[CVE-2008-4311] DBus 1.2.6

Colin Walters walters at verbum.org
Sat Dec 13 14:06:41 PST 2008


This issue turned out to be quite a lot more wide ranging than I'd
initially thought.  It didn't help of course inadvertently pushing
what should have been a testing update into Fedora stable.

Anyways, I think we're going to effectively have a flag day.  Some
things were relatively easy to fix, but others are subtle and tricky,
requiring examination of service code.

My current plan on this now, given how much needs to be fixed, is to
do a new upstream release (let's call it 1.2.4.1?) which reverts the
default back to open, *but* adds logging support such that we get a
syslog message when something would have been denied.  This should be
a relatively straightforward tweak of the current syslog patch.

In the meantime, there's no reason not to fix your service files now.
Please do so!  This mail still applies:

http://lists.freedesktop.org/archives/dbus/2008-December/010717.html

*with the exception* that you must not use bare <deny
send_interface="foo"/> as I initially suggested there.  Instead use:
<deny send_destination="org.foo.MyService"
send_interface="org.foo.MyInterface"/>

So in summary, get a new release out that lets people (other than me)
figure out more easily what's broken and work on fixing it, without
breaking compatibility for now.  Thoughts/opinions?
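A small audit for the point made above about deny rules, as an added example that is not part of the mail or of the dbus project: it parses a bus policy file and flags every `<deny>` that names a `send_interface` but no `send_destination`, the bare form the post says not to use. The two sample policies are constructed for illustration.

```python
"""Audit D-Bus bus-policy XML for the rule shape the post warns against.

A <deny send_interface="..."/> with no send_destination matches messages
to every destination on the bus, not just your own service.  Added
example, not from the mail or the dbus project; sample policies are
constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample: the bare form the post says not to use.
BARE_DENY_POLICY = """<?xml version="1.0"?>
<busconfig>
  <policy user="root">
    <allow own="org.foo.MyService"/>
  </policy>
  <policy context="default">
    <deny send_interface="org.foo.MyInterface"/>
  </policy>
</busconfig>
"""

# Constructed sample: the corrected form, scoped to one destination.
SCOPED_DENY_POLICY = """<?xml version="1.0"?>
<busconfig>
  <policy user="root">
    <allow own="org.foo.MyService"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.foo.MyService"
          send_interface="org.foo.MyInterface"/>
  </policy>
</busconfig>
"""

def find_unscoped_denies(policy_xml: str) -> List[Tuple[str, str]]:
    """Return (policy selector, interface) for each <deny> that names a
    send_interface but no send_destination."""
    findings = []
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        # Identify the <policy> by whichever selector attribute it carries.
        ctx = policy.get("context") or policy.get("user") or policy.get("group") or "?"
        for rule in policy.findall("deny"):
            iface = rule.get("send_interface")
            if iface and rule.get("send_destination") is None:
                findings.append((ctx, iface))
    return findings
```

Run it over each policy file you ship; an empty result means every interface-based deny is scoped to a destination as the post asks.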
