Your message dated Sun, 14 Dec 2008 18:02:05 +0000
with message-id <e1lbvi5-0007ex...@ries.debian.org>
and subject line Bug#508032: fixed in dbus 1.2.8-1
has caused the Debian Bug report #508032,
regarding send_requested_reply="true" allows all non-reply messages
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
508032: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508032
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dbus
Version: 1.2.1-3
Severity: normal
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I found the following dbus bug. I think it has security implications, but I
can't judge its impact, therefore I did not set the Severity. The security team
is CC'ed.
Upstream bug here https://bugs.freedesktop.org/show_bug.cgi?id=18229
copied text is:
if I understand everything correctly, there is a bad security bug in
dbus:
The default configuration contains the lines
<allow send_requested_reply="true"/>
<allow receive_requested_reply="true"/>
with the valid intention to allow all replies to be sent without explicit
permission. Otherwise, dbus claims to have a default-no policy.
But what happens instead is: When a message is considered for sending, it
enters bus_client_policy_check_can_send in policy.c[1]. There, all rules are
looked at, but only SEND rules considered (line 893) – the first of the above
rules is such a rule. Now we check for various conditions that might occur in
such a rule (e.g. destination and the like), but none of these exist besides
send_requested_reply. But in line 909 this is only done for messages which are
replies. This means that for normal messages, we continue with the code and end
up in line 1028, where we set the allowed flag! If no other rule kicks in, this
stays allowed until the end.
A proper fix would be to add an else statement to the if in line 909, which
calls continue, I think.
Thanks,
Joachim
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-2-486
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages dbus depends on:
ii adduser 3.110 add and remove users and groups
ii debianutils 2.30 Miscellaneous utilities specific t
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libdbus-1-3 1.2.1-3 simple interprocess messaging syst
ii libexpat1 2.0.1-4 XML parsing C library - runtime li
ii libselinux1 2.0.65-5 SELinux shared libraries
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
Versions of packages dbus recommends:
ii dbus-x11 1.2.1-3 simple interprocess messaging syst
dbus suggests no packages.
-- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkEjZYACgkQ9ijrk0dDIGx7nQCdGHBqviTS6SS23c5JoIJYVDeR
HTwAn3oQZFtVm3xI1MwjqoS37cBPauGe
=AvGx
-----END PGP SIGNATURE-----
--- End Message ---
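The control-flow defect described in the report, written out as an added example in C. This is a deliberately reduced model of bus_client_policy_check_can_send(), not dbus's actual policy.c: the rule_t and message_t structures, their field names, the tri-state requested_reply field and the sample rule table are assumptions made here so the buggy and the fixed loop can be run side by side. The `fixed` flag selects the "else continue" that the report proposes.

```c
/* Added example: a reduced model of the rule loop in dbus policy.c's
 * bus_client_policy_check_can_send(). Not the real dbus code; the types
 * below are simplifications constructed for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { RULE_SEND, RULE_RECEIVE } rule_type_t;

typedef struct {
    rule_type_t type;
    bool        allow;            /* <allow .../> (true) or <deny .../> (false) */
    int         requested_reply;  /* -1 = attribute absent, 0 = "false", 1 = "true" */
    const char *destination;      /* NULL = rule does not restrict destination */
} rule_t;

typedef struct {
    bool        is_reply;             /* has a reply serial (METHOD_RETURN / ERROR) */
    bool        reply_was_requested;  /* bus saw a matching outstanding call */
    const char *destination;
} message_t;

/* Default-deny, last matching rule wins. `fixed` = apply the proposed fix. */
static bool check_can_send(const rule_t *rules, size_t n,
                           const message_t *msg, bool fixed)
{
    bool allowed = false;
    for (size_t i = 0; i < n; i++) {
        const rule_t *r = &rules[i];
        if (r->type != RULE_SEND)
            continue;                 /* only SEND rules are considered here */

        if (r->requested_reply >= 0) {
            if (msg->is_reply) {
                /* requested_reply="true" matches only replies that were
                 * actually requested; "false" matches unrequested ones. */
                bool wanted = (r->requested_reply == 1);
                if (msg->reply_was_requested != wanted)
                    continue;
            } else if (fixed) {
                /* FIX: a send_requested_reply rule says nothing about
                 * non-reply messages, so it must not match them. */
                continue;
            }
            /* Buggy path: a non-reply message falls through and matches. */
        }

        if (r->destination != NULL &&
            (msg->destination == NULL ||
             strcmp(r->destination, msg->destination) != 0))
            continue;

        allowed = r->allow;           /* rule matched: set the allowed flag */
    }
    return allowed;
}

/* Constructed sample rule table mirroring the two default-config lines
 * quoted in the report. The receive rule is skipped by the send check. */
static const rule_t default_rules[] = {
    { RULE_SEND,    true, 1, NULL },  /* <allow send_requested_reply="true"/> */
    { RULE_RECEIVE, true, 1, NULL },  /* <allow receive_requested_reply="true"/> */
};
#define N_RULES (sizeof default_rules / sizeof default_rules[0])

/* A plain method call: no reply serial, so not a reply at all. */
bool method_call_allowed(bool fixed)
{
    message_t m = { false, false, "org.example.Service" };   /* constructed */
    return check_can_send(default_rules, N_RULES, &m, fixed);
}

/* A method return answering an outstanding call: must pass either way. */
bool requested_reply_allowed(bool fixed)
{
    message_t m = { true, true, ":1.42" };                   /* constructed */
    return check_can_send(default_rules, N_RULES, &m, fixed);
}

/* A reply nobody asked for: must be refused either way. */
bool unrequested_reply_allowed(bool fixed)
{
    message_t m = { true, false, ":1.42" };                  /* constructed */
    return check_can_send(default_rules, N_RULES, &m, fixed);
}

int main(void)
{
    printf("method call, buggy loop : %s\n", method_call_allowed(false) ? "ALLOWED" : "denied");
    printf("method call, fixed loop : %s\n", method_call_allowed(true)  ? "ALLOWED" : "denied");
    printf("requested reply, fixed  : %s\n", requested_reply_allowed(true) ? "allowed" : "DENIED");
    printf("unrequested reply, fixed: %s\n", unrequested_reply_allowed(true) ? "ALLOWED" : "denied");
    return 0;
}
```

With the buggy loop the method call is allowed although no rule was ever meant to match it; with the extra `continue` it is denied, while genuine requested replies still pass and unrequested replies are still refused. The same structure applies to the receive-side check with receive_requested_reply.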
--- Begin Message ---
Source: dbus
Source-Version: 1.2.8-1
We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:
dbus-1-doc_1.2.8-1_all.deb
to pool/main/d/dbus/dbus-1-doc_1.2.8-1_all.deb
dbus-x11_1.2.8-1_amd64.deb
to pool/main/d/dbus/dbus-x11_1.2.8-1_amd64.deb
dbus_1.2.8-1.diff.gz
to pool/main/d/dbus/dbus_1.2.8-1.diff.gz
dbus_1.2.8-1.dsc
to pool/main/d/dbus/dbus_1.2.8-1.dsc
dbus_1.2.8-1_amd64.deb
to pool/main/d/dbus/dbus_1.2.8-1_amd64.deb
dbus_1.2.8.orig.tar.gz
to pool/main/d/dbus/dbus_1.2.8.orig.tar.gz
libdbus-1-3_1.2.8-1_amd64.deb
to pool/main/d/dbus/libdbus-1-3_1.2.8-1_amd64.deb
libdbus-1-dev_1.2.8-1_amd64.deb
to pool/main/d/dbus/libdbus-1-dev_1.2.8-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 508...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sjoerd Simons <sjo...@debian.org> (supplier of updated dbus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 07 Dec 2008 13:30:19 +0000
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev
Architecture: source all amd64
Version: 1.2.8-1
Distribution: experimental
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Sjoerd Simons <sjo...@debian.org>
Description:
dbus - simple interprocess messaging system
dbus-1-doc - simple interprocess messaging system (documentation)
dbus-x11 - simple interprocess messaging system (X11 deps)
libdbus-1-3 - simple interprocess messaging system
libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 503532 508032
Changes:
dbus (1.2.8-1) experimental; urgency=low
.
[ Sjoerd Simons ]
* New upstream release
* Fixes CVE-2008-4311 (Closes: #503532, #508032)
.
[ Michael Biebl ]
* debian/libdbus-1-3.symbols
- Updated, new symbol has been added.
* debian/rules
- Bump shlibs to 1.2.4.
* debian/control
- Bump Standards-Version to 3.8.0. No further changes.
Checksums-Sha1:
de07212c94d0c67b8b041cc8cccb3b08eb23a1f9 1536 dbus_1.2.8-1.dsc
f6a5215b1eb6fee17821beb22f2e934ad383bfbe 1571133 dbus_1.2.8.orig.tar.gz
a5711abfedd4f1241c84c63fc3befe671cf452fa 26581 dbus_1.2.8-1.diff.gz
93f491fc75a86c592fd0c2efcbd8335836955ce8 1803724 dbus-1-doc_1.2.8-1_all.deb
b89523d2b493bf39a5aaaa70eee8393936d5e6f4 225600 dbus_1.2.8-1_amd64.deb
8d6932da06beb77b21345c36196de40ecdc241f1 39920 dbus-x11_1.2.8-1_amd64.deb
430b4798c23f3b4d8a1694e871b90a44c84e10d4 138360 libdbus-1-3_1.2.8-1_amd64.deb
1e98be27d4d3c532b66f238652c9f8df8bd263ba 235100 libdbus-1-dev_1.2.8-1_amd64.deb
Checksums-Sha256:
11429c11e855b38a2e4eb97d538106a60dd96135ac169a1b06ed972f2011126c 1536 dbus_1.2.8-1.dsc
167a06f0236c9d9288dad106e83fb184bbea213c732bb90ae487d6a02b90b105 1571133 dbus_1.2.8.orig.tar.gz
a0200d93e5f14b3df42f78823901aec5d238abc01d074f44aafebbc4c5f416bb 26581 dbus_1.2.8-1.diff.gz
c8f09fb22b740449ceeef27955f432aeab2401ef8974563c1256fb0a655ddffc 1803724 dbus-1-doc_1.2.8-1_all.deb
45afac4fb0053219f6e950baad34f860b687aed6144f9089935aa4dfa20c4c6b 225600 dbus_1.2.8-1_amd64.deb
7eba4d61aeabd47f6e93a90625261be52d3774cc9ae127f74e18547eb97068e4 39920 dbus-x11_1.2.8-1_amd64.deb
cc03cc5a6a6b18a63032195f6c270d3b1db9c277a63c818eabcdfa650ca2897c 138360 libdbus-1-3_1.2.8-1_amd64.deb
255e6d951589cff5f2ba381fa866cd110a8701c7f8e3f3d1b9af540df0973878 235100 libdbus-1-dev_1.2.8-1_amd64.deb
Files:
29d8429e17f598c6478182c1c9eeffb0 1536 devel optional dbus_1.2.8-1.dsc
f8559a7a3b7cf5ec7e3eb80cfe44efe4 1571133 devel optional dbus_1.2.8.orig.tar.gz
f1c001481e9e5c8de491b8ce46f1c928 26581 devel optional dbus_1.2.8-1.diff.gz
2c9b6bc62680ffb992d4d35c964af18e 1803724 doc optional dbus-1-doc_1.2.8-1_all.deb
0e635e28342acb9cb2833b2c795fd848 225600 devel optional dbus_1.2.8-1_amd64.deb
b1adaed558d8e31dfb5a1321cb259178 39920 x11 optional dbus-x11_1.2.8-1_amd64.deb
07c372f1a057321d5f162c4f8e2556a8 138360 libs optional libdbus-1-3_1.2.8-1_amd64.deb
b7aa16eba4cf08b51598430883d834c5 235100 libdevel optional libdbus-1-dev_1.2.8-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAklFSVQACgkQgTd+SodosdIjHwCZAZRUgqnGq9iP+UbzzO3y2stz
xI4AoMwvfWMZ6OZ4g9yT1taxeZOYA2GO
=S3SH
-----END PGP SIGNATURE-----
--- End Message ---