[CVE-2008-4311] DBus 1.2.6

Sjoerd Simons sjoerd at luon.net
Sun Dec 7 06:45:53 PST 2008

On Fri, Dec 05, 2008 at 02:55:04PM -0500, Colin Walters wrote:
> A new security release of DBus is now available:
> http://dbus.freedesktop.org/dbus/releases/dbus-1.2.6.tar.gz
> This release contains a (partial, see below) fix for:
> https://bugs.freedesktop.org/show_bug.cgi?id=18229

Unfortunately this seems to break Avahi. Some debugging revealed that the new
config prevented signals from arriving.

The addition of the following rule in the default context fixed the issue again:
  <allow send_requested_reply="true" send_type="signal"/>

If I understood the CVE fix correctly, its main intention is to prevent method
calls. So adding this to the default rules should be fine?

I have a theory that it's impossible to prove anything, but I can't prove it.
