The Plan for CVE-2008-4311

Colin Walters walters at verbum.org
Wed Dec 17 15:10:27 PST 2008


Here are my current thoughts with regards to CVE-2008-4311 and the
nest of vipers that working on it has stirred up.

== Splitting off a permissive branch ==

Split off a "permissive" branch from the dbus-1.2.4 release.  This
will contain 100% compatible improvements, namely:

 * Improved logging: http://bugs.freedesktop.org/show_bug.cgi?id=19141
 * Workaround for some of the <deny send_interface=""/> pains:
http://bugs.freedesktop.org/show_bug.cgi?id=18961
 * Clarified (but still 100% compatible) security policy:
http://bugs.freedesktop.org/show_bug.cgi?id=19060

This release will have the same even (released) odd (git only) scheme
that I've adopted for dbus and dbus-glib, but branched off of 1.2.4.

dbus-1.2.4.2permissive.tar.gz
dbus-1.2.4.4permissive.tar.gz
etc.

Concurrently, we apply these fixes to the continuing 1.2.X stream.
The primary difference between 1.2.X and 1.2.4.Xpermissive is simply
the default policy for method calls.  In 1.2.X it will be deny (as
intended originally), and in 1.2.4.Xpermissive it will be permissive.

New releases from the dbus-1.2.X branch in the near future may also
contain non-CVE-2008-4311 related fixes, but that is dependent on
review cycles etc.

There will still be a dbus-1.3.X branch in git to which all patches
should be applied first before moving to either stable branch.

I expect that vendors currently on 1.2.4 will ship the
1.2.4.Xpermissive stream in their unstable/development trees as soon
as it's released.  If you've already updated to 1.2.8 then you can
continue with that.  1.2.10 will contain the same things as
1.2.4.2permissive.

== Fixing policies ==

Concurrently, we need to continue work on fixing application policies.
Having vendors ship 1.2.4.Xpermissive immediately should help.

There are two major classes of bug:

* Services which do not work in a default deny world:
https://bugs.freedesktop.org/show_bug.cgi?id=18980
* Services which use <deny send_interface="">:
http://bugs.freedesktop.org/show_bug.cgi?id=18961
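To make the two bug classes concrete, here is an added illustration
(not from the post or the dbus project) of a system bus service policy
file as it should look under a default-deny bus; org.example.Foo and
org.example.Foo.Admin are hypothetical names. The comments note what
the broken variants of each class looked like. The interface header in
D-Bus messages is optional, which is why a deny rule keyed on
send_interface alone also matches interface-less messages to every
service.

```xml
<!-- Added example policy for a hypothetical service org.example.Foo,
     installed as /etc/dbus-1/system.d/org.example.Foo.conf.
     Not from the original post; names are placeholders. -->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Only root may claim the well-known name. -->
  <policy user="root">
    <allow own="org.example.Foo"/>
  </policy>

  <!-- Class 1 (bug 18980): a policy written for a permissive bus stops
       at the owner rule above and never says who may CALL the service.
       Under default deny every method call is then rejected, so the
       callers have to be granted explicitly. -->
  <policy context="default">
    <allow send_destination="org.example.Foo"/>
    <!-- The privileged interface stays closed for everyone by default,
         keyed on destination AND interface. -->
    <deny send_destination="org.example.Foo"
          send_interface="org.example.Foo.Admin"/>
  </policy>

  <!-- Group policies are applied after the default context, so this
       allow overrides the deny above for members of wheel only. -->
  <policy group="wheel">
    <allow send_destination="org.example.Foo"
           send_interface="org.example.Foo.Admin"/>
  </policy>

  <!-- Class 2 (bug 18961): the broken variant of the Admin deny above
       named only the interface:

         <deny send_interface="org.example.Foo.Admin"/>

       Because the interface field is optional, that rule also matches
       messages with no interface at all, blocking interface-less calls
       to every service on the bus rather than just org.example.Foo.
       Always pair send_interface with send_destination, as done above. -->

</busconfig>
```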

My hope is that in no more than a few months we can have most of the
important programs fixed for bug 18980.  At that time, I expect
vendors to switch from dbus-1.2.4.Xpermissive to dbus-1.2.X.

Speaking as a Fedora developer, my tentative plan is to ship
1.2.4.Xpermissive in rawhide as soon as it's released, and ensure that
patches land for core services in the F11 development stream.  The
goal is to get F11 off of dbus-1.2.4.Xpermissive to dbus-1.2.X.

Feedback (and help) from interested people is appreciated.
