[Bug 2015538] Re: [MIR] dbus-broker

Mark Esler 2015538 at bugs.launchpad.net
Mon Jun 5 15:52:20 UTC 2023


I partially reviewed dbus-broker 33-1 as checked into lunar. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

> The dbus-broker project is an implementation of a message bus as
> defined by the D-Bus specification. Its aim is to provide high
> performance and reliability, while keeping compatibility to the D-Bus
> reference implementation. It is exclusively written for Linux systems,
> and makes use of many modern features provided by recent linux kernel
> releases.

- CVE History:
  - previous CVEs (CVE-2022-31212 and CVE-2022-31213) based on using untrusted input
    - https://sec-consult.com/vulnerability-lab/advisory/memory-corruption-vulnerabilities-dbus-broker/
    - upstream responded quickly to report
  - some security relevant commits
    - private disclosure is bad for downstream security maintenance
    - e.g., b08cc9dab51eab5a4b10c147ecd4cbd8efc238d6
  - upstream is using static analyzers and fuzzers with github actions \o/
  - upstream does not have a Security Policy
- Build-Depends?
  - debhelper-compat
  - libapparmor-dev
  - libaudit-dev
  - libcap-ng-dev
  - libdbus-1-dev
  - libexpat1-dev
  - libselinux1-dev
  - libsystemd-dev
  - linux-libc-dev
  - meson
  - pkg-config
  - python3-docutils
  - systemd
    - dbus-broker itself is not dependent on systemd, but dbus-broker-launch is
- pre/post inst/rm scripts?
  - adds or removes systemd services, reloads services, and requests reboots when needed
- init scripts?
  - none
- systemd units?
  - systemd service for main dbus-broker
  - owning team: check syslog for deprecation warnings that need to be fixed outside of dbus-broker !
- dbus services?
  - minimizing global state and other design principles makes the security of dbus-broker more robust than dbus-daemon
    - see developers post https://dvdhrm.github.io/rethinking-the-dbus-message-bus/
- setuid binaries?
  - none
- binaries in PATH?
  - ./usr/bin/dbus-broker
  - ./usr/bin/dbus-broker-launch
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - includes build tests
  - autopkgtests seem sparse
    - dbus programs like gnome-shell don't have autopkgtests
- cron jobs?
  - none
- Build logs:
  - looks okay

- Processes spawned?
  - only in launcher 
    - for process and systemd
- Memory management?
  - **very** heavy use
  - cursory view looks o-k
- File IO?
  - use appears safe
- Logging?
  - written with logging in mind
- Environment variable usage?
  - only XDG_* for launcher
- Use of privileged functions?
  - setuid/setgid/setgroups used to drop permissions
  - log_stream_send() contains a SIOCOUTQ ioctl for lossy D-Bus messages
- Use of cryptography / random number sources etc?
  - includes SASL wrapper to allow SASL D-Bus
- Use of temp files?
  - none
- Use of networking?
  - heavy socket use
  - heavily uses c-dvar for stream encoding/decoding D-Bus
    - https://github.com/c-util/c-dvar
    - same developer as dbus-broker
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - nothing Coverity did not catch
- Any significant Coverity results?
  - reported upstream
  - upstream also runs https://scan.coverity.com/projects/dbus-broker
    - last scanned on June 18, 2022
      - could use git action
    - upstream triages reports well https://github.com/bus1/dbus-broker/issues/294
      - false-positives not set on coverity webapp for future scans
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none
- Any significant govulncheck results?
  - none

dbus-broker has a much more convincing security story than dbus-daemon.

In the 2014 paper "Dfuzzer: A D-Bus Service Fuzzing Tool"
(10.1109/ICSTW.2014.51) the authors describe finding many security holes
in projects which use D-Bus since these projects poorly sanitized input
data from D-Bus. Some FOSS projects argued that there were no security
issues, as their projects expect safe input data from D-Bus. GNOME Shell
argued that these were not vulnerabilities "because D-Bus interface is
intended to be used only by certain GNOME components which behave
nicely". Running dfuzzer with a default Lunar install and either
dbus-daemon or dbus-broker is destructive.

Could autopkgtests be added for GNOME Shell and other critical programs
which heavily use D-Bus? (accountsservice, avahi, gdm, gnome-shell, etc)

Authentication and a tight LSM profile using dbus-broker's peers could
mitigate many D-Bus security issues. dbus-broker creates a bus for each
unique set of peers, which the LSM should be aware of.

dbus-broker logging includes
`org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown`. There is no
equivalent DBusBindError for AppArmor:
https://freedesktop.org/wiki/Software/DBusBindingErrors/ !

AppArmor has plans to protect dbus-broker and there is a pull-request to
add features.

As written, dbus-broker is tightly bound to systemd.
  - https://groups.google.com/g/bus1-devel/c/9BZPVEGc1Qc

dbus-broker is not POSIX compatible.

A replacement for dbus-run-session is required for Security team to
complete this review. AppArmor should work to land patches before
promotion.

** Bug watch added: github.com/bus1/dbus-broker/issues #294
   https://github.com/bus1/dbus-broker/issues/294

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-31212

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-31213

** Changed in: dbus-broker (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: dbus-broker (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dbus-broker in Ubuntu.
https://bugs.launchpad.net/bugs/2015538

Title:
  [MIR] dbus-broker

Status in dbus-broker package in Ubuntu:
  Incomplete

Bug description:
  [Availability]
  The package dbus-broker is already in Ubuntu universe.
  The package dbus-broker builds for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
  Link to package https://launchpad.net/ubuntu/+source/dbus-broker

  [Rationale]
  - The package dbus-broker is required in Ubuntu main to replace dbus-daemon.
  - The package dbus-broker will generally from server to desktop.
  - Package dbus-broker covers the same use case as dbus-daemon but is a better alternative for the reason described in https://dvdhrm.github.io/rethinking-the-dbus-message-bus/. Other distributions are using it for years, Fedora for example, https://fedoraproject.org/wiki/Changes/DbusBrokerAsTheDefaultDbusImplementation
  - There is no other/better way to solve this that is already in main or
    should go universe->main instead of this.

  - The package dbus-broker is required in Ubuntu main no later than
  August due to FF, ideally we would like to land it earlier in the cycle

  [Security]
  - Had 2 security issues in the past
  1.
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31212
  https://ubuntu.com/security/CVE-2022-31212
  https://security-tracker.debian.org/tracker/CVE-2022-31212

  2.
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31213
  https://ubuntu.com/security/CVE-2022-31213
  https://security-tracker.debian.org/tracker/CVE-2022-31212

  Those reports seem to have been fixed in a timely fashion upstream.
  The issues are resolved in Ubuntu in series > Kinetic

  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does install services, timers or recurring jobs
  /lib/systemd/system/dbus-broker.service
  /usr/lib/systemd/user/dbus-broker.service

    The system unit uses the following systemd security features
  OOMScoreAdjust=-900
  LimitNOFILE=16384
  ProtectSystem=full
  PrivateTmp=true
  PrivateDevices=true

  - Package does not open privileged ports (ports < 1024)
  - Package does not contain extensions to security-sensitive software

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package runs a test suite on build time, if it fails
    it makes the build fail

  https://launchpadlibrarian.net/650445725/buildlog_ubuntu-lunar-amd64.dbus-broker_33-1_BUILDING.txt.gz

  Ok:                 46
  Expected Fail:      0
  Fail:               0
  Unexpected Pass:    0
  Skipped:            0
  Timeout:            0

  - The package runs an autopkgtest, and is currently passing on
    amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
  https://autopkgtest.ubuntu.com/packages/dbus-broker

  - The package does not have failing autopkgtests right now
  - The autopkgtest is running the upstream testsuite so is not trivial

  [Quality assurance - packaging]
  - debian/watch is present and works

  - debian/control defines a correct Maintainer since it's in sync from
  Debian

  - The package has no lintian warnings
  # lintian --pedantic
  #

  - Please link to a recent build log of the package
  https://launchpadlibrarian.net/650445725/buildlog_ubuntu-lunar-amd64.dbus-broker_33-1_BUILDING.txt.gz

    `lintian --pedantic` as an extra post to this bug.

  - Lintian overrides are present
  # dbus-broker only supports systemd
  dbus-broker: maintainer-script-calls-systemctl
  dbus-broker: package-supports-alternative-init-but-no-init.d-script [lib/systemd/system/dbus-broker.service]
  # need to override dh_installsystemd
  dbus-broker: maintainer-script-empty [prerm]
  dbus-broker: maintainer-script-ignores-errors [prerm]
  # matches dbus-daemon package, activated by socket
  dbus-broker: systemd-service-file-missing-install-key [lib/systemd/system/dbus-broker.service]

  Those have to do with the fact that the package is set to work only with systemd, that's not an issue in Ubuntu since we don't support alternative init systems anyway
  Also the service shouldn't be stopped on package removal to avoid seeing the user session close
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980541

  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies

  - The package will be installed by default, but does not ask debconf
  questions

  - Packaging and build is easy, https://salsa.debian.org/utopia-team/dbus-broker/-/blob/debian/sid/debian/rules

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - Owning Teams will be foundations and desktop
  - desktop-packages is already subscribed to the package, we will get foundations added

  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based

  - The package successfully built during the most recent test rebuild

  [Background information]
  The Package description explains the package well
  Upstream Name is dbus-broker
  Link to upstream project https://github.com/bus1/dbus-broker

  The apparmor integration patch in review upstream on
  https://github.com/bus1/dbus-broker/pull/286 has got a +1 from our
  security team, we will include the change either by distro patching or
  through a newer upstream version since that's required for our
  confinement story, especially in snaps.

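The [Security] section above lists the sandboxing directives the system unit carries. As an added illustration (not code from the bug, the package, or dbus-broker upstream), the following checker parses a constructed unit that mirrors those five settings and reports which common systemd hardening directives are set to a hardened value, set to a weak value, or absent; the extra directives it looks for (NoNewPrivileges, ProtectHome, ProtectKernelTunables, RestrictSUIDSGID) are real systemd settings chosen here as reviewer expectations, not settings the bug attributes to the package.

```python
"""Audit the [Service] hardening of a systemd unit such as dbus-broker.service."""
import configparser
from typing import Dict, List

# Constructed sample: the five directives the MIR bug lists for the system unit
# plus a placeholder ExecStart. It is not the packaged dbus-broker.service.
SAMPLE_UNIT = """
[Unit]
Description=D-Bus System Message Bus (constructed example)

[Service]
ExecStart=/usr/bin/dbus-broker-launch --scope system
OOMScoreAdjust=-900
LimitNOFILE=16384
ProtectSystem=full
PrivateTmp=true
PrivateDevices=true
"""

# Directives a reviewer expects on a long-running bus daemon, mapped to the
# values that count as hardened (all are documented systemd.exec settings).
EXPECTED = {
    "ProtectSystem": {"full", "strict", "yes", "true"},
    "PrivateTmp": {"true", "yes"},
    "PrivateDevices": {"true", "yes"},
    "NoNewPrivileges": {"true", "yes"},
    "ProtectHome": {"true", "yes", "read-only", "tmpfs"},
    "ProtectKernelTunables": {"true", "yes"},
    "RestrictSUIDSGID": {"true", "yes"},
}


def parse_service(unit_text: str) -> Dict[str, str]:
    """Return the [Service] section as a dict; keys keep systemd's CamelCase."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lower-case option names
    cp.read_string(unit_text)
    return dict(cp["Service"]) if cp.has_section("Service") else {}


def audit(unit_text: str) -> Dict[str, List[str]]:
    """Classify each expected directive as hardened, weak (set but not hardened) or missing."""
    svc = parse_service(unit_text)
    report: Dict[str, List[str]] = {"hardened": [], "weak": [], "missing": []}
    for key, good in EXPECTED.items():
        if key not in svc:
            report["missing"].append(key)
        elif svc[key].strip().lower() in good:
            report["hardened"].append(key)
        else:
            report["weak"].append(f"{key}={svc[key]}")
    return report
```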