D-Bus CVE aftermath
David Zeuthen
david at fubar.dk
Mon Dec 8 10:42:58 PST 2008
Hi,
As many of you are probably aware, there's a new D-Bus release with a
fix for CVE-2008-4311
http://lists.freedesktop.org/archives/dbus/2008-December/010702.html
One nasty side effect of this D-Bus bug fix is that many, many system
services need updating. PolicyKit is one of them; here's the patch and
related bug
https://bugs.freedesktop.org/show_bug.cgi?id=18948#c7
Note that this is not a PolicyKit security issue; the lack of this patch
merely means that no-one can access the org.freedesktop.PolicyKit
service on the system bus. So no extra access / permissions are granted
by this. Second, not a lot of software using PolicyKit is using the
D-Bus service (they use the shared library libpolkit.so instead) so most
things should work correctly.
If someone wants to do a 0.9.x release with this patch I'm fine with
that (but I don't think it's necessary); point me to a git tree to pull
from and I'll roll some tarballs.
David