Your message dated Sat, 10 Jan 2009 23:02:06 +0000
with message-id <e1llmqe-0004ow...@ries.debian.org>
and subject line Bug#503532: fixed in dbus 1.2.1-5
has caused the Debian Bug report #503532,
regarding send_requested_reply="true" allows all non-reply messages
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
503532: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503532
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dbus
Version: 1.2.1-3
Severity: normal
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I found the following dbus bug. I think it has security implications, but I
can't judge its impact, therefore I did not set the Severity. Security team
is CC'ed.
Upstream bug here https://bugs.freedesktop.org/show_bug.cgi?id=18229
copied text is:
if I understand everything correctly, there is a bad security bug in
dbus:
The default configuration contains the lines
<allow send_requested_reply="true"/>
<allow receive_requested_reply="true"/>
with the valid intention to allow all replies to be sent without explicit
permission. Otherwise, dbus claims to have a default-no policy.
But what happens instead is: When a message is considered for sending, it
enters bus_client_policy_check_can_send in policy.c[1]. There, all rules are
looked at, but only SEND rules considered (line 893) – the first of the above
rules is such a rule. Now we check for various conditions that might occur in
such a rule (e.g. destination and the like), but none of these exist besides
send_requested_reply. But in line 909 this is only done for messages which are
replies. This means that for normal messages, we continue with the code and end
up in line 1028, where we set the allowed flag! If no other rule kicks in, this
stays allowed until the end.
A proper fix would be to add an else statement to the if in line 909, which
calls continue, I think.
Thanks,
Joachim
- -- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-2-486
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages dbus depends on:
ii adduser 3.110 add and remove users and groups
ii debianutils 2.30 Miscellaneous utilities specific t
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libdbus-1-3 1.2.1-3 simple interprocess messaging syst
ii libexpat1 2.0.1-4 XML parsing C library - runtime li
ii libselinux1 2.0.65-5 SELinux shared libraries
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
Versions of packages dbus recommends:
ii dbus-x11 1.2.1-3 simple interprocess messaging syst
dbus suggests no packages.
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkEjZYACgkQ9ijrk0dDIGx7nQCdGHBqviTS6SS23c5JoIJYVDeR
HTwAn3oQZFtVm3xI1MwjqoS37cBPauGe
=AvGx
-----END PGP SIGNATURE-----
--- End Message ---
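To make the fall-through described in the report concrete, the following is a simplified model of the send-side rule walk, written for this page and not taken from dbus's policy.c: the struct layouts, the function names `check_can_send` and `default_policy_allows`, and the reduced set of rule attributes are assumptions, and the `fixed` branch implements the reporter's suggested "else ... continue", not necessarily the patch Debian shipped. Real rules also carry destination, interface and member matching, which are left out here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One message as seen by the bus policy: whether it is a method return or
 * error, and (if so) whether the recipient actually asked for it. */
struct message {
    bool is_reply;
    bool requested_reply;
};

/* One <allow>/<deny> rule, reduced to the attributes the report talks
 * about (hypothetical layout, not dbus's BusPolicyRule). */
struct rule {
    bool allow;               /* <allow .../> (true) or <deny .../> (false) */
    bool is_send;             /* send_* rule (true) or receive_* rule (false) */
    bool has_requested_reply; /* rule carries send_requested_reply="..." */
    bool requested_reply;     /* value of that attribute */
};

/* Walks the rules in order; later rules override earlier ones and the
 * starting verdict is "deny". With fixed == false the function reproduces
 * the fall-through the report describes; with fixed == true it applies the
 * reporter's suggestion: skip a requested-reply rule for any non-reply. */
bool check_can_send(const struct rule *rules, size_t n,
                    const struct message *msg, bool fixed)
{
    bool allowed = false;

    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];

        if (!r->is_send)
            continue; /* receive rules never decide the send side */

        if (r->has_requested_reply) {
            if (msg->is_reply) {
                /* The rule only matches a reply of the kind it names. */
                if (r->requested_reply != msg->requested_reply)
                    continue;
            } else if (fixed) {
                /* Fix: a requested-reply rule says nothing about non-replies. */
                continue;
            }
            /* Buggy path: a method call or signal reaches this point and the
             * rule is treated as matching. */
        }

        allowed = r->allow; /* rule matched; its verdict stands for now */
    }
    return allowed;
}

/* The two default lines quoted in the report, expressed as rules. */
static const struct rule default_rules[] = {
    { true, true,  true, true }, /* <allow send_requested_reply="true"/> */
    { true, false, true, true }, /* <allow receive_requested_reply="true"/> */
};

/* May a message of the given kind be sent under the default rules? */
bool default_policy_allows(bool is_reply, bool requested_reply, bool fixed)
{
    struct message msg = { is_reply, requested_reply };
    return check_can_send(default_rules,
                          sizeof default_rules / sizeof default_rules[0],
                          &msg, fixed);
}

int main(void)
{
    const char *kinds[] = { "method call", "requested reply", "unrequested reply" };
    bool is_reply[]  = { false, true, true };
    bool requested[] = { false, true, false };

    for (int i = 0; i < 3; i++)
        printf("%-17s buggy=%s fixed=%s\n", kinds[i],
               default_policy_allows(is_reply[i], requested[i], false) ? "allow" : "deny",
               default_policy_allows(is_reply[i], requested[i], true)  ? "allow" : "deny");
    return 0;
}
```

Under the buggy walk an ordinary method call is allowed by a rule that was only meant to cover replies, which is exactly why the "default-deny" system bus behaved as default-allow; with the skip in place the same call falls back to the initial deny, while requested replies are still allowed by both variants.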
--- Begin Message ---
Source: dbus
Source-Version: 1.2.1-5
We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:
dbus-1-doc_1.2.1-5_all.deb
to pool/main/d/dbus/dbus-1-doc_1.2.1-5_all.deb
dbus-x11_1.2.1-5_i386.deb
to pool/main/d/dbus/dbus-x11_1.2.1-5_i386.deb
dbus_1.2.1-5.diff.gz
to pool/main/d/dbus/dbus_1.2.1-5.diff.gz
dbus_1.2.1-5.dsc
to pool/main/d/dbus/dbus_1.2.1-5.dsc
dbus_1.2.1-5_i386.deb
to pool/main/d/dbus/dbus_1.2.1-5_i386.deb
libdbus-1-3_1.2.1-5_i386.deb
to pool/main/d/dbus/libdbus-1-3_1.2.1-5_i386.deb
libdbus-1-dev_1.2.1-5_i386.deb
to pool/main/d/dbus/libdbus-1-dev_1.2.1-5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 503...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated dbus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 10 Jan 2009 21:43:16 +0000
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev
Architecture: source all i386
Version: 1.2.1-5
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team
<pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Description:
dbus - simple interprocess messaging system
dbus-1-doc - simple interprocess messaging system (documentation)
dbus-x11 - simple interprocess messaging system (X11 deps)
libdbus-1-3 - simple interprocess messaging system
libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 503532 508032
Changes:
dbus (1.2.1-5) unstable; urgency=high
.
[ Sjoerd Simons ]
* debian/patches/CVE-2008-4311.patch:
+ Added, Fixes CVE-2008-4311. A mistake in the default configuration for
the system bus (system.conf) which made the default policy for both sent
and received messages effectively *allow*, and not deny as intended. This
patch fixes the send side permissions (Closes: #503532, #508032)
* Urgency high for the security fix
.
[ Simon McVittie ]
* Rename CVE-*.patch to prefix them with a sequence number so it's clear
what order they should apply in
* Add 51-CVE-2008-4311-but-allow-signals.patch, cherry-picked from upstream
git commit d899734475: after fixing CVE-2008-4311, re-allow emitting
signals
* debian/patches/3[0-4]*.patch, cherry-picked from upstream git (see patches
for commit IDs): add logging when permission to send a message is denied
* debian/patches/35-syslog-h.patch: #include <syslog.h> to fix compilation
with the logging patches applied
* Add myself to Uploaders
Checksums-Sha1:
c6bbeaf6adaf8bfaab2c29a3673ae06f13bdc27b 1538 dbus_1.2.1-5.dsc
d6487cdd1e7642d4e8c85b70c22194f65485dc09 38407 dbus_1.2.1-5.diff.gz
5322db4f0b383668cb103c7bd8bb0f3f2adbb388 1822318 dbus-1-doc_1.2.1-5_all.deb
33ca15975f3c69d5cfb633b5ab17b335c836ef07 229016 dbus_1.2.1-5_i386.deb
bfde3c36e2e14b97af81953b710f51c40d1e4d7b 63448 dbus-x11_1.2.1-5_i386.deb
0f96acf34bd4fe478d3b7edeb12a2200c6e18b5c 147732 libdbus-1-3_1.2.1-5_i386.deb
006669638cb49e7c067d0fb7bfecde44ed1fcc3f 235596 libdbus-1-dev_1.2.1-5_i386.deb
Checksums-Sha256:
4e93374fe27ff43852fa38ddad38238192f9f0a3bedecb62d15d988368320cfb 1538 dbus_1.2.1-5.dsc
a7e86a2034de58e1d5b41f963b27c791386b59269a9204ff988045eb889d9905 38407 dbus_1.2.1-5.diff.gz
0d6ffcb9ac4855d220f8bf4038c9ba8f03e247bba7943ada83cbdc1c12385070 1822318 dbus-1-doc_1.2.1-5_all.deb
00820f2ee73ce296adb5980a6a1862b0ea6e28c9a524cb70b951a2f1c0bacd2c 229016 dbus_1.2.1-5_i386.deb
645a4e5841ee3e3fbe9907233ddc8ea3f8a302e98633e11051edb85bcb6c2aa3 63448 dbus-x11_1.2.1-5_i386.deb
c96b6e2b0b32a40f12075eb34d5d820f0d01414cc3d5942e440aac26e66fbb8d 147732 libdbus-1-3_1.2.1-5_i386.deb
08167b75a3de06f592e778593393244ed280d26e391f4373f21c7ad5148e28bc 235596 libdbus-1-dev_1.2.1-5_i386.deb
Files:
52f7ccdff41e06473f6156268b37e3fa 1538 devel optional dbus_1.2.1-5.dsc
5c3158b6e63b83d717f5dd8081b44e5c 38407 devel optional dbus_1.2.1-5.diff.gz
65d3cb630ada231a1b09b991da64bf0c 1822318 doc optional dbus-1-doc_1.2.1-5_all.deb
f3b65b62ff6d67379d0aef23bba5d5d6 229016 devel optional dbus_1.2.1-5_i386.deb
868e7115ced3c6196c0e8bc249afa37e 63448 x11 optional dbus-x11_1.2.1-5_i386.deb
e20b7d548c4d4ef9407d83726ab62ffa 147732 libs optional libdbus-1-3_1.2.1-5_i386.deb
37a6786eb691800198fb81941e016a8b 235596 libdevel optional libdbus-1-dev_1.2.1-5_i386.deb
-----BEGIN PGP SIGNATURE-----
iD8DBQFJaSXuWSc8zVUw7HYRApELAJ9xeiYY+SKB2YSEkGS1wMNkoKnMUACg5wvH
QlPFufHhxIR4RrQCTVVcljU=
=X1ZZ
-----END PGP SIGNATURE-----
--- End Message ---