Bug 1220215

Summary: VUL-0: kauth: kauth >= version v5.245.0 generates too open D-Bus configuration files that weaken global D-Bus security
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Audits
Assignee: Fabian Vogt <fabian>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: christophe, meissner, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Found By: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Blocks: 1217076

Description Matthias Gerstner 2024-02-22 14:29:54 UTC
+++ This bug was initially created as a clone of Bug #1217191

This was found via the kde6 reviews and whitelistings going on currently.

The new kauth starting with version v5.245.0 generates D-Bus configuration
files containing the following default access policy:

    <policy context="default">
      <allow send_destination="*"/>
    </policy>

This affects _all_ D-Bus services, not only the one the configuration file
is about. Instead this would need to read something like

    <allow send_destination="org.kde.some.destination"/>

This bad configuration has the effect that everybody may now talk to _all_
D-Bus services, even if this shouldn't be the case. Most D-Bus services on the
system bus are accessible to all users, but not all. A simple reproducer on
current Tumbleweed is testing with ratbagd:

    root# zypper in ratbagd

    nobody$ gdbus introspect -y -d org.freedesktop.ratbag1 -o /org/freedesktop/ratbag1
    Error: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied
    [...]

This is the _expected_ output. But once one of the KDE6 configuration files
e.g. from kde-inotify-survey is installed, the access is granted. The outcome
for other packages may vary also depending on the alphabetical order in which
files are processed in /usr/share/dbus-1/system.d.

The change in kauth that introduced this is this commit:

    https://invent.kde.org/frameworks/kauth/-/commit/d7916401a335d3a71d617333a471d3c5f20d5cf5

And the merge request for this commit is found here:

    https://invent.kde.org/frameworks/kauth/-/merge_requests/44

A reviewer even suggested doing the right thing, but it still wasn't done.

KDE security needs to be involved to fix this.

I already wrongly whitelisted a bunch of KDE6 services using these bad
configuration files. They should not hit Factory yet though, hopefully.
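As an added illustration (not part of the bug report, kauth, or any openSUSE tooling): a small audit script that flags busconfig files carrying the wildcard default rule described above, run over two constructed sample policies (the reported form and the corrected one) and, if wanted, over an installed /usr/share/dbus-1/system.d.

```python
"""Audit D-Bus busconfig files for a wildcard send_destination in the default policy."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample (not a real kauth-generated file): the over-permissive
# default policy quoted in the report beside a normal per-user own rule.
BAD_CONF = """<busconfig>
  <policy user="root">
    <allow own="org.kde.some.destination"/>
  </policy>
  <policy context="default">
    <allow send_destination="*"/>
  </policy>
</busconfig>
"""
# Constructed corrected form: the default context may only send to this service.
GOOD_CONF = BAD_CONF.replace('send_destination="*"',
                             'send_destination="org.kde.some.destination"')

def wildcard_default_allows(xml_text):
    """Return every <allow> inside <policy context="default"> whose
    send_destination is "*". The bus combines the rules of all files in the
    policy directory, so such a rule opens every service, not only this file's."""
    root = ET.fromstring(xml_text)
    return [rule for policy in root.iter("policy")
            if policy.get("context") == "default"
            for rule in policy.findall("allow")
            if rule.get("send_destination") == "*"]

def audit_conf_texts(named_texts):
    """named_texts: iterable of (name, xml_text). Return sorted names of files
    carrying the wildcard rule; unparsable files are flagged, not skipped."""
    flagged = []
    for name, text in named_texts:
        try:
            if wildcard_default_allows(text):
                flagged.append(name)
        except ET.ParseError:
            flagged.append(name + " (parse error)")
    return sorted(flagged)

def audit_directory(directory="/usr/share/dbus-1/system.d"):
    """Read-only scan of an installed policy directory, in alphabetical order."""
    files = sorted(Path(directory).glob("*.conf"))
    return audit_conf_texts((p.name, p.read_text()) for p in files)

if __name__ == "__main__":
    for name in audit_directory():
        print("wildcard default send_destination:", name)
```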
Comment 1 Matthias Gerstner 2024-02-22 14:31:34 UTC
I assigned this to Fabian, the current kauth maintainer. Reassign as you see
fit.

I will contact KDE security upstream about this by email.
Comment 2 Christophe Marin 2024-02-22 16:37:12 UTC
https://invent.kde.org/frameworks/kauth/-/merge_requests/62 adds the change suggested months ago
Comment 3 Marcus Meissner 2024-02-23 08:43:26 UTC
Seems semi-public already.
Comment 4 Matthias Gerstner 2024-02-23 09:30:28 UTC
Upstream confirmed that this only affects pre-release versions. So no extended
vulnerability handling is necessary. Making bug public.
Comment 5 Christophe Marin 2024-02-25 12:01:35 UTC
The package was updated in KDE:Frameworks and submitted to factory: https://build.opensuse.org/request/show/1150322
Comment 6 Matthias Gerstner 2024-02-26 13:28:41 UTC
I verified the already whitelisted packages for their new hash digests. It all
looks proper now. I guess we can close this bug once the adjusted
whitelistings are through.
Comment 7 Matthias Gerstner 2024-02-28 10:52:32 UTC
Adjusted whitelistings are in Factory, I guess this can be closed.