From 9c557063e661c0322f3a4545e23562a0995baeac Mon Sep 17 00:00:00 2001 From: houyingchao <1348375921@qq.com> Date: Mon, 7 Mar 2022 17:36:22 +0800 Subject: [PATCH] Fix CVE-2019-25058 --- CVE-2019-25058-1.patch | 32 ++++++ CVE-2019-25058-2.patch | 49 ++++++++ CVE-2019-25058-3.patch | 43 +++++++ CVE-2019-25058-4.patch | 22 ++++ CVE-2019-25058-5.patch | 56 +++++++++ CVE-2019-25058-6.patch | 84 ++++++++++++++ CVE-2019-25058-7.patch | 250 +++++++++++++++++++++++++++++++++++++++++ usbguard.spec | 12 +- 8 files changed, 547 insertions(+), 1 deletion(-) create mode 100644 CVE-2019-25058-1.patch create mode 100644 CVE-2019-25058-2.patch create mode 100644 CVE-2019-25058-3.patch create mode 100644 CVE-2019-25058-4.patch create mode 100644 CVE-2019-25058-5.patch create mode 100644 CVE-2019-25058-6.patch create mode 100644 CVE-2019-25058-7.patch diff --git a/CVE-2019-25058-1.patch b/CVE-2019-25058-1.patch new file mode 100644 index 0000000..69b7e65 --- /dev/null +++ b/CVE-2019-25058-1.patch @@ -0,0 +1,32 @@ +From 0db713da6c44426902961b023a925563f40b6ec7 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 6 Feb 2022 01:15:26 +0100 +Subject: [PATCH] dbus: Replace unsupported "auth_self_keep_session" by + "auth_self_keep" + +--- + src/DBus/org.usbguard.policy | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy +index ce842393..f1bed538 100644 +--- a/src/DBus/org.usbguard.policy ++++ b/src/DBus/org.usbguard.policy +@@ -11,7 +11,7 @@ + Prevents from listing the USBGuard policy + + no +- auth_self_keep_session ++ auth_self_keep + + + +@@ -38,7 +38,7 @@ + Prevents from listing USB devices recognized by the USBGuard daemon + + no +- auth_self_keep_session ++ auth_self_keep + + + diff --git a/CVE-2019-25058-2.patch b/CVE-2019-25058-2.patch new file mode 100644 index 0000000..a7f9422 --- /dev/null +++ b/CVE-2019-25058-2.patch @@ -0,0 +1,49 @@ +From d2839e8f6f9096c889c4fbd09b08dc6deff5eab2 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sat, 5 Feb 2022 21:40:17 +0100 +Subject: [PATCH] dbus: Drop policies of removed D-Bus methods + +--- + src/DBus/org.usbguard.policy | 27 --------------------------- + 1 file changed, 27 deletions(-) + +diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy +index 7704583..b89c96e 100644 +--- a/src/DBus/org.usbguard.policy ++++ b/src/DBus/org.usbguard.policy +@@ -41,32 +41,5 @@ + auth_self_keep + + +- +- +- Authorize a USB device via the USBGuard daemon to interact with the system +- Prevents from authorizing USB devices via the USBGuard daemon +- +- no +- auth_admin +- +- +- +- +- Deauthorize a USB device via the USBGuard daemon +- Prevents from deauthorizing USB devices via the USBGuard daemon +- +- no +- auth_admin +- +- +- +- +- Remove a USB device via the USBGuard daemon +- Prevents from removing USB devices via the USBGuard daemon +- +- no +- auth_admin +- +- + + +-- +2.23.0 + diff --git a/CVE-2019-25058-3.patch b/CVE-2019-25058-3.patch new file mode 100644 index 0000000..f07f88c --- /dev/null +++ b/CVE-2019-25058-3.patch @@ -0,0 +1,43 @@ +From d8a1b1ff967864a6cd8531c57e027c903ee31c23 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 6 Feb 2022 01:17:15 +0100 +Subject: [PATCH] dbus: Improve language in tags + +--- + src/DBus/org.usbguard.policy | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy +index b89c96e..28206bd 100644 +--- a/src/DBus/org.usbguard.policy ++++ b/src/DBus/org.usbguard.policy +@@ -8,7 +8,7 @@ + + + List the rule set (policy) used by the USBGuard daemon +- Prevents from listing the USBGuard policy ++ Prevents listing the USBGuard policy + + no + auth_self_keep +@@ -17,7 +17,7 @@ + + + Append a new rule to the policy +- Prevents from appending rules to the USBGuard policy ++ Prevents appending rules to the USBGuard policy + + no + auth_admin +@@ -35,7 +35,7 @@ + + + List all USB devices recognized by the USBGuard deaemon +- Prevents from listing USB devices recognized by the USBGuard daemon ++ Prevents listing USB devices recognized by the USBGuard daemon + + no + auth_self_keep +-- +2.23.0 + diff --git a/CVE-2019-25058-4.patch b/CVE-2019-25058-4.patch new file mode 100644 index 0000000..39a8082 --- /dev/null +++ b/CVE-2019-25058-4.patch @@ -0,0 +1,22 @@ +From 17f04c6088c1b05618db99733ff8152e43206004 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 6 Feb 2022 00:00:11 +0100 +Subject: [PATCH] dbus: Fix whitespace in file "org.usbguard1.policy" + +--- + src/DBus/org.usbguard.policy | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy +index ff504b54..75119606 100644 +--- a/src/DBus/org.usbguard.policy ++++ b/src/DBus/org.usbguard.policy +@@ -1,7 +1,7 @@ + + +- ++ + + The USBGuard Project + https://github.org/USBGuard/usbguard diff --git a/CVE-2019-25058-5.patch b/CVE-2019-25058-5.patch new file mode 100644 index 0000000..86810d7 --- /dev/null +++ b/CVE-2019-25058-5.patch @@ -0,0 +1,56 @@ +From 23c44b90ff9a49eb6bc91210b6668519ad421865 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 6 Feb 2022 01:19:08 +0100 +Subject: [PATCH] dbus: Add missing action policies + +--- + src/DBus/org.usbguard.policy | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy +index e326c5a..4fc33c5 100644 +--- a/src/DBus/org.usbguard.policy ++++ b/src/DBus/org.usbguard.policy +@@ -33,6 +33,15 @@ + + + ++ Apply a policy to a device in USBGuard ++ Prevents applying a policy to a device in USBGuard ++ ++ no ++ auth_admin ++ ++ ++ + + List all USB devices recognized by the USBGuard deaemon + Prevents listing USB devices recognized by the USBGuard daemon +@@ -41,5 +50,23 @@ + auth_self_keep + + ++ ++ ++ Get the value of a runtime parameter ++ Prevents getting values of runtime USBGuard parameters ++ ++ no ++ auth_self_keep ++ ++ ++ ++ ++ Set the value of a runtime parameter ++ Prevents setting values of runtime USBGuard parameters ++ ++ no ++ auth_admin ++ ++ + + +-- +2.23.0 + diff --git a/CVE-2019-25058-6.patch b/CVE-2019-25058-6.patch new file mode 100644 index 0000000..038870f --- /dev/null +++ b/CVE-2019-25058-6.patch @@ -0,0 +1,84 @@ +From d3e7d6609a8e63c21e85abf135d237a3bdd30913 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Tue, 8 Feb 2022 16:13:48 +0100 +Subject: [PATCH] polkit.yml: Make GitHub Actions detect Polkit policy parse + error regressions + +--- + .github/workflows/polkit.yml | 67 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 67 insertions(+) + create mode 100644 .github/workflows/polkit.yml + +diff --git a/.github/workflows/polkit.yml b/.github/workflows/polkit.yml +new file mode 100644 +index 00000000..fc4b4fe3 +--- /dev/null ++++ b/.github/workflows/polkit.yml +@@ -0,0 +1,67 @@ ++## ++## Copyright (c) 2022 Sebastian Pipping ++## ++## This program is free software; you can redistribute it and/or modify ++## it under the terms of the GNU General Public License as published by ++## the Free Software Foundation; either version 2 of the License, or ++## (at your option) any later version. ++## ++## This program is distributed in the hope that it will be useful, ++## but WITHOUT ANY WARRANTY; without even the implied warranty of ++## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++## GNU General Public License for more details. ++## ++## You should have received a copy of the GNU General Public License ++## along with this program. If not, see . ++ ++name: Check for Polkit policy parse errors ++ ++on: ++ push: ++ pull_request: ++ ++jobs: ++ polkit_policies: ++ ++ name: Check for Polkit policy parse errors ++ runs-on: ubuntu-20.04 ++ ++ steps: ++ - uses: actions/checkout@v2 ++ ++ - name: Install runtime dependencies ++ run: | ++ set -x ++ sudo apt-get update ++ sudo apt-get install --no-install-recommends --yes -V expat ++ ++ - name: Check for Polkit policy parse errors ++ run: | ++ # This will work around pkaction exiting with unjustified(?) ++ # code 1 on Ubuntu 20.04 ++ check_polkit_action() { pkaction -v -a "$1" | tee /dev/stderr | fgrep -q 'implicit any' ; } ++ ++ set -x ++ actions=( ++ org.usbguard.Devices.listDevices ++ org.usbguard.Devices.applyDevicePolicy ++ org.usbguard.Policy.appendRule ++ org.usbguard.Policy.listRules ++ org.usbguard.Policy.removeRule ++ org.usbguard.getParameter ++ org.usbguard.setParameter ++ ) ++ ++ # Self-test: Assert that prior to installation, our Polkit "actions" ++ # are unknown to PolKit. ++ ! check_polkit_action "${actions[0]}" ++ ++ # Install the policy so that polkin can find it ++ xmlwf src/DBus/org.usbguard.policy ++ sudo cp -v src/DBus/org.usbguard.policy /usr/share/polkit-1/actions/ ++ ++ # Assert that after installation, all of our Polkit "actions" are known. ++ # This detects parse error regressions. ++ for action in "${actions[@]}"; do ++ check_polkit_action "${action}" ++ done diff --git a/CVE-2019-25058-7.patch b/CVE-2019-25058-7.patch new file mode 100644 index 0000000..db04462 --- /dev/null +++ b/CVE-2019-25058-7.patch @@ -0,0 +1,250 @@ +From df5f01c6ed0c20d269f7239901d21883cc871bbb Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 9 Feb 2022 02:10:40 +0100 +Subject: [PATCH] dbus: Add missing checks for authorization using Polkit + +--- + configure.ac | 2 +- + src/DBus/DBusBridge.cpp | 137 ++++++++++++++++++++++++++++++++++++++++ + src/DBus/DBusBridge.hpp | 2 + + 3 files changed, 140 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index f565b87..a45174a 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -405,7 +405,7 @@ if test "x$with_dbus" = xyes; then + # + # Check for required D-Bus modules + # +- PKG_CHECK_MODULES([dbus], [dbus-1 dbus-glib-1 >= 0.100 gio-2.0], ++ PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0 polkit-gobject-1], + [AC_DEFINE([HAVE_DBUS], [1], [Required GLib DBus API available]) + dbus_summary="system-wide; $dbus_CFLAGS $dbus_LIBS"], + [AC_MSG_FAILURE([Required D-Bus modules (dbus-1, dbus-glib-1, gio-2.0) not found!])] +diff --git a/src/DBus/DBusBridge.cpp b/src/DBus/DBusBridge.cpp +index f9209f7..696d906 100644 +--- a/src/DBus/DBusBridge.cpp ++++ b/src/DBus/DBusBridge.cpp +@@ -15,12 +15,14 @@ + // along with this program. If not, see . + // + // Authors: Daniel Kopecek ++// Authors: Sebastian Pipping + // + #ifdef HAVE_BUILD_CONFIG_H + #include + #endif + + #include "DBusBridge.hpp" ++#include + + namespace usbguard + { +@@ -78,6 +80,10 @@ namespace usbguard + void DBusBridge::handleRootMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation) + { + if (method_name == "getParameter") { ++ if (! isAuthorizedByPolkit(invocation)) { ++ return; ++ } ++ + const char* name_cstr = nullptr; + g_variant_get(parameters, "(&s)", &name_cstr); + std::string name(name_cstr); +@@ -87,6 +93,10 @@ namespace usbguard + } + + if (method_name == "setParameter") { ++ if (! isAuthorizedByPolkit(invocation)) { ++ return; ++ } ++ + const char* name_cstr = nullptr; + const char* value_cstr = nullptr; + g_variant_get(parameters, "(&s&s)", &name_cstr, &value_cstr); +@@ -105,6 +115,10 @@ namespace usbguard + void DBusBridge::handlePolicyMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation) + { + if (method_name == "listRules") { ++ if (! isAuthorizedByPolkit(invocation)) { ++ return; ++ } ++ + const char* query_cstr = nullptr; + g_variant_get(parameters, "(&s)", &query_cstr); + std::string query(query_cstr); +@@ -138,6 +152,10 @@ namespace usbguard + } + + if (method_name == "appendRule") { ++ if (! isAuthorizedByPolkit(invocation)) { ++ return; ++ } ++ + const char* rule_spec_cstr = nullptr; + uint32_t parent_id = 0; + g_variant_get(parameters, "(&su)", &rule_spec_cstr, &parent_id); +@@ -148,6 +166,10 @@ namespace usbguard + } + + if (method_name == "removeRule") { ++ if (! isAuthorizedByPolkit(invocation)) { ++ return; ++ } ++ + uint32_t rule_id = 0; + g_variant_get(parameters, "(u)", &rule_id); + removeRule(rule_id); +@@ -164,6 +186,10 @@ namespace usbguard + GDBusMethodInvocation* invocation) + { + if (method_name == "listDevices") { ++ if (! isAuthorizedByPolkit(invocation)) { ++ return; ++ } ++ + const char* query_cstr = nullptr; + g_variant_get(parameters, "(&s)", &query_cstr); + std::string query(query_cstr); +@@ -196,6 +222,10 @@ namespace usbguard + } + + if (method_name == "applyDevicePolicy") { ++ if (! isAuthorizedByPolkit(invocation)) { ++ return; ++ } ++ + uint32_t device_id = 0; + uint32_t target_integer = 0; + gboolean permanent = false; +@@ -327,6 +357,113 @@ namespace usbguard + with_interface_string.c_str()); + return builder; + } ++ ++ std::string DBusBridge::formatGError(GError* error) ++ { ++ if (error) { ++ std::stringstream formatGError; ++ formatGError << error->message << " (code " << error->code << ")"; ++ return formatGError.str(); ++ } ++ else { ++ return "unknown error"; ++ } ++ } ++ ++ bool DBusBridge::isAuthorizedByPolkit(GDBusMethodInvocation* invocation) ++ { ++ GError* error = NULL; ++ USBGUARD_LOG(Trace) << "Extracting bus name..."; ++ const gchar* const /*no-free!*/ bus_name = g_dbus_method_invocation_get_sender (invocation); ++ ++ if (! bus_name) { ++ USBGUARD_LOG(Trace) << "Failed to extract bus name."; ++ return false; ++ } ++ ++ USBGUARD_LOG(Trace) << "Extracted bus name \"" << bus_name << "\"."; ++ USBGUARD_LOG(Trace) << "Extracting interface name..."; ++ const gchar* const /*no-free!*/ interfaceName = g_dbus_method_invocation_get_interface_name(invocation); ++ ++ if (! interfaceName) { ++ USBGUARD_LOG(Trace) << "Failed to extract interface name."; ++ return false; ++ } ++ ++ USBGUARD_LOG(Trace) << "Extracted interface name \"" << interfaceName << "\"."; ++ USBGUARD_LOG(Trace) << "Extracting method name..."; ++ const gchar* const /*no-free!*/ methodName = g_dbus_method_invocation_get_method_name(invocation); ++ ++ if (! methodName) { ++ USBGUARD_LOG(Trace) << "Failed to extract method name."; ++ return false; ++ } ++ ++ std::stringstream action_id; ++ action_id << interfaceName << "." << methodName; ++ USBGUARD_LOG(Trace) << "Extracted method name \"" << methodName << "\"."; ++ USBGUARD_LOG(Trace) << "Creating a system bus Polkit subject..."; ++ PolkitSubject* const subject = polkit_system_bus_name_new(bus_name); ++ ++ if (! subject) { ++ USBGUARD_LOG(Trace) << "Failed to create Polkit subject."; ++ return false; ++ } ++ ++ USBGUARD_LOG(Trace) << "Created."; ++ USBGUARD_LOG(Trace) << "Connecting with Polkit authority..."; ++ PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error); ++ ++ if (! authority || error) { ++ USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << "."; ++ g_error_free(error); ++ g_object_unref(authority); ++ g_object_unref(subject); ++ return false; ++ } ++ ++ USBGUARD_LOG(Trace) << "Connected."; ++ USBGUARD_LOG(Trace) << "Customizing Polkit authentification dialog..."; ++ PolkitDetails* const details = polkit_details_new(); ++ ++ if (! details) { ++ USBGUARD_LOG(Trace) << "Failed to customize the Polkit authentification dialog."; ++ g_object_unref(authority); ++ g_object_unref(subject); ++ return false; ++ } ++ ++ polkit_details_insert (details, "polkit.message", "This USBGuard action needs authorization"); ++ USBGUARD_LOG(Trace) << "Customized."; ++ USBGUARD_LOG(Trace) << "Checking authorization of action \"" << action_id.str() << "\" with Polkit ..."; ++ const PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION; ++ PolkitAuthorizationResult* const result = polkit_authority_check_authorization_sync ++ (authority, ++ subject, ++ action_id.str().c_str(), ++ details, ++ flags, ++ /*cancellable=*/ NULL, ++ &error); ++ ++ if (! result || error) { ++ USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << "."; ++ g_error_free(error); ++ g_object_unref(result); ++ g_object_unref(details); ++ g_object_unref(authority); ++ g_object_unref(subject); ++ return false; ++ } ++ ++ gboolean isAuthorized = polkit_authorization_result_get_is_authorized(result); ++ USBGUARD_LOG(Trace) << (isAuthorized ? "Authorized" : "Not authorized") << "."; ++ g_object_unref(result); ++ g_object_unref(details); ++ g_object_unref(authority); ++ g_object_unref(subject); ++ return isAuthorized; ++ } + } /* namespace usbguard */ + + /* vim: set ts=2 sw=2 et */ +diff --git a/src/DBus/DBusBridge.hpp b/src/DBus/DBusBridge.hpp +index bb9d96a..838ab34 100644 +--- a/src/DBus/DBusBridge.hpp ++++ b/src/DBus/DBusBridge.hpp +@@ -71,6 +71,8 @@ namespace usbguard + bool rule_match, + uint32_t rule_id); + ++ static std::string formatGError(GError* error); ++ static bool isAuthorizedByPolkit(GDBusMethodInvocation* invocation); + + GDBusConnection* const p_gdbus_connection; + void(*p_ipc_callback)(bool); +-- +2.23.0 + diff --git a/usbguard.spec b/usbguard.spec index 933be09..b007842 100644 --- a/usbguard.spec +++ b/usbguard.spec @@ -2,13 +2,20 @@ Name: usbguard Version: 0.7.2 -Release: 6 +Release: 7 Summary: A tool for computer usb guard License: GPLv2+ URL: https://usbguard.github.io/ Source0: https://github.com/USBGuard/usbguard/releases/download/usbguard-%{version}/usbguard-%{version}.tar.gz Source1: usbguard-daemon.conf Patch0000: 0001-Update-to-latest-PEGTL-API.patch +Patch0001: CVE-2019-25058-1.patch +Patch0002: CVE-2019-25058-2.patch +Patch0003: CVE-2019-25058-3.patch +Patch0004: CVE-2019-25058-4.patch +Patch0005: CVE-2019-25058-5.patch +Patch0006: CVE-2019-25058-6.patch +Patch0007: CVE-2019-25058-7.patch BuildRequires: libqb-devel libgcrypt-devel libstdc++-devel protobuf-devel protobuf-compiler PEGTL-static BuildRequires: catch1-devel autoconf automake libtool bash-completion asciidoctor audit-libs-devel systemd BuildRequires: qt5-qtbase-devel qt5-qtsvg-devel qt5-linguist dbus-glib-devel dbus-devel glib2-devel @@ -138,5 +145,8 @@ chmod 644 %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf %{_mandir}/*/* %changelog +* Mon Mar 07 2022 houyingchao - 0.7.2-7 +- Fix CVE-2019-25058 + * Mon Apr 27 2020 lizhenhua - 0.7.2-6 - Package init