Debian Bug report logs - #503532
send_requested_reply="true" allows all non-reply messages


Package: dbus; Maintainer for dbus is Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>; Source for dbus is src:dbus.

Reported by: Joachim Breitner <nomeata@debian.org>

Date: Sun, 26 Oct 2008 15:36:14 UTC

Severity: grave

Tags: security

Merged with 508032

Found in versions dbus/1.2.1-3, dbus/1.2.4-1

Fixed in versions dbus/1.2.8-1, dbus/1.2.1-5

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#503532; Package dbus. (Sun, 26 Oct 2008 15:36:16 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sun, 26 Oct 2008 15:36:16 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joachim Breitner <nomeata@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: send_requested_reply="true" allows all non-reply messages
Date: Sun, 26 Oct 2008 16:32:43 +0100
Package: dbus
Version: 1.2.1-3
Severity: normal
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I found the following dbus bug. I think it has security implications, but I can’t
judge its impact, therefore I did not set the Severity. Security team
is CC’ed.

Upstream bug here https://bugs.freedesktop.org/show_bug.cgi?id=18229
copied text is:

if I understand everything correctly, there is a bad security bug in
dbus:

The default configuration contains the lines
    <allow send_requested_reply="true"/>
    <allow receive_requested_reply="true"/>
with the valid intention to allow all replies to be sent without explicit
permission. Otherwise, dbus claims to have a default-no policy.

But what happens instead is: When a message is considered for sending, it
enters bus_client_policy_check_can_send in policy.c[1]. There, all rules are
looked at, but only SEND rules considered (line 893) – the first of the above
rules is such a rule. Now we check for various conditions that might occur in
such a rule (e.g. destination and the like), but none of these exist besides
send_requested_reply. But in line 909 this is only done for messages which are
replies. This means that for normal messages, we continue with the code and end
up in line 1028, where we set the allowed flag! If no other rule kicks in, this
stays allowed until the end.

A proper fix would be to add an else statement to the if in line 909, which
calls continue, I think.


Thanks,
Joachim

- -- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-486
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dbus depends on:
ii  adduser                       3.110      add and remove users and groups
ii  debianutils                   2.30       Miscellaneous utilities specific t
ii  libc6                         2.7-15     GNU C Library: Shared libraries
ii  libdbus-1-3                   1.2.1-3    simple interprocess messaging syst
ii  libexpat1                     2.0.1-4    XML parsing C library - runtime li
ii  libselinux1                   2.0.65-5   SELinux shared libraries
ii  lsb-base                      3.2-20     Linux Standard Base 3.2 init scrip

Versions of packages dbus recommends:
ii  dbus-x11                      1.2.1-3    simple interprocess messaging syst

dbus suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkEjZYACgkQ9ijrk0dDIGx7nQCdGHBqviTS6SS23c5JoIJYVDeR
HTwAn3oQZFtVm3xI1MwjqoS37cBPauGe
=AvGx
-----END PGP SIGNATURE-----




Noted your statement that Bug has been forwarded to http://bugs.freedesktop.org/show_bug.cgi?id=18229. Request was from Joachim Breitner <nomeata@debian.org> to control@bugs.debian.org. (Sun, 26 Oct 2008 15:51:03 GMT) Full text and rfc822 format available.

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Sun, 26 Oct 2008 16:51:07 GMT) Full text and rfc822 format available.

Notification sent to Joachim Breitner <nomeata@debian.org>:
Bug acknowledged by developer. (Sun, 26 Oct 2008 16:51:07 GMT) Full text and rfc822 format available.

Message #12 received at 503532-done@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Joachim Breitner <nomeata@debian.org>, 503532-done@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#503532: send_requested_reply="true" allows all non-reply messages
Date: Sun, 26 Oct 2008 17:49:58 +0100
[Message part 1 (text/plain, inline)]
Version: 1.2.1-4

Hi Joachim,
* Joachim Breitner <nomeata@debian.org> [2008-10-26 16:43]:
> I found the following dbus bug. I think it has security implications, but I can’t
> judge its impact, therefore I did not set the Severity. Security team
> is CC’ed.

Please see #501443.
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#503532; Package dbus. (Sun, 26 Oct 2008 17:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sun, 26 Oct 2008 17:27:03 GMT) Full text and rfc822 format available.

Message #17 received at 503532@bugs.debian.org (full text, mbox):

From: Joachim Breitner <nomeata@debian.org>
To: 503532@bugs.debian.org
Cc: nion@debian.org
Subject: Re: Bug#503532 closed by Nico Golde <nion@debian.org> (Re: [Secure-testing-team] Bug#503532: send_requested_reply="true" allows all non-reply messages)
Date: Sun, 26 Oct 2008 18:24:30 +0100
[Message part 1 (text/plain, inline)]
Hi Nico,

On Sunday, 26.10.2008, 16:51 +0000, Debian Bug Tracking
System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the dbus package:
> 
> #503532: send_requested_reply="true" allows all non-reply messages
> 
> It has been closed by Nico Golde <nion@debian.org>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Nico Golde <nion@debian.org> by
> replying to this email.
> 
> 
> E-mail message attachment
> > -------- Forwarded message --------
> > From: Nico Golde <nion@debian.org>
> > To: Joachim Breitner <nomeata@debian.org>,
> > 503532-done@bugs.debian.org
> > Subject: Re: [Secure-testing-team] Bug#503532:
> > send_requested_reply="true" allows all non-reply messages
> > Date: Sun, 26 Oct 2008 17:49:58 +0100
> > 
> > Version: 1.2.1-4
> > 
> > Hi Joachim,
> > * Joachim Breitner <nomeata@debian.org> [2008-10-26 16:43]:
> > > I found the following dbus bug. I think it has security implications, but I can’t
> > > judge its impact, therefore I did not set the Severity. Security team
> > > is CC’ed.
> > 
> > Please see #501443.

Hi Nico,

I fail to see the connection between the two bugs. Was that a mistake?
In that case, please re-open it again.

BTW, upstream has confirmed the bug:
https://bugs.freedesktop.org/show_bug.cgi?id=18229#c2

Greetings,
Joachim


-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: nomeata@joachim-breitner.de | http://people.debian.org/~nomeata
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#503532; Package dbus. (Sun, 26 Oct 2008 17:48:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sun, 26 Oct 2008 17:48:08 GMT) Full text and rfc822 format available.

Message #22 received at 503532@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: Joachim Breitner <nomeata@debian.org>, 503532@bugs.debian.org
Cc: nion@debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#503532: closed by Nico Golde <nion@debian.org> (Re: [Secure-testing-team] Bug#503532: send_requested_reply="true" allows all non-reply messages)
Date: Sun, 26 Oct 2008 18:46:14 +0100
[Message part 1 (text/plain, inline)]
Joachim Breitner wrote:

> BTW, upstream has confirmed the bug:
> https://bugs.freedesktop.org/show_bug.cgi?id=18229#c2

I can't access the upstream bug report

I only get access denied error messages (although I'm logged in with my
bugs.fd.o account)

Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#503532; Package dbus. (Sun, 26 Oct 2008 18:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sun, 26 Oct 2008 18:00:03 GMT) Full text and rfc822 format available.

Message #27 received at 503532@bugs.debian.org (full text, mbox):

From: Joachim Breitner <nomeata@debian.org>
To: Michael Biebl <biebl@debian.org>
Cc: 503532@bugs.debian.org, nion@debian.org
Subject: Bug#503532: send_requested_reply="true" allows all non-reply messages
Date: Sun, 26 Oct 2008 17:56:15 +0000
[Message part 1 (text/plain, inline)]
Hi,

On Sunday, 26.10.2008, 18:46 +0100, Michael Biebl wrote:
> Joachim Breitner wrote:
> 
> > BTW, upstream has confirmed the bug:
> > https://bugs.freedesktop.org/show_bug.cgi?id=18229#c2
> 
> I can't access the upstream bug report
> 
> I only get access denied error messages (although I'm logged in with my
> bugs.fd.o account)

they made it security-only, it seems. I guess I should tell them that I
already put this on bugs.debian.org.

Anyways, here is the result from Havoc Pennington (which does not seem
to contain anything more secret than the original post):

> Good catch. I've marked the bug security group only in case people want to do a
> coordinated update under embargo.
> 
> I think the patch is not quite right because <allow> and <deny> should be
> treated differently.
> 
> The requested_reply arg to check_can_send already incorporates whether the
> message is a reply. So I think perhaps simply removing the "if
> (dbus_message_get_reply_serial (message) != 0)" check would fix this bug,
> except the eavesdrop test may need to now look at whether it's a reply, so
> something like:
> 
> if (!requested_reply && rule->allow && rule->d.send.requested_reply)
>   {
>     if (dbus_message_get_reply_serial (message) != 0 && rule->d.send.eavesdrop)
>       {
>         /* it's a reply, but was not requested; if eavesdrop is true, allow anyway */
>       }
>     else
>       {
>         /* skip rule, do not allow */
>         continue;
>       }
>   }
> 
> I am not 100% sure though. Clearly more test cases are needed, ideally unit
> tests for the full matrix of (reply vs. not reply) * (requested vs. not
> requested) * (allow vs. deny) etc., basically try to cover all the code paths.


Greetings,
Joachim
-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: nomeata@joachim-breitner.de | http://people.debian.org/~nomeata
[signature.asc (application/pgp-signature, inline)]
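The rule walk that the original report and Havoc Pennington's comment above describe, as an added illustration that is not part of this bug log and not dbus's policy.c: a simplified Python model of bus_client_policy_check_can_send with the single send-side rule from the default system.conf, `<allow send_requested_reply="true"/>`, evaluated both as the report reads the 1.2.1 code (the requested_reply test only runs when the message is a reply) and with the change Havoc sketched (the test runs for every message, with eavesdrop="true" as the only exception for an unrequested reply). The SendRule and Message classes, the `fixed` switch and the `matrix` helper are constructed for this model; the matrix is the (reply vs. not) x (requested vs. not) x (allow vs. deny) coverage Havoc asks for.

```python
"""Simplified model of the send-side policy walk described in this bug.
Constructed illustration; this is not dbus's policy.c."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class SendRule:
    """One <allow>/<deny> send rule, reduced to the attributes this bug involves."""
    allow: bool                    # <allow .../> if True, <deny .../> if False
    requested_reply: bool = False  # send_requested_reply="true" was given
    eavesdrop: bool = False        # eavesdrop="true" was given


@dataclass(frozen=True)
class Message:
    is_reply: bool   # dbus_message_get_reply_serial (message) != 0
    requested: bool  # the bus saw the matching call (check_can_send's requested_reply arg)

    def __post_init__(self):
        # A message that is not a reply can never be a requested reply.
        if self.requested and not self.is_reply:
            raise ValueError("only replies can be requested replies")


def check_can_send(rules, msg, fixed):
    """Walk the rules in order; the last rule that applies sets the verdict.

    fixed=False follows the report's reading of 1.2.1 policy.c: the
    requested_reply test (line 909) only runs when the message is a reply,
    so a non-reply skips it and reaches the 'allowed = rule->allow' line.
    fixed=True follows the change sketched in Havoc Pennington's comment:
    the test runs for every message, and an unrequested reply passes only
    when the rule also says eavesdrop="true".
    """
    allowed = False  # nothing matched yet: the intended default-deny
    for rule in rules:
        if rule.allow and rule.requested_reply and not msg.requested:
            if fixed:
                if not (msg.is_reply and rule.eavesdrop):
                    continue  # skip rule, do not allow
            elif msg.is_reply:
                if not rule.eavesdrop:
                    continue  # unrequested reply, rule skipped
            # vulnerable path: a non-reply message falls through here ...
        allowed = rule.allow  # ... and the <allow> rule takes effect
    return allowed


# The two lines quoted from the default system.conf reduce, on the send side,
# to this single rule.
SYSTEM_CONF_RULES = [SendRule(allow=True, requested_reply=True)]


def matrix(rules, fixed):
    """(reply vs. not) x (requested vs. not) for one rule set, as Havoc suggests."""
    results = {}
    for is_reply, requested in product((False, True), repeat=2):
        if requested and not is_reply:
            continue  # impossible combination, see Message
        results[(is_reply, requested)] = check_can_send(rules, Message(is_reply, requested), fixed)
    return results


if __name__ == "__main__":
    for fixed in (False, True):
        label = "fixed     " if fixed else "vulnerable"
        for (is_reply, requested), verdict in sorted(matrix(SYSTEM_CONF_RULES, fixed).items()):
            print(f"{label} is_reply={is_reply!s:5} requested={requested!s:5} -> "
                  f"{'allow' if verdict else 'deny'}")
```

Running the module prints both matrices for the default rule; the cell that matters is (is_reply=False, requested=False), an ordinary method call: the old reading allows it, the fixed walk denies it, while a genuinely requested reply is allowed either way. Swapping in a `<deny>` rule with the same attribute shows why Havoc wants allow and deny treated differently: the requested_reply short-circuit only ever concerns allow rules.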

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#503532; Package dbus. (Sun, 26 Oct 2008 18:48:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sun, 26 Oct 2008 18:48:06 GMT) Full text and rfc822 format available.

Message #32 received at 503532@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Joachim Breitner <nomeata@debian.org>, 503532@bugs.debian.org
Subject: Re: Bug#503532: closed by Nico Golde <nion@debian.org> (Re: [Secure-testing-team] Bug#503532: send_requested_reply="true" allows all non-reply messages)
Date: Sun, 26 Oct 2008 19:42:20 +0100
[Message part 1 (text/plain, inline)]
reopen 503532
thanks

Hi Joachim,
* Joachim Breitner <nomeata@debian.org> [2008-10-26 19:37]:
> On Sunday, 26.10.2008, 16:51 +0000, Debian Bug Tracking
> System wrote:
> > This is an automatic notification regarding your Bug report
> > which was filed against the dbus package:
> > 
> > #503532: send_requested_reply="true" allows all non-reply messages
> > 
> > It has been closed by Nico Golde <nion@debian.org>.
> > 
> > Their explanation is attached below along with your original report.
> > If this explanation is unsatisfactory and you have not received a
> > better one in a separate message then please contact Nico Golde <nion@debian.org> by
> > replying to this email.
[...] 
> > > Please see #501443.
> 
> I fail to see the connection between the two bugs. Was that a mistake?

Args, yes. I misread the bug number 18229 vs 19288. Sorry!

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug reopened, originator not changed. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 26 Oct 2008 18:48:07 GMT) Full text and rfc822 format available.

Forcibly Merged 503532 508032. Request was from Joachim Breitner <nomeata@debian.org> to control@bugs.debian.org. (Mon, 08 Dec 2008 00:18:02 GMT) Full text and rfc822 format available.

Reply sent to Sjoerd Simons <sjoerd@debian.org>:
You have taken responsibility. (Sun, 14 Dec 2008 18:18:06 GMT) Full text and rfc822 format available.

Notification sent to Joachim Breitner <nomeata@debian.org>:
Bug acknowledged by developer. (Sun, 14 Dec 2008 18:18:06 GMT) Full text and rfc822 format available.

Message #41 received at 503532-close@bugs.debian.org (full text, mbox):

From: Sjoerd Simons <sjoerd@debian.org>
To: 503532-close@bugs.debian.org
Subject: Bug#503532: fixed in dbus 1.2.8-1
Date: Sun, 14 Dec 2008 18:02:05 +0000
Source: dbus
Source-Version: 1.2.8-1

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:

dbus-1-doc_1.2.8-1_all.deb
  to pool/main/d/dbus/dbus-1-doc_1.2.8-1_all.deb
dbus-x11_1.2.8-1_amd64.deb
  to pool/main/d/dbus/dbus-x11_1.2.8-1_amd64.deb
dbus_1.2.8-1.diff.gz
  to pool/main/d/dbus/dbus_1.2.8-1.diff.gz
dbus_1.2.8-1.dsc
  to pool/main/d/dbus/dbus_1.2.8-1.dsc
dbus_1.2.8-1_amd64.deb
  to pool/main/d/dbus/dbus_1.2.8-1_amd64.deb
dbus_1.2.8.orig.tar.gz
  to pool/main/d/dbus/dbus_1.2.8.orig.tar.gz
libdbus-1-3_1.2.8-1_amd64.deb
  to pool/main/d/dbus/libdbus-1-3_1.2.8-1_amd64.deb
libdbus-1-dev_1.2.8-1_amd64.deb
  to pool/main/d/dbus/libdbus-1-dev_1.2.8-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 503532@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sjoerd Simons <sjoerd@debian.org> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 07 Dec 2008 13:30:19 +0000
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev
Architecture: source all amd64
Version: 1.2.8-1
Distribution: experimental
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Sjoerd Simons <sjoerd@debian.org>
Description: 
 dbus       - simple interprocess messaging system
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 503532 508032
Changes: 
 dbus (1.2.8-1) experimental; urgency=low
 .
   [ Sjoerd Simons ]
   * New upstream release
   * Fixes CVE-2008-4311 (Closes: #503532, #508032)
 .
   [ Michael Biebl ]
   * debian/libdbus-1-3.symbols
     - Updated, new symbol has been added.
   * debian/rules
     - Bump shlibs to 1.2.4.
   * debian/control
     - Bump Standards-Version to 3.8.0. No further changes.
Checksums-Sha1: 
 de07212c94d0c67b8b041cc8cccb3b08eb23a1f9 1536 dbus_1.2.8-1.dsc
 f6a5215b1eb6fee17821beb22f2e934ad383bfbe 1571133 dbus_1.2.8.orig.tar.gz
 a5711abfedd4f1241c84c63fc3befe671cf452fa 26581 dbus_1.2.8-1.diff.gz
 93f491fc75a86c592fd0c2efcbd8335836955ce8 1803724 dbus-1-doc_1.2.8-1_all.deb
 b89523d2b493bf39a5aaaa70eee8393936d5e6f4 225600 dbus_1.2.8-1_amd64.deb
 8d6932da06beb77b21345c36196de40ecdc241f1 39920 dbus-x11_1.2.8-1_amd64.deb
 430b4798c23f3b4d8a1694e871b90a44c84e10d4 138360 libdbus-1-3_1.2.8-1_amd64.deb
 1e98be27d4d3c532b66f238652c9f8df8bd263ba 235100 libdbus-1-dev_1.2.8-1_amd64.deb
Checksums-Sha256: 
 11429c11e855b38a2e4eb97d538106a60dd96135ac169a1b06ed972f2011126c 1536 dbus_1.2.8-1.dsc
 167a06f0236c9d9288dad106e83fb184bbea213c732bb90ae487d6a02b90b105 1571133 dbus_1.2.8.orig.tar.gz
 a0200d93e5f14b3df42f78823901aec5d238abc01d074f44aafebbc4c5f416bb 26581 dbus_1.2.8-1.diff.gz
 c8f09fb22b740449ceeef27955f432aeab2401ef8974563c1256fb0a655ddffc 1803724 dbus-1-doc_1.2.8-1_all.deb
 45afac4fb0053219f6e950baad34f860b687aed6144f9089935aa4dfa20c4c6b 225600 dbus_1.2.8-1_amd64.deb
 7eba4d61aeabd47f6e93a90625261be52d3774cc9ae127f74e18547eb97068e4 39920 dbus-x11_1.2.8-1_amd64.deb
 cc03cc5a6a6b18a63032195f6c270d3b1db9c277a63c818eabcdfa650ca2897c 138360 libdbus-1-3_1.2.8-1_amd64.deb
 255e6d951589cff5f2ba381fa866cd110a8701c7f8e3f3d1b9af540df0973878 235100 libdbus-1-dev_1.2.8-1_amd64.deb
Files: 
 29d8429e17f598c6478182c1c9eeffb0 1536 devel optional dbus_1.2.8-1.dsc
 f8559a7a3b7cf5ec7e3eb80cfe44efe4 1571133 devel optional dbus_1.2.8.orig.tar.gz
 f1c001481e9e5c8de491b8ce46f1c928 26581 devel optional dbus_1.2.8-1.diff.gz
 2c9b6bc62680ffb992d4d35c964af18e 1803724 doc optional dbus-1-doc_1.2.8-1_all.deb
 0e635e28342acb9cb2833b2c795fd848 225600 devel optional dbus_1.2.8-1_amd64.deb
 b1adaed558d8e31dfb5a1321cb259178 39920 x11 optional dbus-x11_1.2.8-1_amd64.deb
 07c372f1a057321d5f162c4f8e2556a8 138360 libs optional libdbus-1-3_1.2.8-1_amd64.deb
 b7aa16eba4cf08b51598430883d834c5 235100 libdevel optional libdbus-1-dev_1.2.8-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklFSVQACgkQgTd+SodosdIjHwCZAZRUgqnGq9iP+UbzzO3y2stz
xI4AoMwvfWMZ6OZ4g9yT1taxeZOYA2GO
=S3SH
-----END PGP SIGNATURE-----





Reply sent to Sjoerd Simons <sjoerd@debian.org>:
You have taken responsibility. (Sun, 14 Dec 2008 18:18:07 GMT) Full text and rfc822 format available.

Notification sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 14 Dec 2008 18:18:07 GMT) Full text and rfc822 format available.

Tags added: security Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Wed, 17 Dec 2008 02:03:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#503532; Package dbus. (Thu, 18 Dec 2008 12:42:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Patrick Schoenfeld <schoenfeld@in-medias-res.com>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Thu, 18 Dec 2008 12:42:02 GMT) Full text and rfc822 format available.

Message #53 received at 503532@bugs.debian.org (full text, mbox):

From: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
To: 508032@bugs.debian.org, 503532@bugs.debian.org, sjoerd@debian.org
Subject: Security vulnerability in dbus
Date: Thu, 18 Dec 2008 13:39:18 +0100
Hi,

I saw that you made an upload for bug #503532 and #508032 to
experimental. Now I wonder if you plan to make an upload to unstable
suitable for lenny?

Best Regards,
Patrick




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#503532; Package dbus. (Sat, 20 Dec 2008 12:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sjoerd Simons <sjoerd@luon.net>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 20 Dec 2008 12:51:04 GMT) Full text and rfc822 format available.

Message #58 received at 503532@bugs.debian.org (full text, mbox):

From: Sjoerd Simons <sjoerd@luon.net>
To: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
Cc: 508032@bugs.debian.org, 503532@bugs.debian.org
Subject: Re: Security vulnerability in dbus
Date: Sat, 20 Dec 2008 12:48:50 +0000
On Thu, Dec 18, 2008 at 01:39:18PM +0100, Patrick Schoenfeld wrote:
> Hi,
> 
> I saw that you made an upload for bug #503532 and #508032 to
> experimental. Now I wonder if you plan to make an upload to unstable
> suitable for lenny?

Unfortunately the situation is a little bit more complicated than that.
Tightening up the security of the dbus config is known to break various other
programs. D-Bus upstream just released a permissive version which will allow
the same things as the older dbus versions did, but logs about things that
would break with the new rules. We intend to upload that to unstable rsn, so we
can find and fix most if not all issues before uploading the final, secure version.

  Sjoerd
-- 
If you can survive death, you can probably survive anything.




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#503532; Package dbus. (Mon, 22 Dec 2008 11:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Patrick Schoenfeld <schoenfeld@in-medias-res.com>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Mon, 22 Dec 2008 11:36:03 GMT) Full text and rfc822 format available.

Message #63 received at 503532@bugs.debian.org (full text, mbox):

From: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
To: Sjoerd Simons <sjoerd@luon.net>
Cc: 508032@bugs.debian.org, 503532@bugs.debian.org
Subject: Re: Security vulnerability in dbus
Date: Mon, 22 Dec 2008 12:33:00 +0100
On Sat, Dec 20, 2008 at 12:48:50PM +0000, Sjoerd Simons wrote:
> > I saw that you made an upload for bug #503532 and #508032 to
> > experimental. Now I wonder if you plan to make an upload to unstable
> > suitable for lenny?
> 
> Unfortunately the situation is a little bit more complicated than that.

More complicated than what? I did not say "do you intend to upload
the experimental version to unstable", I've asked whether you plan to
make a suitable lenny upload.

> Tightening up the security of the dbus config is known to break various other
> programs. D-Bus upstream just released a permissive version which will allow
> the same things as the older dbus versions did, but logs about things that
> would break with the new rules. We intend to upload that to unstable rsn, so we
> can find and fix most if not all issues before uploading the final, secure version.

OK. I just wanted to know if there is any progress going, when I went
through the list of RC bugs, before looking deeper into the issue.

Regards,
Patrick




Blocking bugs of 503532 added: 510628 Request was from Matthew Johnson <mjj29@debian.org> to control@bugs.debian.org. (Sat, 03 Jan 2009 21:51:03 GMT) Full text and rfc822 format available.

Blocking bugs of 503532 added: 510633 Request was from Matthew Johnson <mjj29@debian.org> to control@bugs.debian.org. (Sat, 03 Jan 2009 22:33:02 GMT) Full text and rfc822 format available.

Blocking bugs of 503532 added: 510646 Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2009 13:39:02 GMT) Full text and rfc822 format available.

Blocking bugs of 503532 added: 510639 Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2009 13:39:04 GMT) Full text and rfc822 format available.

Blocking bugs of 503532 added: 510644 Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2009 13:39:06 GMT) Full text and rfc822 format available.

Blocking bugs of 503532 added: 510698 Request was from Matthew Johnson <mjj29@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2009 13:57:09 GMT) Full text and rfc822 format available.

Blocking bugs of 503532 added: 510709 Request was from Matthew Johnson <mjj29@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2009 14:21:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#503532; Package dbus. (Sun, 04 Jan 2009 17:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sun, 04 Jan 2009 17:06:03 GMT) Full text and rfc822 format available.

Message #82 received at 503532@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: debian-release@lists.debian.org, 503532@bugs.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: D-Bus security issue
Date: Sun, 4 Jan 2009 17:01:18 +0000
[Message part 1 (text/plain, inline)]
On Sat, 03 Jan 2009 at 17:58:47 +0000, Matthew Johnson wrote:
> In order to fix CVE-2008-4311 the default permissions on the system bus
> have been tightened up. This has revealed bugs in the configurations
> shipped with a number of services using the system bus which relied on
> the broken behaviour and will now break.

I've uploaded source and i386 binaries for a "release candidate" which has
deny-by-default and all of upstream's logging improvements:

  http://people.debian.org/~smcv/dbus-cve-2008-4311/

codehelp is compiling amd64 binaries which we'll upload to the same place when
they're ready. Please use this and try out your packages. If things are
denied, you'll get syslog spam like this:

Jan  4 16:56:34 carbon dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.4" (uid=0 pid=18344 comm="/usr/sbin/NetworkManager --pid-file /var/run/Netwo") interface="org.freedesktop.Hal.Device.KillSwitch" member="GetPower" error name="(unset)" requested_reply=0 destination="org.freedesktop.Hal" (uid=0 pid=18252 comm="/usr/sbin/hald "))

We're still looking into the fallout from this, so we're not uploading
to unstable right now. http://wiki.debian.org/DBusPermissions has the
gory details.

(1.2.8 in experimental has the deny-by-default and some (but not all) of
the logging improvements; I think you're better off with my version for
debugging.)

Regards,
    Simon
[30-Add-syslog-of-security-denials-and-configuration-fil.patch (text/x-diff, attachment)]
[31-Add-message-type-to-security-syslog-entries.patch (text/x-diff, attachment)]
[32-Add-optional-logging-on-allow-rules.patch (text/x-diff, attachment)]
[33-Add-uid-pid-and-command-to-security-logs.patch (text/x-diff, attachment)]
[34-Add-requested_reply-to-send-denials-and-connection.patch (text/x-diff, attachment)]
[35-syslog-h.patch (text/x-diff, attachment)]
[50-CVE-2008-4311.patch (text/x-diff, attachment)]
[51-CVE-2008-4311-but-allow-signals.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
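A parser for the denial line Simon quotes above, added here as an example that is not part of the bug log or of the dbus logging patches: it splits the syslog record into the sender and destination peers (bus name, uid, pid, comm) and the remaining message fields, then counts denials per calling program, destination and method, which is the view a maintainer needs to work out which package's configuration still relies on the old behaviour. The first sample line is the one from the message; the second is constructed for the example (invented service names and programs), and `parse_denial`, `denials_by_caller` and the record keys are this example's own.

```python
"""Parse 'Rejected send message' syslog lines from dbus-daemon and tally
them per caller. Constructed example; the parser is not dbus code."""
import re
from collections import Counter

# First line: the denial quoted in the message above. Second line: constructed
# for this example (the service names and programs are invented).
SAMPLE_LINES = [
    'Jan  4 16:56:34 carbon dbus-daemon: Rejected send message, 1 matched rules; '
    'type="method_call", sender=":1.4" (uid=0 pid=18344 comm="/usr/sbin/NetworkManager '
    '--pid-file /var/run/Netwo") interface="org.freedesktop.Hal.Device.KillSwitch" '
    'member="GetPower" error name="(unset)" requested_reply=0 '
    'destination="org.freedesktop.Hal" (uid=0 pid=18252 comm="/usr/sbin/hald "))',
    'Jan  4 16:57:01 carbon dbus-daemon: Rejected send message, 1 matched rules; '
    'type="method_call", sender=":1.9" (uid=1000 pid=20011 comm="/usr/bin/example-applet ") '
    'interface="org.example.Power" member="Suspend" error name="(unset)" requested_reply=0 '
    'destination="org.example.PowerDaemon" (uid=0 pid=19990 comm="/usr/sbin/example-powerd "))',
]

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dbus-daemon: '
    r'Rejected (?P<direction>\w+) message, (?P<matched>\d+) matched rules; (?P<rest>.*)$'
)
# sender=":1.4" (uid=0 pid=18344 comm="...") and the same shape for destination=
PEER_RE = re.compile(
    r'(?P<key>sender|destination)="(?P<name>[^"]*)" '
    r'\(uid=(?P<uid>\d+) pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"\)'
)
# Remaining key=value fields; "error name" is the one key containing a space.
FIELD_RE = re.compile(r'(?P<key>(?:error )?\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s)]+))')


def parse_denial(line):
    """Return a dict for a dbus-daemon denial line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "direction": m.group("direction"),
           "matched_rules": int(m.group("matched"))}
    rest = m.group("rest")
    for pm in PEER_RE.finditer(rest):
        rec[pm.group("key")] = {"name": pm.group("name"), "uid": int(pm.group("uid")),
                                "pid": int(pm.group("pid")), "comm": pm.group("comm").strip()}
    rest = PEER_RE.sub("", rest)  # peers done; parse the flat fields from what is left
    for fm in FIELD_RE.finditer(rest):
        value = fm.group("quoted") if fm.group("quoted") is not None else fm.group("bare")
        rec[fm.group("key").replace(" ", "_")] = value
    rec["requested_reply"] = rec.get("requested_reply") == "1"
    return rec


def denials_by_caller(lines):
    """Count denials per (calling program, destination bus name, interface.member)."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec is None or "sender" not in rec or "destination" not in rec:
            continue
        program = rec["sender"]["comm"].split()[0] if rec["sender"]["comm"] else "?"
        counts[(program, rec["destination"]["name"],
                f'{rec.get("interface", "?")}.{rec.get("member", "?")}')] += 1
    return counts


if __name__ == "__main__":
    for key, n in denials_by_caller(SAMPLE_LINES).most_common():
        print(f"{n:4d}  {key[0]} -> {key[1]}  {key[2]}")
```

The comm field is truncated by the kernel (the NetworkManager line ends in `/var/run/Netwo`), so the tally keys on the first token of comm rather than the whole string; the uid and pid of both peers survive in the record for cases where the same program runs under several users.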

Blocking bugs of 503532 added: 510744 Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2009 19:48:06 GMT) Full text and rfc822 format available.

Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sat, 10 Jan 2009 23:12:05 GMT) Full text and rfc822 format available.

Notification sent to Joachim Breitner <nomeata@debian.org>:
Bug acknowledged by developer. (Sat, 10 Jan 2009 23:12:05 GMT) Full text and rfc822 format available.

Message #89 received at 503532-close@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: 503532-close@bugs.debian.org
Subject: Bug#503532: fixed in dbus 1.2.1-5
Date: Sat, 10 Jan 2009 23:02:06 +0000
Source: dbus
Source-Version: 1.2.1-5

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:

dbus-1-doc_1.2.1-5_all.deb
  to pool/main/d/dbus/dbus-1-doc_1.2.1-5_all.deb
dbus-x11_1.2.1-5_i386.deb
  to pool/main/d/dbus/dbus-x11_1.2.1-5_i386.deb
dbus_1.2.1-5.diff.gz
  to pool/main/d/dbus/dbus_1.2.1-5.diff.gz
dbus_1.2.1-5.dsc
  to pool/main/d/dbus/dbus_1.2.1-5.dsc
dbus_1.2.1-5_i386.deb
  to pool/main/d/dbus/dbus_1.2.1-5_i386.deb
libdbus-1-3_1.2.1-5_i386.deb
  to pool/main/d/dbus/libdbus-1-3_1.2.1-5_i386.deb
libdbus-1-dev_1.2.1-5_i386.deb
  to pool/main/d/dbus/libdbus-1-dev_1.2.1-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 503532@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 10 Jan 2009 21:43:16 +0000
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev
Architecture: source all i386
Version: 1.2.1-5
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 dbus       - simple interprocess messaging system
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 503532 508032
Changes: 
 dbus (1.2.1-5) unstable; urgency=high
 .
   [ Sjoerd Simons ]
   * debian/patches/CVE-2008-4311.patch:
     + Added, Fixes CVE-2008-4311. A mistake in the default configuration for
       the system bus (system.conf) which made the default policy for both sent
       and received messages effectively *allow*, and not deny as intended. This
       patch fixes the send side permissions (Closes: #503532, #508032)
   * Urgency high for the security fix
 .
   [ Simon McVittie ]
   * Rename CVE-*.patch to prefix them with a sequence number so it's clear
     what order they should apply in
   * Add 51-CVE-2008-4311-but-allow-signals.patch, cherry-picked from upstream
     git commit d899734475: after fixing CVE-2008-4311, re-allow emitting
     signals
   * debian/patches/3[0-4]*.patch, cherry-picked from upstream git (see patches
     for commit IDs): add logging when permission to send a message is denied
   * debian/patches/35-syslog-h.patch: #include <syslog.h> to fix compilation
     with the logging patches applied
   * Add myself to Uploaders
Checksums-Sha1: 
 c6bbeaf6adaf8bfaab2c29a3673ae06f13bdc27b 1538 dbus_1.2.1-5.dsc
 d6487cdd1e7642d4e8c85b70c22194f65485dc09 38407 dbus_1.2.1-5.diff.gz
 5322db4f0b383668cb103c7bd8bb0f3f2adbb388 1822318 dbus-1-doc_1.2.1-5_all.deb
 33ca15975f3c69d5cfb633b5ab17b335c836ef07 229016 dbus_1.2.1-5_i386.deb
 bfde3c36e2e14b97af81953b710f51c40d1e4d7b 63448 dbus-x11_1.2.1-5_i386.deb
 0f96acf34bd4fe478d3b7edeb12a2200c6e18b5c 147732 libdbus-1-3_1.2.1-5_i386.deb
 006669638cb49e7c067d0fb7bfecde44ed1fcc3f 235596 libdbus-1-dev_1.2.1-5_i386.deb
Checksums-Sha256: 
 4e93374fe27ff43852fa38ddad38238192f9f0a3bedecb62d15d988368320cfb 1538 dbus_1.2.1-5.dsc
 a7e86a2034de58e1d5b41f963b27c791386b59269a9204ff988045eb889d9905 38407 dbus_1.2.1-5.diff.gz
 0d6ffcb9ac4855d220f8bf4038c9ba8f03e247bba7943ada83cbdc1c12385070 1822318 dbus-1-doc_1.2.1-5_all.deb
 00820f2ee73ce296adb5980a6a1862b0ea6e28c9a524cb70b951a2f1c0bacd2c 229016 dbus_1.2.1-5_i386.deb
 645a4e5841ee3e3fbe9907233ddc8ea3f8a302e98633e11051edb85bcb6c2aa3 63448 dbus-x11_1.2.1-5_i386.deb
 c96b6e2b0b32a40f12075eb34d5d820f0d01414cc3d5942e440aac26e66fbb8d 147732 libdbus-1-3_1.2.1-5_i386.deb
 08167b75a3de06f592e778593393244ed280d26e391f4373f21c7ad5148e28bc 235596 libdbus-1-dev_1.2.1-5_i386.deb
Files: 
 52f7ccdff41e06473f6156268b37e3fa 1538 devel optional dbus_1.2.1-5.dsc
 5c3158b6e63b83d717f5dd8081b44e5c 38407 devel optional dbus_1.2.1-5.diff.gz
 65d3cb630ada231a1b09b991da64bf0c 1822318 doc optional dbus-1-doc_1.2.1-5_all.deb
 f3b65b62ff6d67379d0aef23bba5d5d6 229016 devel optional dbus_1.2.1-5_i386.deb
 868e7115ced3c6196c0e8bc249afa37e 63448 x11 optional dbus-x11_1.2.1-5_i386.deb
 e20b7d548c4d4ef9407d83726ab62ffa 147732 libs optional libdbus-1-3_1.2.1-5_i386.deb
 37a6786eb691800198fb81941e016a8b 235596 libdevel optional libdbus-1-dev_1.2.1-5_i386.deb

-----BEGIN PGP SIGNATURE-----

iD8DBQFJaSXuWSc8zVUw7HYRApELAJ9xeiYY+SKB2YSEkGS1wMNkoKnMUACg5wvH
QlPFufHhxIR4RrQCTVVcljU=
=X1ZZ
-----END PGP SIGNATURE-----





Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sat, 10 Jan 2009 23:12:06 GMT) Full text and rfc822 format available.

Notification sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 10 Jan 2009 23:12:06 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Feb 2009 07:27:57 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 00:01:29 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.