[Pkg-utopia-maintainers] Bug#503532: D-Bus security issue

Simon McVittie smcv at debian.org
Sun Jan 4 17:01:18 UTC 2009


On Sat, 03 Jan 2009 at 17:58:47 +0000, Matthew Johnson wrote:
> In order to fix CVE-2008-4311 the default permissions on the system bus
> have been tightened up. This has revealed bugs in the configurations
> shipped with a number of services using the system bus which relied on
> the broken behaviour and will now break.

I've uploaded source and i386 binaries for a "release candidate" which has
deny-by-default and all of upstream's logging improvements:

  http://people.debian.org/~smcv/dbus-cve-2008-4311/

codehelp is compiling amd64 binaries which we'll upload to the same place when
they're ready. Please use this and try out your packages. If things are
denied, you'll get syslog spam like this:

Jan  4 16:56:34 carbon dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.4" (uid=0 pid=18344 comm="/usr/sbin/NetworkManager --pid-file /var/run/Netwo") interface="org.freedesktop.Hal.Device.KillSwitch" member="GetPower" error name="(unset)" requested_reply=0 destination="org.freedesktop.Hal" (uid=0 pid=18252 comm="/usr/sbin/hald "))

We're still looking into the fallout from this, so we're not uploading
to unstable right now. http://wiki.debian.org/DBusPermissions has the
gory details.

(1.2.8 in experimental has the deny-by-default and some (but not all) of
the logging improvements; I think you're better off with my version for
debugging.)

Regards,
    Simon
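An added example (not part of Simon's message or of the dbus package): a small Python triage script that parses denial lines in the format shown above and counts them per sender executable, destination, interface and member, so a maintainer can see at a glance which service's bus policy needs fixing. The sample lines are constructed; the first is the one quoted in the message, the others are made up to exercise the aggregation.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt: first line is the one quoted in the message,
# the rest are made up here to exercise the aggregation and the non-denial filter.
SAMPLE_SYSLOG = """\
Jan  4 16:56:34 carbon dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.4" (uid=0 pid=18344 comm="/usr/sbin/NetworkManager --pid-file /var/run/Netwo") interface="org.freedesktop.Hal.Device.KillSwitch" member="GetPower" error name="(unset)" requested_reply=0 destination="org.freedesktop.Hal" (uid=0 pid=18252 comm="/usr/sbin/hald "))
Jan  4 16:56:35 carbon dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.4" (uid=0 pid=18344 comm="/usr/sbin/NetworkManager --pid-file /var/run/Netwo") interface="org.freedesktop.Hal.Device.KillSwitch" member="GetPower" error name="(unset)" requested_reply=0 destination="org.freedesktop.Hal" (uid=0 pid=18252 comm="/usr/sbin/hald "))
Jan  4 16:57:01 carbon dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.7" (uid=1000 pid=18400 comm="/usr/bin/gnome-power-manager ") interface="org.freedesktop.Hal.Device.SystemPowerManagement" member="Suspend" error name="(unset)" requested_reply=0 destination="org.freedesktop.Hal" (uid=0 pid=18252 comm="/usr/sbin/hald "))
Jan  4 16:57:05 carbon dbus-daemon: Reloaded configuration
"""

DENIAL_RE = re.compile(
    r'dbus-daemon: Rejected (?P<action>\w+) message, (?P<nrules>\d+) matched rules; (?P<rest>.*)$')
PEER_RE = re.compile(
    r'(?P<role>sender|destination)="(?P<name>[^"]*)" '
    r'\(uid=(?P<uid>\d+) pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"\)')
FIELD_RE = re.compile(r'(type|interface|member|error name|requested_reply)=(?:"([^"]*)"|(\d+))')


def parse_denial(line):
    """Parse one dbus-daemon denial line into a dict; return None for any other line."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    rec = {"action": m.group("action"), "matched_rules": int(m.group("nrules"))}
    for key, quoted, bare in FIELD_RE.findall(rest):
        rec[key] = int(bare) if bare else quoted
    for p in PEER_RE.finditer(rest):
        rec[p.group("role")] = {"name": p.group("name"), "uid": int(p.group("uid")),
                                "pid": int(p.group("pid")), "comm": p.group("comm")}
    return rec


def summarize(text):
    """Count denials per (sender executable, destination, interface, member)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        # comm is a truncated command line, so key on the executable path only
        words = (rec.get("sender") or {}).get("comm", "").split()
        exe = words[0] if words else "?"
        dest = (rec.get("destination") or {}).get("name", "?")
        counts[(exe, dest, rec.get("interface"), rec.get("member"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_SYSLOG).most_common():
        print(n, *key)
```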
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 30-Add-syslog-of-security-denials-and-configuration-fil.patch
Type: text/x-diff
Size: 21028 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-utopia-maintainers/attachments/20090104/bf3046ff/attachment-0008.patch 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 31-Add-message-type-to-security-syslog-entries.patch
Type: text/x-diff
Size: 3466 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-utopia-maintainers/attachments/20090104/bf3046ff/attachment-0009.patch 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 32-Add-optional-logging-on-allow-rules.patch
Type: text/x-diff
Size: 8629 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-utopia-maintainers/attachments/20090104/bf3046ff/attachment-0010.patch 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 33-Add-uid-pid-and-command-to-security-logs.patch
Type: text/x-diff
Size: 16376 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-utopia-maintainers/attachments/20090104/bf3046ff/attachment-0011.patch 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 34-Add-requested_reply-to-send-denials-and-connection.patch
Type: text/x-diff
Size: 7913 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-utopia-maintainers/attachments/20090104/bf3046ff/attachment-0012.patch 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 35-syslog-h.patch
Type: text/x-diff
Size: 433 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-utopia-maintainers/attachments/20090104/bf3046ff/attachment-0013.patch 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 50-CVE-2008-4311.patch
Type: text/x-diff
Size: 1248 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-utopia-maintainers/attachments/20090104/bf3046ff/attachment-0014.patch 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 51-CVE-2008-4311-but-allow-signals.patch
Type: text/x-diff
Size: 1032 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-utopia-maintainers/attachments/20090104/bf3046ff/attachment-0015.patch 
