[CVE-2008-4311] DBus 1.2.6

Colin Walters walters at verbum.org
Sun Dec 7 13:06:14 PST 2008


On Sun, Dec 7, 2008 at 9:45 AM, Sjoerd Simons <sjoerd at luon.net> wrote:
> On Fri, Dec 05, 2008 at 02:55:04PM -0500, Colin Walters wrote:
>> A new security release of DBus is now available:
>>
>> http://dbus.freedesktop.org/dbus/releases/dbus-1.2.6.tar.gz
>>
>> This release contains a (partial, see below) fix for:
>> https://bugs.freedesktop.org/show_bug.cgi?id=18229
>
> Unfortunately this seems to break Avahi. Some debugging revealed that the new
> config prevented signals from arriving.
>
> The addition of the following rule in the default context fixed the issue again:
>  <allow send_requested_reply="true" send_type="signal"/>
>
> If I understood the CVE fix correctly, its main intention is to prevent method
> calls. So adding this to the default rules should be fine?

I believe, after looking at this briefly so far, that that rule would
effectively allow everything, because a signal is never a reply.  See
the docs:

       The [send|receive]_requested_reply attribute works similarly to the
       eavesdrop attribute. It controls whether the <deny> or <allow> matches
       a reply that is expected (corresponds to a previous method call
       message). This attribute only makes sense for reply messages (errors
       and method returns), and is ignored for other message types.

Really we should make specifying an incorrect combination like that an error.
Anyways, so we need to figure out the correct rule.  Do you have a
dbus-monitor trace?

I should mention here that unfortunately we've found other fallout
from this fix, namely PackageKit:

https://bugzilla.redhat.com/show_bug.cgi?id=475068

If you're an OS vendor, please add a comment to
http://bugs.freedesktop.org/show_bug.cgi?id=18229

with anything you've found that needs updating.
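The documentation quoted above, turned into code as an added example (this is not part of the mail and not dbus-daemon's own bus/policy.c): a small Python matcher that consults send_requested_reply only for reply messages (method_return and error) and ignores it for every other type, then checks the proposed rule against a few constructed messages. The Message fields, the com.example names and the default-deny, last-match-wins evaluation in policy_allows are assumptions made for the illustration; the real daemon also handles eavesdropping and the allow/deny asymmetry, which this model leaves out.

```python
"""Model of how a dbus-daemon send rule matches a message, restricted to the
attributes discussed in the mail. Added example, not dbus-daemon code."""

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Message types for which the *_requested_reply attribute has a meaning.
REPLY_TYPES = {"method_return", "error"}


@dataclass
class Message:
    """Constructed stand-in for the fields a send rule can match on."""
    type: str                      # signal, method_call, method_return, error
    interface: str = ""
    member: str = ""
    requested_reply: bool = False  # reply to a call the bus saw (REPLY_TYPES only)


def parse_rule(xml: str) -> ET.Element:
    """Parse one <allow>/<deny> element from its XML text."""
    return ET.fromstring(xml)


def rule_matches(rule: ET.Element, msg: Message) -> bool:
    """True if the send_* attributes of rule all match msg.

    send_requested_reply is compared only when msg is a reply; for other
    message types it is skipped, as the dbus-daemon docs say it is ignored.
    """
    attrs = rule.attrib
    if "send_type" in attrs and attrs["send_type"] != msg.type:
        return False
    if "send_interface" in attrs and attrs["send_interface"] != msg.interface:
        return False
    if "send_member" in attrs and attrs["send_member"] != msg.member:
        return False
    if "send_requested_reply" in attrs and msg.type in REPLY_TYPES:
        wanted = attrs["send_requested_reply"] == "true"
        if wanted != msg.requested_reply:
            return False
    return True


def policy_allows(policy_xml: str, msg: Message) -> bool:
    """Apply the <allow>/<deny> children of a <policy> in order.

    Assumed simplification: the last matching rule wins and a message no
    rule matches is denied.
    """
    allowed = False
    for rule in ET.fromstring(policy_xml):
        if rule.tag in ("allow", "deny") and rule_matches(rule, msg):
            allowed = rule.tag == "allow"
    return allowed


# The rule proposed in the mail, and the rule it collapses to on signals.
PROPOSED_RULE = '<allow send_requested_reply="true" send_type="signal"/>'
BARE_SIGNAL_RULE = '<allow send_type="signal"/>'
# Same attribute on a reply type, where it does restrict the match.
REPLY_RULE = '<allow send_requested_reply="true" send_type="method_return"/>'

# Constructed messages; interface and member names are placeholders.
SAMPLE_MESSAGES = [
    Message("signal", "com.example.Service", "StateChanged"),
    Message("method_call", "com.example.Service", "GetVersion"),
    Message("method_return", requested_reply=True),
    Message("method_return", requested_reply=False),
]


def compare_rules(msgs=SAMPLE_MESSAGES):
    """Per message: (type, requested_reply, proposed matches, bare matches)."""
    proposed, bare = parse_rule(PROPOSED_RULE), parse_rule(BARE_SIGNAL_RULE)
    return [(m.type, m.requested_reply, rule_matches(proposed, m),
             rule_matches(bare, m)) for m in msgs]


def rules_equivalent(msgs=SAMPLE_MESSAGES) -> bool:
    """True when the proposed rule and the bare signal rule never disagree."""
    return all(p == b for _, _, p, b in compare_rules(msgs))


if __name__ == "__main__":
    for row in compare_rules():
        print(row)
    print("proposed rule == <allow send_type=\"signal\"/>:", rules_equivalent())
```

Run stand-alone it prints one row per constructed message; the last two columns agree on every row, so on a send_type="signal" rule the attribute adds no restriction at all, whereas REPLY_RULE does distinguish a requested from an unrequested method_return.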