FILE_XFER_STATUS_CAN_SEND_DATA) +- g_hash_table_insert(active_xfers, task_id, conn); +- else ++ if (header->arg2 != VD_AGENT_FILE_XFER_STATUS_CAN_SEND_DATA) { + g_hash_table_remove(active_xfers, task_id); ++ } + } + + static void agent_read_complete(UdscsConnection *conn, diff -pruN 0.20.0-1/debian/patches/CVE-2020-25650-2.patch 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25650-2.patch --- 0.20.0-1/debian/patches/CVE-2020-25650-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25650-2.patch 2020-10-29 17:53:06.000000000 +0000 @@ -0,0 +1,48 @@ +Backport of: + +From 53a5266e90ea09a5522f5ed867150a75c74052c3 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Fri, 2 Oct 2020 12:27:59 +0100 +Subject: [PATCH 03/10] Avoids uncontrolled "active_xfers" allocations + +Limit the number of active file transfers possibly causing DoSes +consuming memory in "active_xfers". + +This issue was reported by SUSE security team. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/vdagentd/vdagentd.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -46,6 +46,14 @@ + + #define DEFAULT_UINPUT_DEVICE "/dev/uinput" + ++// Maximum number of transfers active at any time. ++// Avoid DoS from client. ++// As each transfer could likely end up taking a file descriptor ++// it is good to have a limit less than the number of file descriptors ++// in the process (by default 1024). The daemon do not open file ++// descriptors for the transfers but the agents do. ++#define MAX_ACTIVE_TRANSFERS 128 ++ + struct agent_data { + char *session; + int width; +@@ -372,6 +380,12 @@ static void do_client_file_xfer(VirtioPo + "Cancelling client file-xfer request %u", + s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0); + return; ++ } else if (g_hash_table_size(active_xfers) >= MAX_ACTIVE_TRANSFERS) { ++ send_file_xfer_status(vport, ++ "Too many transfers ongoing. " ++ "Cancelling client file-xfer request %u", ++ s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, NULL, 0); ++ return; + } + msg_type = VDAGENTD_FILE_XFER_START; + id = s->id; diff -pruN 0.20.0-1/debian/patches/CVE-2020-25651-1.patch 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25651-1.patch --- 0.20.0-1/debian/patches/CVE-2020-25651-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25651-1.patch 2020-10-29 17:48:08.000000000 +0000 @@ -0,0 +1,21 @@ +From 2e7760735696beab903d14bfe17202d60dd3b043 Mon Sep 17 00:00:00 2001 +From: Uri Lublin +Date: Wed, 7 Oct 2020 19:34:57 +0300 +Subject: [PATCH 08/10] cleanup active_xfers when the client disconnects + +Signed-off-by: Uri Lublin +Acked-by: Frediano Ziglio +--- + src/vdagentd/vdagentd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -160,6 +160,7 @@ static void send_capabilities(VirtioPort + + static void do_client_disconnect(void) + { ++ g_hash_table_remove_all(active_xfers); + if (client_connected) { + udscs_server_write_all(server, VDAGENTD_CLIENT_DISCONNECTED, 0, 0, + NULL, 0); diff -pruN 0.20.0-1/debian/patches/CVE-2020-25651-2.patch 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25651-2.patch --- 0.20.0-1/debian/patches/CVE-2020-25651-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25651-2.patch 2020-10-29 17:53:06.000000000 +0000 @@ -0,0 +1,28 @@ +From c120b431b7ccda0a0a1076e31f2f1367dbee656f Mon Sep 17 00:00:00 2001 +From: Uri Lublin +Date: Sun, 11 Oct 2020 20:59:17 +0300 +Subject: [PATCH 09/10] vdagentd: do not allow to use an already used file-xfer + id + +Signed-off-by: Uri Lublin +Acked-by: Frediano Ziglio +--- + src/vdagentd/vdagentd.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -387,6 +387,13 @@ static void do_client_file_xfer(VirtioPo + "Cancelling client file-xfer request %u", + s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, NULL, 0); + return; ++ } else if (g_hash_table_lookup(active_xfers, GUINT_TO_POINTER(s->id)) != NULL) { ++ // id is already used -- client is confused ++ send_file_xfer_status(vport, ++ "File transfer ID is already used. " ++ "Cancelling client file-xfer request %u", ++ s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, NULL, 0); ++ return; + } + msg_type = VDAGENTD_FILE_XFER_START; + id = s->id; diff -pruN 0.20.0-1/debian/patches/CVE-2020-25652-1.patch 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25652-1.patch --- 0.20.0-1/debian/patches/CVE-2020-25652-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25652-1.patch 2020-10-29 17:48:16.000000000 +0000 @@ -0,0 +1,50 @@ +From e0ba1d640e2cac883ed1a0065aaea8764501b07c Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Sun, 20 Sep 2020 08:05:37 +0100 +Subject: [PATCH 04/10] Avoids unlimited agent connections + +Limit the number of agents that can be connected. +Avoids reaching the maximum number of files in a process. +Beside one file descriptor per agent the daemon open just some +other fixed number of files. + +This issue was reported by SUSE security team. + +Signed-off-by: Frediano Ziglio +--- + src/udscs.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/udscs.c b/src/udscs.c +index 7c99eed..3df67b3 100644 +--- a/src/udscs.c ++++ b/src/udscs.c +@@ -30,6 +30,12 @@ + #include "vdagentd-proto-strings.h" + #include "vdagent-connection.h" + ++// Maximum number of connected agents. ++// Avoid DoS from agents. ++// As each connection end up taking a file descriptor is good to have a limit ++// less than the number of file descriptors in the process (by default 1024). ++#define MAX_CONNECTED_AGENTS 128 ++ + struct _UdscsConnection { + VDAgentConnection parent_instance; + int debug; +@@ -254,6 +260,12 @@ static gboolean udscs_server_accept_cb(GSocketService *service, + struct udscs_server *server = user_data; + UdscsConnection *new_conn; + ++ /* prevents DoS having too many agents attached */ ++ if (g_list_length(server->connections) >= MAX_CONNECTED_AGENTS) { ++ syslog(LOG_ERR, "Too many agents connected"); ++ return TRUE; ++ } ++ + new_conn = g_object_new(UDSCS_TYPE_CONNECTION, NULL); + new_conn->debug = server->debug; + new_conn->read_callback = server->read_callback; +-- +2.28.0 + diff -pruN 0.20.0-1/debian/patches/CVE-2020-25652-2.patch 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25652-2.patch --- 0.20.0-1/debian/patches/CVE-2020-25652-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25652-2.patch 2020-10-29 17:53:06.000000000 +0000 @@ -0,0 +1,53 @@ +Backport of: + +From cb15e7c8052cae75272bbd0d6a5cac37efa360f8 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Thu, 24 Sep 2020 12:13:44 +0100 +Subject: [PATCH 07/10] vdagentd: Limit number of agents per session to 1 + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/vdagentd/vdagentd.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -959,6 +959,20 @@ static gboolean check_uid_of_pid(pid_t p + return TRUE; + } + ++/* Check if this connection matches the passed session */ ++static int connection_matches_session(UdscsConnection *conn, void *priv) ++{ ++ const char *session = priv; ++ const struct agent_data *agent_data = g_object_get_data(G_OBJECT(conn), "agent_data"); ++ ++ if (!agent_data || !agent_data->session || ++ strcmp(agent_data->session, session) != 0) { ++ return 0; ++ } ++ ++ return 1; ++} ++ + static void agent_connect(UdscsConnection *conn) + { + struct agent_data *agent_data; +@@ -997,6 +1011,16 @@ static void agent_connect(UdscsConnectio + udscs_server_destroy_connection(server, conn); + return; + } ++ ++ // Check there are no other connection for this session ++ // Note that "conn" is not counted as "agent_data" is still not attached to it ++ if (udscs_server_for_all_clients(server, connection_matches_session, ++ agent_data->session) > 0) { ++ syslog(LOG_ERR, "An agent is already connected for this session"); ++ g_free(agent_data); ++ udscs_server_destroy_connection(server, conn); ++ return; ++ } + } + + g_object_set_data(G_OBJECT(conn), "agent_data", agent_data); diff -pruN 0.20.0-1/debian/patches/CVE-2020-25653-1.patch 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25653-1.patch --- 0.20.0-1/debian/patches/CVE-2020-25653-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25653-1.patch 2020-10-29 17:53:06.000000000 +0000 @@ -0,0 +1,136 @@ +Backport of: + +From 9d011f9787e93e3ceb5541ddcb242f5fba9ac2e6 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Sun, 20 Sep 2020 08:06:16 +0100 +Subject: [PATCH 05/10] Avoids user session hijacking + +Avoids user hijacking sessions by reusing PID. +In theory an attacker could: +- open a connection to the daemon; +- fork and exit the process but keep the file descriptor open + (inheriting or duplicating it in forked process); +- force OS to recycle the initial PID, by creating many short lived + processes. +Daemon would detect the old PID as having the new session. +Check the user to avoid such replacements. + +This issue was reported by SUSE security team. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/vdagent-connection.c | 13 +++++++------ + src/vdagent-connection.h | 13 +++++++++---- + src/vdagentd/vdagentd.c | 31 +++++++++++++++++++++++++++---- + 3 files changed, 43 insertions(+), 14 deletions(-) + +--- a/src/vdagent-connection.c ++++ b/src/vdagent-connection.c +@@ -142,24 +142,25 @@ void vdagent_connection_destroy(gpointer + g_object_unref(self); + } + +-gint vdagent_connection_get_peer_pid(VDAgentConnection *self, +- GError **err) ++PidUid vdagent_connection_get_peer_pid_uid(VDAgentConnection *self, ++ GError **err) + { + VDAgentConnectionPrivate *priv = vdagent_connection_get_instance_private(self); + GSocket *sock; + GCredentials *cred; +- gint pid = -1; ++ PidUid pid_uid = { -1, -1 }; + +- g_return_val_if_fail(G_IS_SOCKET_CONNECTION(priv->io_stream), pid); ++ g_return_val_if_fail(G_IS_SOCKET_CONNECTION(priv->io_stream), pid_uid); + + sock = g_socket_connection_get_socket(G_SOCKET_CONNECTION(priv->io_stream)); + cred = g_socket_get_credentials(sock, err); + if (cred) { +- pid = g_credentials_get_unix_pid(cred, NULL); ++ pid_uid.pid = g_credentials_get_unix_pid(cred, err); ++ pid_uid.uid = g_credentials_get_unix_user(cred, err); + g_object_unref(cred); + } + +- return pid; ++ return pid_uid; + } + + /* Performs single write operation, +--- a/src/vdagent-connection.h ++++ b/src/vdagent-connection.h +@@ -92,10 +92,15 @@ void vdagent_connection_write(VDAgentCon + /* Synchronously write all queued messages to the output stream. */ + void vdagent_connection_flush(VDAgentConnection *self); + +-/* Returns the PID of the foreign process connected to the socket +- * or -1 with @err set. */ +-gint vdagent_connection_get_peer_pid(VDAgentConnection *self, +- GError **err); ++typedef struct PidUid { ++ pid_t pid; ++ uid_t uid; ++} PidUid; ++ ++/* Returns the PID and UID of the foreign process connected to the socket ++ * or fill @err set. */ ++PidUid vdagent_connection_get_peer_pid_uid(VDAgentConnection *self, ++ GError **err); + + G_END_DECLS + +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -946,6 +946,19 @@ static gboolean remove_active_xfers(gpoi + return 0; + } + ++/* Check a given process has a given UID */ ++static gboolean check_uid_of_pid(pid_t pid, uid_t uid) ++{ ++ char fn[128]; ++ struct stat st; ++ ++ snprintf(fn, sizeof(fn), "/proc/%u/status", (unsigned) pid); ++ if (stat(fn, &st) != 0 || st.st_uid != uid) { ++ return FALSE; ++ } ++ return TRUE; ++} ++ + static void agent_connect(UdscsConnection *conn) + { + struct agent_data *agent_data; +@@ -954,8 +967,8 @@ static void agent_connect(UdscsConnectio + gint pid; + + if (session_info) { +- pid = vdagent_connection_get_peer_pid(VDAGENT_CONNECTION(conn), &err); +- if (err) { ++ PidUid pid_uid = vdagent_connection_get_peer_pid_uid(VDAGENT_CONNECTION(conn), &err); ++ if (err || pid_uid.pid <= 0) { + syslog(LOG_ERR, "Could not get peer PID, disconnecting new client: %s", + err->message); + g_error_free(err); +@@ -964,7 +977,18 @@ static void agent_connect(UdscsConnectio + return; + } + +- agent_data->session = session_info_session_for_pid(session_info, pid); ++ agent_data->session = session_info_session_for_pid(session_info, pid_uid.pid); ++ ++ /* Check that the UID of the PID did not change, this should be done after ++ * computing the session to avoid race conditions. ++ * This can happen as vdagent_connection_get_peer_pid_uid get information ++ * from the time of creating the socket, but the process in the meantime ++ * have been replaced */ ++ if (!check_uid_of_pid(pid_uid.pid, pid_uid.uid)) { ++ g_free(agent_data); ++ udscs_server_destroy_connection(server, conn); ++ return; ++ } + } + + g_object_set_data(G_OBJECT(conn), "agent_data", agent_data); diff -pruN 0.20.0-1/debian/patches/CVE-2020-25653-2.patch 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25653-2.patch --- 0.20.0-1/debian/patches/CVE-2020-25653-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-25653-2.patch 2020-10-29 17:53:06.000000000 +0000 @@ -0,0 +1,151 @@ +From 438aaef5f308b6c0a8bd184db776d415ededcc73 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Mon, 21 Sep 2020 07:06:09 +0100 +Subject: [PATCH 06/10] Better check for sessions + +Do not allow other users to hijack a session checking that +the process is launched by the owner of the session. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/vdagentd/console-kit.c | 67 +++++++++++++++++++++++++++++++ + src/vdagentd/dummy-session-info.c | 5 +++ + src/vdagentd/session-info.h | 3 ++ + src/vdagentd/systemd-login.c | 9 +++++ + src/vdagentd/vdagentd.c | 10 ++++- + 5 files changed, 93 insertions(+), 1 deletion(-) + +--- a/src/vdagentd/console-kit.c ++++ b/src/vdagentd/console-kit.c +@@ -568,3 +568,70 @@ exit: + } + return ret; + } ++ ++uid_t session_info_uid_for_session(struct session_info *info, const char *session) ++{ ++ DBusError error; ++ DBusMessage *message = NULL; ++ DBusMessage *reply = NULL; ++ uint32_t uid; ++ uid_t ret = -1; ++ const char *err_msg; ++ ++ g_return_val_if_fail(info != NULL, ret); ++ g_return_val_if_fail(info->connection != NULL, ret); ++ g_return_val_if_fail(info->active_session != NULL, ret); ++ ++ dbus_error_init(&error); ++ ++ err_msg = "(console-kit) Unable to create dbus message for GetUnixUser"; ++ message = dbus_message_new_method_call(INTERFACE_CONSOLE_KIT, ++ session, ++ INTERFACE_CONSOLE_KIT_SESSION, ++ "GetUnixUser"); ++ if (message == NULL) { ++ goto exit; ++ } ++ ++ err_msg = "(console-kit) GetUnixUser failed"; ++ reply = dbus_connection_send_with_reply_and_block(info->connection, ++ message, ++ -1, ++ &error); ++ if (reply == NULL || dbus_error_is_set(&error)) { ++ goto exit; ++ } ++ ++ dbus_error_init(&error); ++ err_msg = "(console-kit) fail to get session-type from reply"; ++ if (!dbus_message_get_args(reply, ++ &error, ++ DBUS_TYPE_UINT32, &uid, ++ DBUS_TYPE_INVALID)) { ++ goto exit; ++ } ++ ++ if (info->verbose) { ++ syslog(LOG_DEBUG, "(console-kit) unix user is '%u'", (unsigned) uid); ++ } ++ ++ err_msg = NULL; ++ ret = uid; ++ ++exit: ++ if (err_msg) { ++ if (dbus_error_is_set(&error)) { ++ syslog(LOG_ERR, "%s: %s", err_msg, error.message); ++ dbus_error_free(&error); ++ } else { ++ syslog(LOG_ERR, "%s", err_msg); ++ } ++ } ++ if (reply != NULL) { ++ dbus_message_unref(reply); ++ } ++ if (message != NULL) { ++ dbus_message_unref(message); ++ } ++ return ret; ++} +--- a/src/vdagentd/dummy-session-info.c ++++ b/src/vdagentd/dummy-session-info.c +@@ -55,3 +55,8 @@ gboolean session_info_session_is_locked( + { + return FALSE; + } ++ ++uid_t session_info_uid_for_session(struct session_info *si, const char *session) ++{ ++ return -1; ++} +--- a/src/vdagentd/session-info.h ++++ b/src/vdagentd/session-info.h +@@ -40,4 +40,7 @@ char *session_info_session_for_pid(struc + gboolean session_info_session_is_locked(struct session_info *si); + gboolean session_info_is_user(struct session_info *si); + ++/* get owner of a given session */ ++uid_t session_info_uid_for_session(struct session_info *si, const char *session); ++ + #endif +--- a/src/vdagentd/systemd-login.c ++++ b/src/vdagentd/systemd-login.c +@@ -394,3 +394,12 @@ gboolean session_info_is_user(struct ses + + return ret; + } ++ ++uid_t session_info_uid_for_session(struct session_info *si, const char *session) ++{ ++ uid_t ret = -1; ++ if (sd_session_get_uid(session, &ret) < 0) { ++ return -1; ++ } ++ return ret; ++} +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -979,12 +979,20 @@ static void agent_connect(UdscsConnectio + + agent_data->session = session_info_session_for_pid(session_info, pid_uid.pid); + ++ uid_t session_uid = session_info_uid_for_session(session_info, agent_data->session); ++ + /* Check that the UID of the PID did not change, this should be done after + * computing the session to avoid race conditions. + * This can happen as vdagent_connection_get_peer_pid_uid get information + * from the time of creating the socket, but the process in the meantime + * have been replaced */ +- if (!check_uid_of_pid(pid_uid.pid, pid_uid.uid)) { ++ if (!check_uid_of_pid(pid_uid.pid, pid_uid.uid) || ++ /* Check that the user launching the Agent is the same as session one ++ * or root user. ++ * This prevents session hijacks from other users. */ ++ (pid_uid.uid != 0 && pid_uid.uid != session_uid)) { ++ syslog(LOG_ERR, "UID mismatch: UID=%u PID=%u suid=%u", pid_uid.uid, ++ pid_uid.pid, session_uid); + g_free(agent_data); + udscs_server_destroy_connection(server, conn); + return; diff -pruN 0.20.0-1/debian/patches/CVE-2020-2565x-1.patch 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-2565x-1.patch --- 0.20.0-1/debian/patches/CVE-2020-2565x-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.20.0-1ubuntu0.1/debian/patches/CVE-2020-2565x-1.patch 2020-10-29 17:53:06.000000000 +0000 @@ -0,0 +1,46 @@ +Backport of: + +From f5f4506f6cb25bfd556f815565090a57296771ee Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Thu, 24 Sep 2020 12:13:24 +0100 +Subject: [PATCH 01/10] vdagentd: Avoid calling chmod + +Create the socket with the right permissions using umask. +This also prevents possible symlink exploitation in case socket +path is not secure. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/vdagentd/vdagentd.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -1297,7 +1297,9 @@ int main(int argc, char *argv[]) + /* systemd socket activation not enabled, create our own */ + #endif /* WITH_SYSTEMD_SOCKET_ACTIVATION */ + { ++ mode_t mode = umask(0111); + udscs_server_listen_to_address(server, vdagentd_socket, &err); ++ umask(mode); + } + + if (err) { +@@ -1308,16 +1310,6 @@ int main(int argc, char *argv[]) + return 1; + } + +- /* no need to set permissions on a socket that was provided by systemd */ +- if (own_socket) { +- if (chmod(vdagentd_socket, 0666)) { +- syslog(LOG_CRIT, "Fatal could not change permissions on %s: %m", +- vdagentd_socket); +- udscs_destroy_server(server); +- return 1; +- } +- } +- + if (do_daemonize) + daemonize(); + diff -pruN 0.20.0-1/debian/patches/series 0.20.0-1ubuntu0.1/debian/patches/series --- 0.20.0-1/debian/patches/series 2020-04-26 07:53:08.000000000 +0000 +++ 0.20.0-1ubuntu0.1/debian/patches/series 2020-10-29 17:53:06.000000000 +0000 @@ -1,3 +1,12 @@ systemd_service_default_file.patch vdagentd-work-around-GLib-s-fork-issues.patch systemd-login-Avoid-a-crash-on-container.patch +CVE-2020-25650-1.patch +CVE-2020-25650-2.patch +CVE-2020-25651-1.patch +CVE-2020-25651-2.patch +CVE-2020-25653-1.patch +CVE-2020-25653-2.patch +CVE-2020-25652-1.patch +CVE-2020-25652-2.patch +CVE-2020-2565x-1.patch