[CVE-2008-4311] DBus 1.2.6
Colin Walters
walters at verbum.org
Sun Dec 7 13:06:14 PST 2008
On Sun, Dec 7, 2008 at 9:45 AM, Sjoerd Simons <sjoerd at luon.net> wrote:
> On Fri, Dec 05, 2008 at 02:55:04PM -0500, Colin Walters wrote:
>> A new security release of DBus is now available:
>>
>> http://dbus.freedesktop.org/dbus/releases/dbus-1.2.6.tar.gz
>>
>> This release contains a (partial, see below) fix for:
>> https://bugs.freedesktop.org/show_bug.cgi?id=18229
>
> Unfortunately this seems to break Avahi. Some debugging revealed that the new
> config prevented signals from arriving.
>
> The addition of the following rule in the default context fixed the issue again:
> <allow send_requested_reply="true" send_type="signal"/>
>
> If I understood the CVE fix correctly, its main intention is to prevent method
> calls. So adding this to the default rules should be fine?
I believe after looking at this briefly so far that that rule would
effectively allow everything, because a signal is never a reply. See
the docs:
The [send|receive]_requested_reply attribute works similarly to the eavesdrop attribute. It controls whether the <deny> or <allow> matches a reply that is expected (corresponds to a previous method call message). This attribute only makes sense for reply messages (errors and method returns), and is ignored for other message types.
Really we should make specifying an incorrect combination like that an error.
Anyways, so we need to figure out the correct rule. Do you have a
dbus-monitor trace?
I should mention here that unfortunately we've found other fallout
from this fix, namely PackageKit:
https://bugzilla.redhat.com/show_bug.cgi?id=475068
If you're an OS vendor please add a comment to
http://bugs.freedesktop.org/show_bug.cgi?id=18229
with anything you've found that needs updating.
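The documentation passage quoted in the reply above is the whole point: `send_requested_reply` / `receive_requested_reply` only have meaning when the rule's `send_type` / `receive_type` is a reply type (`method_return` or `error`); for any other type the daemon ignores the attribute, so the rule quietly collapses to a rule on the message type alone. The following lint is an added example, not code from the dbus project or from anyone in this thread, and it is not the "correct rule" the thread is still looking for. It parses a `<busconfig>` fragment (the sample is constructed here, not taken from any shipped system.conf) and flags exactly the kind of combination the reply says ought to be an error:

```python
import xml.etree.ElementTree as ET

# Message types for which the *_requested_reply attributes are meaningful,
# per the dbus-daemon documentation quoted in the thread: a "reply" is a
# method return or an error; the attribute is ignored for everything else.
REPLY_TYPES = {"method_return", "error"}

# Constructed sample policy fragment (not a real system.conf). It contains
# the rule proposed in the thread plus a few neighbours for contrast.
SAMPLE_CONFIG = """<busconfig>
  <policy context="default">
    <deny send_destination="org.freedesktop.DBus"
          send_interface="org.freedesktop.DBus"
          send_member="UpdateActivationEnvironment"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="signal"/>
    <allow receive_requested_reply="true" receive_type="error"/>
    <allow receive_requested_reply="false" receive_type="method_call"/>
  </policy>
</busconfig>
"""


def lint_policy(xml_text):
    """Return one finding per <allow>/<deny> whose *_requested_reply attribute
    is paired with a non-reply *_type. Each finding is a dict with the policy
    context, the rule tag, the direction (send/receive) and the offending
    message type. Such a rule is not rejected by the daemon; it simply
    behaves as if the *_requested_reply attribute were absent, i.e. it
    matches every message of that type."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        # A <policy> is selected by exactly one of context/user/group.
        context = (policy.get("context") or policy.get("user")
                   or policy.get("group") or "?")
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            for direction in ("send", "receive"):
                requested_reply = rule.get(direction + "_requested_reply")
                msg_type = rule.get(direction + "_type")
                if requested_reply is None or msg_type is None:
                    continue
                if msg_type not in REPLY_TYPES:
                    findings.append({
                        "context": context,
                        "rule": rule.tag,
                        "direction": direction,
                        "type": msg_type,
                    })
    return findings


def describe(finding):
    """Human-readable explanation of a finding, stating what the rule
    actually does once the ignored attribute is dropped."""
    d, t = finding["direction"], finding["type"]
    return ('policy %s: %s_requested_reply is ignored for %s_type="%s"; '
            'the rule behaves as <%s %s_type="%s"/>'
            % (finding["context"], d, d, t, finding["rule"], d, t))


if __name__ == "__main__":
    for f in lint_policy(SAMPLE_CONFIG):
        print(describe(f))
```

Run against a real `system.conf` by reading the file into `lint_policy`; a clean file returns an empty list. The lint deliberately does not suggest a replacement rule, since what a given service (Avahi, PackageKit) actually needs is what the bug report referenced above is collecting.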