Bug 1076467

Summary: AUDIT-0: libratbag: suse-dbus-unauthorized-service
Product: [Novell Products] SUSE Security Incidents Reporter: Jan Engelhardt <jengelh>
Component: AuditsAssignee: Jan Engelhardt <jengelh>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: dimstar, krahmer, marix, matthias.gerstner, RBrownCCB, tchvatal
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Linux   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1078842    

Description Jan Engelhardt 2018-01-17 23:42:49 UTC
The new libratbag update (package /hardware/libratbag) gained a new D-Bus service, and openSUSE:Factory rpmlint warns about it.

[   65s] libratbag-tools.x86_64: E: suse-dbus-unauthorized-service (Badness: 10000) /usr/share/dbus-1/system-services/org.freedesktop.ratbag1.service
[   65s] The package installs a DBUS system service file. If the package is intended
[   65s] for inclusion in any SUSE product please open a bug report to request review
[   65s] of the service by the security team.
[   65s] 
[   65s] (none): E: badness 10000 exceeds threshold 1000, aborting.
[   65s] 4 packages and 0 specfiles checked; 1 errors, 4 warnings.
Comment 1 Matthias Gerstner 2018-01-18 17:35:02 UTC
I will take this review.
Comment 2 Matthias Gerstner 2018-01-19 17:03:33 UTC
A quick note for the start: The `ratbagctl` utility requires python-evdev
which is currently not packaged for openSUSE.

I've installed it locally after installing 'python3-devel':

$ pip install evdev --user
Comment 3 Matthias Gerstner 2018-01-24 14:14:28 UTC
I'm mostly finished with this audit.

Sadly I can't accept the version 0.9.900 that you've packaged. It contains
multiple security issues:

- a stack buffer overflow not handled in ratbagd/ratbagd-device.c:179 which
  can be triggered via the following command line:

> dbus-send --system --print-reply --dest=org.freedesktop.ratbag1 \
>     /org/freedesktop/ratbag1/device/test_5fdevice \
>     org.freedesktop.ratbag1.Device.GetSvg \
>     string:`python3 -c "print('a'*5000)"`

  fixed by upstream commit 89aff23c

- multiple D-Bus calls cause a three byte stack overwrite and result in a
  SEGFAULT

  fixed by upstream commit cbcdc4b72477aee5d98cbee43c9528d2fbc741ab

- ratbagd_button_set_key() D-Bus callback allows a stack buffer overflow

  was completely removed in upstream commits afaf3fa83ddeeffce6a911225f7170afeba71be5 and 77847f570ce6ce9d3ed8d66cd0e47d4f5682bbeb

The good news is that all of these issues are already fixed in the available
upstream release 0.9.901. Also the general code quality of libratbag is good,
despite the issues found above.

So can you please package version 0.9.901 and give me an update? I will then
do a quick follow-up review of the new version.
Comment 4 Matthias Gerstner 2018-01-24 14:23:40 UTC
Apart from the security perspective some thoughts about the package:

- as noted in comment 1 the ratbagctl script doesn't work currently due to the
  missing python-evdev module.
- it might be worth a thought to package the dbus service ratbagd in a
  separate subpackage.
- the ratbagd binary currently only works when executed by the root user. So
  placing it in /usr/sbin would actually make more sense than in /usr/bin.
Comment 5 Matthias Gerstner 2018-01-24 14:36:09 UTC
One more thing about the D-Bus security of ratbagd:

What I don't like is that every user with access to the D-Bus system bus can
issue arbitrary commands without further verification. I understand that from
a usability perspective the user should be able to configure the mice easily.

Still the available commands like modifying mouse resolution etc. make it
possible to kind of DoS a daemon running as root. Since this goes down to the
USB hardware there will also be some kernel code that is accessible to regular
users.

To improve the situation it would be better to only allows members of a
certain group e.g. "games" to be allowed talking to ratbagd. To achieve this
the D-Bus configuration file "org.freedesktop.ratbag1.conf" would need to be
adjusted. Instead of the line '<policy context="default">' we would need
'<policy group="games">'.

Do you think you can patch the configuration accordingly?

I could try to make an upstream pull request that allows build time
configuration of the policy. This would make packaging easier for the next
releases of libratbag.
Comment 6 Matthias Gerstner 2018-01-29 14:50:12 UTC
I've managed to get this commit merge into the upstream project:

https://github.com/libratbag/libratbag/commit/6c182b8e9bb191dae8d308873732c860041f0719

When you backport this patch into the most recent libratbag release you can
simply pass '-Ddbus-group=games' to meson.
Comment 7 Jan Engelhardt 2018-01-31 16:50:36 UTC
>What I don't like is that every user with access to the D-Bus system bus can issue arbitrary commands without further verification.

Can we make it such that only local users get that permissions?
Comment 8 Matthias Gerstner 2018-01-31 17:41:30 UTC
(In reply to jengelh@inai.de from comment #7)
> Can we make it such that only local users get that permissions?

That would be acceptible security wise. However D-Bus on itself doesn't
support such a policy. There is 'at_console' but it is deprecated.

libratbag would need to implement polkit for this to work which is not
currently the case.

Also see here:

https://lintian.debian.org/tags/dbus-policy-at-console.html
Comment 9 Jan Engelhardt 2018-02-12 12:00:03 UTC
Thanks for the review. But it seems now something is completely messed up in ratbag itself. Were you actually able to start it at all in your review? Because I am not.

12:57 zap:~ > ratbagd
ratbagd error: Failed to start ratbagd: Permission denied
12:57 zap:~ > su1
12:57 zap:/home/jengelh # ratbagd
ratbagd error: Failed to start ratbagd: Permission denied
Comment 10 Matthias Gerstner 2018-02-12 12:54:05 UTC
Yes I was able to start it. It will only run as root. But that should work.
Maybe something wrong with the permissions?

Check `ls -l /usr/bin/ratbagd`. Otherwise look at what `strace -f ratbagd`
shows.
Comment 11 Matthias Bach 2018-06-04 20:25:51 UTC
I wanted to take a look at this package. Sadly I can't find it anywhere but in Leap 42.2 and 42.3. If you could provide me with a link to the devel project this would be highly appreciated.
Comment 12 Jan Engelhardt 2018-06-04 20:52:38 UTC
All that OBS tells me is


$ sosc log -D hardware/libratbag
----------------------------------------------------------------------------
r20 | scarabeus_iv | 2018-03-19 12:15:42 | 1284455f3ff6d1b2c8e891985f9d13aa | unknown |

1


Given that openSUSE:Factory log entries look like


----------------------------------------------------------------------------
r5 | dimstar_suse | 2018-02-13 09:28:29 | 354726eb0292306cbd7290a0a9f779fe | 0.9 | rq573927

ftbfs; daemon startup is broken too


this suggests that the package was deleted from the hardware project without a proper request.

(Has opensuse come that far already?!)
Comment 13 Tomáš Chvátal 2018-06-05 08:18:16 UTC
(In reply to Jan Engelhardt from comment #12)
> All that OBS tells me is
> 
> 
> $ sosc log -D hardware/libratbag
> ----------------------------------------------------------------------------
> r20 | scarabeus_iv | 2018-03-19 12:15:42 | 1284455f3ff6d1b2c8e891985f9d13aa
> | unknown |
> 
> 1
> 
> 
> Given that openSUSE:Factory log entries look like
> 
> 
> ----------------------------------------------------------------------------
> r5 | dimstar_suse | 2018-02-13 09:28:29 | 354726eb0292306cbd7290a0a9f779fe |
> 0.9 | rq573927
> 
> ftbfs; daemon startup is broken too
> 
> 
> this suggests that the package was deleted from the hardware project without
> a proper request.
> 
> (Has opensuse come that far already?!)

Since the package was broken in hardware repo for >1month I just deleted the package.

There were 40 packages unresolvable or broken in the harware project, I can't hand review all of them, I checked history of commits and if there was no activity for > 60 days and the package was not in tumbleweed it was pruned.

You can restore the package quite easily and make it work.
Comment 14 Matthias Gerstner 2018-06-29 08:38:05 UTC
Jan, I'm assigning this bug to you, since there is nothing I can do at the
moment. You may close the bug if you don't have time for it.
Comment 15 Matthias Bach 2018-07-10 20:34:16 UTC
FYI, I have recovered the package, cleaned it up a little and requested re-addition to the hardware project: https://build.opensuse.org/request/show/621956.
Comment 16 Matthias Bach 2018-07-19 20:36:27 UTC
The package has been re-accepted into the hardware project. It would be cool if you could pick up the review process again, Matthias.

BTW: I have split the daemon into a separate package as you suggested earlier.
Comment 17 Matthias Gerstner 2018-07-20 15:46:19 UTC
(In reply to marix@marix.org from comment #16)
> The package has been re-accepted into the hardware project. It would be cool
> if you could pick up the review process again, Matthias.
> 
> BTW: I have split the daemon into a separate package as you suggested earlier.

Thank you very much for taking care of this.

Well we have the new upstream version containing the bugfixes. Only members of
the group games can access the service. Looks good to me. I will take care of
the whitelisting.

There is still a functional issue: The package doesn't create the group
"games" so I had to create that group manually. You should add some logic
to the spec file to handle that. You can look in other game packages like
rocksndiamonds or crawl that do something similar.
Comment 18 Matthias Gerstner 2018-07-20 16:21:45 UTC
The whitelisting is on the way via sr#624309

Please refer to the explanations in the wiki:

https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_whitelisting

for more information about when the whitelisting will become active.
Comment 19 Swamp Workflow Management 2018-08-02 21:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1076467) was mentioned in
https://build.opensuse.org/request/show/627184 Factory / libratbag
Comment 21 Swamp Workflow Management 2019-01-15 20:11:52 UTC
SUSE-RU-2019:0097-1: An update that has 14 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1015141,1076467,1089114,1089340,1095769,1097339,1102836,1104110,1108037,1109938,1111254,1116686,1116758,1119975
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    rpmlint-1.10-7.3.1, rpmlint-mini-1.10-5.2.1
Comment 22 Swamp Workflow Management 2019-01-17 23:35:39 UTC
openSUSE-RU-2019:0059-1: An update that has 14 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1015141,1076467,1089114,1089340,1095769,1097339,1102836,1104110,1108037,1109938,1111254,1116686,1116758,1119975
CVE References: 
Sources used:
openSUSE Leap 15.0 (src):    rpmlint-1.10-lp150.6.3.1, rpmlint-mini-1.10-lp150.4.3.1