Launchpad has imported 9 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=585394.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. ------------------------------------------------------------------------ On 2010-04-23T21:16:19+00:00 Colin wrote: The desktop team recently discovered a flaw in dbus-glib where it didn't respect the "access" flag on properties specified. Basically, core OS services like NetworkManager which use dbus-glib were specifying e.g. the "Ip4Address" as read-only for remote access, but in fact any process could modify it. I have a patch for dbus-glib (attached). However, due to the nature of the way dbus-glib works where at build time services generate a C data structure from XML and embed it into their binary, affected services will need to be rebuilt (though not patched). This affected list is for F-12; I think for RHEL5 we just need dbus-glib and NetworkManager. KNOWN AFFECTED SERVICES: * DeviceKit-Power * NetworkManager * ModemManager KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties: * ConsoleKit (it denies all Properties access using dbus policy) * gdm (ditto) * PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY) KNOWN NOT AFFECTED (because I audited them) * gnome-panel (no dbus properties) * gnome-system-monitor (ditto) PROBABLY NOT AFFECTED * hal (doesn't claim to handle org.freedesktop.DBus.Properties) * polkit (uses eggdbus) * rtkit (doesn't use dbus-glib) * DeviceKit-disks (all its properties appear to be readonly) * wpa_supplicant (doesn't implement Properties) * upstart (doesn't use dbus-glib) Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus- glib/+bug/616517/comments/0 ------------------------------------------------------------------------ On 2010-04-23T21:28:02+00:00 Colin wrote: Created attachment 408742 respect property access flags Note that affected services will need to be recompiled. Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus- glib/+bug/616517/comments/1 ------------------------------------------------------------------------ On 2010-04-23T21:46:47+00:00 Vincent wrote: This has been assigned CVE-2010-1172 Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus- glib/+bug/616517/comments/2 ------------------------------------------------------------------------ On 2010-04-27T20:46:43+00:00 Colin wrote: Created attachment 409584 0001-Respect-property-access-flags-for-writing-allow-disa.patch Updated patch; this one exercises the legacy disabled cased. Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus- glib/+bug/616517/comments/3 ------------------------------------------------------------------------ On 2010-04-27T22:22:28+00:00 Dan wrote: Latest patch appears to allow setting properties listed as 'access=read' even though I"ve disabled legacy property access: NetworkManager: object_registration_message: prop lookup name 'ip4_address' NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (is set 0) NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite) NetworkManager: object_registration_message: prop lookup name 'ip4_address' NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (is set 1) NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite) NetworkManager: object_registration_message: prop lookup name 'ip4_address' NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (is set 0) NetworkManager: check_property_access: iface org.freedesktop.NetworkManager.Device name Ip4Address (access type readwrite) but introspection/nm-device.xml lists Ip4Address as access=read. Also, you can kill the: /* Try both forms of property names: "foo_bar" or "FooBar"; for historical * reasons we accept both. */ if (object_info && !(property_info_from_object_info (object_info, wincaps_propiface, requested_propname, &access_type) 'object_info' check there now in check_property_access since there's a check for if (!object_info) just above. Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus- glib/+bug/616517/comments/4 ------------------------------------------------------------------------ On 2010-04-27T22:52:58+00:00 Dan wrote: Nevermind about the Ip4Address thing, needed a clean rebuild locally. So the latest patch looks good to me. Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus- glib/+bug/616517/comments/5 ------------------------------------------------------------------------ On 2010-08-09T15:21:00+00:00 Colin wrote: Created attachment 437622 patch against dbus-glib git master This patch is rebased on dbus-glib git master as of today (commit 9440209e2). Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus- glib/+bug/616517/comments/6 ------------------------------------------------------------------------ On 2010-08-10T16:07:50+00:00 Vincent wrote: This is public now. Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus- glib/+bug/616517/comments/7 ------------------------------------------------------------------------ On 2010-08-10T21:19:40+00:00 errata-xmlrpc wrote: This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0616 https://rhn.redhat.com/errata/RHSA-2010-0616.html Reply at: https://bugs.launchpad.net/ubuntu/+source/dbus- glib/+bug/616517/comments/8 ** Changed in: dbus-glib (Fedora) Status: Unknown => Fix Released ** Changed in: dbus-glib (Fedora) Importance: Unknown => Medium -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to modemmanager in Ubuntu. https://bugs.launchpad.net/bugs/616517 Title: CVE-2010-1172 dbus-glib: property access not validated Status in dbus-glib package in Ubuntu: Fix Released Status in modemmanager package in Ubuntu: Fix Released Status in network-manager package in Ubuntu: Fix Released Status in dbus-glib source package in Lucid: Fix Released Status in modemmanager source package in Lucid: Fix Released Status in network-manager source package in Lucid: Fix Released Status in dbus-glib source package in Hardy: Fix Released Status in modemmanager source package in Hardy: Invalid Status in network-manager source package in Hardy: Fix Released Status in dbus-glib source package in Karmic: Won't Fix Status in modemmanager source package in Karmic: Won't Fix Status in network-manager source package in Karmic: Won't Fix Status in dbus-glib package in Debian: Fix Released Status in dbus-glib package in Fedora: Fix Released Bug description: As also reported in RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=585394 A flaw was recently discovered in dbus-glib where it didn't respect the "access" flag on properties specified. Basically, core OS services like NetworkManager which use dbus-glib were specifying e.g. the "Ip4Address" as read-only for remote access, but in fact any process could modify it. A patch is available. However, due to the nature of the way dbus-glib works where at build time services generate a C data structure from XML and embed it into their binary, affected services will need to be rebuilt (though not patched). KNOWN AFFECTED SERVICES: * DeviceKit-Power * NetworkManager * ModemManager KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties: * ConsoleKit (it denies all Properties access using dbus policy) * gdm (ditto) * PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY) KNOWN NOT AFFECTED (because I audited them) * gnome-panel (no dbus properties) * gnome-system-monitor (ditto) PROBABLY NOT AFFECTED * hal (doesn't claim to handle org.freedesktop.DBus.Properties) * polkit (uses eggdbus) * rtkit (doesn't use dbus-glib) * DeviceKit-disks (all its properties appear to be readonly) * wpa_supplicant (doesn't implement Properties) * upstart (doesn't use dbus-glib) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dbus-glib/+bug/616517/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
