[CVE-2008-4311] DBus 1.2.8
walters at verbum.org
Tue Dec 9 08:09:27 PST 2008
A new release of DBus is now available:
This release is a continuation of work on:
== Overview ==
I think we're finally arriving at general consensus for where the line
for bugs in the core is versus in external programs for this issue.
DBus 1.2.8 has one behavioral change, which is to allow all signals by
default on the system bus. There is also a documentation update for
the system bus:
"Currently, the system bus has a default-deny policy for sending method calls
and owning bus names. Everything else, in particular reply messages, receive
checks, and signals has a default allow policy."
There are two major things to be aware of, in order of importance:
== Services ==
Now, corresponding with this issue, some services must be updated. A
tracking bug has been created:
The above bug is for services which fail with the policy for DBus
1.2.8 (i.e. not 1.2.6).
== <deny send_interface=""/>
Besides services which must be updated to work, there are also
services whose config breaks *other* services or introduces erroneous
permissions. This kind of flaw is really the fault of the policy
language - it's incredibly easy to introduce these kinds of flaws. In
general, every rule in a system.d/foo.conf should include
"send_destination". If it doesn't, it's almost certainly a bug.
The most insidious is this one:
Effectively, this will deny all messages sent with no interface - even
those *not sent to your service* - as occurs when using e.g. Python
and not using the dbus.Interface cast. The correct rule looks like
<deny send_destination="org.foo.Service" send_interface="org.foo.Iface"/>
Bottom line - use send_destination in *every* rule unless you know
explicitly what you're doing, and avoid putting two services in the
same process (if you do, use PolicyKit).
More information about the dbus