Your message dated Sun, 26 Oct 2008 17:49:58 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Re: [Secure-testing-team] Bug#503532:
send_requested_reply="true" allows all non-reply messages
has caused the Debian Bug report #503532,
regarding send_requested_reply="true" allows all non-reply messages
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
503532: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503532
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: dbus
Version: 1.2.1-3
Severity: normal
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I found the following dbus bug. I think it has security implications, but I
can’t
judge it’s impact, therefore I did not set the Severtiy. Security team
is CC’ed.
Upstream bug here https://bugs.freedesktop.org/show_bug.cgi?id=18229
copied text is:
if I understand everything correctly, there is a bad security bug in
dbus:
The default configuration contains the lines
<allow send_requested_reply="true"/>
<allow receive_requested_reply="true"/>
with the valid intention to allow all replies to be send without explicit
permission. Otherwise, dbus claims to have a default-no policy.
But what happens instead is: When a message is considered for sending, it
enters bus_client_policy_check_can_send in policy.c[1]. There, all rules are
looked at, but only SEND rules considered (line 893) – the first of the above
rules is such a rule. Now we check for various conditions that might occur in
such a rule (e.g. destination and the like), but none of these exist besides
send_requested_reply. But in line 909 this is only done for messages which are
replies. This means that for normal messages, we continue with the code and end
up in line 1028, where we set the allowed flag! If no other rule kicks in, this
stays allowed until the end.
A proper fix would be to add an else statement to the if in line 909, which
calls continue, I think.
Thanks,
Joachim
- -- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-2-486
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages dbus depends on:
ii adduser 3.110 add and remove users and groups
ii debianutils 2.30 Miscellaneous utilities specific t
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libdbus-1-3 1.2.1-3 simple interprocess messaging syst
ii libexpat1 2.0.1-4 XML parsing C library - runtime li
ii libselinux1 2.0.65-5 SELinux shared libraries
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
Versions of packages dbus recommends:
ii dbus-x11 1.2.1-3 simple interprocess messaging syst
dbus suggests no packages.
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkEjZYACgkQ9ijrk0dDIGx7nQCdGHBqviTS6SS23c5JoIJYVDeR
HTwAn3oQZFtVm3xI1MwjqoS37cBPauGe
=AvGx
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Version: 1.2.1-4
Hi Joachim,
* Joachim Breitner <[EMAIL PROTECTED]> [2008-10-26 16:43]:
> I found the following dbus bug. I think it has security implications, but I
> can???t
> judge it???s impact, therefore I did not set the Severtiy. Security team
> is CC???ed.
Please see #501443.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpQXPLy6aCHZ.pgp
Description: PGP signature
--- End Message ---
