Project

General

Profile

Bug #14612

Pidgin exposes everything through its D-Bus service

Added by anonym about 2 years ago. Updated about 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
09/07/2017
Due date:
% Done:

100%

Feature Branch:
bugfix/14612-deny-access-to-pidgin-dbus-service
Type of work:
Code
Blueprint:
Starter:
Affected tool:
Instant Messaging

Description

See e.g.: https://developer.pidgin.im/wiki/DbusHowto

So Tor Browser can totally sniff your buddy list and send your friends creepy messages.

Disabling this interface some how would solve this, but we're gonna use it in Tails Server's client application, to automate account creation, joining the right chat, etc. intrigeri tells me we could do D-Bus mediation with AppArmor once Linux 4.16 is available to us (unless it's delayed) which sounds ideal.


Related issues

Blocks Tails - Feature #13234: Core work 2017Q3: Foundations Team Resolved 06/29/2017

Associated revisions

Revision b2aabb12 (diff)
Added by intrigeri about 2 years ago

Deny access to Pidgin's D-Bus service (refs: #14612).

That D-Bus interface is dangerous because it allows any application
running as `amnesia' that has access to the session bus to extract
basically any information from Pidgin and to reconfigure it:
https://developer.pidgin.im/wiki/DbusHowto

Revision 565ed099 (diff)
Added by anonym about 2 years ago

Test suite: workaround Pidgin's DBus interface being blocked.

We actually depend on it for some tests.

Refs: #14612

Revision fab65dc9 (diff)
Added by anonym about 2 years ago

Test suite: Make sure Pidgin's DBus interface is blocked.

Refs: #14612

Revision dd12d608
Added by anonym about 2 years ago

Merge remote-tracking branch 'origin/bugfix/14612-deny-access-to-pidgin-dbus-service' into devel

Fix-committed: #14612

History

#1 Updated by anonym about 2 years ago

Apparently there is a 5 year old (but unpublished?) CVE for this: https://census-labs.com/news/2012/02/25/libpurple-otr-info-leak/

Upstream ticket: https://developer.pidgin.im/ticket/14830

I think it can be disabled with something like: DBUS_SESSION_BUS_ADDRESS= pidgin. Otherwise we could always recompile with --disable-dbus...

#2 Updated by intrigeri about 2 years ago

I think it can be disabled with something like: DBUS_SESSION_BUS_ADDRESS= pidgin.

This would likely break input methods and a11y.

#3 Updated by intrigeri about 2 years ago

I think we can forbid all access to that D-Bus interface via D-Bus "security policy" mechanism: see dbus-daemon(1) and e.g. /usr/share/dbus-1/session.conf.

#4 Updated by intrigeri about 2 years ago

  • Assignee set to intrigeri
  • Target version changed from Tails_3.3 to Tails_3.2
  • Type of work changed from Research to Code
  • Affected tool set to Instant Messaging

#5 Updated by intrigeri about 2 years ago

#6 Updated by intrigeri about 2 years ago

(Seems more urgent than #12460 => replace it on my plate for this release.)

#7 Updated by intrigeri about 2 years ago

  • Subject changed from Pidgin exposes everything through its D-Bus interface to Pidgin exposes everything through its D-Bus service

Note to myself: dbus-send --session --print-reply --dest=im.pidgin.purple.PurpleService /im/pidgin/purple/PurpleObject im.pidgin.purple.PurpleInterface.PurpleAccountsGetAll returns exit code 0 iff. Pidgin is running and I am allowed to talk to its D-Bus service.

#8 Updated by intrigeri about 2 years ago

  • Status changed from Confirmed to In Progress
  • Assignee changed from intrigeri to anonym
  • % Done changed from 0 to 50
  • QA Check set to Ready for QA
  • Feature Branch set to bugfix/14612-deny-access-to-pidgin-dbus-service

Thankfully that was trivial :) Once Tails Server has some kind of proper privileged backend / unprivileged frontend separation (#12297) I expect it'll be feasible to give its backend access to the D-Bus interface without broadening the attack surface more than needed.

#9 Updated by anonym about 2 years ago

  • Assignee changed from anonym to intrigeri

Woah, apparently we're already using Pigin's DBus interface in the automated test suite, see 0bc56936a7134f6140df440d1de042d9df9ffada. Fixed with 565ed09904b7bbf59359f886cf4cdf5d7cac4203.

I understand if you'd rather have me split that out into a separate branch/ticket for later. What do you think?

#10 Updated by intrigeri about 2 years ago

  • Assignee changed from intrigeri to anonym

LGTM

#11 Updated by anonym about 2 years ago

  • Status changed from In Progress to Fix committed
  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

#12 Updated by anonym about 2 years ago

  • Status changed from Fix committed to Resolved

Also available in: Atom PDF