[ANNOUNCE] CVE-2008-0595 D-Bus Security Releases - D-Bus 1.0.3 and D-Bus 1.1.20

John (J5) Palmieri johnp at redhat.com
Wed Feb 27 09:01:20 PST 2008


This issue just went out of embargo today:

Havoc Pennington discovered a flaw in the way the dbus-daemon applies its security policy.

Ray Strode describes it as such:
    When evaluating whether or not to invoke a method call, the bus daemon
    will look at the security policy and try to determine whether or not
    the caller is allowed access to the method call.

    Many dbus services have lines in their security policy of the form:

    <allow send_interface="some.interface.WithMethods"/>

    to explicitly whitelist the methods of a particular interface for users
    of a specific policy context.

    Normally dbus method calls are invoked fully qualified. That is to say
    the interface the method belongs to is passed to the bus daemon along
    with the method name of the method call. The bus daemon does not
    require method calls to be fully qualified, however. If a caller passes
    just the method with a NULL interface, then the bus daemon will try to
    find the interface with the corresponding method and invoke the method
    call on that interface.

    In these cases, the send_interface attribute of the allow directive is
    ignored.

    <allow send_interface="some.interface.WithMethods"/>

    is interpreted as an implicit <allow/>. This means that if a dbus policy
    file contains any <allow send_interface="..." /> directives for a
    particular context, then it implicitly allows that context to invoke
    non-qualified method calls defined for any interface.

Patch and test case are attached.

Releases with this fix can be found here:

Legacy Stable Release - http://dbus.freedesktop.org/releases/dbus/dbus-1.0.3.tar.gz
  - use this one if upgrading from the 1.0.x series of releases

Stable Release - http://dbus.freedesktop.org/releases/dbus/dbus-1.1.20.tar.gz
  - use this one if upgrading from the 1.1.x series of development releases
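As an added illustration (not the attached patch or test case, and not dbus code), the following toy model of a policy context shows the evaluation Ray describes: a scoped allow rule that matches an unqualified call as if it were a bare <allow/>, beside a hardened evaluator. The policy rules, the "last matching rule wins" simplification and the hardened semantics (an unqualified call never satisfies an interface-scoped allow, while an interface-scoped deny still applies) are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional

# Toy model of a dbus policy context: each rule is an <allow/> or <deny/>
# element, optionally scoped with send_interface="...". Rules are applied in
# order and the last matching rule wins, starting from deny-by-default
# (a simplification assumed for this model).
@dataclass
class Rule:
    allow: bool
    send_interface: Optional[str] = None  # None models a rule without the attribute


def rule_matches(rule: Rule, interface: Optional[str], fixed: bool) -> bool:
    """Decide whether a rule applies to a call whose message carries
    `interface` (None = an unqualified call with a NULL interface)."""
    if rule.send_interface is None:
        return True  # bare <allow/> or <deny/> matches every message
    if interface is None:
        if not fixed:
            # Flawed behaviour: with no interface to compare against, the
            # attribute is ignored and the scoped rule matches like a bare rule.
            return True
        # Hardened behaviour (assumption for this model): an unqualified call
        # can never satisfy an interface-scoped allow, while an
        # interface-scoped deny still applies so the outcome stays restrictive.
        return not rule.allow
    return rule.send_interface == interface


def may_send(rules: List[Rule], interface: Optional[str], fixed: bool) -> bool:
    allowed = False  # default deny
    for rule in rules:
        if rule_matches(rule, interface, fixed):
            allowed = rule.allow
    return allowed


# Constructed policy: deny everything, then whitelist one interface, mirroring
# the <allow send_interface="some.interface.WithMethods"/> line quoted above.
POLICY = [Rule(allow=False), Rule(allow=True, send_interface="some.interface.WithMethods")]


def compare(interface: Optional[str]) -> dict:
    """Return the decision of the flawed and of the hardened evaluator."""
    return {"flawed": may_send(POLICY, interface, fixed=False),
            "fixed": may_send(POLICY, interface, fixed=True)}


if __name__ == "__main__":
    for iface in ["some.interface.WithMethods", "org.example.Unlisted", None]:
        print(iface, compare(iface))
```

Only the unqualified call (interface None) differs between the two evaluators, which is exactly the case the policy author never meant to whitelist.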
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dbus-CVE-2008-0595.tar.bz2
Type: application/x-bzip-compressed-tar
Size: 2626 bytes
Desc: not available
Url : http://lists.freedesktop.org/archives/dbus/attachments/20080227/8c7a92f5/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2008-0595.patch
Type: text/x-patch
Size: 2244 bytes
Desc: not available
Url : http://lists.freedesktop.org/archives/dbus/attachments/20080227/8c7a92f5/attachment-0001.bin 