GNU bug report logs

#47576 [security] ibus-daemon launches ungrafted subprocesses


Message #28 received at 47576@debbugs.gnu.org (full text, mbox, reply):

From: Ludovic Courtès <ludo@gnu.org>
To: Mark H Weaver <mhw@netris.org>
Subject: Re: bug#47576: [security] ibus-daemon launches ungrafted subprocesses
References: <87pmzcdljm.fsf@netris.org> <877dljdenq.fsf@netris.org>
 <874kgndds4.fsf@netris.org>
Date: Fri, 09 Apr 2021 11:06:34 +0200
In-Reply-To: <874kgndds4.fsf@netris.org> (Mark H. Weaver's message of "Sat, 03
 Apr 2021 03:31:44 -0400")
Message-ID: <87pmz37rol.fsf@gnu.org>
Cc: 47576@debbugs.gnu.org
Hi,

Mark H Weaver <mhw@netris.org> wrote:

> I found them:
>
>   ~/.cache/ibus/bus/registry
>   /var/lib/gdm/.cache/ibus/bus/registry
>
> On my system, those files include absolute pathnames to programs in
> /gnu/store/a4r6q1fbfqapy5hrrxap1yg96rjgln6q-ibus-1.5.22, which I
> compiled last December.

Looks like <https://issues.guix.gnu.org/22707>.

The problem seems to generally affect GLib/GNOME-ish caches.

From a quick look at ibusregistry.c & co, I think the values that end up
in the cache are taken from these XML files:

--8<---------------cut here---------------start------------->8---
$ grep /gnu/store $(find $(guix build ibus) -name \*.xml)
/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/share/ibus/component/gtkpanel.xml:	<exec>/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/libexec/ibus-ui-gtk3</exec>
/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/share/ibus/component/dconf.xml:	<exec>/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/libexec/ibus-dconf</exec>
/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/share/ibus/component/simple.xml:	<exec>/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/libexec/ibus-engine-simple</exec>
/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/share/ibus/component/gtkextension.xml:	<exec>/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/libexec/ibus-extension-gtk3</exec>
--8<---------------cut here---------------end--------------->8---

It’s the ‘components’ field of _IBusRegistryPrivate:

--8<---------------cut here---------------start------------->8---
struct _IBusRegistryPrivate {
    /* a list of IBusObservedPath objects. */
    GList *observed_paths;

    /* a list of IBusComponent objects that are created from component XML
     * files (or from the cache of them). */
    GList *components;

    gboolean changed;

    /* a mapping from GFile to GFileMonitor. */
    GHashTable *monitor_table;

    guint monitor_timeout_id;
};
--8<---------------cut here---------------end--------------->8---

The attached patch does the following:

  1. change the above <exec> file names in XML files to relative file
     names;

  2. change ibuscomponent.c to automatically prepend $libexecdir to
     <exec> items that are relative file names.

That way, XML files and thus caches should only contain relative file
names for ibus’ own executables.

The attached patch builds with:

  guix build ibus --with-patch=ibus=/tmp/ibus.patch

… but I don’t know if it actually works.  Testing welcome.  :-)

Unfortunately this strategy doesn’t help with IBus extensions:

--8<---------------cut here---------------start------------->8---
$ grep exec $(find $(guix build ibus-anthy) -name \*.xml)
/gnu/store/d3mfffz41as1blfb28m8n461j42i6zjr-ibus-anthy-1.5.9/share/ibus/component/anthy.xml:	<exec>/gnu/store/d3mfffz41as1blfb28m8n461j42i6zjr-ibus-anthy-1.5.9/libexec/ibus-engine-anthy --ibus</exec>
/gnu/store/d3mfffz41as1blfb28m8n461j42i6zjr-ibus-anthy-1.5.9/share/ibus/component/anthy.xml:	<engines exec="/gnu/store/d3mfffz41as1blfb28m8n461j42i6zjr-ibus-anthy-1.5.9/libexec/ibus-engine-anthy --xml" />
--8<---------------cut here---------------end--------------->8---

Thoughts?

Ludo’.

[ibus.patch (text/x-patch, inline)]
diff --git a/conf/dconf/dconf.xml.in b/conf/dconf/dconf.xml.in
index 4205cb0..538f500 100644
--- a/conf/dconf/dconf.xml.in
+++ b/conf/dconf/dconf.xml.in
@@ -3,7 +3,7 @@
 <component>
 	<name>org.freedesktop.IBus.Config</name>
 	<description>Dconf Config Component</description>
-	<exec>@libexecdir@/ibus-dconf</exec>
+	<exec>ibus-dconf</exec>
 	<version>@VERSION@</version>
 	<author>Daiki Ueno &lt;ueno@unixuser.org&gt;</author>
 	<license>GPL</license>
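Review bot: dropping `@libexecdir@/` from the `<exec>` line leaves the component launch command relative, and nothing in the template records that such a name is now expected to be resolved against libexecdir. Suggest a one-line XML comment next to `<exec>ibus-dconf</exec>` stating that convention, since the same edit is repeated in memconf.xml.in, simple.xml.in, gtkextension.xml.in and gtkpanel.xml.in and a packager touching one of them later would otherwise not know why the prefix is absent.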
diff --git a/conf/memconf/memconf.xml.in b/conf/memconf/memconf.xml.in
index d6ea690..9f51bcc 100644
--- a/conf/memconf/memconf.xml.in
+++ b/conf/memconf/memconf.xml.in
@@ -2,7 +2,7 @@
 <component>
 	<name>org.freedesktop.IBus.Config</name>
 	<description>On-memory Config Component</description>
-	<exec>@libexecdir@/ibus-memconf</exec>
+	<exec>ibus-memconf</exec>
 	<version>@VERSION@</version>
 	<author>Peng Huang &lt;shawn.p.huang@gmail.com&gt;, modified by the Chromium OS Authors</author>
 	<license>GPL</license>
diff --git a/engine/simple.xml.in b/engine/simple.xml.in
index fc1541e..47cbea1 100644
--- a/engine/simple.xml.in
+++ b/engine/simple.xml.in
@@ -2,7 +2,7 @@
 <component>
 	<name>org.freedesktop.IBus.Simple</name>
 	<description>A table based simple engine</description>
-	<exec>@libexecdir@/ibus-engine-simple</exec>
+	<exec>ibus-engine-simple</exec>
 	<version>@VERSION@</version>
 	<author>Peng Huang &lt;shawn.p.huang@gmail.com&gt;</author>
 	<license>GPL</license>
diff --git a/src/Makefile.am b/src/Makefile.am
index a8e3d07..2c461ee 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -49,6 +49,7 @@ AM_CPPFLAGS =                                           \
     @GLIB2_CFLAGS@                                      \
     @GOBJECT2_CFLAGS@                                   \
     @GIO2_CFLAGS@                                       \
+    -DLIBEXECDIR=\"$(libexecdir)\"			\
     -DIBUS_CACHE_DIR=\""$(localstatedir)/cache/ibus"\"  \
     -DIBUS_DATA_DIR=\"$(pkgdatadir)\"                   \
     -DIBUS_DISABLE_DEPRECATION_WARNINGS                 \
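Review bot: the added `-DLIBEXECDIR=\"$(libexecdir)\"` line pads its trailing backslash with tabs while the surrounding `AM_CPPFLAGS` lines align the backslash with spaces; use spaces here so the block stays consistently formatted.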
diff --git a/src/Makefile.in b/src/Makefile.in
index 2a9c2ab..c3dfd87 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -613,6 +613,7 @@ CLEANFILES = $(am__append_2) $(BUILT_SOURCES) stamp-ibusmarshalers.h \
 # C preprocessor flags
 AM_CPPFLAGS = -DG_LOG_DOMAIN=\"IBUS\" @GLIB2_CFLAGS@ @GOBJECT2_CFLAGS@ \
 	@GIO2_CFLAGS@ \
+	-DLIBEXECDIR=\"$(libexecdir)\" \
 	-DIBUS_CACHE_DIR=\""$(localstatedir)/cache/ibus"\" \
 	-DIBUS_DATA_DIR=\"$(pkgdatadir)\" \
 	-DIBUS_DISABLE_DEPRECATION_WARNINGS -DIBUS_COMPILATION \
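Review bot: src/Makefile.in is generated by automake from src/Makefile.am, so this hunk duplicates the previous one by hand. That is only needed when the patch is applied to a release tarball without re-running automake (as `guix build --with-patch` does); it should be dropped when the change is sent upstream, since editing generated files invites the two to drift apart.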
diff --git a/src/ibuscomponent.c b/src/ibuscomponent.c
index 9837f47..4b55a66 100644
--- a/src/ibuscomponent.c
+++ b/src/ibuscomponent.c
@@ -614,6 +614,18 @@ ibus_component_parse_engines (IBusComponent *component,
 
     if (exec != NULL) {
         gchar *output = NULL;
+
+        if (exec[0] != '/') {
+            /* EXEC is a relative file name, so assume it's the name of an
+               executable in $libexecdir and expand it.  */
+            GString *absolute = g_string_new (LIBEXECDIR);
+            g_string_append (absolute, "/");
+            g_string_append (absolute, exec);
+
+            g_free (exec);
+            exec = g_string_free (absolute, FALSE);
+        }
+
         if (g_spawn_command_line_sync (exec, &output, NULL, NULL, NULL)) {
             engines_node = ibus_xml_parse_buffer (output);
             g_free (output);
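Review bot: this expansion is placed in `ibus_component_parse_engines`, i.e. on the command that is run through `g_spawn_command_line_sync` to produce the engine list (the `<engines exec="...">` attribute seen in the anthy example), whereas the XML hunks in this patch shorten the `<exec>` element, which is the component launch command and does not appear to go through this function; unless the consumer of `<exec>` gets the same `LIBEXECDIR` treatment, the relative `ibus-dconf`, `ibus-ui-gtk3` and friends will not be found, which would match the "I don't know if it actually works" caveat in the message. Two smaller points on the check itself: `exec[0] != '/'` also fires for an empty string and turns it into `LIBEXECDIR/`, so prefer `g_path_is_absolute (exec)` and reject empty values; and because `exec` is a whole command line, prepending to the string only works while the program name happens to be the first token, so running `g_shell_parse_argv` first and adjusting `argv[0]` would make that assumption explicit.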
diff --git a/ui/gtk3/gtkextension.xml.in b/ui/gtk3/gtkextension.xml.in
index b8157c9..fc945ab 100644
--- a/ui/gtk3/gtkextension.xml.in
+++ b/ui/gtk3/gtkextension.xml.in
@@ -3,7 +3,7 @@
 <component>
 	<name>org.freedesktop.IBus.Panel.Extension</name>
 	<description>Gtk Panel Extension Component</description>
-	<exec>@libexecdir@/ibus-extension-gtk3</exec>
+	<exec>ibus-extension-gtk3</exec>
 	<version>@VERSION@</version>
 	<author>Takao Fujiwara &lt;takao.fujiwara1@gmail.com&gt;</author>
 	<license>GPL</license>
diff --git a/ui/gtk3/gtkpanel.xml.in b/ui/gtk3/gtkpanel.xml.in
index b61f400..2175b93 100644
--- a/ui/gtk3/gtkpanel.xml.in
+++ b/ui/gtk3/gtkpanel.xml.in
@@ -3,7 +3,7 @@
 <component>
 	<name>org.freedesktop.IBus.Panel</name>
 	<description>Gtk Panel Component</description>
-	<exec>@libexecdir@/ibus-ui-gtk3</exec>
+	<exec>ibus-ui-gtk3</exec>
 	<version>@VERSION@</version>
 	<author>Peng Huang &lt;shawn.p.huang@gmail.com&gt;</author>
 	<license>GPL</license>
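The message above explains the two halves of the problem: component XML files carry absolute /gnu/store program paths, and those values are copied into the registry cache, so a cache written by an older (ungrafted) ibus keeps pointing at the old store item. Below is an added checker, not code from the bug report or from IBus, that a Guix user could run over component XML text: it extracts the `<exec>` element and the `<engines exec="...">` attribute, applies the patch's resolution rule (a relative program name lives in libexecdir, using `os.path.isabs` rather than the bare `exec[0] != '/'` test), and reports every absolute program path that sits in a store item other than the one currently built. The sample XML, the `CURRENT_ITEM` placeholder hash and the `libexecdir` value are constructed for the example; the old store path is the one quoted in the grep output above.

```python
"""Flag IBus component exec commands that reference a stale /gnu/store item.

Added example (not from the bug report or IBus). It mirrors the patch's
rule for relative <exec> names and then checks, for every command the
component file can launch, whether its program lives in a store item
other than the one currently installed.
"""
import os
import re
import shlex
import xml.etree.ElementTree as ET

# A store path starts with /gnu/store/<hash>-<name>-<version>; the first
# path component after /gnu/store/ identifies the store item.
STORE_ITEM_RE = re.compile(r"^/gnu/store/[^/]+")

# Constructed sample: OLD_ITEM is the store item from the grep output in the
# report; CURRENT_ITEM uses a made-up all-zero hash as a placeholder for the
# ibus that is currently built.
OLD_ITEM = "/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22"
CURRENT_ITEM = "/gnu/store/00000000000000000000000000000000-ibus-1.5.22"

SAMPLE_XML = f"""<component>
	<name>org.freedesktop.IBus.Config</name>
	<exec>{OLD_ITEM}/libexec/ibus-dconf</exec>
	<version>1.5.22</version>
	<engines exec="{OLD_ITEM}/libexec/ibus-engine-simple --xml" />
</component>
"""

# Same file after the patch: the launch command is a bare program name.
SAMPLE_RELATIVE_XML = """<component>
	<name>org.freedesktop.IBus.Simple</name>
	<exec>ibus-engine-simple</exec>
</component>
"""


def exec_commands(xml_text):
    """Return (origin, command) pairs for the two places a component file
    names a command: the <exec> element and the exec= attribute of <engines>."""
    root = ET.fromstring(xml_text)
    found = []
    for node in root.iter("exec"):
        if node.text and node.text.strip():
            found.append(("exec", node.text.strip()))
    for node in root.iter("engines"):
        command = node.get("exec")
        if command:
            found.append(("engines", command))
    return found


def resolve(command, libexecdir):
    """Apply the patch's rule: a relative program name is taken to live in
    libexecdir. The command is split shell-style first so that only the
    program token is rewritten and arguments such as '--xml' survive."""
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty exec command")
    if not os.path.isabs(argv[0]):
        argv[0] = os.path.join(libexecdir, argv[0])
    return shlex.join(argv)


def stale_store_refs(xml_text, current_item, libexecdir):
    """List (origin, program) for every command whose program is an absolute
    store path under a store item other than current_item. Relative names
    resolve into libexecdir, which belongs to current_item, so they never
    count as stale."""
    stale = []
    for origin, command in exec_commands(xml_text):
        program = shlex.split(resolve(command, libexecdir))[0]
        match = STORE_ITEM_RE.match(program)
        if match and match.group(0) != current_item:
            stale.append((origin, program))
    return stale


if __name__ == "__main__":
    libexecdir = CURRENT_ITEM + "/libexec"
    for origin, program in stale_store_refs(SAMPLE_XML, CURRENT_ITEM, libexecdir):
        print(f"stale {origin}: {program}")
    print("patched file:", stale_store_refs(SAMPLE_RELATIVE_XML, CURRENT_ITEM, libexecdir))
```

Run against a real system, the two inputs would be the contents of `$(guix build ibus)/share/ibus/component/*.xml` (or the registry cache, if it is read back into the same XML shape) and the store item that `guix build ibus` currently prints; anything reported as stale is a command that will launch an executable from an older, possibly ungrafted, store item.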



debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 02:21:41 2024; Machine Name: wallace-server
